PHP echo returning blank value - php

So I am trying to link using data I got from a function, but it keeps giving me a blank value for ID. Here's my code for what I'm trying to print:
<h3 style="text-align: center;">Seller: <?php $sellername =
getNameFromListingID(); $id = getIDByUsername($sellername); echo "".$sellername."";?></h3>
The functions work properly; I have tried printing both of them and it works. They're in a file called getinfo.php, which I have
Include 'getinfo.php';
at the top of my document.
The link with the name works but I always get seller.php?id=, with no value after. Any clue as to why?

You're ending the href attribute too early.
<a href=\"seller.php?id=".$id."\">
This will put the $id inside the href attribute, where it belongs.

Use single quotes in PHP, it's a good practice to get into, and it's also slightly (a teeny tiny bit) faster for PHP to process. Why? Because, when you use double quotes, you're telling PHP that your string contains variables that may need to be evaluated.
So in truth, you don't even need the quotes around variables here.
echo "$sellername";
But doing it like this would be following a best practice.
And now you don't need to escape \" double quotes that HTML uses.
echo ''.$sellername.'';
Caution: It's also a very good idea to escape special characters in anything you're outputting into HTML markup. That avoids the potential for an XSS vulnerability. See: htmlspecialchars()
echo ''.htmlspecialchars($sellername).'';
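An added example, not code from the question or from either answer, that puts the two answers together: the id is URL-encoded into the query string, and both the href value and the link text go through htmlspecialchars() with ENT_QUOTES before they are concatenated into the anchor. The sellerLink() function and the sample id and name values are this example's own; the getNameFromListingID() and getIDByUsername() helpers from the question are not called.

```php
<?php
// Added example (not from the original question or answers): build the seller
// link with the id in the query string and every dynamic value escaped for
// the context it lands in. The ids and names below are constructed samples.

declare(strict_types=1);

/**
 * Return an <a> element linking to seller.php for the given seller.
 * - urlencode()        : the id becomes a query-string value
 * - htmlspecialchars() : the href and the link text become HTML; ENT_QUOTES
 *                        encodes both " and ' so the attribute cannot be closed
 */
function sellerLink(string $id, string $sellerName): string
{
    $href = 'seller.php?id=' . urlencode($id);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($sellerName, ENT_QUOTES, 'UTF-8')
         . '</a>';
}

// Normal case
echo sellerLink('42', 'alice'), PHP_EOL;
// <a href="seller.php?id=42">alice</a>

// Name that tries to close the attribute early and id that carries a second
// parameter: the quote is encoded and & = are percent-encoded, so both stay
// inert data.
echo sellerLink('7&x=1', 'bob" title="injected'), PHP_EOL;
// <a href="seller.php?id=7%26x%3D1">bob&quot; title=&quot;injected</a>
```

If the href ever carries more than one parameter, htmlspecialchars() will turn the `&` between them into `&amp;`, which is the correct form inside an attribute; the browser decodes it back before following the link.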

Single quotes turning url into twins?

Just noticed that when using single quotes to echo a basic link in php, the url repeats itself.
<?php
echo 'Link URL - Single Quotes<br />';
?>
The above code outputs the link as:
http://example.com/"http://example.com/"
Can anyone shed some light on the reason for this?
You shouldn't \-escape your " when you're using ' to surround the string as a whole. This couldn't create that output itself, but it might confuse a parser somewhere down the line, producing the problem. Try this instead:
echo 'Example.com<br />';
Use PHP to output dynamic data and leave the HTML out of it. This will save you hours of quotation frustration.
?>
Example.com<br />
<?php
// carry on with the PHP
echo 'Example.com<br />';
outputs
Example.com<br />
The backslashes are included in the final output and most likely trip up the HTML parser.
You're escaping the double quotes. It isn't necessary when using single quotes, and vice versa.
<?php
echo 'Example.com<br />';
?>
The above code outputs the link as:
http://example.com/"http://example.com/"
No, it doesn't produce that output.
This is what you see in the browser when you put the cursor over the link and when you click on the link. It's part of the browser's job to resolve relative and incomplete links, but what it shows to the user is, most of the time, not what is written in the HTML code.
Use the browser's "View Source" functionality to see the HTML generated by your code.
The (invalid) HTML produced by your code is:
Link URL - Single Quotes<br />
The browser interprets \"http://example.com\" as the value of the href attribute. HTML attribute values can be either enclosed in quotes (") or apostrophes (') or not quoted at all, and the quoting character must be the first non-space character after the equal sign (=). Because it finds a backslash (\) after the equal sign, it concludes the attribute value is not quoted and reads everything until the first whitespace or until the tag ends (>) as the attribute's value.
The value \"http://example.com\" is not a valid URL and the browser handles it as an incomplete URL. An incomplete URL needs to be resolved to a complete URL in order to be used. It doesn't look like a relative URL (doesn't start with ..), it doesn't look like an absolute path without a host name either (doesn't start with /). The only way to resolve it is to treat it as a file name located in the same directory as the page that is currently loaded. Chances are that your offending code runs in a page located in the root of your website (http://example.com/index.php, for example).
I won't provide a fix for your problem here. The question already has plenty of answers that show you various ways to avoid this happening.
However, take a look at the strings documentation page in the PHP manual. All you need to know is explained there.

What is <<<_END?

I'm new to PHP and don't understand what the point of <<<_END is. Could someone please explain when this should be used? I've looked at various examples and they all seem to have HTML embedded within them. But I can use HTML without the <<<_END tags, so why should I use them? I tried searching the manual, but I keep finding the end() method for arrays.
It's the start of a heredoc. You can do:
$data = <<< _END
You can write anything you want in between the start and end
_END;
_END can be just about anything. You could put EOF or STUFF, as long as you use the same thing at the start and the finish.
This signifies the beginning of a heredoc (a multi-line string that allows you to use quotation marks in the middle, unescaped) that ends when you encounter the _END.
It can be useful to define HTML in one of these if the goal is to assign it to a variable or pass it to a function rather than printing it to the web server immediately.
That syntax is called heredoc:
<<<_END
some text
_END
Basically, it's a way of writing a string without worrying about escaping quotes and so on.
As you've mentioned, it doesn't really provide a lot of benefit over other string formats - although, it does mean you can write a block of HTML without escaping out of PHP with ?>
It also isn't too popular as its use generally goes against the practice of separating content from logic by embedding the content in the middle of your script.
Does this help? http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc
It allows you to echo out a block of text (just the same as with echo "words";), but without using the beginning/ending quotes, and without having to escape contained double quotes. Read the manual link above for more detail.
It's a heredoc. It's just a way of defining a string.
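An added example, not code from the answers above, that shows the two sides of what they describe: a heredoc holding a block of HTML in a variable (quotes unescaped, variables interpolated) next to a nowdoc, the single-quote-like form in which nothing is interpolated. Because the heredoc still interpolates, the values are passed through htmlspecialchars() first. renderCard() and the sample title and user values are this example's own.

```php
<?php
// Added example (not from the original answers): heredoc vs nowdoc for a block
// of HTML held in a variable. $title and $user are constructed sample values.

declare(strict_types=1);

function renderCard(string $title, string $user): string
{
    // Escape once, at the HTML boundary, before interpolating into markup.
    $safeTitle = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    $safeUser  = htmlspecialchars($user,  ENT_QUOTES, 'UTF-8');

    // Heredoc (<<<HTML): behaves like a double-quoted string, so $vars and
    // {$expr} are interpolated, but " and ' need no escaping at all.
    return <<<HTML
<div class="card" title="{$safeTitle}">
    <p>Hello, '{$safeUser}'!</p>
</div>
HTML;
}

// Nowdoc (<<<'EOT'): behaves like a single-quoted string; nothing inside is
// interpolated, so $undefined is emitted literally. Handy for static snippets
// that contain dollar signs, e.g. a client-side template.
$static = <<<'EOT'
<script>var price = "$undefined stays literal";</script>
EOT;

echo renderCard('Sale "today"', "O'Brien"), PHP_EOL;
// <div class="card" title="Sale &quot;today&quot;">
//     <p>Hello, 'O&#039;Brien'!</p>
// </div>

echo $static, PHP_EOL;
// <script>var price = "$undefined stays literal";</script>
```

The closing identifier (HTML; and EOT; above) must start its own line; placing it at column 0 keeps the example valid on every PHP version that supports heredoc, whereas indenting it requires PHP 7.3 or later.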

formatting javascript to be echoed out by php

I am trying to echo out some JavaScript, but I can't get the formatting right. I start off by putting the JavaScript I want to output into a string:
$javascript = 'onmouseover="this.style.backgroundColor='blue'" onmouseout="this.style.backgroundColor='white'"';
and then echo it out like this
$hint="<span $javascript>".$artistname->item(0)->childNodes->item(0)->nodeValue."</span>";
Any help would be much appreciated.
Using the event attributes is considered bad practice. JavaScript should be unobtrusive. Also, I do not see why you would have to store the attributes in a PHP variable instead of simply adding them to the span tag directly. And last but not least, why don't you just use the CSS :hover selector to change the background color when the mouse is over the span? That would be a clean approach.
As you can tell from the coloring in the quoted code, you need to escape your single quotes. You will end up with:
$javascript = 'onmouseover="this.style.backgroundColor=\'blue\'" onmouseout="this.style.backgroundColor=\'white\'"';
You should start with the output string. You want it to look like this:
onmouseover="this.style.backgroundColor='blue'"
onmouseout="this.style.backgroundColor='white'"
Now, in order to put that string in PHP into a variable, you need to surround it with either single or double quotes. Since your string contains both single and double quotes, either of them needs to be "escaped".
Using single quotes:
$javascript = 'onmouseover="this.style.backgroundColor=\'blue\'"
onmouseout="this.style.backgroundColor=\'white\'"';
Using double quotes:
$javascript = "onmouseover=\"this.style.backgroundColor='blue'\"
onmouseout=\"this.style.backgroundColor='white'\"";
Edit:
Final note: read carefully what Gordon has posted.
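An added example, not code from the question or from any of the answers, for the case where an inline handler is kept and the value inside it is dynamic rather than the fixed 'blue' of the question. The answers above handle the quoting by hand; this block encodes the value layer by layer in the order the browser decodes it: json_encode() with the JSON_HEX_* flags makes it a JavaScript string literal that cannot leave the script context, then htmlspecialchars() makes the whole handler safe inside the attribute. jsStringLiteral(), hoverSpan() and the sample text and colour values are this example's own; it assumes PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
// Added example (not from the original answers): a dynamic value inside an
// inline event handler, encoded for JavaScript first and then for HTML.
// $text and $color below are constructed sample values.

declare(strict_types=1);

// Produce a JavaScript string literal. The JSON_HEX_* flags turn < > ' " &
// into \uXXXX escapes, so the literal can neither end the <script> context
// nor interact with the attribute quoting around it.
function jsStringLiteral(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

function hoverSpan(string $text, string $color): string
{
    $js   = 'this.style.backgroundColor=' . jsStringLiteral($color); // JS layer
    $attr = htmlspecialchars($js, ENT_QUOTES, 'UTF-8');               // HTML layer
    $body = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    return '<span onmouseover="' . $attr . '" onmouseout="this.style.backgroundColor=\'white\'">'
         . $body . '</span>';
}

echo hoverSpan('Artist', 'blue'), PHP_EOL;
// <span onmouseover="this.style.backgroundColor=&quot;blue&quot;"
//       onmouseout="this.style.backgroundColor='white'">Artist</span>

// A value carrying a quote and a statement separator stays inside one JS
// string literal: "blue\u0027; injected()" after the JS layer.
echo hoverSpan('Artist', "blue'; injected()"), PHP_EOL;
```

The browser first decodes the attribute (&quot; back to ") and only then parses the handler as JavaScript, which is why the JavaScript encoding has to be applied before the HTML encoding; doing it the other way round would leave the HTML entities inside the script text. For a fixed colour change, the CSS :hover approach recommended above needs none of this.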

What's the best practice to set html attribute via PHP?

When doing this job in PHP, one may meet this kind of issue:
<span title="<?php echo $variable;?>">...
The problem is that if $variable contains double quotes, we should change them to \"
And that's not the whole story yet:
<span title='<?php echo $variable;?>'>...
In this case, we need to change single quotes to \', but leave double quotes as is.
So how can we do it in a general, proper manner?
You always want to HTML-encode things inside HTML attributes, which you can do with htmlspecialchars:
<span title="<?php echo htmlspecialchars($variable); ?>">
You probably want to set the second parameter ($quote_style) to ENT_QUOTES.
The only potential risk is that $variable may already be encoded, so you may want to set the last parameter ($double_encode) to false.
Well, before you output any text into HTML you should escape it using htmlspecialchars(). So just make sure (double) quotes are correctly changed.
Pay attention to the second parameter of that function.
To address your edit [Edit: that you have removed meanwhile]: When you place JavaScript dynamically onto your site, you should know beforehand quite well what it will look like. Otherwise you open the door wide for XSS attacks. That doesn't mean you have to know every quotation mark, but you should know enough to decide how to embed it at the line where you finally output it in the HTML file.
Beyond that,
<a onclick="func(&apos;l&apos;)">
works exactly like
<a onclick="func('l')">
The Bat tool has a StringTool::htmlAttributes ( $arrayOfAttributes ) method that does the job too.
https://github.com/lingtalfi/Bat/blob/master/StringTool.php
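An added example, not code from the question, the answers, or the Bat library linked above, that shows what the second parameter (the quote style) and the last parameter ($double_encode) of htmlspecialchars() change for a value going into an attribute, and the &apos; versus &#039; point from the previous answer. The helper names and the sample inputs are this example's own.

```php
<?php
// Added example (not from the original answers): what the quote-style flags
// and $double_encode of htmlspecialchars() change for an attribute value.
// $raw and $alreadyEncoded are constructed sample inputs.

declare(strict_types=1);

// ENT_COMPAT encodes " but leaves ' alone: enough for title="..." but not
// for title='...'.
function attrDoubleQuotedOnly(string $v): string
{
    return htmlspecialchars($v, ENT_COMPAT, 'UTF-8');
}

// ENT_QUOTES encodes both " and ', so the same value is safe in "..." and
// '...' attributes alike. With $double_encode = false an entity that is
// already present (e.g. &amp;) is kept instead of becoming &amp;amp;.
function attrAnyQuotes(string $v, bool $doubleEncode = true): string
{
    return htmlspecialchars($v, ENT_QUOTES, 'UTF-8', $doubleEncode);
}

$raw = 'Tom & Jerry\'s "best" <show>';

echo attrDoubleQuotedOnly($raw), PHP_EOL;
// Tom &amp; Jerry's &quot;best&quot; &lt;show&gt;

echo attrAnyQuotes($raw), PHP_EOL;
// Tom &amp; Jerry&#039;s &quot;best&quot; &lt;show&gt;

$alreadyEncoded = 'Tom &amp; Jerry';
echo attrAnyQuotes($alreadyEncoded), PHP_EOL;        // Tom &amp;amp; Jerry
echo attrAnyQuotes($alreadyEncoded, false), PHP_EOL; // Tom &amp; Jerry

// With ENT_HTML5 the single quote becomes &apos; instead of &#039;; inside
// an attribute the browser treats both as the same character.
echo htmlspecialchars("'", ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL; // &apos;
```

Pass the flags explicitly: before PHP 8.1 the default quote style was ENT_COMPAT, so a bare htmlspecialchars($v) left single quotes untouched, while from 8.1 on the default is ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401. Leaving $double_encode at true is the safer default, since the only cost of double-encoding is a visible &amp;amp; in the page rather than a parsing difference.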
