To display a string from the database In the output the string is shown halfway
Like the following Sample in database
PHP is a server scripting language
The output is as follows
php
.
Code to display
<input type="radio" name=<?php echo 'answare'.$r['id_q'];?>
value=<?php echo $r['answare'];?> >
Its messy,
Please separate the 2, your view & your controller should not be mixing.
$radio = sprintf('<input type="radio" name="answare%s" value="%s" >', $r['id_q'], $r['answare'] );
Please look into template & mvcs.
Try Laravel, its an easy thing to pick up.
You should always put quotes around attributes. Otherwise, a space in the attribute will end it.
<input type="radio" name="<?php echo 'answare'.$r['id_q'];?>"
value="<?php echo htmlentities($r['answare']);?>" >
Using htmlentities() protects in case $r['answare'] contains quotes or other special characters.
Related
When I use PHP to set the value of a HTML form input element, it works fine provided I don't have any spaces in the data.
<input type="text" name="username"
<?php echo (isset($_POST['username'])) ? "value = ".$_POST["username"] : "value = \"\""; ?> />
If I enter "Jonathan" as the username, it is repeated back to me as expected. If I enter "Big Ted", however, I only get "Big" repeated back when I submit the form.
Note that the $_POST["Username"] variable is correct; when I echo it using PHP, it is set to "Big Ted".
Quote it. Otherwise the space will just become an attribute separator and everything after spaces will be seen as element attributes. Rightclick page in webbrowser and view source. It should not look like this (also see syntax highlight colors):
<input value=Big Ted>
but rather this
<input value="Big Ted">
Not to mention that this would still break when someone has a quote in his name (and your code is thus sensitive to XSS attacks). Use htmlspecialchars().
Kickoff example:
<input value="<?php echo (isset($_POST['username']) ? htmlspecialchars($_POST['username']) : ''); ?>">
<input type="text" name="username"
<?php echo (isset($_POST['username'])) ? "value = '".$_POST["username"]' : "value = ''"; ?> />
You have to wrap the variable result with quotes, so that the browser can know what's the content of the input.
<input type="text" name="username"
<?php echo (isset($_POST['username'])) ? ('value = "'.$_POST["username"].'"') : "value = \"\""; ?> />
Be aware of your quote usage.
As you see its not PHP5 or even PHP question at all.
Basic HTML knowledge is obligatory for one who want to be a PHP user.
And with using templates it looks way more neat:
Getting data part code:
$username = "";
if isset($_POST['username'])) $username = htmlspecialchars($_POST["username"]);
And template code:
<input type="text" name="username" value="<?=$username?>">
If you divide your code to 2 parts it become way more supportable and readable.
just make sure you put the colon after the field for example :
<option value="'.$row['name'].'">
Used quotes and it worked.
On the other side, needed to use the following:
$param=preg_replace('/[^A-Za-z0-9 ]/','', $param);
I have a problem with 'hidden',
PHP:
$text = addslashes("Black Sun's zenith");
echo "<input type='hidden' value=".$text." name='saveCard[]'>";
showing the actual code is:
<input type="hidden" value="Black" sun\'s="" zenith="" name="saveCard[]">
to show the correct code is:
<input type="hidden" value="Black Sun's zenith" name="saveCard[]">
Thank all.
addslashes is a generic routine for escaping content for languages that use the \ character to start an escape sequence. HTML is not such a language, and most languages that are have a better, more specific function to handle escaping.
Use htmlspecialchars, not addslashes to escape content for HTML.
Since the attribute value contains spaces, you also need to wrap it in quote characters.
echo "<input type='hidden' value=\"".htmlspecialchars($text)."\" name='saveCard[]'>";
As a rule of thumb, try to avoid putting HTML inside PHP strings.
?>
<input
type="hidden"
value="<?php echo htmlspecialchars($text); ?>"
name="saveCard[]">
<?php
Yes, put {} around $text variable should help.
I retrieve three pieces of information from the database, one integer, one string, and one date.
I echo them out to verify the variables contain the data.
When I then use the variables to populate three input boxes on the page, they do not populate correctly.
The following do not work:
id: <input type="text" name="idtest" value=$idtest>
Yes, the variable must be inside <?php var ?> for it to be visible.
So:
id: <input type="text" name="idtest" value=<?php $idtest ?> />
The field displays /.
When I escape the quotes,
id: <input type="text" name="idtest" value=\"<?php $idtest ?>\" />
the field then displays \"\".
With single quotes
id: <input type="text" name="idtest" value='<?php $idtest ?>' />
the field displays nothing or blank.
With single quotes escaped,
id: <input type="text" name="idtest" value=\'<?php $name ?>\' />
the field displays \'\'.
With a forward slash (I know that's not correct, but to eliminate it from the discussion),
id: <input type="text" name="idtest" value=/"<?php $name ?>/" />
the field displays /"/".
Double quotes, escape double quotes, escape double quotes on left side only, etc. do not work.
I can set an input box to a string. I have not tried using a session variable as I prefer to avoid do that.
What am I missing here?
Try something like this:
<input type="text" name="idtest" value="<?php echo htmlspecialchars($name); ?>" />
That is, the same as what thirtydot suggested, except preventing XSS attacks as well.
You could also use the <?= syntax (see the note), although that might not work on all servers. (It's enabled by a configuration option.)
You need, for example:
<input type="text" name="idtest" value="<?php echo $idtest; ?>" />
The echo function is what actually outputs the value of the variable.
Solution
You are missing an echo. Each time that you want to show the value of a variable to HTML you need to echo it.
<input type="text" name="idtest" value="<?php echo $idtest; ?>" >
Note: Depending on the value, your echo is the function you use to escape it like htmlspecialchars.
From the HTML point of view everything's been said, but to correct the PHP-side approach a little and taking thirtydot's and icktoofay's advice into account:
<?php echo '<input type="text" name="idtest" value="' . htmlspecialchars($idtest) . '">'; ?>
If you want to read any created function, this how we do it:
<input type="button" value="sports" onClick="window.open('<?php sports();?>', '_self');">
I have been doing PHP for my project, and I can say that the following code works for me. You should try it.
echo '<input type = "text" value = '.$idtest.'>';
i have the following code :
<input type="text" value="<?php echo $_GET['msg']; ?>">
This input is automatically filled with the name that is writen in the previous page.
So, if the user wrote : i like "apples" and banana
The input will be broken because it will close the tag after the double quotes.
I know i can avoid that by html entiting the value, but i don't want this, is there another solution or is there an <<< EOD in html ?
Thanks
htmlentities() / htmlspecialchars() is the standard way for this. You should use it.
You can always decode the entities before you send them by E-Mail, or do something else with them using html_entity_decode().
You should use the htmlspecialchars function, to escape the output for HTML :
<input type="text" value="<?php echo htmlspecialchars($_GET['msg']); ?>">
Note : you might have to add some additionnal parameters, if you are not using ISO-8859-1 as charset ; for example, with UTF-8 :
<input type="text" value="<?php echo htmlspecialchars($_GET['msg'], ENT_COMPAT, 'UTF-8'); ?>">
One function or another will cause some kind of trouble.
I came up with the following to keep the ampersand:
<input type="text" value="<?php echo parseString($_GET['msg']); ?>">
<?php
function parseString($str) {
$result=str_replace('"','"',$str);
$result=str_replace("'","'",$result);
return $result;
}
when I have a value like this in the database ("foo")
how can I echo it without any conflict with html code
notice
<input type="text" value="<? echo '"foo"'; ?>" />
the result will be like this
<input type="text" value=""foo"" />
how can I fix it ?
use urlencode
or htmlspecialchars
link
You can use htmlentities to overcome this problem like so:
<input type="text" value="<? echo htmlentities('"foo"'); ?>" />
this will return
<input type="text" value=""foo"" />
avoiding any conflict with html.
htmlspecialchars() basically, for example
<input type="text" value="<? echo htmlspecialchars($value, ENT_QUOTES); ?>" />
The ENT_QUOTES is optional and also encodes the single quote ' .
I used $value since I'm not sure what exactly you have in the database (with or without quotes?) but it will sit in some kind of variable if you want to use it anyway, so, I called that $value.
Since the above is a bit unwieldy I made a wrapper for it:
// htmlents($string)
function htmlents($string) {
return htmlspecialchars($string, ENT_QUOTES);
}
So you can
<input type="text" value="<? echo htmlents($value); ?>" />
Not to be confused with the existing htmlentities(), which encodes all non-standard characters. htmlspecialchars() only encodes &, <, >, " and ', which is more appropriate for UTF8 pages (all your webpages are UTF8, right? ;-).
First, don't use short tags ('
Next, your HTML is malformed because you've got an extra set of quotes. Since you seem to be taking the approach of embedding PHP into the HTML, then a quick fix is:
<input type="text" value="<?php echo 'foo'; ?>" />
...although since this value is coming from your database it will be stored in a variable, probably an array, so your code should look more like:
<input type="text" value="<?php echo $db_row['foo']; ?>" />
For clarity, most programmers would try to eliminate switching between PHP parsed and non-parsed code either using a template system like smarty or....
<?php
....
print "<input type='text' value='$db_row[foo]' />\n";
....
?>
(Note that
1) when the variable is within double quotes with a block of PHP, the value is automatically substituted
2) when refering to an associative array entry within a double quoted string, the index is NOT quoted.
HTH
C.
<?php
echo "<input type='text' value='{$foo}' />" ;
?>