I have a website where users can write posts, however im haveing trouble echoing the post along with its title.
Heres My Code:
Post.inc.php:
echo '<input type="button" value="Read More"
onclick="window.location=\'read_more.php?start=' .
urlencode($row['post']) . ' \';" />';
echo "</p>";
Read_more.php:
<?php
date_default_timezone_set('America/New_York');
include 'post.inc.php';
?>
<?php
$start = (!empty($_GET['start']) ? $_GET['start'] : false);
echo '<p>. $title .<br> ' . $start . '<p>';
?>
Only the post is being echoed and not the title. How would I go about fixing this problem?
-Thanks in advance
As Chris said, this is very vulnerable to XSS attacks, you need to sanitize the $_GET['start'] value before echoing it. Also, passing the entire post in the url is not a great idea. If you are storing the post in a database you are better off sending an ID value of some sort through the URL, validating/sanitizing it and retrieving the post directly from the database to be displayed.
I cannot see where you have given $title a value. It is not defined in any of the code you have provided. This means it cannot display anything when echoed.
Also, the structure of your echo is incorrect.
echo '<p>'. $title .'<br>'. $start .'</p>';
is what you are looking for here. notice the single quotes are closed before $title and re-opened before the break tag.
variable will not be expanded when it occur in single quoted strings.You can find this notice in PHP Manual
so,
echo '<p>. $title .<br> ' . $start . '<p>'
should be modified to
echo '<p>'. $title .'<br>'. $start .'</p>';
or use double quoted instead,
"<p>{$title}<br>{$start}</p>"
As Matt said, echoing the $_GET['start'] directly will make your site be vulnerable,which can result in attacks like phishing.
In a general way, there are some operations like filter,type check to sanitize the value gained from frontend. The PHP Manual provides a lot of function to do this,intval(),PCRE,mysqli_escape_string(),array_filter(),htmlspecialchars()...
IMHO,you should use a SQL server like MySQL,SQLite,or others to storage the data from frontend which can help your site work better.
Related
I'm using the echo command in PHP, but I want to enter PHP code like <?php echo $variable [id_login]?>, while echoing something else out, but this does not work.
Is this possible to do, and if so, how would I do it?
echo "<script>location='member.php?&id=<?php echo $taruh[id_login] ?></script>";
You cannot use echo or open/cloce php twice like you did, you might want to try something like the line below,
echo '<script>location=member.php?id=' . $taruh[id_login] . '</script>';
after echo you can write enything you'd like, even if it's a php variable, just use single quote and dot where you need it (like I do here), as you can see, echo is only used once..
For example:
<?php
$your_variable = 'some text';
$other_variable = 'some PHP code';
echo 'I wrote: ' . $your_variable . ' and ' . $other_variable . '!';
?>
Output will be:
I wrote: some text and some PHP code!
I hope this will bring you into the right direction..
EDIT
Also important: if you use query string in URLs, the first 1 can be a ? every other part after should be a & for example see the url below
http://www.example.com/index.php?id=12345&coder=yes&country=usa
before id I used a quest sign, for all others I didn't use the quest sign...
I'm a little lost here, hoping that someone can help. I'm using the Meta Box plugin for WordPress, and I'm trying to create a process for the user to select an option from a predefined list, and then assign a URL to that option as a link. Im trying to define the URL in a variable, and then call it in a function, but I'm still a little green on PHP syntax. this is my code now:
<?php
$article_url= rwmb_meta('orion_2016_article_url', 'type=URL');
if (rwmb_meta('orion_2016_article_source') != '') {
echo '<a href= ("$article_url") target=blank>';
echo rwmb_meta('orion_2016_article_source');
echo '</a>';} ?> on <?php the_date(); ?>
Since the options are already predefined, it seems like assigning a random URL to one of the options should be pretty simple. Hopefully this makes sense!
You need to to place variables you wish to echo inside double quotes or simply concatenate strings using . as in my example. Note that I didn't check the plugin's specific syntax, only general PHP syntax.
<?php
$article_url= rwmb_meta( 'orion_2016_article_url', 'type=URL' );
if (rwmb_meta('orion_2016_article_source') != '') {
echo '' . rwmb_meta( 'orion_2016_article_source' ); . '';
} ?> on <?php the_date(); ?>
Hopefully this is simple to solve. I have a few elements which pull in form data previously entered into the database, which are added to the post as custom fields. I extract this using a php query as such:
<a href="<?php echo get_post_meta($post->ID, 'societywebsite', true); ?>" target="_blank" >Website</a>
Obviously, this appears in the Loop (content.php) and will get added to any appropriate post. Sometimes, however, there won't be any data because a user chose not to enter a website into the 'societywebsite' field on a form. When this happens, there's no need for a link to 'Website' to be there, because it wouldn't go anywhere useful.
What I'd like to know is how to have an If clause that checks if the data exists and then shows the link only if it does. I don't mind javascript, but the cleaner and less 'hacky' the solution, the better, as content.php will run multiple times for search results.
Thanks so much for any help or advice you can provide.
Another way to do this, more according to the Wordpress Codex is the following...
$societywebsite = get_post_meta($post->ID, 'societywebsite', true);
if ($societywebsite != '') {
echo '<a href="' . $societywebsite . '" target="_blank" >Website</a>';
}
You can add an 'else' at the end of this for debugging purposes.
Assuming that field is a string for a url, you could do something like this.
if (strlen(get_post_meta($post->id, 'societywebsite', true)) < 1) {
echo '<a href="' . get_post_meta($post->ID, 'societywebsite', true) . '" target="_blank" >Website</a>';
}
That will very simply check if that field has a string that is more than 1 characters. If it is more than 1 characters, it will display the link. If not...it won't do anything.
I have been using the following to add a dynamic link on a page I am writing, it works ok and appears how it should on the page but I cant help but think that I am going a bit backwards with the way its written as it looks messy. What is the correct way to write it, as if I put it all in one line it doesn't work ?..
echo '<a href="./customer-files/';
echo $customerID;
echo '/';
echo $filename->getFilename();
echo '">';
echo $filename->getFilename();
echo '</a>';
Try with
echo "{$filename->getFilename()}";
Here there is the documentation with a lot of examples of how to concatenate output.
I'd approach it like this:
$safe_customer_id = htmlspecialchars(urlencode($customerID));
$safe_filename = htmlspecialchars(urlencode($filename->getFilename()));
$safe_label = htmlspecialchars($filename->getFilename());
echo "$safe_label";
I would go with this:
$fn = $filename->getFilename();
$link = $customerID . '/' . $fn;
echo ''.$fn.'';
If you're using a template layer, it is even better to break out into PHP only when you need to:
<a href="./customer-files/<?php
echo $customerID . '/' . $filename->getFilename()
?>">
<?php echo $filename->getFilename() ?>
</a>
This way, your IDE will correctly highlight your HTML as well as your PHP. I've also ensured that all PHP is in single-line blobs, which is the best approach for templates (lengthy statements should be banished to a controller/script).
Concatenation is your friend. Use a . to combine multiple string expression into one.
echo ''.$filename->getFilename()/'';
Even better way would be
$filename = $filename -> getFilename(); //cache the filename
echo "<a href='/$customerId/$filename'>$filename</a>";
// ^ On this echo NOTICE that variables can be DIRECTLY placed inside Double qoutes.
I am storing in a mySQL table the HTML/PHP content of individual slides to be displayed on a single page.
Here is an example of HTML/PHP code stored in the mySQL table:
<p>Welcome <?php echo $userData['fname']; ?>!</p>
<p>You made it to the first slide!</p>
I retrieve the content of the slides in PHP with the following code:
<?php
$fetchedPageSlideData = mysql_query("SELECT * FROM pageSlides WHERE pageID = $pageID ORDER BY 'order' DESC") or die(mysql_error());
while ($pageSlideData = mysql_fetch_array($fetchedPageSlideData)) {
$pageSlideContent = $pageSlideData['content']; ?>
<div><?php echo $pageSlideContent; ?></div>
<?php }
?>
All of the HTML of the content displays correctly, but the PHP is inserted as follows:
<!--?php echo $userData['fname']; ?-->
So the PHP is commented out and doesn't display.
How can I retrieve the HTML/PHP code and have the PHP not commented out?
It might be a better idea to use placeholder strings in the DB data. Executing arbitrary php code from a DB can be dangerous. PHP is Evil
Look into PHP function eval(): http://php.net/manual/en/function.eval.php
Dropping in and out of the PHP interpreter makes your code rather difficult to read. Consider:
<?php
$f = mysql_query(
"SELECT *
FROM pageSlides
WHERE pageID = $pageID
ORDER BY 'order' DESC"
) or die(mysql_error());
while ($d = mysql_fetch_array($f)) {
print "<div>" . $d['content'] . "</div>\n";
}
Regardless there is no implicit nor explicit mechanism here which would inject the comment tags you've presented. However it may be the browser trying to make sense of the unescaped html code and <?php ... ?> tags.
Try:
print "<div>" . htmlentities($d['content']) . "</div>\n";
As a side note, you might consider using
print "<div>" . highlight_string($d['content']) . "</div>\n";
Or do you mean that you actually want to run the code stored in the database - if so, you're asking for a world of pain. Eval is not evil - but you really must know what you're doing to avoid getting bitten by it.