If it has a single quote in it, any string that I try to enter into my HTML input box is truncated in the input box once it is submitted. Its POST value comes thru unchanged, but the string shows as truncated in the input box, whether I use htmlspecialchars() or not. A noobie question, no doubt, but I've tried hard to figure it out and run out of ideas. Thanks for any help.
<!DOCTYPE html>
<body><title> Self-inserting input_box_SO.php </title>
<?php
// POST form initiation.
ECHO "<form action='input_box_SO.php' method='post'>";
// GET POSTed value and escape it for HTML use
$Caption_htmlspecialchars=$_POST['Caption_htmlspecialchars'];
$Caption_htmlspecialchars=htmlspecialchars($Caption_htmlspecialchars);
ECHO "The echo of the variable <em> \$Caption_htmlspecialchars </em> looks like this:<br>";
ECHO "<b> $Caption_htmlspecialchars </b><br>";
ECHO "But in the input box, \$Caption_htmlspecialchars is truncated by a single quote: <br>";
// ETA: Bad old line that caused the problem, now commented:
// ECHO "<input type='text' name='Caption_htmlspecialchars' size=100 value='$Caption_htmlspecialchars' maxlength = 100 required /><br><br>";
// ETA: Newly added line that fixes the problem:
echo '<input type="text" name="Caption_htmlspecialchars" size=100 value="'.$Caption_htmlspecialchars.'" maxlength = 100 required /><br><br>';
// SUBMIT button. Submits back to the same page: input_box.php
echo "<b><input type='Submit' name='submit' value='Submit'/></b></br></br>";
?>
</body></html>
Here is what Inspect Elements > Elements shows for the input element:
input_box_SO.php
The echo of the variable $Caption_htmlspecialchars looks like this: test with special chars. & " < > and a single quote ('), which causes truncation in the input box. But in the input box, $Caption_htmlspecialchars is truncated by a single quote: and a single quote (" ),="" which="" causes="" truncation="" in="" the="" input="" box.="" '="" maxlength="100" required="">
With the Source looking like this: value='test with special chars. & " < > and a single quote ('), which causes truncation in the input box. '
You need to change your sequence of single quotes nad double quotes to display string. change your echo <input as below
echo '<input type="text" name="Caption_htmlspecialchars" size=100 value="'.$Caption_htmlspecialchars.'" maxlength = 100 required /><br><br>';
Try to use the addslashes and do it like
$Caption_htmlspecialchars = addslashes($Caption_htmlspecialchars);
Related
i am struggling to get a whole string to be the value of an input tag
this is my code thus far but am not sure what is wrong with it
$message = "You have completed {$offername} [{$offerprovider}] and received {$offerpayout}";
echo "<input id='message' style='display: none;' value={$message}>$message</div>";
but when i check the value in javascript or something it just outputs the first word You any help would be appreciated as i am stuck
There are at least two problems in your code:
echo "<input id='message' style='display: none;' value={$message}>$message</div>";
The HTML generated by the line above looks like this:
<input id='message' style='display: none;' value=You have completed ...>
There are no quotes around the value of HTML attribute value. While the quotes are optional if the attribute value is a single word, they are needed when the value of the attribute contains many words; otherwise the value of attribute "value" is You and have, completed etc. are other HTML attributes of the input element.
The second problem of the code comes from the fact that you put some text there without correctly encoding the HTML special characters. For example, if the value of $offername is O'Brian, the generated HTML code (after the value of the "value" HTML attribute is correctly quoted) becomes:
<input id='message' style='display: none;' value='You have completed O'Brian [...] and received ...'>
and it is still invalid. Use the PHP function htmlspecialchars() to properly encode the HTML special characters to get their literal value in the final HTML page.
Another minor notice (not a show stopper) is the quoting character. It's better to use quotes (") for quoting of the attribute values in HTML. Apostrophes (') are allowed but not recommended.
All in all, a better way to write the code is:
$message = "You have completed {$offername} [{$offerprovider}] and received {$offerpayout}";
$encodedMsg = htmlspecialchars($message);
printf('<input id="message" style="display: none;" value="%s">%s</div>',
$encodedMsg, $encodedMsg);
Remember that everything you put in the HTML should be properly encoded or the browser might correct and interpret it in a different way than you intended.
Try this
echo "<input id='message' style='display: none;' value='{$message}'>$message</div>";
The attributes values must enclosed with single or double quotes otherwise it will split the text with space. it will print out like this.
<input id="message" style="display: none;" value="You" have="" completed="" and="" received="">
I'm trying to build a comment system, each comment has a unique id, many comments can be associated with a post, and each post has a unique id. I want to pass the post id to a submit.php file (where comments are update to the database), but no matter what I tried I just can't pass the data. Currently I have something like this:
$sql="SELECT postid,post,pdate FROM posts";
$result = mysql_query($sql);
while($row = mysql_fetch_array($result)) {
echo '$row["post"]';
echo '<form action="submit.php" method="POST">';
echo '<input name="comment" type="text" id="comments"></input>';
echo '<input type="hidden" name="id" value="$row["postid"]" />';
echo '<input type="submit" value="enter comments" />';
}
?>
for testing purpose I have submit.php as follows,
<?php
$ha=$_POST['id'];
echo $ha;
?>
data of postid is not passed, and I just got "$row[" as output.
inside the while loop if I say $haha=$row["postid"]; echo "$haha"; then each individual post id will be printed correctly, but I just cannot pass the data to submit.php file.
update: I just changed my code to :
echo '<input type="hidden" name="id" value="' . $row["postid"] . '" />';
Now a number is succesfully passed to submit.php, the problem is ,it's always "3". My post id ranges from 3 to 13, post with id=3 is at the bottom of the page and post with id=13 is at the top.However,if I write a comment at the post with id=13(same issue occur to other posts as well), after clicking submit, the data passed to submit.php is always 3. Is there something wrong with the while loop?
Another update: it's always 3 because i forget to close the form tag, now everything worked perfectly
you're using single quote, so you cannot insert variables inside of string, use
echo '<input type="hidden" name="id" value="' . $row["postid"] . '" />';
In PHP, you can wrap a string in single-quotes ('), or double quotes (").
When you use single quotes, the string is not interpreted - this means that all the characters are left intact, and no variables are parsed.
When you use double quotes, any variables in the string will be replaced with their value.
In your case, you're using single quotes, so your variable is not being interpreted and converted. Instead, use double quotes:
$sql="SELECT postid,post,pdate FROM posts";
$result = mysql_query($sql);
while ($row = mysql_fetch_array($result)) {
echo $row["post"];
echo '<form action="submit.php" method="POST">';
echo '<input name="comment" type="text" id="comments"></input>';
echo "<input type=\"hidden\" name=\"id\" value=\"{$row["postid"]}\" />";
//Alternatively, keep the single quotes and use the concatenation method:
//echo '<input type="hidden" name="id" value="' . $row["postid"] . '" />';
echo '<input type="submit" value="enter comments" />';
//Also, if you're opening a form tag in this loop, be sure to close it
echo '</form>';
}
Some other things to note:
When you use double quotes to wrap your string, and you have double quotes inside your string, you must escape them (using a \). Notice name="id" became name=\"id\"; and
When referencing an item in an array within a string, you can either use string concatenation to ensure the full variable is interpreted correctly (value=\"" . $row["postid"] . "\"), or you can leave the variable in place and wrap it in curly brackets - which is my preference and is what is used above. If you're going to use the concatenation method, then you can keep the single quotes wrapping everything else - there are no variables to parse.
When echoing a variable value, you don't need to wrap it in anything - notice I removed the quotes from the first echo.
Here is PHP's documentation on strings, including single and double quoted strings: http://php.net/manual/en/language.types.string.php.
And here is PHP's documentation on string operators: http://php.net/manual/en/language.operators.string.php.
Try adding a conditional at the start of your file like this just to be sure the form is actually submitted properly:
<?php
if(isset($_POST['submit_form'])) {
$ha=$_POST['id'];
echo $ha;
}
with your button like this
<input type="submit" value="enter comments" name="submit_form"/>
and please close your form tag.
You can pass value as follow,
echo '<input type="hidden" name="id" value="' . $row["postid"] . '" >';
I have a profile page in which I want to display informations from the database for most users, and a form with the current data as default value for the users with modification rights.
if ($IDprofile == $_SESSION['userID'])
{
echo "<form method='post'>
Surname: <input type='text' required name='surname' maxlength=50
value=".htmlentities($user['Surname'])."><br>
Name: <input type='text' required name='name' maxlength=50
value=".htmlentities($user['Name'])."><br>
Birthdate (format YYYY-MM-DD): <input type='text' required name='BirthDate' value='";
if ($user['BirthDate'] != null)
echo $user['BirthDate'];
else
echo "-";
echo "'><br>
Description: <input type='text' maxlength=255 name='description' value='";
if ($user['Description'] != null)
echo htmlentities($user['Description']);
else
echo "-";
echo "'><br>
<input type='submit' value='OK'></form>";
}
As you can see, I tried with htmlentities, which should transform the apostrophe into ', but it doesn't work. Other methods like addslashes and addcslashes don't work either.
What is displayed is my form input with the value it should have, until the place where there should be an apostrophe, where it just ends. addslashes does the same, with a / before the end.
What puzzles me the most is that I have a surname with an apostrophe in it in my database, and this one is displayed just fine.
htmlentities by default only encodes " double quotes, because those are the more common terminators for HTML attributes. If you want it to encode ' single quotes too, you need to set the ENT_QUOTES flag:
htmlentities($foo, ENT_QUOTES | ENT_HTML401)
(ENT_HTML401 is the other default flag; these days you may want to use ENT_HTML5 instead.)
You should also actually delimit your attributes with quotes! Currently your result looks like value=James, which isn't incorrect, but will get you into trouble once your values contain spaces or, well, quotes or other special characters.
Please try outputting your variables like this:
htmlspecialchars($user['Surname'], ENT_QUOTES);
Also be sure to disable magic quotes in your system so you don't get any extra slashes automagically when posting new data.
This is my php code. For an example:
<?php
while($row=sqlsrv_fetch_array($result))
{
$ItmName = $row['ItemName'];
}
?>
This is my html:
<input type="text" id="ItmName" name="ItmName" value="<?php echo $ItmName; ?>" />
If the data is as such 3" FILE which have double quotes, in the textbox field it will only be displayed as:
3
which it supposed to be
3" FILE
but IF the data is 3' FILE which is a single quote, it will be displayed as 3' FILE. So there's no problem. So my question is, how to display the data with the double quotes in a HTML input's value.
Always always always escape output that you don't trust.
Use htmlspecialchars (or htmlentities) to escape strings so they are safe to use in HTML.
I try to show this string : «let's go» in a the value of an input tag
i wrote:
$chaine="let's go";
echo "<input type=text name=test value='".$chaine."'>";
result: let
What can i do to show the correct string in this case ?
use htmlspecialchars
echo "<input type=text name=test value='".htmlspecialchars($chaine, ENT_QUOTES)."'>";
You can look at htmlentities()
htmlentities($chaine, ENT_QUOTES) ;
This produces
<input type=text name=test value='let's go'>
You can see, that for HTML (--> your Browser) the value ends after "let". Everything after that is invalid (but ignored). Escape
$chaine = "let\'s go";
However, in HTML double quotes are prefered and omitting the quotes is also no good style
$chaine="let's go";
echo '<input type="text" name="test" value="'.$chaine.'">';
In this case you must escape every double quote.