I'm trying to add a variable as a part of a link, but I haven't been able to do it.
<?php
$fname=$data_array["firstname"];
echo '<a class="pin-button" href="https://myweb.com/description=$fname&editable=false&success_url=http%3A%2F%myweb.com%2Fsuccess"><img src="http://myweb.com/images/button.png" width="120"></a>';
?>
The link works perfectly, but I need to add the variable after description=$fname
Thanks a lot!
1: $variables don't work inside single quotes, instead of
echo '<a href="$path">'
try
echo "<a href='$path'>"
2: If you wish to use single quotes you can use concatenation instead:
echo '<a href="'.$path.'">'
3: In either case, you should be escaping your strings when printing them inside HTML:
echo "<a href='".htmlspecialchars($path, ENT_QUOTES)."'>"
This prevents characters (such as quotes and less-than signs) from having unintended effects, and prevents exploits by maliciously crafted data.
I am quite new to PHP. I have to store an img tag in a var. I think this is ok:
$fotoTag1 = "<img src='42.png'
alt='text alt'>";
But the problem comes if there is a single quote in the name of the photo or in the alt. For instance, don't
What I have tried:
$fotoTag1 = "<img src='don't.svg' alt='don't>'";
echo htmlspecialchars ($fotoTag1);
echo addslashes($fotoTag1);
$fotoTag2 = "<img src='don\'t.svg' alt='don\'t'>";
echo $fotoTag2;
(This is a simplified example, but the url and alt come from a SQL database and of course I cannot change the text manually. I need a general solution)
Use htmlspecialchars() to properly encode the text fragments you use to build the HTML fragment, not the HTML you built:
$fotoTag1 = '<img src="'.htmlspecialchars("don't.svg").'" alt="'.htmlspecialchars("don't").'">';
Or, to be more clear:
// Wrapped for clarity
$fotoTag1 = sprintf(
'<img src="%s" alt="%s">',
htmlspecialchars("don't.svg"),
htmlspecialchars("don't")
);
Read about sprintf() and the different ways to specify a string in PHP.
addslashes() doesn't help when you build HTML content. As a side note, it is an obsolete function that doesn't have many uses nowadays.
$fotoTag2 = "<img src=\"don't.svg\" alt=\"don't\">";
echo $fotoTag2;
$fotoTag1 = "<img src='don't.svg' alt='don't>'";
Your problem here has nothing to do with PHP.
You have an HTML attribute value delimited with apostrophe characters and you want to use an apostrophe inside that value.
When you want to represent a character with special meaning in HTML as that raw character, you can use a character reference.
This can be a named entity (&apos;) or one of the numeric references to the position of the character in Unicode (&#39;);
<img src='don&apos;t.svg' alt='don&apos;t'>
Beware: &apos; was added to HTML relatively late. Old versions of IE do not support it.
Alternatively you could change your HTML so you use double quotes to delimit the data:
<img src="don't.svg" alt="don't">
This would introduce a PHP problem because you are using them to delimit the string literal.
In this case you would need to escape the data for PHP, which you do with a backslash character.
$fotoTag1 = "<img src=\"don't.svg\" alt=\"don't\">";
Alternatively, you could use some other form of string generation, such as HEREDOC.
$fotoTag1 = <<<END
<img src="don't.svg" alt="don't">
END;
As a rule of thumb, it is better to avoid storing HTML in variables in the first place.
When you want to output data, just switch to output mode:
?>
<img src="don't.svg" alt="don't">
<?php
You can always drop back into PHP mode if you need a variable.
$src = "don't.svg";
$alt = "don't";
?>
<img src="<?php echo htmlspecialchars($src); ?>" alt="<?php echo htmlspecialchars($alt); ?>">
<?php
(Note that for the characters involved, htmlspecialchars isn't needed in this example, but it does protect you when dealing with programmatically acquired data that you can't guarantee to be HTML safe).
You had the right idea using htmlspecialchars(); the issue with this specific example is that the function does not escape ' by default. You need to add the flag ENT_QUOTES to escape single quotes with htmlspecialchars().
You should also be applying this function just to strings you wish to escape, not the entire html line. This could, and most likely will in most cases, cause unintended side effects of escaping characters you didn't want escaped.
Try this, it's working:
$fotoTag1 = '<img src="'.htmlspecialchars("don't.svg", ENT_QUOTES).'"
alt="'.htmlspecialchars("don't", ENT_QUOTES).'">';
echo $fotoTag1;
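The same point applied to both threads above (the pin-button link with $fname and the img tag with don't.svg), as an added example that is not code from any of the answers: each value is escaped for the context it lands in, the query-string value with http_build_query() (an addition the answers do not mention) and the attribute values with htmlspecialchars(). $data_array is a constructed sample row.

```php
<?php
// Added example, not code from the answers above. Builds the pin-button link
// from the first question and the <img> tag from the second, escaping each
// value for the context it lands in. $data_array is a constructed sample row.
$data_array = ['firstname' => "D'Angelo <Dan> & co"];

// Query-string context: a value inside a URL is percent-encoded first, so a
// name containing & = # or a quote cannot alter the query or the attribute.
// http_build_query() does that for every key/value pair.
function pin_link(string $firstname): string
{
    $query = http_build_query([
        'description' => $firstname,
        'editable'    => 'false',
        'success_url' => 'https://myweb.com/success',
    ]);
    $url = 'https://myweb.com/?' . $query;

    // Attribute context: the finished URL is then escaped once for the HTML
    // attribute. ENT_QUOTES is passed explicitly (it is the default only from
    // PHP 8.1), so the result is safe inside "..." and '...' alike.
    return sprintf(
        '<a class="pin-button" href="%s"><img src="http://myweb.com/images/button.png" width="120"></a>',
        htmlspecialchars($url, ENT_QUOTES)
    );
}

// Escape the fragments, never the assembled tag: encoding the whole string
// (as in the question's echo htmlspecialchars($fotoTag1)) would also turn the
// tag's own < > " into entities.
function img_tag(string $src, string $alt): string
{
    return sprintf(
        '<img src="%s" alt="%s">',
        htmlspecialchars($src, ENT_QUOTES),
        htmlspecialchars($alt, ENT_QUOTES)
    );
}

echo pin_link($data_array['firstname']), "\n";
echo img_tag("don't.svg", "don't"), "\n";
```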
You should use the HTML ASCII codes, so for your example:
$fotoTag2 = "<img src='don&#39;t.svg' alt='don&#39;t'>";
Since &#39; is the ASCII code for single quote.
Well it is pretty much straight forward to encode or skip different html characters by using:
echo htmlspecialchars('<b>"name"</b>', ENT_QUOTES).'<br>';
or
echo htmlentities('<b>"name"</b>', ENT_QUOTES).'<br>';
Both of these statements work fine. But when I add single quotes '' inside the string like:
echo htmlspecialchars('<b>"'name'"</b>', ENT_QUOTES).'<br>';
or
echo htmlentities('<b>"'name'"</b>', ENT_QUOTES).'<br>';
Then in such a case it gives an error. Here I need to allow these single quotes inside that string. Please show me how to allow the single quotes '' inside the string.
You have to escape the ' with \. So try the following solution:
echo htmlspecialchars('<b>"\'name\'"</b>', ENT_QUOTES).'<br>';
echo htmlentities('<b>"\'name\'"</b>', ENT_QUOTES).'<br>';
The other way using " for parameter would look like the following:
echo htmlspecialchars("<b>\"'name'\"</b>", ENT_QUOTES).'<br>';
echo htmlentities("<b>\"'name'\"</b>", ENT_QUOTES).'<br>';
I have a print statement in some PHP code:
print "<a href='item.php?id='{$row[0]}''><img src='{$row[0]}.jpg'></a>";
{$row[0]} is an int. When I click on the image I get to a page "restofweburl/item.php?id=" with no number at the end of the URL. What am I doing wrong?
You end the href prematurely with a single quote, after id=. Change the line to:
print "<a href='item.php?id={$row[0]}'><img src='{$row[0]}.jpg'></a>";
This is because after the href you have two single quotes. I prefer to use the following syntax:
print '<img src="'.$row[0].'.jpg"/>';
I used single quotes for the print so I can use double quotes for the html attributes (alt/src). This is a preferred method, not a rule, but quite common practice.
As you can see, the color highlighting shows you where the echo ends, a variable gets inserted and the string continues. This makes it easier to spot small mistakes like your double single quote problem.
I am pretty new to php but I'm stuck on this problem... Say I want to put a link to another site with a given parameter, how do I do it correctly?
This is what I have now:
<html>
<body>
<?php
$param = "test";
echo "Click Here;
?>
</body>
</html>
Well, for starters, you might not wanna overuse echo, because (as is the problem in your case) you can very easily make mistakes on quotation marks.
This would fix your problem:
echo "Click Here";
but you should really do this
<?php
$param = "test";
?>
Click Here
You can do it a number of ways, depending on the type of quotes you use:
echo "<a href='http://www.whatever.com/$param'>Click here</a>";
echo "<a href='http://www.whatever.com/{$param}'>Click here</a>";
echo 'Click here';
echo "Click here";
Double quotes allow for variables in the middle of the string, whereas single quotes are string literals and, as such, interpret everything as a string of characters -- nothing more -- not even \n will be expanded to mean the new line character, it will just be the characters \ and n in sequence.
You need to be careful about your use of whichever type of quoting you decide. You can't use double quotes inside a double quoted string (as in your example) as you'll be ending the string early, which isn't what you want. You can escape the inner double quotes, however, by adding a backslash.
On a separate note, you might need to be careful about XSS attacks when printing unsafe variables (populated by the user) out to the browser.
There's a shorthand-type way to do this that I have been using recently.
This might need to be configured, but it should work in most mainline PHP installations.
If you're storing the link in a PHP variable, you can do it in the following manner based off the OP:
<html>
<body>
<?php
$link = "http://www.google.com";
?>
Click here to go to Google.
</body>
</html>
This will evaluate the variable as a string, in essence shorthand for echo $link;
I recommend using the short ' instead of ". If you do so, you will no longer have to escape the double quote (\").
In that case you would write
echo 'Click Here';
But look onto nicolaas' answer "what you really should do" to learn how to produce cleaner code.
You can embed a variable into a double quoted string like my first example, or you can use concatenation (the period) like in my second example:
echo "Click Here";
echo 'Click Here';
Notice that I escaped the double quotes inside my first example using a backslash.
Hi Jasper,
you can do this:
<?php
// printf() prints the formatted string; sprintf() only returns it
printf("Click Here", $param);
?>
Heredoc may be an option, see example 2 here: http://php.net/manual/en/language.types.string.php
I am using a bit of JavaScript like this:
echo '<a href="javascript:playSong'."('$row[artist]','$row[title]','$row[sourcefile]')".'">';
My problem is that sometimes my $row[artist] and $row[title] variables contain double quotes.
When this happens it breaks the javascript:playSong(); function call.
For example if the line was output like this:
<a href="javascript:playSong('Danny Elfman','Beetlejuice Theme (Kamei Halloween Edit)','2009-10-31-10-52-01.4521.data','28330')">
Everything would be fine.
But sometimes the function will look like this:
<a href="javascript:playSong('Danny Elfman','Beetlejuice "Theme" (Kamei Halloween Edit)','2009-10-31-10-52-01.4521.data','28330')">
Which would then cause my site to think the command ends at the double quote before "Theme" and thus cause it to fail.
Is there a way I should be properly quoting my javascript so it treats double quotes inside the function as text and not the end of the function?
I am using addslashes() and have tried various other encodings but nothing like that seems to work.
The best solution here is to stop using href="javascript:… and start using unobtrusive JavaScript and progressive enhancement.
If you do want to continue down this route, then you need to remember that you are dealing with three different languages and generating one from the other in a chain.
Start with the JavaScript. Then make it work with the HTML. Then make it work with the PHP.
javascript:playSong('Danny Elfman','Beetlejuice "Theme" (Kamei Halloween Edit)','2009-10-31-10-52-01.4521.data','28330')
There are no syntax errors here. You just have double quotes in a string.
href="javascript:playSong('Danny Elfman','Beetlejuice "Theme" (Kamei Halloween Edit)','2009-10-31-10-52-01.4521.data','28330')"
Now you have nested the JavaScript in an HTML attribute which is delimited with double quotes. This means that the double quotes in the JS are now a problem as they terminate the attribute value half way through the script.
Deal with these quotes in the usual way for HTML. Replace them with an HTML entity: &quot;
href="javascript:playSong('Danny Elfman','Beetlejuice &quot;Theme&quot; (Kamei Halloween Edit)','2009-10-31-10-52-01.4521.data','28330')"
Then we get to the PHP:
echo '<a href="javascript:playSong'."('$row[artist]','$row[title]','$row[sourcefile]')".'">';
Dealing with quotes inside quotes inside quotes is a pain. So don't try.
href="javascript:playSong('<?php echo $row['artist']; ?>','<?php echo $row['title']; ?>','<?php echo $row['sourcefile']; ?>')"
You seem to have lost an argument between examples there.
Follow the normal rules for dealing with inserting content into HTML with PHP: htmlspecialchars
href="javascript:playSong('<?php echo htmlspecialchars($row['artist']); ?>','<?php echo htmlspecialchars($row['title']); ?>','<?php echo htmlspecialchars($row['sourcefile']); ?>')"
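If you do keep the href="javascript:… route, here is the JavaScript-then-HTML-then-PHP chain from the answer carried through in code. This is an added example, not Quentin's code: it goes one step beyond the answer by producing the JS string literals with json_encode(), so an apostrophe or backslash in a title cannot end the JS string either, and $row is a constructed stand-in for the database row.

```php
<?php
// Added example, not Quentin's code: the three-layer chain from the answer
// (JavaScript inside an HTML attribute, generated by PHP), with json_encode()
// producing the JS string literals. $row is a constructed stand-in for the
// database row in the question.
$row = [
    'artist'     => 'Danny Elfman',
    'title'      => 'Beetlejuice "Theme" (Kamei Halloween Edit)',
    'sourcefile' => '2009-10-31-10-52-01.4521.data',
];

// Layer 1, JavaScript: json_encode() returns a double-quoted JS string literal
// and escapes quotes, backslashes and line breaks inside it. The JSON_HEX_*
// flags additionally turn ' " < > & into \uXXXX escapes, so the only
// characters left for the HTML layer to touch are the literal's delimiters.
function js_string(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_QUOT | JSON_HEX_APOS | JSON_HEX_TAG | JSON_HEX_AMP | JSON_THROW_ON_ERROR
    );
}

function play_song_call(array $row): string
{
    return sprintf(
        'playSong(%s,%s,%s)',
        js_string($row['artist']),
        js_string($row['title']),
        js_string($row['sourcefile'])
    );
}

// Layer 2, HTML: the finished script is just an attribute value now, so it is
// escaped once with htmlspecialchars(). ENT_QUOTES is given explicitly because
// it only became the default in PHP 8.1.
function play_link(array $row): string
{
    $href = 'javascript:' . play_song_call($row);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">play</a>';
}

// Layer 3, PHP: a single echo, with no quotes inside quotes inside quotes.
echo play_link($row), "\n";
```

The browser decodes the &quot; entities back to " before the JavaScript parser sees playSong(...), so the call arrives exactly as json_encode() wrote it.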
Escaping ONLY with backslash won't help you because you also need to escape them in HTML; try using &#39; for single quotes and &quot; for double quotes in your embedded JS functions.
This should do what you need.
Sinan.
Edit: Oh. You need to escape it in html. Try htmlspecialchars: