i am struggling to get a whole string to be the value of an input tag
this is my code thus far but am not sure what is wrong with it
$message = "You have completed {$offername} [{$offerprovider}] and received {$offerpayout}";
echo "<input id='message' style='display: none;' value={$message}>$message</div>";
but when i check the value in javascript or something it just outputs the first word You any help would be appreciated as i am stuck
There are at least two problems in your code:
echo "<input id='message' style='display: none;' value={$message}>$message</div>";
The HTML generated by the line above looks like this:
<input id='message' style='display: none;' value=You have completed ...>
There are no quotes around the value of HTML attribute value. While the quotes are optional if the attribute value is a single word, they are needed when the value of the attribute contains many words; otherwise the value of attribute "value" is You and have, completed etc. are other HTML attributes of the input element.
The second problem of the code comes from the fact that you put some text there without correctly encoding the HTML special characters. For example, if the value of $offername is O'Brian, the generated HTML code (after the value of the "value" HTML attribute is correctly quoted) becomes:
<input id='message' style='display: none;' value='You have completed O'Brian [...] and received ...'>
and it is still invalid. Use the PHP function htmlspecialchars() to properly encode the HTML special characters to get their literal value in the final HTML page.
Another minor notice (not a show stopper) is the quoting character. It's better to use quotes (") for quoting of the attribute values in HTML. Apostrophes (') are allowed but not recommended.
All in all, a better way to write the code is:
$message = "You have completed {$offername} [{$offerprovider}] and received {$offerpayout}";
$encodedMsg = htmlspecialchars($message);
printf('<input id="message" style="display: none;" value="%s">%s</div>',
$encodedMsg, $encodedMsg);
Remember that everything you put in the HTML should be properly encoded or the browser might correct and interpret it in a different way than you intended.
Try this
echo "<input id='message' style='display: none;' value='{$message}'>$message</div>";
The attributes values must enclosed with single or double quotes otherwise it will split the text with space. it will print out like this.
<input id="message" style="display: none;" value="You" have="" completed="" and="" received="">
Related
echo "<button onClick='follow(".$name.");'></button>";
I need to pass a string as a parameter in follow(user) function onClick event jquery. But it's getting called as a value.
I tried kind of everything, but in php it looks a bit of a big deal for me. Is there any other way around to get the expected result as a string from a php variable.
You echo a php variable in javascript without adding quotes thus ending with a javascript variable name instead of a string.
Just add escaped quotes like this:
echo "<button onClick='follow(\"".$name."\");'></button>";
Quotes are off and if you're passing a string you need quotes wrapping the string in the function call.
There is various ways to do it, for standard " in html properties:
echo '<button onClick="follow(\''.$name.'\')"></button>';
echo "<button onClick=\"follow('".$name."')\"></button>";
echo "<button onClick=\"follow('$name')\"></button>";
for single quotes
echo '<button onClick=\'follow("'.$name.'")\'></button>';
echo "<button onClick='follow(\"".$name."\")'></button>";
echo "<button onClick='follow(\"$name\")'></button>";
But that's presuming your users are nice, a crafty user may create a username with \n in it, then from POSTing to storing and retrieving it would most likely be rendered as a new line:
<?php
$name = "Foo\nBar";
echo '<button onClick="follow(\''.$name.'\')"></button>';
Rendering the following which would cause the page to break:
<button onClick="follow('Foo
Bar')"></button>
Or worse a username like:
$name = "Foo')\"></button>\n<button onClick=\"window.location.href = ('http://example.com";
Which would render a stored XSS:
<button onClick="follow('Foo')"></button>
<button onClick="window.location.href = ('http://example.com')"></button>
So a better solution then to directly pass it in, would be to escape it, using htmlentities and json_encode so \n is not rendered by the html.
echo '<button onClick=\'follow('.json_encode(htmlentities($name, ENT_QUOTES, 'UTF-8')).')\'></button>';
Which would render to:
<button onClick='follow("Foo')"><\/button>\n<button onClick="window.location.href = ('http:\/\/example.com")'></button>
Though you should be validating usernames on create before allowing such an attack.
If it has a single quote in it, any string that I try to enter into my HTML input box is truncated in the input box once it is submitted. Its POST value comes thru unchanged, but the string shows as truncated in the input box, whether I use htmlspecialchars() or not. A noobie question, no doubt, but I've tried hard to figure it out and run out of ideas. Thanks for any help.
<!DOCTYPE html>
<body><title> Self-inserting input_box_SO.php </title>
<?php
// POST form initiation.
ECHO "<form action='input_box_SO.php' method='post'>";
// GET POSTed value and escape it for HTML use
$Caption_htmlspecialchars=$_POST['Caption_htmlspecialchars'];
$Caption_htmlspecialchars=htmlspecialchars($Caption_htmlspecialchars);
ECHO "The echo of the variable <em> \$Caption_htmlspecialchars </em> looks like this:<br>";
ECHO "<b> $Caption_htmlspecialchars </b><br>";
ECHO "But in the input box, \$Caption_htmlspecialchars is truncated by a single quote: <br>";
// ETA: Bad old line that caused the problem, now commented:
// ECHO "<input type='text' name='Caption_htmlspecialchars' size=100 value='$Caption_htmlspecialchars' maxlength = 100 required /><br><br>";
// ETA: Newly added line that fixes the problem:
echo '<input type="text" name="Caption_htmlspecialchars" size=100 value="'.$Caption_htmlspecialchars.'" maxlength = 100 required /><br><br>';
// SUBMIT button. Submits back to the same page: input_box.php
echo "<b><input type='Submit' name='submit' value='Submit'/></b></br></br>";
?>
</body></html>
Here is what Inspect Elements > Elements shows for the input element:
input_box_SO.php
The echo of the variable $Caption_htmlspecialchars looks like this: test with special chars. & " < > and a single quote ('), which causes truncation in the input box. But in the input box, $Caption_htmlspecialchars is truncated by a single quote: and a single quote (" ),="" which="" causes="" truncation="" in="" the="" input="" box.="" '="" maxlength="100" required="">
With the Source looking like this: value='test with special chars. & " < > and a single quote ('), which causes truncation in the input box. '
You need to change your sequence of single quotes nad double quotes to display string. change your echo <input as below
echo '<input type="text" name="Caption_htmlspecialchars" size=100 value="'.$Caption_htmlspecialchars.'" maxlength = 100 required /><br><br>';
Try to use the addslashes and do it like
$Caption_htmlspecialchars = addslashes($Caption_htmlspecialchars);
I have a profile page in which I want to display informations from the database for most users, and a form with the current data as default value for the users with modification rights.
if ($IDprofile == $_SESSION['userID'])
{
echo "<form method='post'>
Surname: <input type='text' required name='surname' maxlength=50
value=".htmlentities($user['Surname'])."><br>
Name: <input type='text' required name='name' maxlength=50
value=".htmlentities($user['Name'])."><br>
Birthdate (format YYYY-MM-DD): <input type='text' required name='BirthDate' value='";
if ($user['BirthDate'] != null)
echo $user['BirthDate'];
else
echo "-";
echo "'><br>
Description: <input type='text' maxlength=255 name='description' value='";
if ($user['Description'] != null)
echo htmlentities($user['Description']);
else
echo "-";
echo "'><br>
<input type='submit' value='OK'></form>";
}
As you can see, I tried with htmlentities, which should transform the apostrophe into ', but it doesn't work. Other methods like addslashes and addcslashes don't work either.
What is displayed is my form input with the value it should have, until the place where there should be an apostrophe, where it just ends. addslashes does the same, with a / before the end.
What puzzles me the most is that I have a surname with an apostrophe in it in my database, and this one is displayed just fine.
htmlentities by default only encodes " double quotes, because those are the more common terminators for HTML attributes. If you want it to encode ' single quotes too, you need to set the ENT_QUOTES flag:
htmlentities($foo, ENT_QUOTES | ENT_HTML401)
(ENT_HTML401 is the other default flag; these days you may want to use ENT_HTML5 instead.)
You should also actually delimit your attributes with quotes! Currently your result looks like value=James, which isn't incorrect, but will get you into trouble once your values contain spaces or, well, quotes or other special characters.
Please try outputting your variables like this:
htmlspecialchars($user['Surname'], ENT_QUOTES);
Also be sure to disable magic quotes in your system so you don't get any extra slashes automagically when posting new data.
This is my php code. For an example:
<?php
while($row=sqlsrv_fetch_array($result))
{
$ItmName = $row['ItemName'];
}
?>
This is my html:
<input type="text" id="ItmName" name="ItmName" value="<?php echo $ItmName; ?>" />
If the data is as such 3" FILE which have double quotes, in the textbox field it will only be displayed as:
3
which it supposed to be
3" FILE
but IF the data is 3' FILE which is a single quote, it will be displayed as 3' FILE. So there's no problem. So my question is, how to display the data with the double quotes in a HTML input's value.
Always always always escape output that you don't trust.
Use htmlspecialchars (or htmlentities) to escape strings so they are safe to use in HTML.
I try to show this string : «let's go» in a the value of an input tag
i wrote:
$chaine="let's go";
echo "<input type=text name=test value='".$chaine."'>";
result: let
What can i do to show the correct string in this case ?
use htmlspecialchars
echo "<input type=text name=test value='".htmlspecialchars($chaine, ENT_QUOTES)."'>";
You can look at htmlentities()
htmlentities($chaine, ENT_QUOTES) ;
This produces
<input type=text name=test value='let's go'>
You can see, that for HTML (--> your Browser) the value ends after "let". Everything after that is invalid (but ignored). Escape
$chaine = "let\'s go";
However, in HTML double quotes are prefered and omitting the quotes is also no good style
$chaine="let's go";
echo '<input type="text" name="test" value="'.$chaine.'">';
In this case you must escape every double quote.