I just tried to use CodeIgniter's escape_str function. It's working well, but when I try to get the data and show it on the front side, some extra code is showing. Is there any way to replace all those extra symbols?
This is the function
$content = $this->db->escape_str($content);
I'm trying to input the data below from an HTML textarea
Hello all how are you?
I'm from cox's bazar. see you again.
but when I try to echo it, I get this
Hello all how are you?\r\n\r\nI\'m from cox\'s bazar. see you again.
It should return the same as my input. Please help me solve this issue. Thanks
You can use the html_escape() CodeIgniter function:
http://www.codeigniter.com/user_guide/general/common_functions.html?highlight=html_escape#html_escape
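An added example, not code from the original question or answer: it keeps SQL escaping and HTML escaping as two separate steps, so the stored text matches the textarea input and markup characters are encoded only when the text is printed. Assumptions: PDO with an in-memory SQLite database stands in for CodeIgniter's database layer, addslashes() only imitates text that was escaped by hand before being stored, htmlspecialchars() is called directly where a CodeIgniter view would call html_escape(), and the function and table names are made up for the demonstration.

```php
<?php
// Added example: store_post, load_post, render_post and the posts table are hypothetical names.
// Constructed sample input, as it would arrive from the textarea.
$input = "Hello all how are you?\r\n\r\nI'm from cox's bazar. see you again.";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, content TEXT)');

// SQL context: a bound parameter carries the raw text, with no manual escaping.
function store_post(PDO $pdo, string $content): int
{
    $stmt = $pdo->prepare('INSERT INTO posts (content) VALUES (:content)');
    $stmt->execute([':content' => $content]);
    return (int) $pdo->lastInsertId();
}

function load_post(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT content FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// HTML context: encode markup characters at output time, then turn the
// stored line breaks into <br> tags.
function render_post(string $content): string
{
    return nl2br(htmlspecialchars($content, ENT_QUOTES, 'UTF-8'));
}

$cleanId = store_post($pdo, $input);
// Failure mode: text escaped by hand and then bound as a parameter is
// stored with its backslashes, which later show up on the page.
$escapedId = store_post($pdo, addslashes($input));

var_dump(load_post($pdo, $cleanId) === $input);      // round-trip check of the raw text
echo load_post($pdo, $escapedId), "\n";              // the hand-escaped copy as stored
echo render_post(load_post($pdo, $cleanId)), "\n";   // the raw copy encoded for HTML
```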
Related
I have built a custom CMS. Recently, I added the ability to create pages dynamically. I used CKEditor for the content of these pages.
I would also like to run some php functions that may be included in the content of the page stored in mysql.
I DO NOT want to store actual PHP code in the database, but rather function names perhaps. For example, in a page stored in the database I may have.
<?php //begin output
hello world!
check out this latest news article.
news($type, $id);
//end output
?>
What is the best way to find and execute this existing function without using EVAL if it's found in the output? I was thinking along the lines of WordPress-style short codes. Maybe [[news(latest, 71]] ? Then have a function to find and execute these functions if they exist in my functions.php file. Not really sure of the best way to go about this.
I'm not searching for any code answers, but more of a best practice for this type of scenario, especially one that is safest against possible injections.
I found a solution from digging around and finding this thread
How to create a Wordpress shortcode-style function in PHP
I am able to pass short codes like this in CKEditor
[[utube 1 video_id]]
Then, in my page that renders the code:
print shortcodify($page_content);
using this function:
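function shortcodify($string){
    // Replace each [[name arg1 arg2]] tag with the return value of the named function.
    return preg_replace_callback('#\[\[(.*?)\]\]#', function ($matches) {
        $whitespace_explode = explode(" ", $matches[1]);
        $fnName = array_shift($whitespace_explode);
        // function_exists() is true for every defined function, PHP built-ins included,
        // so any of them can be named in a tag; unknown names leave the tag as-is.
        return function_exists($fnName) ? call_user_func_array($fnName, $whitespace_explode) : $matches[0];
    }, $string);
}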
If the function name exists (utube) it will fire the function.
The only problem I'm having at the moment is that no matter where I place the [[shortcode]] in my editor, it always executes first.
For example, in CKEditor I put:
Hello world! Check out my latest video
[[utube 1 video_id]]
It will always put the text under the video instead of where it is in the document. I need to figure a way to have the short code execute in the order it is placed.
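An added example, not code from the original post: a variant of the dispatcher that only runs handlers listed in an explicit registry and validates each argument against a pattern before the call. The registry layout, the names shortcodify_safe and shortcode_utube, the meaning given to the two utube arguments and the embed markup are all assumptions made for the illustration; the handler returns its markup instead of printing it, so the output replaces the tag at its position in the content.

```php
<?php
// Added example: registry contents and handler names are hypothetical.

// Only tags listed here can be triggered from page content. Each entry
// names the handler and gives one validation pattern per argument.
$SHORTCODES = [
    'utube' => [
        'handler' => 'shortcode_utube',
        'args'    => ['/^\d{1,3}$/', '/^[A-Za-z0-9_-]{1,32}$/'],
    ],
];

// Handlers RETURN markup (no echo/print), so preg_replace_callback() puts
// the result exactly where the tag stood in the document.
function shortcode_utube(string $mode, string $videoId): string
{
    $src = 'https://www.youtube.com/embed/' . rawurlencode($videoId);
    return '<iframe data-mode="' . htmlspecialchars($mode, ENT_QUOTES, 'UTF-8')
         . '" src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '"></iframe>';
}

function shortcodify_safe(string $content, array $registry): string
{
    return preg_replace_callback('#\[\[(.*?)\]\]#', function ($m) use ($registry) {
        $parts = preg_split('/\s+/', trim($m[1]), -1, PREG_SPLIT_NO_EMPTY);
        $tag   = array_shift($parts);
        // Unknown tag or wrong argument count: leave the text untouched.
        if ($tag === null || !isset($registry[$tag])
            || count($parts) !== count($registry[$tag]['args'])) {
            return $m[0];
        }
        // Every argument must match its pattern before the handler runs.
        foreach ($registry[$tag]['args'] as $i => $pattern) {
            if (!preg_match($pattern, $parts[$i])) {
                return $m[0];
            }
        }
        return call_user_func_array($registry[$tag]['handler'], $parts);
    }, $content);
}

// Constructed sample content: one registered tag, and one tag that names a
// PHP built-in which is not in the registry and is therefore left as text.
$page = "Hello world! Check out my latest video\n[[utube 1 video_id]]\n[[strtoupper hello]]";
echo shortcodify_safe($page, $SHORTCODES), "\n";
```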
I'm trying to work on my new WordPress plugin, and I encountered an issue.
I'm setting a variable to contain something like this:
esc_html('likeit'.wp_generate_password(4))
And then - I want to call another function via GET, but it's sometimes breaking.
For example if I have: likeitA9&n, it will break at &.
Can you please tell me what's the best (and most secure) but simple way to handle this in my plugin?
Examples would be appreciated!
Thanks a lot!
P.S. - I did try to look at previous posts, but nothing that actually solved this :(
urlencode('likeit'.wp_generate_password(4));
or
rawurlencode('likeit'.wp_generate_password(4));
I am creating a CMS and have PHP creating a page. I have a while loop like this
while($row = mysql_fetch_array($results)) {
    echo "some html code" . $row['name'];
}
It's shortened, but hopefully you get the point. I have the full thing in my page working just as it should, and I wanted to move it to a function include as I want to reuse it. The problem is that when I do that, it stops working.
I did some testing and found that the function is getting the query result, and after doing a var dump both were identical. The problem comes when I try to assign it to an array. It comes back as false, so in the above code, for example,
$row = false;
I'm totally lost in this, and if my explanation is confusing I apologise, but I am a bit of a newbie. I have tried searching but... I don't really know where to begin.
Any thoughts?
The query you are doing is basically wrong. Try posting exactly the code which you have in $query and then let us see the problem.
Also, it is better to use mysqli functions.
But for this, edit the question and type the query, or simply put a die(mysql_error()) at the end of your query which is in $query. It will show your exact error.
I figured it out.
When I was testing the function I commented out the original code on the main page, but for some reason I had not commented out enough (it was a mix of PHP and HTML; clearly the PHP had not been commented out properly). This must have been causing a clash of some kind, as when I put the function above the code on my page the function worked and the long code below it did not.
Sorry for wasting your time, guys.
Probably another basic question, but it's been annoying me for a while now...
I have a PHP file which is included on a PHP web page to bring in dynamic content from my MySQL database.
Everything works fine with this except when I try to get pictures to work, and here is the problem.
I am using the code:
echo "<img src='fishery_images/$region/$url/$url1.jpg'/>";
All of which has been selected from the correct table and so on. An example of what I want this to resolve to is below:
fishery_images/fife/goldenloch/goldenloch1.jpg
However, because I have the code:
$url1.jpg
and $url1 is not defined as anything, it resolves as the following:
fishery_images/fife/goldenloch/.jpg
I can have anything from goldenloch1.jpg all the way to goldenloch10.jpg, so I need to be able to say which image should be used.
How do I say $url1.jpg without meaning $url1?
Really hope this makes sense... and thanks in advance.
echo "<img src='fishery_images/{$region}/{$url}/{$url}1.jpg'/>";
http://en.wikipedia.org/wiki/String_interpolation#PHP
You'll want to use curly braces to wrap your variable:
echo "<img src='fishery_images/$region/$url/{$url}1.jpg'/>";
I have the following example of what a user might type into a field for a post name:
<h1><span>They're awesome people</span></h1>
Now because this is a post title I want to remove all that HTML completely before saving it to the database. This is for a) security reasons and b) if I export this as JSON I don't want to be cleaning up HTML on output for 3rd party users.
I have tried the following in my model:
public function beforeSave() {
if (isset($this->data[$this->alias]['title']))
{
//$this->data[$this->alias]['title'] = Sanitize::clean($this->data[$this->alias]['title'], array('encode'=>true,'remove_html'=>true));
$this->data[$this->alias]['title'] = html_entity_decode(Sanitize::html($this->data[$this->alias]['title'], array('remove'=>true)));
}
return true;
}
As you can see I have tried both Clean and HTML from the Sanitize class to clean out the HTML but both cause a problem in that they escape the quote from they're making it like '. I have tried using the html_entity_decode around the sanitize to clean this up but it still happens. Any ideas on how to do this?
If I do this though:
echo html_entity_decode('They're awesome people');
it works fine so the function is fine, it's a problem with using it in conjunction with the sanitize class in CakePHP.
Thanks
Why not use
Sanitize::paranoid()
Manual
Or even strip_tags
To make Sanitize::html work
Sanitize::html($var, array('remove'=>true, 'quotes' => ENT_NOQUOTES));
It uses htmlentities internally and the default flag is set to ENT_QUOTES.
You should try the htmlspecialchars_decode() function.
Edit:
Using only a PHP function instead of the CakePHP library, you can try strip_tags().