I have a profile page in which I want to display informations from the database for most users, and a form with the current data as default value for the users with modification rights.
if ($IDprofile == $_SESSION['userID'])
{
echo "<form method='post'>
Surname: <input type='text' required name='surname' maxlength=50
value=".htmlentities($user['Surname'])."><br>
Name: <input type='text' required name='name' maxlength=50
value=".htmlentities($user['Name'])."><br>
Birthdate (format YYYY-MM-DD): <input type='text' required name='BirthDate' value='";
if ($user['BirthDate'] != null)
echo $user['BirthDate'];
else
echo "-";
echo "'><br>
Description: <input type='text' maxlength=255 name='description' value='";
if ($user['Description'] != null)
echo htmlentities($user['Description']);
else
echo "-";
echo "'><br>
<input type='submit' value='OK'></form>";
}
As you can see, I tried with htmlentities, which should transform the apostrophe into ', but it doesn't work. Other methods like addslashes and addcslashes don't work either.
What is displayed is my form input with the value it should have, until the place where there should be an apostrophe, where it just ends. addslashes does the same, with a / before the end.
What puzzles me the most is that I have a surname with an apostrophe in it in my database, and this one is displayed just fine.
htmlentities by default only encodes " double quotes, because those are the more common terminators for HTML attributes. If you want it to encode ' single quotes too, you need to set the ENT_QUOTES flag:
htmlentities($foo, ENT_QUOTES | ENT_HTML401)
(ENT_HTML401 is the other default flag; these days you may want to use ENT_HTML5 instead.)
You should also actually delimit your attributes with quotes! Currently your result looks like value=James, which isn't incorrect, but will get you into trouble once your values contain spaces or, well, quotes or other special characters.
Please try outputting your variables like this:
htmlspecialchars($user['Surname'], ENT_QUOTES);
Also be sure to disable magic quotes in your system so you don't get any extra slashes automagically when posting new data.
Related
If it has a single quote in it, any string that I try to enter into my HTML input box is truncated in the input box once it is submitted. Its POST value comes thru unchanged, but the string shows as truncated in the input box, whether I use htmlspecialchars() or not. A noobie question, no doubt, but I've tried hard to figure it out and run out of ideas. Thanks for any help.
<!DOCTYPE html>
<body><title> Self-inserting input_box_SO.php </title>
<?php
// POST form initiation.
ECHO "<form action='input_box_SO.php' method='post'>";
// GET POSTed value and escape it for HTML use
$Caption_htmlspecialchars=$_POST['Caption_htmlspecialchars'];
$Caption_htmlspecialchars=htmlspecialchars($Caption_htmlspecialchars);
ECHO "The echo of the variable <em> \$Caption_htmlspecialchars </em> looks like this:<br>";
ECHO "<b> $Caption_htmlspecialchars </b><br>";
ECHO "But in the input box, \$Caption_htmlspecialchars is truncated by a single quote: <br>";
// ETA: Bad old line that caused the problem, now commented:
// ECHO "<input type='text' name='Caption_htmlspecialchars' size=100 value='$Caption_htmlspecialchars' maxlength = 100 required /><br><br>";
// ETA: Newly added line that fixes the problem:
echo '<input type="text" name="Caption_htmlspecialchars" size=100 value="'.$Caption_htmlspecialchars.'" maxlength = 100 required /><br><br>';
// SUBMIT button. Submits back to the same page: input_box.php
echo "<b><input type='Submit' name='submit' value='Submit'/></b></br></br>";
?>
</body></html>
Here is what Inspect Elements > Elements shows for the input element:
input_box_SO.php
The echo of the variable $Caption_htmlspecialchars looks like this: test with special chars. & " < > and a single quote ('), which causes truncation in the input box. But in the input box, $Caption_htmlspecialchars is truncated by a single quote: and a single quote (" ),="" which="" causes="" truncation="" in="" the="" input="" box.="" '="" maxlength="100" required="">
With the Source looking like this: value='test with special chars. & " < > and a single quote ('), which causes truncation in the input box. '
You need to change your sequence of single quotes nad double quotes to display string. change your echo <input as below
echo '<input type="text" name="Caption_htmlspecialchars" size=100 value="'.$Caption_htmlspecialchars.'" maxlength = 100 required /><br><br>';
Try to use the addslashes and do it like
$Caption_htmlspecialchars = addslashes($Caption_htmlspecialchars);
i am struggling to get a whole string to be the value of an input tag
this is my code thus far but am not sure what is wrong with it
$message = "You have completed {$offername} [{$offerprovider}] and received {$offerpayout}";
echo "<input id='message' style='display: none;' value={$message}>$message</div>";
but when i check the value in javascript or something it just outputs the first word You any help would be appreciated as i am stuck
There are at least two problems in your code:
echo "<input id='message' style='display: none;' value={$message}>$message</div>";
The HTML generated by the line above looks like this:
<input id='message' style='display: none;' value=You have completed ...>
There are no quotes around the value of HTML attribute value. While the quotes are optional if the attribute value is a single word, they are needed when the value of the attribute contains many words; otherwise the value of attribute "value" is You and have, completed etc. are other HTML attributes of the input element.
The second problem of the code comes from the fact that you put some text there without correctly encoding the HTML special characters. For example, if the value of $offername is O'Brian, the generated HTML code (after the value of the "value" HTML attribute is correctly quoted) becomes:
<input id='message' style='display: none;' value='You have completed O'Brian [...] and received ...'>
and it is still invalid. Use the PHP function htmlspecialchars() to properly encode the HTML special characters to get their literal value in the final HTML page.
Another minor notice (not a show stopper) is the quoting character. It's better to use quotes (") for quoting of the attribute values in HTML. Apostrophes (') are allowed but not recommended.
All in all, a better way to write the code is:
$message = "You have completed {$offername} [{$offerprovider}] and received {$offerpayout}";
$encodedMsg = htmlspecialchars($message);
printf('<input id="message" style="display: none;" value="%s">%s</div>',
$encodedMsg, $encodedMsg);
Remember that everything you put in the HTML should be properly encoded or the browser might correct and interpret it in a different way than you intended.
Try this
echo "<input id='message' style='display: none;' value='{$message}'>$message</div>";
The attributes values must enclosed with single or double quotes otherwise it will split the text with space. it will print out like this.
<input id="message" style="display: none;" value="You" have="" completed="" and="" received="">
Is it possible to add a value to a dynamically created input field?
Im trying something like this: echo "<input value="$row['test']">" but that gives me a syntax error. It has to be in my php file since im calling it via ajax and want to keep my html and php seperate.
Im getting content via ajax and I need to set many field names as there are records in the database.
You can do it like this:
echo '<input value="' . $row['test'] . '">';
Alternatively escape the " (not recommended if not needed, because it is hardly readable):
echo "<input value=\"" . $row['test'] . "\">";
Otherwise you’re mixing quotation marks, which is a syntax error. The . is to combine strings with variables (in this case).
You can also Use:
<input value="<?php echo htmlspecialchars($row['test']); ?>" >
OR
echo "<input name='test' value=".$row['test'].">";
OR
echo "<input name='fred' value='{$row['test']}'>";
Reference
When using certain php values within a quoted string, such as the array syntax in the question, you should either escape from the quotes or encapsulate the variable in curly braces. Also, as the string was quoted with double quotes you should use single quotes around attributes and values.
echo "<input name='fred' value='{$row['test']}'>";
<input type="text" name="post_title" class="form-control" value="<?php
if(isset($post_title))echo $post_title;
?>">
If you want to add it into the HTML
I have inserted the following TEXT value into mysql..
$_POST['groupname'] = "Linda's Group";
$groupname = $addslashes($_POST['groupname'];
then retrieve it like this..
$groupname = $row['groupname'];
when I echo it it shows up correctly as "Linda's group"
but when I put it into..
echo "<input name='groupname' type='hidden' value='$groupname' />";
it shows up as "Linda", only show text before the apostrophe
What am I doing wrong?
Whenever you want to send a string to the browser, use htmlspecialchars($string).
Replace that with:
echo "<input name='groupname' type='hidden' value='" . htmlspecialchars($groupname, ENT_QUOTES) . "' />";
... and remove the addslashes() call.
Also, make sure you always use mysql_real_escape_string($string) when inserting string values in a MySQL database.
you need to escape content before displaying it on a web page. your markup reads:
try:
htmlspecialchars($dataToEscape, ENT_QUOTES, 'UTF-8' false)
without this you are vulnerable to XSS.
consider Linda'><script src='evil.js'></script>s Group this example:
<input name='groupname' type='hidden' value='Linda'><script src='evil.js'></script>s Group' />
You need to escape your single quote before you use it in your HTML. This is because your attribute values are surrounded by single quotes.
If you didn't escape the quote, the generated HTML is:
<input name='groupname' type='text' value='Linda's group' />
This is not valid. What you need is:
<input name='groupname' type='text' value='Linda's group' />
You can get that by calling htmlspecialchars:
echo "<input name='groupname' type='hidden' value='" . htmlspecialchars($groupname) . "' />";
This also prevents XSS attacks. Otherwise someone could enter '/><script type="text/javascript">alert("omg hax!")</script><br' for example, and you would get an alert on your page.
I try to show this string : «let's go» in a the value of an input tag
i wrote:
$chaine="let's go";
echo "<input type=text name=test value='".$chaine."'>";
result: let
What can i do to show the correct string in this case ?
use htmlspecialchars
echo "<input type=text name=test value='".htmlspecialchars($chaine, ENT_QUOTES)."'>";
You can look at htmlentities()
htmlentities($chaine, ENT_QUOTES) ;
This produces
<input type=text name=test value='let's go'>
You can see, that for HTML (--> your Browser) the value ends after "let". Everything after that is invalid (but ignored). Escape
$chaine = "let\'s go";
However, in HTML double quotes are prefered and omitting the quotes is also no good style
$chaine="let's go";
echo '<input type="text" name="test" value="'.$chaine.'">';
In this case you must escape every double quote.