I have something like this (code simplified):
<?php
$var = 'Read "The Book"';
?>
<input type="text" value="<?php echo $var; ?>" />
The problem is that in the input looks like if it prints read and when you look at the source code you see it has <input type="text" value="Read "The Book"" /> and it doesn't work.
I can't simply replace value="<?php echo $var; ?>" for value='<?php echo $var; ?>' because $var could has any value and if I do it that way and its value is D'Artagnan it is going to try to print <input type="text" value='D'Artagnan' />.
=(
Any suggestion?
You should sanitize all your output by escaping characters with special meaning into their respective HTML entities. You can do that in the html context with htmlspecialchars.
<input type="text" value="<?php echo htmlspecialchars($var); ?>" />
So, with that, you can avoid XSS attack.
Related
I'm looking to send my session variable: $_SESSION['steamid']
to another webpage by using a form. I also want to have a disabled text form with the variable in it.
Currently, this is the code I have:
$variable = $_SESSION['steamid'];
and
<input type="hidden" name="b64id" value="'$variable'"/></br>
<p>Your 64 ID: <input type="text" name="b64id" value="'$variable'" disabled="disabled"/></br>
But I am just recieving "$variable" on the other end. I would like to avoid using POST and Cookies but if it's needed I'm happy to use it. I can ensure that $variable has a value.
Two issues:
You forgot your PHP tags and echo statement
The single quotes are unnecessary if even if you did #1 would cause the same issue to occur
This should do what you need (assuming PHP 5.4+ or short tags enabled):
<p>Your 64 ID: <input type="text" name="b64id" value="<?= $variable ?>" disabled="disabled"/></br>
when you want to use PHP variable you should open PHP tag
NOT CORRECT
<input type="hidden" name="b64id" value="'$variable'"/></br>
<p>Your 64 ID: <input type="text" name="b64id" value="'$variable'" disabled="disabled"/></br>
CORRECT
<input type="hidden" name="b64id" value="<?php echo $variable ?>"/></br>
<p>Your 64 ID: <input type="text" name="b64id" value="<?php echo $variable ?>" disabled="disabled"/></br>
there is a short form <?= $variable ?>
it means <?php echo $variable ?>
WELCOME ON PHP WORD !!!
Enjoy :)
Use following code having php tags:
<input type="hidden" name="b64id" value="<?php echo $variable ?>"/></br>
<p>Your 64 ID:
<input type="text" name="b64id" value="<?php echo $variable ?>" disabled="disabled"/>
</br>
You should also check if session having value or not.
like:
$variable = (isset($_SESSION['steamid']))?$_SESSION['steamid']):'';
Here is a simplified version of my code that I am having a problem with.
$variable = "{\\\"JSON" //long JSON string created in Javascript with JSON.stringify
?> <input type="text" name="somename" value="<?php echo $variable; ?>"/> <?php
The input box only contains {\
I need a way to escape the entire JSON string
Thanks
Alex
You're outputting into an HTML context, so you need html-specific escaping:
<input ... value="<?php echo htmlspecialchars(json_encode($whatever)); ?>" />
^^^^^^^^^^^^^^^^----
$val= json_encode($val);
<input type="hidden" value="<?php echo htmlspecialchars($val); ?>" name="bye">
I'm using a metadata reader in php. It works great, but when I'm using it to put the values that came from the function in INPUT I get strange symbols in the inputbox.
Here is the source code:
if($fileStatus == 1){
include ("include/functions.php");
$filename=$uploaded;
$mp3file=new CMP3File;
$mp3file->getid3($filename);
$hej = "hejhejhej";
?>
<form>
<input type="text" name="hej" value="<?php echo $hej;?>">
<input type="text" name="title" value="<?php echo "$mp3file->title";?>"><br>
<input type="text" name="artist" value="<?php echo "$mp3file->artist";?>"><br>
<input type="text" name="album" value="<?php echo "$mp3file->album";?>"><br>
<input type="text" name="year" value="<?php echo "$mp3file->year";?>"><br>
<textarea name="artist"><?php echo "$mp3file->comment";?></textarea><br>
<input type="text" name="genre" value="<?php echo "Ord($mp3file->genre)";?>"><br>
</form>
<?php
}
Source code I get from the browser:
<form>
<input type="text" name="hej" value="hejhejhej">
<input type="text" name="title" value="Selene
Screenshot
Try using HTML Entities.
This might be because of UTF-8 and the browser doesn't support that encoding. May be, PHP's htmlentities might help you. Replace:
<?php echo $hej;?>
With:
<?php echo htmlentities($hej);?>
The strange characters you see are because CMP3File uses fread to get bytes from the actual MP3 file (read up on ID3 Tags if you want to know more about this). If you want to see the actual bytes as a string, use the ord function as such:
<?php
for($i = 0; $i < strlen($mp3file->title); $i++) {
echo ord($mp3file->title[$i]);
}
?>
The solution for this problem is "Trim()"
Data or value in $description from database is
<div>Henry</div>
My HTML Code
<input type="textbox" id="textbox" value=""/>
<input type="hidden" id="hidden" value="<?php echo $description; ?>"/>
Output :
If the code be
<input type="hidden" id="hidden" value='<?php echo $description; ?>'/>
Its working fine !..Any one please tell me the issue ?
You are trying to have HTML code inside the value of a hidden input in a form? That doesn't sound right.
If you need to keep it as it is, you should at least use htmlentities to make it a string:
<input type="hidden" id="hidden" value="<?php echo htmlentities($description); ?>"/>
An example:
<?php
$str = "A 'quote' is <b>bold</b>";
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str);
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str, ENT_QUOTES);
?>
Your code becomes like this...
<input type="hidden" id="hidden" value = "<div><a href="www.google.com" > Henry </a></div> "/>
You can divide this as...
<input type="hidden" id="hidden" value = "<div><a href="www.google.com" >
Henry
</a></div>
"/>
That's how you get Henry"/>
Here comes 2 issues,
First of all use htmlentities to convert all applicable characters to HTML entities.
htmlentities($description);
And Its fair to use Single quote instead of double quotes. Ref link
By default, SGML requires that all attribute values be delimited using either double quotation marks (ASCII decimal 34) or single quotation marks (ASCII decimal 39). Single quote marks can be included within the attribute value when the value is delimited by double quote marks, and vice versa
look at the different between " and ':
if your code is :
$description = <div>Henry</div>
and
<input type="hidden" id="hidden" value="<?php echo $description; ?>"/>
so it's actually means
<input type="hidden" id="hidden" value="<div>Henry</div>"/>
and the " that before the url closes the "value", so the value is actually -
value="<div><a href="
so try to use ' instead of " on the url (google) OR in the value (not both).
This is how your browser sees the code:
<input type="textbox" id="textbox" value="<div>Henry</div>
"/>
See how the double-quotes don't make sense?
If you want to keep double-quotes you need to go with htmlentities.
$description = htmlentities($description);
<input type="hidden" id="hidden" value="<?php echo $description; ?>"/>
Also, your link "www.google.com" will point to a page called www.google.com RELATIVE to your directory. Be sure to use ABSOLUTE path: http://www.google.com
A simple replace in here like this
<div><a href='www.google.com'>Henry</a></div>
or like this
<input type="textbox" id="textbox" value=""/>
<input type="hidden" id="hidden" value='<?php echo $description; ?>'/>
but not both should do the trick.
http://php.net/manual/en/function.strip-tags.php
Try this:
div><a href='www.google.com'>Henry</a></div>
<input type="textbox" id="textbox" value=""/>
<input type="hidden" id="hidden" value='<?php echo strip_tags($description); ?>'/>
I tried $_POST['<?php echo $var ?>] but I should have known that it wouldn't be that easy.
The reason why I try to do is because I have several input boxes with values I take from a database and I'm trying to create an updation script where any of the input box values can be changed.
for example
<form action="process.php" method="post">
<?php
while($variable=mysql_fetch_array($sqlconnec))
{
?>
<input type="text" name="<?php echo $variable['col1']?>" value="<?php echo $variable['val'] ?>" />
<?php
}
?>
<input type="submit" />
</form>
Any help is appreciated.
I think that what you need is:
<input type="text" name="<?php echo $col; ?>" value="<?php echo $val; ?>" />
$_POST[$col] //this will have the input value defined above.
In process.php you have to do the same query as mentioned above. If you iterate through those results $_POST[$col] will contain the posted values.
You need to do like this:
<form action="process.php" method="post">
<?php
$variable = mysql_fetch_assoc($sqlconnec);
foreach($variable as $col => $val)
{
?>
<input type="text" name="<?php echo $col; ?>" value="<?php echo $val; ?>" />
<?php
}
?>
<input type="submit" />
</form>
Now, mysql_fetch_assoc gets you the database row in a associative array. Then, the code iterates each column in the row and displays the name/value pair for it. And yes, you were not closing the value tag correctly.
foreach($_POST as $k=>$v) {
//do something with $v or $_POST[$k]
}
I think that you want to change the name of the input to something that is constant.
For example:
<input type="text" name="testname" value="<?php echo $variable['val'] ? />
And then retrieve your variable like so:
$_POST['testname']
For example you could print the variable you sent in the input to test it like so:
echo $_POST['testname'];
You are not closing your input 'value' tag with ". Also your second php closing tag is incorrect.
<input type="text" name="<?php echo $variable['col1']?>" value="<?php echo $variable['val'] ?>" />