Using a standard xampp install, and running the following code inside my index.php page, I am receiving what I believe to be odd output. I'm not certain if it is a bug or if I am just not understanding this correctly.
Having read over numerous threads created here on stack overflow regarding this, I am still not sure why I am receiving this output.
<?php echo htmlspecialchars("&"); ?>
Will output the following in the source: &
But... if I use:
<?php
echo htmlspecialchars("&");
echo "<br />"
echo htmlspecialchars("&");
?>
The following will be output to source: &<br />&
I suppose I am just confused as to why the output, when viewing the html source generated by php, is generated differently when the same statement is used a second time. I assume it has something to do with double_encoding but have tried several statements to disable and enable double encoding within the htmlspecialchars function but it always seems to output & to the last call to htmlspecialchars.
Any additional input would be greatly appreciated.
Related
I am not able to figure out how to get an HTML out of a simple quoted_pritable_decode command.
Consider the following code from w3schools.
$str = "Hello=0Aworld.";
echo quoted_printable_decode($str);
The output for this code is:
Hello world.
However, when I view the source it is:
Hello
world.
Well, I am trying to figure out if there is a simpler way to get the second output. I would like to store it in my database in HTML format. I am aware of way arounds like replacing the encoded part, however, is there a recommended way here?
Edit 1:
Both the answers are perfectly fine and a precise explanation from Xavier was great. Since, I just have to mark one as correct, I mark the one which I believe is more precise.
You could use nl2br() encapsulating that when you are storing it into your table.
<?php
$str = "Hello=0Aworld.";
echo nl2br(quoted_printable_decode($str));
Change your code to:
$str = "Hello=0Aworld.";
echo "<pre>" . quoted_printable_decode($str) . "</pre>";
What you echo is being interpreted as pure HTML, and HTML doesn't honor newlines, except when you use tag. You also could do a echo str_replace('\n','<br>',quoted_printable_decode($str)); (i.e. AFTER decoding)
I am still struggling with this problem after about 2 weeks with no sign of a solution.
Any data that is returned by PHP using $.ajax or $.post always has two spaces added onto the returned data. I have trimmed the data being echoed in PHP to confirm it's not an issue with the server or my scripts.
e.g.
echo '{"id": "'.$myId.'"}';
Becomes:
' {"id": "'.$myId.'"}'
When viewing the returned data in inspector. This causes problems for my js scripts because they expect nothing returned when there is no error. Double space is returned which causes errors when there are actually none, which in turn stops other events from firing.
I am using Jquery 1.8.3.
Does anyone have any idea what is causing this extremely strange and annoying issue?
I am using NetBeans
I recall that this only started happening since I moved my app to a new server, but I don't see how that would have effected it in this way.
This may be helpful,
I think there is a whitespace in your script (may be from included files, but not sure). You can overcome this by clearing the output buffer, before you send the data to browser. The following code will demonstrate the idea.
<?php
ob_start();
echo ' '; // Possible whitespace (may be from included files)
----------
----------
if (YOUR_CHECK_FOR_AJAX_REQUEST) {
ob_end_clean();
$myId = 1;
echo '{"id": "'.$myId.'"}';
exit;
}
?>
There is chance that you've got whitespaces at the end of your included php files (to prevent it, skip ending ?> tag).
Also you should check if there is nothing in front of <?php and disable BOM in your UTF-8 files.
The data which is returned from the file would have spaces or you would have html tags. Remove all the tags, lines, spaces and at the end remove ?>
If you are returning data from test.php the file should look like as below
<?php
$myId = '1';
echo '{"id": "'.$myId.'"}';
Could somebody explain me why the PHP tags are giving me a linebreak?
And also, how can you delete this or stop this from happening, as it messes up my site.
An example I'm using on my site:
<?php include('assets/common/theme_header.php'); ?>
EDIT:
This doesn't seem to happen when I'm using:
<?php ?>
It does however seem to happen only when I'm using echo, which I also use on my include.
Example:
<?php echo "hello"; ?>
This still gives me a "linebreak", and it shows like this in Chrome development kit:
I had a similar situation where a php file on the server always echoed a space, then newline and then the actual echo. Like " \n[someVariable]". I got rid of it by making sure the php file had no empty lines at the beginning or end of the file.
So no empty line before the <?php or after the end ?>
Perhaps your problem is related.
I just noticed today that I have got lots of spam links in my wordpress blog. I just found a file which contains
<?php eval (chr(101).chr(114)...
Its very very long string. Can someone tell me how can I decode this to see what it does? So that I can try to remove the spam links?
Thanks.
Just replace eval by echo and have a look at the generated output
<?php echo (chr(101).chr(114)...
Instead of executing (eval) you can just echo out what it says, preferrably with htmlspecialchars if you execute it via browser:
<?php echo htmlspecialchars(chr(101)...
odds are though that you won't see anything understandable, since it is probably encoded in more ways than one.
Simply replace eval with echo:
<?php echo (chr(101).chr(114)...
Besides that, you most likely need to reinstall whatever you have on your webspace as you obviously have been hacked. Ensure that you use the most recent version of Wordpress and all other software you are running to prevent this from happening again.
I have a string that has HTML & PHP in it, when I pull the string from the database, it is echo'd to screen, but the PHP code doesn't display. The string looks like this:
$string = 'Hello <?php echo 'World';?>';
echo $string;
Output
Hello
Source Code
Hello <?php echo 'World';?>
When I look in the source code, I can see the php line there. So what I need to do is eval() just the php segment that is in the string.
One thing to consider is that the PHP could be located anywhere in the string at any given time.
* Just to clarify, my PHP config is correct, this is a case of some PHP being dumped from the database and not rendering, because I am echo'ing a variable with the PHP code in it, it fails to run. *
Thanks again for any help I may receive.
$str = "Hello
<?php echo 'World';?>";
$matches = array();
preg_match('/<\?php (.+) \?>/x', $str, $matches);
eval($matches[1]);
This will work, but like others have and will suggest, this is a terrible idea. Your application architecture should never revolve around storing code in the database.
Most simply, if you have pages that always need to display strings, store those strings in the database, not code to produce them. Real world data is more complicated than this, but must always be properly modelled in the database.
Edit: Would need adapting with preg_replace_callback to remove the source/interpolate correctly.
You shouldn't eval the php code, just run it. It's need to be php interpreter installed, and apache+php properly configured. Then this .php file should output Hello World.
Answer to the edit:
Use preg_replace_callback to get the php part, eval it, replace the input to the output, then echo it.
But. If you should eval things come from database, i'm almost sure, it's a design error.
eval() should work fine, as long as the code is proper PHP and ends with a semicolon. How about you strip off the php tag first, then eval it.
The following example was tested and works:
<?php
$db_result = "<?php echo 'World';?>";
$stripped_code = str_replace('?>', '', str_replace('<?php', '', $db_result));
eval($stripped_code);
?>
Just make sure that whatever you retrieve from the db has been properly sanitized first, since you're essentially allowing anyone who can get content into the db, to execute code.