Is it possible to add a value to a dynamically created input field?
Im trying something like this: echo "<input value="$row['test']">" but that gives me a syntax error. It has to be in my php file since im calling it via ajax and want to keep my html and php seperate.
Im getting content via ajax and I need to set many field names as there are records in the database.
You can do it like this:
echo '<input value="' . $row['test'] . '">';
Alternatively escape the " (not recommended if not needed, because it is hardly readable):
echo "<input value=\"" . $row['test'] . "\">";
Otherwise you’re mixing quotation marks, which is a syntax error. The . is to combine strings with variables (in this case).
You can also Use:
<input value="<?php echo htmlspecialchars($row['test']); ?>" >
OR
echo "<input name='test' value=".$row['test'].">";
OR
echo "<input name='fred' value='{$row['test']}'>";
Reference
When using certain php values within a quoted string, such as the array syntax in the question, you should either escape from the quotes or encapsulate the variable in curly braces. Also, as the string was quoted with double quotes you should use single quotes around attributes and values.
echo "<input name='fred' value='{$row['test']}'>";
<input type="text" name="post_title" class="form-control" value="<?php
if(isset($post_title))echo $post_title;
?>">
If you want to add it into the HTML
Related
I'm trying to build a comment system, each comment has a unique id, many comments can be associated with a post, and each post has a unique id. I want to pass the post id to a submit.php file (where comments are update to the database), but no matter what I tried I just can't pass the data. Currently I have something like this:
$sql="SELECT postid,post,pdate FROM posts";
$result = mysql_query($sql);
while($row = mysql_fetch_array($result)) {
echo '$row["post"]';
echo '<form action="submit.php" method="POST">';
echo '<input name="comment" type="text" id="comments"></input>';
echo '<input type="hidden" name="id" value="$row["postid"]" />';
echo '<input type="submit" value="enter comments" />';
}
?>
for testing purpose I have submit.php as follows,
<?php
$ha=$_POST['id'];
echo $ha;
?>
data of postid is not passed, and I just got "$row[" as output.
inside the while loop if I say $haha=$row["postid"]; echo "$haha"; then each individual post id will be printed correctly, but I just cannot pass the data to submit.php file.
update: I just changed my code to :
echo '<input type="hidden" name="id" value="' . $row["postid"] . '" />';
Now a number is succesfully passed to submit.php, the problem is ,it's always "3". My post id ranges from 3 to 13, post with id=3 is at the bottom of the page and post with id=13 is at the top.However,if I write a comment at the post with id=13(same issue occur to other posts as well), after clicking submit, the data passed to submit.php is always 3. Is there something wrong with the while loop?
Another update: it's always 3 because i forget to close the form tag, now everything worked perfectly
you're using single quote, so you cannot insert variables inside of string, use
echo '<input type="hidden" name="id" value="' . $row["postid"] . '" />';
In PHP, you can wrap a string in single-quotes ('), or double quotes (").
When you use single quotes, the string is not interpreted - this means that all the characters are left intact, and no variables are parsed.
When you use double quotes, any variables in the string will be replaced with their value.
In your case, you're using single quotes, so your variable is not being interpreted and converted. Instead, use double quotes:
$sql="SELECT postid,post,pdate FROM posts";
$result = mysql_query($sql);
while ($row = mysql_fetch_array($result)) {
echo $row["post"];
echo '<form action="submit.php" method="POST">';
echo '<input name="comment" type="text" id="comments"></input>';
echo "<input type=\"hidden\" name=\"id\" value=\"{$row["postid"]}\" />";
//Alternatively, keep the single quotes and use the concatenation method:
//echo '<input type="hidden" name="id" value="' . $row["postid"] . '" />';
echo '<input type="submit" value="enter comments" />';
//Also, if you're opening a form tag in this loop, be sure to close it
echo '</form>';
}
Some other things to note:
When you use double quotes to wrap your string, and you have double quotes inside your string, you must escape them (using a \). Notice name="id" became name=\"id\"; and
When referencing an item in an array within a string, you can either use string concatenation to ensure the full variable is interpreted correctly (value=\"" . $row["postid"] . "\"), or you can leave the variable in place and wrap it in curly brackets - which is my preference and is what is used above. If you're going to use the concatenation method, then you can keep the single quotes wrapping everything else - there are no variables to parse.
When echoing a variable value, you don't need to wrap it in anything - notice I removed the quotes from the first echo.
Here is PHP's documentation on strings, including single and double quoted strings: http://php.net/manual/en/language.types.string.php.
And here is PHP's documentation on string operators: http://php.net/manual/en/language.operators.string.php.
Try adding a conditional at the start of your file like this just to be sure the form is actually submitted properly:
<?php
if(isset($_POST['submit_form'])) {
$ha=$_POST['id'];
echo $ha;
}
with your button like this
<input type="submit" value="enter comments" name="submit_form"/>
and please close your form tag.
You can pass value as follow,
echo '<input type="hidden" name="id" value="' . $row["postid"] . '" >';
i am printing checkbox value something following by php
<input type='checkbox' ng-false-value='' ng-true-value='$row->option'>
i am looping this dynamically,
but getting following error
https://docs.angularjs.org/error/ngModel/constexpr?p0=ngTrueValue&p1=Canel
in html this ng-true-value='$row->option' printing like ng-true-value="Canel"
is there any way to do like this ng-true-value="'Canel'", thats mean doublequte then single quote then value then single quote then double quote (something like "'Canel'")
<?php
echo "<input type='checkbox' ng-false-value='' ng-true-value=\"'$row->option'\">";
If $row->option is test it will output:
<input type='checkbox' ng-false-value='' ng-true-value="'test'">
I'm loading a variable from a database like:
$adres = $row['adres']; //(= "Hoge Filterweg")
Then using it in a echo like:
echo input type='text' name='adres' value='{$adres}'
It displays on the form only the first part of the adress ( "Hoge"), but not the whole adress.
What could I do now?
Single quotes surrounding the inline variable like value='{$adres}' dit the trick.
thanks
You need double quotes to pass params with space.
This code should help you:
echo "<input type=\"text\" name=\"adres\" value=\"{$adres}\" />"
I have inserted the following TEXT value into mysql..
$_POST['groupname'] = "Linda's Group";
$groupname = $addslashes($_POST['groupname'];
then retrieve it like this..
$groupname = $row['groupname'];
when I echo it it shows up correctly as "Linda's group"
but when I put it into..
echo "<input name='groupname' type='hidden' value='$groupname' />";
it shows up as "Linda", only show text before the apostrophe
What am I doing wrong?
Whenever you want to send a string to the browser, use htmlspecialchars($string).
Replace that with:
echo "<input name='groupname' type='hidden' value='" . htmlspecialchars($groupname, ENT_QUOTES) . "' />";
... and remove the addslashes() call.
Also, make sure you always use mysql_real_escape_string($string) when inserting string values in a MySQL database.
you need to escape content before displaying it on a web page. your markup reads:
try:
htmlspecialchars($dataToEscape, ENT_QUOTES, 'UTF-8' false)
without this you are vulnerable to XSS.
consider Linda'><script src='evil.js'></script>s Group this example:
<input name='groupname' type='hidden' value='Linda'><script src='evil.js'></script>s Group' />
You need to escape your single quote before you use it in your HTML. This is because your attribute values are surrounded by single quotes.
If you didn't escape the quote, the generated HTML is:
<input name='groupname' type='text' value='Linda's group' />
This is not valid. What you need is:
<input name='groupname' type='text' value='Linda's group' />
You can get that by calling htmlspecialchars:
echo "<input name='groupname' type='hidden' value='" . htmlspecialchars($groupname) . "' />";
This also prevents XSS attacks. Otherwise someone could enter '/><script type="text/javascript">alert("omg hax!")</script><br' for example, and you would get an alert on your page.
Basically I'm developing a (very) simple search engine. You can enter a search term and you are taken to the results page - which works fine. However on the results page, I have a button that will take you to the next 10 results: where $term is the $_POST['term'] value.
echo "<input type='hidden' name='term' value='" . $term . "'>";
This causes the following problem with the term is for example "aidan's".
When the next 10 button is clicked, the term becomes aidan\ and no further results are found.
I am not doing anything to $term.
I usually use Java, but am required to use PHP for this uni assignment!
Any help would be greatly appreciated.
It could be your PHP that escapes your data, check out http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc and / or http://php.net/manual/en/function.addslashes.php these should help you to identify the porblem
Try looking after addslashes() et stripslashes()
http://php.net/manual/en/function.addslashes.php
Regarding your issue, I think you should try to add something like this :
$search = stripslashes($_POST['term']);
If you use double quotes, you don't have to break your string when using a variable. You can also use various options, such as those mentioned already or htmlentities() or urlencode(). I would use the later, just cuz. So you would end up with:
$term = urlencode($term);
echo "<input type='hidden' name='term' value=\"$term\">";
You need to htmlspecialchars() every single bit of data you output to your page. A set-up like yours is the reason that so many XSS vulnerabilities exist around the world, and you should not contribute to them.
echo "<input type='hidden' name='term' value='" . htmlspecialchars($term) . "'>";
Once you have that, you will need no obscure addslashes/quote escaping/whatever anymore.
To make that easier throughout your code, define
function h($s) { htmlspecialchars($s); }
echo "<input type='hidden' name='term' value='" . h($term) . "'>";
The function you are looking for is htmlspecialchars(). However to make it work, you must use quotation marks to wrap the parameter.
Plus, if there are slashes involved, the stripslashes() function may be needed.
So:
$term = htmlspecialchars( stripslashes( $term ) );
echo '<input type="text" name="term" value="' . $term . '" >';
Always use GET method for the search, not POST.
Either turn magic quotes off or strip slashes manually
Use htmllspecialchars with ENT_QUOTES parameter to encode form's field value.
Consider to print out HTML as is, not using PHP echo, to get rid of all this quotes craze
Most important part. If you quote your term for the database search, don't use quoted variable in your form.
so
if (isset($_GET['term'])) {
if (get_magic_quotes_gpc()) $_GET['term'] = stripslashes($_GET['term']);
//$term=mysql_real_escape_string($_GET['term']);
//perform search here.
//
$term = htmlspecialchars($_GET['term'],ENT_QUOTES); //from $_GET again
?>
<input type="hidden" name="term" value="<?php echo $term?>">
<?
}
I think the easiest way is not to put $term as a hidden field at all. For pagination, you can keep memory of the searched term in the session.