I am trying to get some data (varchar) from my database and show it in my HTML in the right encoding, because it contains German special characters.
The database is in latin1_german2_ci(cp1252), my html
<input type="text" id="owner" name="owner" value="<?=get_owner() ?>" class="form-control">
function get_owner()
{
$owner = htmlentities($text_I_got_from_db, ENT_COMPAT, 'cp1252');
return $owner;
}
This gives me, ie. Kälte in my <input>, but I want Kälte.
I know that htmlentities() turns special chars into HTML code. How do I make it stay that way in the HTML and not get "converted back"?
If you want to print text in the page 'as is', you may use code like this:
$owner = htmlentities('Kälte', ENT_COMPAT, 'UTF-8');
echo htmlspecialchars($owner);
Related
Sounds very simple, but I'm kinda confused at the moment.
I have this DB object which includes some values that I want to output in an html form.
Simplified Problem:
$result is my db object and this is the html input where I want to output some text which can include double or single quotes.
<input class="someclass" name="desc" id="descID" type="text" value="<?=$result['desc'];?>" placeholder="<Description>" />
So if $result['desc'] contains text like this: 'Did you hear about "foobar"?'
everything after the first double quote gets cut off and ends up like this: 'Did you hear about '.
What I have tried already without success:
htmlspecialchars like this value="<?=htmlspecialchars($result['desc']);?>" or like this value="<?=htmlspecialchars($result['desc'], ENT_QUOTES);?>"
addslashes
Note: My DB(mssql) saves the string properly. Only have the problems in my html.
I would be glad if you could help me out here. Thanks.
Thanks for the help so far, but I managed to find a solution to this:
<?$descEscaped = str_replace('"', '"', $result['desc']);?>
<input class="someclass" name="desc" id="descID" type="text" value="<?= htmlspecialchars($descEscaped);?>" />
htmlspecialchars replaces quotes with "&quot;".
I am using my simple function htmlliteral:
function htmlliteral($s){
return '"'.htmlspecialchars($s).'"';
}
With this function you can use:
$descEscaped = htmlliteral($result['desc']);
print "<input class=someclass name=desc id=descID type=text value=$descEscaped />";
Morning,
I have created a small form to store some information to a database.
I have magic_quotes_gpc turned off on my server.
If I enter a " or a £ sign in the box, it stores into the database without a worry.
When I echo it back with PHP it displays, but if I use the value in an input form field the " closes the value field.
<input type="text" name="variable" value="<?php echo $row['variable']; ?>" />
I have now used htmlspecialchars around the input value and it works.
<input type="text" name="variable" value="<?php echo htmlspecialchars($row['variable']); ?>" />
But I have looked at the OpenCart source as a reference, and they do not use htmlspecialchars but store the data in a different way.
I tried using the urlencode method they have used:
urlencode(html_entity_decode($_POST['variable'], ENT_QUOTES, 'UTF-8'));
but this seems to store as a lot of numbers and + signs which did not display back correctly.
I would rather encode the database update instead of using the method I am using with htmlspecialchars.
But I am not quite sure which way would be best?
Thank You
You may use the htmlentities() function in PHP.
Perhaps try mysqli_real_escape_string($dblink, $string) instead of htmlspecialchars
For storing the HTML characters, change the characters and then store them:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>
To get back the correct HTML Character do the decoding as:
<?php
$str = "<p>this -&gt; &quot;</p>\n";
echo htmlspecialchars_decode($str);
// note that here the quotes aren't converted
echo htmlspecialchars_decode($str, ENT_NOQUOTES);
?>
For more information refer to http://www.php.net/manual/en/function.htmlspecialchars.php
I use CKEditor in the admin panel, but the user submit form uses a simple textbox so the user can input text and submit. The problem is that when a user enters text with line breaks in the textarea, it is saved as-is in SQL. I want to add a BR after each line in SQL.
For Example User Submits:
F.R.I.E.N.D.S.:
(F)ight for you.
(R)espect you.
(I)nvolve you.
(E)ncourage you.
(N)eed you.
(D)eserve you and
(S)tand by you.
This got saved in the DB as-is, with the next line showing in the output. But I want to save it in the DB as:
F.R.I.E.N.D.S.:<br />
(F)ight for you.<br />
(R)espect you.<br />
(I)nvolve you.<br />
(E)ncourage you.<br />
(N)eed you.<br />
(D)eserve you and<br />
(S)tand by you.
I use nl2br, but it's not working on the user submit form. If I use nl2br on the admin processing form, then it adds two BR tags on those fields already added with CKEditor.
Code used on user submit form is:
<textarea name="content" id="content" cols="60" rows="10" class="span7"><?php if(isset($content)) { echo $content; } ?></textarea>
$content = trim($_POST["content"]);
$content = mysql_real_escape_string($content);
$content = nl2br($content);
No processing is used on the admin approval form, where CKEditor is used on the textarea. Text output from the DB appears without line breaks, in a single line, in CKEditor.
If I use nl2br on output in this form it works, but it adds double BRs to earlier text posted through CKEditor.
I also tried $content = preg_replace("/\r\n|\r/", "<br />", $content); as suggested by someone on Stack Overflow on a similar question.
Please suggest some function for this problem.
Also suggest whether I need to use some function like htmlentities or stripslashes to process content before inserting into SQL.
Just replace the new line \r\n, \r first, then trim it.
$content = preg_replace("/\r\n|\r/", "<br />", $_POST["content"]);
$content = trim($content);
Or:
$content = nl2br($_POST["content"]);
$content = trim($content);
Good luck.
You need to use nl2br for displaying the value, whenever you need it, not for saving it.
My question is similar to this question but I'm not using code igniter. I'm echoing variables obtained from a database into the value attribute of a text input. The variables may contain ' or " or any other special chars.
I tried:
<input type="text" name="myTextInput" value="<?= htmlspecialchars($dbValue, ENT_QUOTES); ?>" />
but it outputs quotes as &quot; or &#039; which is not what I want. I want the text input to actually contain the quotes as typed by the user.
Should I be using a PHP function or a JavaScript function to escape the string? If I don't escape it I get a JavaScript error because the quotes inside the $dbValue string are interacting with the value attribute quotes.
That's exactly what you DO want, however. e.g.
if your inserted data is
Davy "Dead Pirate" Jones
and you insert that into an input field literally, you'd end up with
<input type="text" name="..." value="Davy "Dead Pirate" Jones" />
which will be interpreted as follows:
<input> field with attributes:
text -> 'text'
name -> '...'
value -> ' ' (a single space)
Dead ->
Pirate ->
" ? dangling quote
Jones ->
" ? -> another dangling quote
By comparison, after doing an html_entities, you'd have
Davy &quot;Dead Pirate&quot; Jones
and that can be inserted into the <input> field without issue.
If the input field's value contains a literal &quot; that's visible to the user, then you've got some double-encoding going on.
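The three cases this answer describes (raw value, escaped once, double-encoded), as an added PHP example that is not part of the original thread. `attr()`, `parsed_value()` and the sample value are made up for illustration, and the regex only approximates how an HTML parser ends a double-quoted attribute.

```php
<?php
// Escape a value for use inside a quoted HTML attribute.
function attr(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Approximate what the browser ends up with as the field's value:
// the attribute ends at the next literal ", then character references
// inside it are decoded exactly once.
function parsed_value(string $html): string
{
    preg_match('/\bvalue="([^"]*)"/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample value, as it would come back from the database.
$dbValue = 'Davy "Dead Pirate" Jones & <b>sons</b>';

$cases = [
    'raw'           => $dbValue,              // value is cut at the first "
    'escaped once'  => attr($dbValue),        // round-trips to the original
    'escaped twice' => attr(attr($dbValue)),  // user sees literal entities
];

foreach ($cases as $label => $value) {
    $html  = '<input type="text" name="pirate" value="' . $value . '">';
    $shown = parsed_value($html);
    printf(
        "%-14s markup: %s\n%-14s field:  %s (%s)\n\n",
        $label,
        $html,
        '',
        $shown,
        $shown === $dbValue ? 'matches stored text' : 'differs from stored text'
    );
}
```

Only the "escaped once" case shows the stored text in the field; the entities exist in the page source, not in what the user sees or submits.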
You'll want to use html_entity_decode. Here's an example from the documentation:
<?php
$orig = "I'll \"walk\" the <b>dog</b> now";
$a = htmlentities($orig);
$b = html_entity_decode($a);
echo $a; // I'll &quot;walk&quot; the &lt;b&gt;dog&lt;/b&gt; now
echo $b; // I'll "walk" the <b>dog</b> now
?>
Reference: http://www.php.net/manual/en/function.html-entity-decode.php
You're looking for the opposite of htmlspecialchars, try using html_entity_decode.
Here is your code using html_entity_decode.
<input type="text" name="myTextInput" value="<?= html_entity_decode($dbValue, ENT_QUOTES); ?>" />
Here is a link to the manual -> http://www.php.net/manual/en/function.html-entity-decode.php
If you have any problems using this you might want to check out this question, which has a common encoding problem -> https://stackoverflow.com/a/4638621/1065786
To display single, double quotes and html tags as text field value try to use:
<?php
$formVal = htmlspecialchars($dbValue, ENT_COMPAT, 'utf-8');
// or this:
// $formVal = htmlspecialchars($dbValue);
?>
<!-- html -->
<form>
<input type="text" name="myTextInput" value="<?php echo $formVal; ?>" />
</form>
http://www.sitepoint.com/form-validation-with-php
https://www.inanimatt.com/php-output-escaping.html
I want to save HTML-formatted text to the database, but when I do that it doesn't save HTML symbols like < / > ' and others.
This is how I read article from database for editing:
<p class="Title">Англійський варіант:</p>
<textarea name="EN" cols="90" rows="20" value="<?php echo htmlentities($articleArr['EN'], ENT_QUOTES, "UTF-8"); ?>" ></textarea>
after this generates such html-code:
<p class="Title">Англійський варіант:</p>
<textarea name="EN" cols="90" rows="20" value="<p class='Title'> привыт </p>" ></textarea>
So, I expect that this text will appear in my text field; it is in the HTML code of this page, but it is not in the textarea.
In database I save it as:
<p class="Title"> Hello </p>
So how can I do the following:
Read HTML-formatted text from the database.
Show it in a textarea element.
Edit and save it back to the database.
Help me please, how can I save such texts properly? Thanks!
Try using htmlspecialchars() on the string to put into the DB, and then, when pulling it back out, use htmlspecialchars_decode(). Might make a difference.
Save it to a nvarchar(max) field.
Make sure you use parameterized queries for security. Read
http://www.aspnet101.com/2007/03/parameterized-queries-in-asp-net/
http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/
With little changes to the SQL, you can apply this to MySQL also.
There is no problem with saving your HTML code in the database, and no need to filter data before saving.
But when you want to show it again in a textarea you should escape it.
In PHP you can use this code to escape HTML:
PHP Function
see doc: htmlspecialchars
$cotnent = htmlspecialchars( $cotnent );
WordPress Functions:
see doc: format_to_edit
$cotnent = format_to_edit( $cotnent , false );
OR
see doc: esc_textarea
$cotnent = esc_textarea( $cotnent );
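The advice in the last two threads (store the text unchanged with a parameterized query, apply nl2br only when displaying, escape when putting it back into a textarea) as one added PHP example; it is not code from any of the posts. It assumes the pdo_sqlite extension for an in-memory database, and the table, column and helper names are made up.

```php
<?php
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed submission: markup, both quote types and CRLF line breaks.
$submitted = "<p class=\"Title\">Hello</p>\r\n(F)ight for you.\r\nIt's \"done\"";

// 1. Store the text unchanged. The bound parameter keeps it out of the SQL
//    string, so no HTML escaping or manual quoting is needed here.
$stmt = $pdo->prepare('INSERT INTO article (body) VALUES (:body)');
$stmt->execute([':body' => $submitted]);

$stored = $pdo->query('SELECT body FROM article WHERE id = 1')->fetchColumn();

// Escape for HTML output (element content or quoted attribute).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Edit form: a <textarea> has no value attribute; its content goes
//    between the tags, escaped, so the user edits the stored text itself.
$editForm = '<textarea name="content" cols="60" rows="10">'
          . e($stored)
          . '</textarea>';

// 3. Read-only display: escape first, then nl2br, so the only markup in
//    the output is the <br /> tags added here.
$display = nl2br(e($stored));

echo 'stored unchanged: ', var_export($stored === $submitted, true), "\n\n";
echo $editForm, "\n\n";
echo $display, "\n";
```

Because nothing is transformed before the INSERT, saving the edit form back through the same prepared statement never accumulates extra `<br />` tags or entities.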