PHP is variable not working as expected - php

I have a PHP variable $username and the following script:
<?php
echo ''.$username.'';
?>
If $username contains something <b it bolds text. How can I prevent that?

Use htmlspecialchars
echo ''.htmlspecialchars($username).'';
See documentation: http://php.net/manual/en/function.htmlspecialchars.php

echo ''.htmlentities($username).'';

like that:
<?php
echo ''.htmlspecialchars($username).'';
?>
http://php.net/manual/fr/function.htmlspecialchars.php

The echo in PHP returns the HTML of whatever you tell it should. So if you use e.g.
echo "This is my text which should be displayed as it is <b>";
the browser will translate it into the according HTML text (every browser has built-in mechanics to "repair" malformed HTML), which will be
<b>This is my text which should be displayed as it is</b>
This is not only wrong, but also a security risk. Imagine someone uses an extremely long name which would translate into JavaScript once the browser renders it. Your server would turn into a spambot machine.
To prevent this from happening, you have to use the according PHP function, which is htmlspecialchars() (or htmlentities()).
So your code will be:
echo ''.htmlspecialchars($username).'';
and it will display the name as intended.

You need to strip (remove) HTML tags from the string.
echo '' . strip_tags($username) . '';
http://php.net/manual/en/function.strip-tags.php
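The following is an added example, not code from any of the answers above: it shows the output-encoding step the answers recommend, with explicit flags and charset, and contrasts it with strip_tags(). The $username value and the e() helper name are constructed for the example.

```php
<?php
// Added example (not from the original answers): output-encode a user-supplied
// value before placing it in an HTML page. $username below is a constructed
// sample, chosen to contain the characters that matter in HTML.
declare(strict_types=1);

/**
 * Escape a string for use as HTML text content or inside a double-quoted
 * attribute value. ENT_QUOTES encodes both quote kinds, ENT_SUBSTITUTE
 * replaces invalid UTF-8 sequences instead of returning an empty string,
 * and the explicit charset keeps the result independent of ini defaults.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$username = '<b>Mallory</b> & "friends"';   // constructed sample input

// Text content: the tags are shown literally instead of being interpreted.
echo 'Hello, ' . e($username) . "\n";
// Hello, &lt;b&gt;Mallory&lt;/b&gt; &amp; &quot;friends&quot;

// htmlentities() additionally encodes every character that has a named
// entity (e.g. é becomes &eacute;); for <, >, &, " and ' it gives the same
// result as htmlspecialchars().
echo htmlentities($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "\n";

// strip_tags() removes the tags but leaves quotes and & untouched, so it is
// a filter on input, not an encoder for output.
echo strip_tags($username) . "\n";
// Mallory & "friends"
```

The same e() call covers both text content and double-quoted attribute values; other contexts (inline JavaScript, URLs, CSS) need their own encoding.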

How would one go about showing PHP code on user end. Sort of like w3School does?
Having, let's say, a grey area div, and then showing the code in there without activating it?
You can use HTML entities: &lt;?php in the HTML will be rendered as <?php
You can use htmlspecialchars to encode your code to use html entities.
Use <pre> or <code> tags to wrap your code.
Take a look at http://php.net/manual/en/function.highlight-string.php to further see how you can make the code look pretty.
Since passing a large block of code to highlight_string() can be messy, you may want to look at output buffering in combination with highlight_string to output colorized php code.
Something like:
<?php
ob_start();
?>
phpinfo();
echo "this echo statement isn't executed";
<?php
$code = ob_get_clean();
highlight_string($code);
?>
Simply, you can use the following code to display PHP code on a webpage.
highlight_string("<?php print('This is php code.'); ?>");
It will give output like
<?php print('This is php code.'); ?>
The first step is to not wrap that code in PHP tags. So instead of this:
<?
var sample = "code";
?>
You would have this:
var sample = "code";
It's not the code itself which triggers the server-side compile from the PHP engine, it's the tags which indicate to that engine what blocks of the file are code and what are not. Anything that's not code is essentially treated as a string and output to the page as-is for the browser to interpret.
Once you're outputting the code, it's then a matter of formatting it. The old standard is to wrap it in pre tags to get rid of HTML-ish formatting:
<pre>
var sample = "code";
</pre>
You can also apply CSS style to the pre tags (or any other tags you want to use for displaying code, such as div) as you see fit.
There are also very useful code syntax highlighting plugins and tools to make the code a lot "prettier". Google-code-prettify often comes highly recommended.
Typically this is done by showing code within <pre> or <code> tags.
You can use this template:
######################################################################
echo "<h2><br>Source Code of ".basename((string)__FILE__) . "</h2><hr>";
show_source(__FILE__);
echo "<hr>";
echo "<h2>Output of ".basename((string)__FILE__) . "<hr></h2>";
#######################################################################
It will show the source code and then the output, as follows.
use the header function of php, this will rea
<?php
header("content-type: text/plain");
?>
The PHP code will just be a string that you can echo or print onto the page, no different than any other data you want PHP to display for you. If you want to keep the formatting (ex. the indentation), put it inside a <pre><code> block.
Ex:
$php_code = '<?php $foo = bar; ?>';
echo "<pre><code>$php_code</code></pre>";
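As an added example (not code from the answers above), the function below combines the two approaches the answers describe: highlight_string() in return mode for PHP snippets, and an escaped <pre><code> block for anything else. The render_code() name and both sample snippets are constructed; str_starts_with() requires PHP 8.0 or later.

```php
<?php
// Added example (not from the original answers): render a code snippet on a
// page without the server executing it or the browser interpreting its tags.
declare(strict_types=1);

/**
 * Return an HTML fragment that displays $code verbatim. PHP source (anything
 * starting with an open tag) is passed to highlight_string(), which both
 * escapes and colourises it; any other language is escaped and wrapped in
 * <pre><code> so indentation and line breaks survive.
 */
function render_code(string $code): string
{
    if (str_starts_with(ltrim($code), '<?php')) {
        // The second argument (true) makes highlight_string() return the
        // markup instead of printing it.
        return highlight_string($code, true);
    }
    $escaped = htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<pre><code>{$escaped}</code></pre>";
}

// Constructed samples: a PHP snippet held in a single-quoted string (so its
// tags are data, not code the engine compiles) and a JavaScript snippet.
$php = '<?php echo date(\'Y\'); ?>';
$js  = "var sample = \"code\";\nif (sample < 1) {}";

echo render_code($php), "\n";
echo render_code($js), "\n";
// The second call outputs:
// <pre><code>var sample = &quot;code&quot;;
// if (sample &lt; 1) {}</code></pre>
```

The exact markup highlight_string() returns depends on the PHP version and the highlight.* ini settings, which is why it is not shown as a fixed expected value here.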

PHP: php variable in html link (<a>)

Please help me with this problem.
<?php echo $userRow2['description']; ?>
It seems that the PHP variable is incompatible with html link :(
so I want to know what is the proper method.
TIA...
echo those variables there like the following.
<?php echo $userRow2['description']; ?>
Please use a template engine for these kinds of things...
Use one of:
smarty
twig
mustache
php-view
These will brighten up your day and remove the complexity from your HTML files.
You can also pass all your GET params in an associative array, and use:
http_build_query($params)
so:
or in your way:
<?php echo $userRow2['description']; ?>
You can also build html/php mix with heredoc:
http://www.hackingwithphp.com/2/6/3/heredoc
it seems that the php variable is incompatible with html link
Well, PHP runs server-side. HTML is client-side. So there's no way for client-side code to interpret PHP variables.
You need to enclose server-side code in <?php ?> tags in order for it to execute on the server (like you already do elsewhere). Otherwise the server just treats it as any other HTML and returns it to the browser. Something like this:
<?php echo $userRow2['description']; ?>
As you can see, that gets a bit messy. But you can put the whole thing in one echo statement:
echo "$userRow2[description]";
Notice how the double-quotes needed to be escaped in that one, but since the whole thing was a double-quoted string the variables contained therein would expand to their values.
There are readability pros and cons either way, so it's up to you how you want to present it.
You should use this:
<?php echo $userRow2['description']; ?>
or
<?=$userRow2['description']?>
You can also use Here Doc Syntax
<?php
//test variables
$inst_id = 1;
$description = "Test 1";
$eof = <<<EOF
$description
EOF;
//test output
echo $eof;
http://php.net/manual/en/language.types.string.php#language.types.string.syntax.heredoc
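As an added example (not code from the answers above), this shows the http_build_query() approach one answer mentions, carried through to a complete <a> element: the query string is URL-encoded, then the whole href and the link text are HTML-escaped. The $userRow2 row, the link_to() and e() names, and profile.php are constructed for the example.

```php
<?php
// Added example (not from the original answers): build an <a> link whose
// href carries values from an array row. $userRow2 is a constructed sample
// standing in for the database row in the question.
declare(strict_types=1);

function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Return an anchor element. Query parameters go through http_build_query(),
 * which URL-encodes each key and value and joins them with '&'; the finished
 * URL and the link text are then HTML-escaped for the attribute and the body.
 */
function link_to(string $path, array $params, string $text): string
{
    $href = $path;
    if ($params !== []) {
        $href .= '?' . http_build_query($params);
    }
    return '<a href="' . e($href) . '">' . e($text) . '</a>';
}

// Constructed sample row with characters that matter in URLs and in HTML.
$userRow2 = ['inst_id' => 1, 'description' => 'Tom & Jerry "show"'];

echo link_to(
    'profile.php',
    ['id' => $userRow2['inst_id'], 'q' => $userRow2['description']],
    $userRow2['description']
), "\n";
// <a href="profile.php?id=1&amp;q=Tom+%26+Jerry+%22show%22">Tom &amp; Jerry &quot;show&quot;</a>
```

Note the two layers: %26 and %22 come from the URL encoding of the parameter value, while &amp; and &quot; come from the HTML escaping of the attribute and the text.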

php echo php to browser, not showing up, security issue?

What happens if I use the following?
<?php echo "<?php echo date('Y'); ?>"; ?>
I could not find an answer anywhere, and when I try it myself, I get:
<?php echo date('Y'); ?></td></tr></table>
However, it does not show up in the browser, only in the source.
So my question is, does this affect the HTML/browser/server in any way?
I do not want to end up creating a security issue should users post their
own PHP code in an HTML-only format, like a bio page etc.
It's because of the chevrons ('<' and '>'), because the browser interprets them as tags.
There are 2 ways you could get round this.
Either use the codes for special characters, so you would do:
<?php echo "&lt;?php echo date('Y'); ?&gt;"; ?>
Or, an easier way, use the htmlspecialchars() function:
<?php echo htmlspecialchars("<?php echo 'hi'; ?>"); ?>
More info on the htmlspecialchars() function can be found at http://www.php.net//manual/en/function.htmlspecialchars.php
It is not a security problem and will not have any effects on browser or server, at least not because of PHP code. Even if the string contains PHP code it will just be sent to the client which will not attempt to execute it.
The real problem when echoing user-defined HTML is the risk of attacks such as XSS. Users could include arbitrary scripts or images or scramble the rest of the page by inserting arbitrary tags. In other words: Users could modify the whole page with a single line of HTML.
In general, it's a bad practice to allow such arbitrary input. Have a look at strip_tags which provides a very basic level of protection.

PHP echo-ing a PHP code inside an echo

I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?
I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()
$test = '<b>blah</b>';
echo htmlentities($test);
This will output:
&lt;b&gt;blah&lt;/b&gt;
Which will render in the page as
<b>blah</b>
Echo doesn't execute PHP code from a string. This is impossible and this is not a security hole in your code.
You can use a template engine like Twig, for example.
If htmlspecialchars(); is not the one you are looking for, try the header() option.
header('Content-type: text/plain');
When you are gonna give <b>Hi</b> to a browser, it will be displayed in bold rather than the text being returned. But you can try this way, outputting it inside a <textarea></textarea>.
Or the other way is to use htmlentities():
<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>

How to echo an XML string to an HTML page for debugging?

Okay so I have a php script and I need to somehow view the value of one of my variables. The thing is this variable is a very long string of XML that got returned from a server. I know it has an error message in it but I need to actually see what it is saying. If I try and Print or echo the value it only displays part followed by a ... or if I use var_dump it does the same. I've even gone as far as trying to echo a javascript alert with the value but that fails because there are single and double quotes in the xml causing the alert quotes not to be recognized correctly. I just need to see the value of this variable. Any advice? Thanks.
Edit:
Actually said that wrong. Echo and print don't display the value correctly because the tags are in <> brackets so it is recognizing as an html tag.
You can use htmlentities to output the XML string so that you can get a plaintext view of it in a browser.
<?php echo htmlentities( $xml_string); ?>
Alternatively, you can parse the XML string to reveal the error message, but this may be more complicated than what you need.
Try echo htmlentities($var, ENT_COMPAT, 'UTF-8')
I always use this:
echo "<pre>". htmlentities($s) . "</pre>";
Try this:
echo '<pre>'.$xml_string.'</pre>';
See also:
CDATA - (Unparsed) Character Data
I usually use:
echo nl2br(str_replace('<', '&lt;', $xml));
as it's only the < characters that are a problem
You could just save the XML string to a file. If it's well-formed XML, you can view it with every browser (and expand/collapse nodes ^^).
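As an added example (not code from the answers above), the block below does both things the answers suggest: it shows the raw XML in the browser with the tags escaped inside <pre>, and it parses the document to pull out the error message. The XML document, its element names and the function names are constructed for the example; the null-safe operator requires PHP 8.0 or later.

```php
<?php
// Added example (not from the original answers): show a long XML response
// readably in the browser and pull out an error message from it. The XML
// below is a constructed sample; the element names are assumptions.
declare(strict_types=1);

$xml_string = <<<'XML'
<?xml version="1.0"?>
<response><status>error</status><error code="42">Invalid "token" value: it's expired</error></response>
XML;

/** Escape the whole document so the browser shows the tags instead of parsing them. */
function xml_as_text(string $xml): string
{
    return '<pre>' . htmlspecialchars($xml, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</pre>';
}

/**
 * Parse the document and return the text of the first <error> element.
 * libxml_use_internal_errors() keeps parser warnings off the page; they
 * are read back from libxml_get_errors() and reported as a string instead.
 * LIBXML_NONET stops the parser from fetching external resources.
 */
function extract_error(string $xml): ?string
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$ok) {
        return $errors !== [] ? 'XML parse error: ' . trim($errors[0]->message) : null;
    }
    $node = $doc->getElementsByTagName('error')->item(0);
    return $node?->textContent;
}

echo xml_as_text($xml_string), "\n";
echo extract_error($xml_string), "\n";
// Invalid "token" value: it's expired
```

Escaping the document before printing it is what keeps the single and double quotes inside the XML from interfering with the surrounding page, which was the problem with the alert() attempt in the question.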
