American apostrophe clears form input - php

This kind of apostrophe (’) ruins my input, which is saved to the database. I've tried
$GeneralChangeDescriptions[$ChampionNumber+1][$indexGeneral+1] = str_replace("’", "'", $GeneralChangeDescriptions[$ChampionNumber+1][$indexGeneral+1]);
So changing ’ to ' gave no results; I still get an empty field.
The value with the apostrophe is shown just fine, but after sending it with
<input type="hidden" name="GeneralChangeDescriptions" value="'.htmlspecialchars(json_encode($GeneralChangeDescriptions)).'">
it is no longer visible; the whole input is blank. Is there any way to fix this?
Update:
After fiddling a bit with the code I found out that json_encode completely wipes my input after sending. Are there any easy solutions?
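An added example (not code from the question) of the one thing that makes json_encode() silently "wipe" a string: it returns false when the string is not valid UTF-8, and echoing false prints nothing, which is exactly a blank value="" attribute. The ’ in the question is U+2019; a UTF-8 form sends it as three bytes, while a latin1/Windows-1252 database connection stores and returns it as the single byte 0x92. The question does not say which path its data took, so that mismatch is assumed here as the likely cause. The strings are constructed; the code assumes PHP 7.3+ with the mbstring extension.

```php
<?php
// Added example, not from the original post. Assumes the hidden-input round
// trip described in the question; the sample strings below are constructed.
declare(strict_types=1);

// A curly apostrophe as a UTF-8 form submits it: three bytes.
$utf8Input = "Riven\xE2\x80\x99s Q cooldown";        // "Riven’s Q cooldown"
// The same text as a Windows-1252 (latin1) connection hands it back: one byte.
$cp1252Input = "Riven\x92s Q cooldown";

function encodeForHiddenInput(array $descriptions): string
{
    $json = json_encode($descriptions);
    if ($json === false) {
        // json_encode() returns false on malformed UTF-8. Echoing false prints
        // an empty string, which is what a "blank" hidden input looks like.
        throw new RuntimeException('json_encode failed: ' . json_last_error_msg());
    }
    // ENT_QUOTES: JSON is full of double quotes that would otherwise
    // terminate the value="..." attribute.
    return htmlspecialchars($json, ENT_QUOTES, 'UTF-8');
}

function decodeFromPost(string $rawPostValue): array
{
    // The browser decodes the entities before submitting, so $_POST holds the
    // original JSON again; no htmlspecialchars_decode() is needed here.
    return json_decode($rawPostValue, true, 512, JSON_THROW_ON_ERROR);
}

// 1. Valid UTF-8 survives the round trip, curly apostrophe included.
$html = encodeForHiddenInput([[$utf8Input]]);
echo '<input type="hidden" name="GeneralChangeDescriptions" value="' . $html . '">', "\n";
// Simulate the browser decoding the attribute and POSTing it back.
$back = decodeFromPost(htmlspecialchars_decode($html, ENT_QUOTES));
var_dump($back[0][0] === $utf8Input);   // bool(true)

// 2. The single-byte apostrophe is not UTF-8: json_encode() gives false.
try {
    encodeForHiddenInput([[$cp1252Input]]);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
    // json_encode failed: Malformed UTF-8 characters, possibly incorrectly encoded
}

// 3. Fix at the source once the real charset is known (here: Windows-1252) ...
$repaired = mb_convert_encoding($cp1252Input, 'UTF-8', 'Windows-1252');
var_dump($repaired === $utf8Input);     // bool(true)
// ... or, as a last resort, substitute the bad bytes instead of losing everything.
echo json_encode([[$cp1252Input]], JSON_INVALID_UTF8_SUBSTITUTE), "\n";
// [["Riven\ufffds Q cooldown"]]
```

Checking json_last_error() (or using JSON_THROW_ON_ERROR on both encode and decode) turns the silent blank into a loud failure, and the permanent fix is to make the database connection charset match the page (utf8mb4 on both sides) rather than patching individual characters with str_replace.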

Related

Htmlspecialchars ENT_NOQUOTES not working?

I'm trying to output the name of a project, i.e. "David's Project", in a form if a user does not correctly input all data in the form, to save the user having to input the name again.
If I var_dump $name I see David's project. But if I echo $name I see David&#39; Project. I realise that ' (single quote) becomes &#039;, but I have tried using ENT_NOQUOTES and ENT_COMPAT to avoid encoding the single quote and neither works.
$name = trim(filter_input(INPUT_POST, 'name0', FILTER_SANITIZE_STRING));
<form method="post" class="form" />
Title: <input type="text" name="name0" value="<?php echo htmlspecialchars($name, ENT_NOQUOTES); ?>">
Am I doing something wrong, or should ENT_NOQUOTES work? I tried using str_replace to replace ' with \' but this didn't work either.
The only way round this I have found is to use this:
htmlspecialchars_decode(htmlspecialchars($name, ENT_NOQUOTES));
Is that acceptable?
Sorry I realise this is probably a really stupid question but I just can't get my head around it.
Thanks for any replies.
You can accept a simple answer if it solves your problem BUT you should really understand that what you have delved into is a much larger issue you or someone has created for you.
Databases should not contain HTML encoded characters unless they are specifically meant for storing HTML. I highly doubt this is the case as it very rarely is.
Someone is inserting HTML into your database (html encoding data on insert). This means if you ever want to use a mobile app that is not HTML based, or a command line, or anything at all that might use the data and isn't HTML based, you are going to run into a weird problem where the HTML encoded characters have to be removed on output. This is typically kind of the backwards way to do it and can often cause issues.
You rarely need to "sanitize" your inputs. If anything, you should reject input that is not allowed OR simply escape it in the proper way while inserting it into the database. Sanitizing is only a thing in very special circumstances, which you don't appear to have right now. You're simply inputting and outputting text.
You should pretty much never change users' input.
My suggestion, if possible, is to fix your INSERT code first so it isn't html encoding data. This html encoding should happen when you output the data TO AN HTML FORMAT. You would use htmlspecialchars() to do this.
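The answer's "escape on output, not on input" advice, as an added example that is not the answerer's code. It shows why the question sees &#39;: FILTER_SANITIZE_STRING (used in the question's filter_input call, deprecated since PHP 8.1) strips tags and rewrites quotes as numeric entities, so the value is already HTML-encoded before it reaches the database or the form, and htmlspecialchars() then encodes the entity's own &. The posted value is constructed.

```php
<?php
// Added example, not the answerer's code. Constructed input: what
// $_POST['name0'] holds after the user types David's Project into the form.
declare(strict_types=1);

$posted = "David's Project";

// --- What the question does: "sanitize" on the way in ----------------------
// FILTER_SANITIZE_STRING (deprecated since PHP 8.1) strips tags AND turns
// quotes into &#39; / &#34;, so the stored value is already HTML-encoded.
$sanitized = filter_var($posted, FILTER_SANITIZE_STRING);
echo $sanitized, "\n";                                   // David&#39;s Project
// Escaping it again on output encodes the entity's '&': double encoding.
echo htmlspecialchars($sanitized, ENT_NOQUOTES), "\n";   // David&amp;#39;s Project

// --- What the answer recommends: store raw, escape for each output context ---
function escapeForHtmlAttribute(string $value): string
{
    // ENT_QUOTES encodes both ' and ", so the value is safe inside value="..."
    // or value='...'; ENT_SUBSTITUTE avoids returning '' on invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNameField(string $rawName): string
{
    return '<input type="text" name="name0" value="'
        . escapeForHtmlAttribute($rawName) . '">';
}

// The database gets the untouched string (through a prepared statement, not
// shown here) and the form gets the escaped one. The browser decodes the
// entity when it renders the field, so the user sees David's Project.
$raw = trim($posted);
echo renderNameField($raw), "\n";
// <input type="text" name="name0" value="David&#039;s Project">

// The same raw value in a non-HTML context needs no decoding step at all.
echo json_encode(['name' => $raw]), "\n";              // {"name":"David's Project"}

// Attribute escaping is lossless; sanitize-on-input is not.
$roundTrip = htmlspecialchars_decode(escapeForHtmlAttribute($raw), ENT_QUOTES);
var_dump($roundTrip === $raw);                          // bool(true)

// Markup typed by a user stays text: nothing reaches the page as HTML.
echo renderNameField('<b>x</b> "y"'), "\n";
// <input type="text" name="name0" value="&lt;b&gt;x&lt;/b&gt; &quot;y&quot;">
```

Replacing FILTER_SANITIZE_STRING with FILTER_DEFAULT (or reading $_POST directly) and validating the name's length and allowed characters is the "reject what is not allowed" half of the answer; the htmlspecialchars() call at output is the escaping half, and the htmlspecialchars_decode() workaround in the question becomes unnecessary.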

Apostrophe cannot save using redactor wysiwyg

When a post is edited, the text will save but be cut off at the apostrophe, and the apostrophe character does not appear either. The weird thing is that if you go to the add event page, the info will not be saved in the database at all if the text includes an apostrophe. I tried setting the charset to utf8 but that had no effect (I got this method from a forum).
Can anyone suggest a solution for allowing the apostrophe character? Following is part of my code; I will provide any info if you need it.
<textarea class="text-input textarea wysiwyg_mini" name="description" style="height:220px"><?php echo $page['description']; ?></textarea>
Any guidance would be appreciated.
Solved this by using mysql_real_escape_string to escape special characters in a string for use in an SQL statement. The example code is shown below
$description=sanitize_html(mysql_real_escape_string($_POST['description']));
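An added example, not the answerer's code, of the same fix done with a parameterised query so that no escaping function is needed at all. The mysql_* extension the answer calls was removed in PHP 7.0; PDO with an in-memory SQLite database is used here so the snippet runs offline, and only the DSN and connection options differ for MySQL. The event description is constructed.

```php
<?php
// Added example, not the answerer's code. Uses PDO with an in-memory SQLite
// database so it runs offline; for MySQL change the DSN and credentials.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // For MySQL also set PDO::ATTR_EMULATE_PREPARES => false so the server
    // itself binds the parameters, and put charset=utf8mb4 in the DSN.
]);
$db->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, description TEXT NOT NULL)');

$description = "Tonight's show: <b>Tom O'Brien</b> & friends";

// --- Interpolating the value into SQL: the apostrophe ends the string literal.
try {
    $db->exec("INSERT INTO events (description) VALUES ('$description')");
} catch (PDOException $e) {
    // This is the "not saved" behaviour from the question; on MySQL it is also
    // the opening an attacker needs for SQL injection.
    echo 'Interpolated INSERT failed: ', $e->getMessage(), "\n";
}

// --- Parameterised query: the value never becomes part of the SQL text.
function insertEvent(PDO $db, string $description): int
{
    $stmt = $db->prepare('INSERT INTO events (description) VALUES (:description)');
    $stmt->execute([':description' => $description]);
    return (int) $db->lastInsertId();
}

function fetchDescription(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT description FROM events WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

$id = insertEvent($db, $description);
$stored = fetchDescription($db, $id);
var_dump($stored === $description);   // bool(true): apostrophe, tags and & intact

// The editor's HTML is stored exactly as received. Inside <textarea> the value
// is text, so htmlspecialchars() is the right call when reloading the editor;
// the browser turns the entities back into the original markup.
echo '<textarea name="description">'
    . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')
    . '</textarea>', "\n";
```

Binding parameters settles the apostrophe problem for every character, not just '. Whether the stored HTML is safe to render as markup on a public page is a separate question, which is what an allow-list HTML sanitiser such as the answer's sanitize_html() is for; it belongs before the HTML is displayed as HTML, not in the SQL path.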

How should I properly save rich text as a PHP variable in a hidden <input>?

I have a rich text editor (tinyMCE specifically) in a textarea and I'm saving the HTML contents of that textarea into a PHP variable, as well as saving it in a hidden input field. I'm wondering how I can make this both secure and functional, especially with apostrophes or quotation marks that conflict with my hidden input.
I've tried using htmlspecialchars and htmlspecialchars_decode, but it's not fully working, as sometimes I'll get random backslashes in the output (so it's not functioning properly). However, this does seem to prevent issues with apostrophes or quotation marks conflicting with the HTML of the hidden input field.
Is there a perfect solution? I'm thinking about TryIt Editor, and how it can display html elements as well as apostrophes or quotation marks with no problems (as far as I know). How can I do something like that in my rich text editor?
I was on the right track thinking to use htmlspecialchars; I just needed to take it one step further and also use stripslashes. This removed the backslashes I was getting from htmlspecialchars.
So something like:
$content = htmlspecialchars($_POST["textarea"]);
And then when I needed to output it, something like this:
$htmlcode1 = "<html> \n <body>";
$htmlcode2 = "</body> \n </html>";
$somecontent = htmlspecialchars_decode(stripslashes($htmlcode1.$content.$htmlcode2));
Hope this helps someone else out in the future!

Echo new lines and unescaped values in textarea during Post Redirect Get routine

Trying to keep new lines and unescaped values intact in a textarea that is being repopulated with data during a PRG cycle. At what point do you assign the variable correctly so that new lines are recognized?
I've tried double quotes, nl2br, htmlentities, stripslashes but I can't seem to get it. Some attempts:
Assigning during the initial PRG $_SESSION array:
$_SESSION['prg']['textarea'] = "$textarea";
When passing from prg array to var:
$textarea = htmlentities($_SESSION['prg']['textarea']);
When echoing into the textarea:
<textarea name="textarea"><?php if(isset($textarea)) echo nl2br($textarea); ?></textarea>
And various combinations of the above, including the initial $_POST, directly after sanitizing.
Also, in case anyone asks: the escaping works as intended, db insert results are fine. It's just the form repopulating that's throwing things off.
I'm sure this is just a symptom of amateur hour... Looking for php/html solution only. Thanks in advance.
I don't think you want to be calling nl2br when you populate the text area if you want to keep the newlines showing up properly in the textarea. The htmlentities part is good though.
While storing the data use addslashes($_POST['textarea']), and while displaying use stripslashes($textarea).

Certain Characters Deleted When Submitted Through POST

I have two issues
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I provide to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon />
So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode such characters in HTML format, like &amp;). So, as an example, if someone enters Me & you it will be displayed as Me you.
So I'm asking: how can I fix the above issues, which seem to have to do with special characters, despite already having them escaped (I even tried applying the escape function again)? If there is any sample code I should supply, please let me know, but I've explained what I am doing to each input.
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I provide to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon /> So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
This has nothing to do with submitting the data. You are trying to use ' in an attribute value that is delimited with ' characters.
Use htmlspecialchars($data, ENT_QUOTES)
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode such characters in HTML format, like &amp;). So, as an example, if someone enters Me & you it will be displayed as Me you.
In data encoded as application/x-www-form-urlencoded, & means "start of a new key=value pair" and + means "a space". You need to urlencode($data).
First, it helps to properly contain HTML attributes, like so:
<input type="text" value="Hello there I'm Jon" />
I'm using double quotes; notice the trailing quote on the value, which your original didn't have. If you then wrap the value in htmlentities() you'll be able to properly display/save " or any other value in your form.
While double quotes aren't strictly necessary in HTML5 (' will work just fine in most cases), they are at least encouraged. If you're using some variant of XHTML, they are required.
A lazy but fast way to do things here is to use urlencode() on the contents of the fields before they are posted, and then urldecode() on the other side.
It's not the proper way, or the nice way ... but it works if you don't want to write some specific code to handle the cases.
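The urlencode() point made by both answers, as an added example that is not code from either of them. It simulates what the server receives from a hand-built query string, first without and then with percent-encoding, using parse_str(), which applies the same decoding PHP uses to fill $_GET and $_POST. The field values are constructed and no HTTP request is made.

```php
<?php
// Added example, not from either answer. Simulates server-side decoding of a
// few constructed field values; nothing is sent over the network.
declare(strict_types=1);

$values = ['Me & you', '1+1=2', "I'm Jon", '100%'];

// --- Naive concatenation: & starts a new pair, + becomes a space -----------
function naiveQueryString(array $values): string
{
    $pairs = [];
    foreach ($values as $i => $v) {
        $pairs[] = "field$i=$v";
    }
    return implode('&', $pairs);
}

// --- Correct: percent-encode each value ------------------------------------
function encodedQueryString(array $values): string
{
    $pairs = [];
    foreach ($values as $i => $v) {
        $pairs[] = 'field' . $i . '=' . urlencode($v);   // urlencode() turns a space into '+'
    }
    return implode('&', $pairs);
}

// parse_str() decodes exactly as PHP does when populating $_GET / $_POST.
function serverSideView(string $query): array
{
    parse_str($query, $parsed);
    return $parsed;
}

print_r(serverSideView(naiveQueryString($values)));
// field0 => "Me " plus a stray key for " you", field1 => "1 1=2", ...:
// the '&' and the '+' are gone, exactly as in the question.

print_r(serverSideView(encodedQueryString($values)));
// field0 => "Me & you", field1 => "1+1=2", field2 => "I'm Jon", field3 => "100%"

// http_build_query() is the library form of encodedQueryString() and also
// handles nested arrays.
$query = http_build_query(['field' => $values]);
echo $query, "\n";
// field%5B0%5D=Me+%26+you&field%5B1%5D=1%2B1%3D2&field%5B2%5D=I%27m+Jon&field%5B3%5D=100%25
var_dump(serverSideView($query)['field'] === $values);   // bool(true)

// A plain <form method="post"> performs this encoding in the browser, which is
// why the question's first submission "is fine". Manual encoding is needed
// only when a URL or request body is assembled by hand (links, redirects,
// JavaScript). URL encoding and HTML attribute escaping are different
// operations, applied in sequence when a URL lands in href="...":
echo '<a href="?' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '">edit</a>', "\n";
```

The apostrophe half of the question is the attribute-quoting problem the first answer names: the value must go through htmlspecialchars($data, ENT_QUOTES) before it is placed inside value='...' or value="...", and that is independent of whatever SQL escaping happened on the way into the database.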
