I am fetching value from DB and assigning value to textbox on same page
<input type='text' name='sr1' value='<?php echo $row['value']?>'>
On next page trying to fetch the value from same textbox .
$sr1 = $_POST['sr1'];
when I print the variable using echo, value is getting printed as 'Yes'.
but when start comparing it in 'if condition' always else is getting executed.
if($sr1=='Yes')
echo 'Yes';
else
echo 'No';
So var_dump($sr1) is giving output as string(6)"Yes" that means value in you db contains white spaces. Either you need to trim white spaces before storing value into db or use trim() while comparing value.
$sr1 = trim($_POST['sr1']);
It will remove white spaces around $_POST['sr1'] & gives you string Yes & your comparison will get work.
My html is not displaying quotes correctly inside of a value attribute in an input field. I have a form that shows the current value of a field stored in a database, and lets users edit that field.
below is what I have stored in a mysql database
'sarah' said "hello"
below is my retrieval and decoding from the database using PDO and htmlentities:
$questionId = intval($_GET['questionID']);
...
$sql = 'SELECT title from questions q WHERE q.id = :questionId';
$stmt = $dbh->prepare($sql);
$stmt->execute(array(':questionId' => $questionId));
...
$row = $stmt->fetch();
$questionTitle = htmlentities($row["title"], ENT_NOQUOTES);
...
echo <<<END
Question Title: <input type="text" id="questionTitle" name="questionTitle" placeholder="Enter question title here" maxlength="74" value="$questionTitle" required>
END;
What the page displays is the following:
Question Title:[['sarah' said "hello"]]
where [[ ]] indicates an input box.
How do I get the input box display the quotes rather than the html entities? I want it to display the following
Question Title: [['sarah' said "hello"]]
If I do not use the htmlentities function to sanitize the output, then the question title displays as I want it to (with the quotes). But from what I understand, not escaping my HTML output would leave me vulnerable to an XSS injection. See this: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
How do I display these quotes in the value attribute of my input field without being vulnerable to XSS injection?
It looks like they're being returned as html entities. From the php manual:
string htmlspecialchars_decode ( string $string [, int $flags = ENT_COMPAT | ENT_HTML401 ] )
You've got htmlentities up there, so that could be why you're returning them. Try adding _decode to that and see what happens (or take that out entirely). So your line would look like this:
$questionTitle = $row["title"];
This is my php code. For an example:
<?php
while($row=sqlsrv_fetch_array($result))
{
$ItmName = $row['ItemName'];
}
?>
This is my html:
<input type="text" id="ItmName" name="ItmName" value="<?php echo $ItmName; ?>" />
If the data is as such 3" FILE which have double quotes, in the textbox field it will only be displayed as:
3
which it supposed to be
3" FILE
but IF the data is 3' FILE which is a single quote, it will be displayed as 3' FILE. So there's no problem. So my question is, how to display the data with the double quotes in a HTML input's value.
Always always always escape output that you don't trust.
Use htmlspecialchars (or htmlentities) to escape strings so they are safe to use in HTML.
My site has some PHP generated content which echoes HTML elements. Some of these elements are responsive to javascript events...for one input element, the relevant event is onmouseout, but I can't seem to escape this properly.
$sql = mysqli_query($cxn, "SELECT stuff1, stuff2, stuff100, tags FROM myTable WHERE user_id = 'myID'");
while ($row = mysqli_fetch_assoc($sql)) {
$Tagstring = $row['tags'];
//lots of code
echo "<div class='myClass1 myClass2'>
<input type='text' name='myInput' value='".$Tagstring."' onmouseout='ajaxFunction(\"myString\", this.value.trim().replace(/,\s|\s,/g, ","))'>
</div>";
//more code
}
$Tagstring is a comma-separated string of text substrings. If a user edits his/her tags, I am trying to prevent the following:
$Tagstring = 'tag1,tag2'; //from database table
//User edits to 'tag1, tag2';
//Pointless ajax call and access of server, since if user input = original $Tagstring, this will return false as I have set up the ajax call, but if user input !== $Tagstring, then ajax function proceeds
I am not new to PHP and Javascript, so I know in PHP about str_replace or exploding the user input on "," and then trimming each member of the explode array. Alternatively, I could use Javascript to split on "," and then trim the pieces in a for loop (or something similar).
Can anyone tell me how to properly escape the following argument in my echoed function call?
this.value.trim().replace(/,\s|\s,/g, ",")
I tend to echo my output opposite of the way you have done it, which I feel is easier to control. Single quotes on the outside, and double quotes on the inside.
echo '<div class="myClass1 myClass2">
<input type="text" name="myInput" value="'.$TagString.'" onmouseout="ajaxFunction("myString", this.value.trim().replace(/,\s|\s,/g, ""))">
</div>';
What is the error you are seeing?
Fixed it...it seemed to be an escaping issue. This worked :
onmouseout='ajaxFunction(\"AStringNotAVariable\", this.value.trim().replace(/,\s|\s,/g, \",\"))'
whereas
//.replace(/,\s|\s,/g, ",") and .replace(/,\s|\s,/g, ',') and .replace(/,\s|\s,/g, \',\')
led to errors such as Uncaught SyntaxError: Unexpected token ILLEGAL
I have a contact form with Name, CompanyName and Enquiry. When I submit form with html entities in Enquiry field (say Link Or <script>alert('Hello World!');</script>). It appears in the mail like, Link Or <script>alert(\'Hello World!\');</script>. Here both the quotes are escaped. How can I remove that escaping slashes?
I'm attaching snippet below.
//I have used htmlspecialchars() to get the html entities in mail as it is.
$senderName = htmlspecialchars($_REQUEST['contactName'],ENT_QUOTES);
$senderCompany = htmlspecialchars($_REQUEST['contactCompany'],ENT_QUOTES);
$senderEnquiry = htmlspecialchars($_REQUEST['contactEnquiry'],ENT_QUOTES);
Either You should set the content type of the header as text/html or please check the value while posting i think it is because of double quotes and single quotes problem.
For example see the below code:-
$new = htmlspecialchars("<script>alert(\'Hello World!\');</script>", ENT_QUOTES);
echo $new; // This will print output as <script>alert(\'Hello World!\');</script>
but if you will change the code as with double quote see below:-
$new = htmlspecialchars("<script>alert(\"Hello World!\");</script>", ENT_QUOTES);
echo $new; // This will print output as <script>alert("Hello World!");</script>
So please check if there is single and double quote problem while post
ing value via form