I know that urlencoding is used for URLs, but in this case I need to use it for a POST value.
The problem I am having is that when I try encoding it inside the value attribute it doesn't do the encoding.
But when I encode the variable outside the value attribute and then just use the variable, it works.
I am really confused about why that works but using urlencoding in the value attribute doesn't.
Here is my code. Any help would be really appreciated.
Not encoding
<input type="hidden" name="proj" value="<?php echo urlencode($encrypted_params); ?>">
Encoding
<?php $encrypted_params = urlencode($encrypted_params); ?>
<input type="hidden" name="proj" value="<?php echo $encrypted_params; ?>">
Related
Is there a difference where I place my strip_tags and htmlspecialchars tags? I read that Example 2 is better than Example 1.
But I don't understand how that can be the case; aren't these the same thing? I don't know if it also makes a difference that I am setting it back into a $_POST[] variable.
In my case, it's much easier to use Example 1, because no matter where I use $_POST['test'], I know it's safe... while for Example 2 I need to find every instance where I echo $_POST['test'] and put the tags around it.
Is one version truly safer against XSS leaks?
Example 1:
<?php
// Sanitize once, at input time, and overwrite the request value.
$_POST['test'] = htmlspecialchars(strip_tags($_POST['test']));
// other code
?>
<form action="" method="POST">
<input type="hidden" name="test" value="<?= $_POST['test'] ?>" />
</form>
Example 2:
<?php
// other code
?>
<form action="" method="POST">
<!-- Sanitize at output time, each place the value is echoed. -->
<input type="hidden" name="test" value="<?= htmlspecialchars(strip_tags($_POST['test'])) ?>" />
</form>
Both examples are equal (in output).
The problem I can see is that example #1 overwrites the $_POST data.
I would advise against doing so because you cannot restore the original data at a later point in the script (e.g. if you wish to save the data into a database or output it in a non-HTML context).
I somehow misunderstood the question, but this part of my old answer is still applicable.
They are two different functions.
In your case you should only use htmlspecialchars() since this function is meant to escape special HTML characters (<, >, ").
strip_tags() on the contrary strips HTML tags (and some other stuff, see the docs). Do you really want this behavior? I doubt that. Stripping HTML tags differs from escaping them insofar that it really removes the tags. Escaping only "escapes" them so that the browser renders them as normal text.
This piece of code prevents XSS perfectly.
<?php
// Escape once into a local variable; the raw $_POST value is left untouched.
$myVar = htmlspecialchars($_POST['test']);
// other code
?>
<form action="" method="POST">
<input type="hidden" name="test" value="<?php echo $myVar; ?>" />
</form>
I use it like this
$this->message = htmlspecialchars(strip_tags($this->message));
If you have to use $_POST['test'] in multiple spots I would use Example 1, since you won't have to run the other functions (strip_tags, htmlspecialchars) over again, sanitizing the same data you already have.
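The following is an added example, not code from any of the answers above. It runs strip_tags() and htmlspecialchars() over one constructed input so the difference the second answer describes is visible, and it shows what Example 1 loses by overwriting $_POST: the original string is gone for any later non-HTML use, and escaping again at output double-encodes it. hidden_field() is a helper name chosen for this example; PHP 7 or later is assumed for the type hints.

```php
<?php
// Added example, not code from any answer above: contrasts strip_tags() with
// htmlspecialchars() on one constructed input and shows what is lost when
// Example 1 overwrites $_POST with the escaped string.

// Constructed stand-in for what a user might have submitted as $_POST['test'].
$submitted = 'Tom & Jerry <b>say</b> "hi" <script>alert(1)</script>';

// strip_tags() deletes the tags but leaves &, " and ' alone, so the result
// is still not safe to drop into an attribute or between tags.
$stripped = strip_tags($submitted);

// htmlspecialchars() keeps every character of the input and turns the ones
// with HTML meaning into entities. ENT_QUOTES also covers single quotes,
// which matters for attributes written as value='...'.
$escaped = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');

// Example 1's approach: replace the raw value with the escaped one.
$_POST['test'] = $escaped;

// Anything later in the script that wants the original (a database column, a
// plain-text e-mail, a JSON response) now receives HTML entities instead, and
// escaping again at output time double-encodes them (&amp; becomes &amp;amp;).
$doubleEncoded = htmlspecialchars($_POST['test'], ENT_QUOTES, 'UTF-8');

// Example 2's approach: keep the raw value and escape at the point of output.
// hidden_field() is a hypothetical helper written for this example.
function hidden_field(string $name, string $rawValue): string
{
    return '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
         . '" value="' . htmlspecialchars($rawValue, ENT_QUOTES, 'UTF-8') . '" />';
}

echo "strip_tags:       $stripped", PHP_EOL;
echo "htmlspecialchars: $escaped", PHP_EOL;
echo "double-encoded:   $doubleEncoded", PHP_EOL;
echo hidden_field('test', $submitted), PHP_EOL;
```

Because the browser decodes the entities before it submits the form, the value that comes back in $_POST['test'] from the hidden_field() output is the original string again, which is why escaping at output (Example 2) round-trips cleanly while overwriting $_POST (Example 1) does not.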
I'm building a website that stores JSON data in a hidden input element with PHP:
echo "<input type='hidden' class='json_data' name='json_data' value='" . json_encode($data[0]) . "'>";
with that code, I have this result:
<input class="json_data" type="hidden" value="[{"ALBUM_ID":"1234","PHOTOS_ID":"1234578"}]" name="json_data">
But when I try to get the value with jQuery's .val() and try to show ALBUM_ID, I get this: {
Is anything wrong with my way of putting JSON into HTML correctly
and then getting it with jQuery / JavaScript?
Thanks.
First, go to this, open the console and see the result (Ctrl+Shift+J).
http://jsfiddle.net/techsin/Q2MHA/
You need to fix two things: ' and ".
Second, just this code:
JSON.parse($('.json_data').val())[0]
You need [0] because for some reason your JSON object is wrapped in []; you would know why.
Your html should look like this
<input ... value='[{"ALBUM_ID":"1234","PHOTOS_ID":"1234578"}]'...>
You need to correctly handle entities in your input's value. If you populate it with PHP, use htmlspecialchars() and use the result from this function.
Inspect the following line carefully.
<input class="json_data" type="hidden" value="[{"ALBUM_ID":"1234","PHOTOS_ID":"1234578"}]" name="json_data">
As you can see, you have used " to enclose your string. The JSON string also includes ", which breaks your string enclosure. Use ' to enclose the string.
<input class="json_data" type="hidden" value='[{"ALBUM_ID":"1234","PHOTOS_ID":"1234578"}]' name="json_data">
Try to escape the " with addslashes or htmlspecialchars,
or encode the string with base64 and decode it with JS before parsing the string as JSON.
This may be a quite simple question but I can't figure it out. I need to store some value that contains special characters into HTML hidden fields using PHP, such as 5' 5'' indicating the height of a person.
The value is stored in a MySQL database. I tried something like this:
echo "<input type='hidden' id='ed_your_height' name='hd_your_height'
value=".html_entity_decode($your_heigth)."/>";
and
echo "<input type='hidden' id='ed_your_height' name='hd_your_height'
value=".htmlentities($your_heigth)."/>";
but it gives me the value 5' instead of 5' 5'' in both the cases. I need to display these values in drop down and perform some comparisons.
How can I store values with the special characters into HTML hidden field then (retrieving from database)?
Use htmlentities() and html_entity_decode() with the proper flags.
On the client-side
<input type="text" name="fieldname" value="<?php echo htmlentities($string, ENT_QUOTES, 'utf-8'); ?>">
On the server-side:
$string = html_entity_decode($_POST['fieldname'], ENT_QUOTES, 'UTF-8');
Use htmlspecialchars.
value="<?=htmlspecialchars($string)?>"
Assuming short_open_tag is on (bad) or you are using PHP 5.4 (good). Otherwise, use the full <?php echo form.
PS: The reason you were having a problem in the first place is because you were not quoting your attributes - if you used the browser's View Source option you'd see the output is value=5' 5'' so it is interpreted as a value of '5 and a custom boolean attribute called 5''.
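A combined example for the JSON thread above and for this one; it is added here and is not code from any of the posters. It puts a JSON document and the 5' 5'' string into a quoted attribute with a single escaping helper, shows the broken double-quoted form from the JSON question beside the fixed one, and simulates the round trip back to PHP. attr() is a helper name chosen for the example, the sample data is constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example, not code from any of the posts above: one escaping helper that
// puts a JSON document or a quote-laden string ("5' 5''") into a quoted
// attribute, and the round trip back to PHP.

// Constructed stand-ins for the question's $data[0] and $your_heigth.
// $data is itself a list, which is why the JSON comes out wrapped in [].
$data   = [['ALBUM_ID' => '1234', 'PHOTOS_ID' => '1234578', 'TITLE' => 'Tom\'s "summer" <trip>']];
$height = "5' 5''";

// attr() is a hypothetical helper name used only here. ENT_QUOTES escapes both
// " and ', so the output is correct inside value="..." and value='...' alike.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Broken, as in the JSON question: the first " inside the JSON closes the
// attribute, so the browser keeps only the leading bracket(s) and treats the
// rest of the JSON as stray attribute names.
$broken = '<input type="hidden" name="json_data" value="' . json_encode($data) . '">';

// Correct: encode to JSON, then escape the JSON for the attribute context. The
// JSON_HEX_* flags also rewrite <, >, &, ' and " inside string values as \uXXXX,
// so the same text stays harmless if it is ever echoed into a <script> block.
$json = json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
$good = '<input type="hidden" class="json_data" name="json_data" value="' . attr($json) . '">';

// The same helper fixes the height field. Left unquoted, value=5' 5'' is read
// by the browser as value=5' followed by an attribute named 5''.
$heightField = '<input type="hidden" id="ed_your_height" name="hd_your_height" value="' . attr($height) . '" />';

echo $broken, PHP_EOL, $good, PHP_EOL, $heightField, PHP_EOL;

// Round trip: the browser decodes the entities before submitting the form, so
// $_POST['json_data'] already holds plain JSON and json_decode() returns the
// original array; no html_entity_decode() step is needed on the server.
$posted  = htmlspecialchars_decode(attr($json), ENT_QUOTES); // what the browser submits
$decoded = json_decode($posted, true);
var_dump($decoded === $data); // compares the round-tripped array with the original
```

On the client the same decoding has already happened by the time jQuery reads the field, so JSON.parse($('.json_data').val()) from the accepted answer in the JSON thread works unchanged against the $good markup; the [0] is needed only because $data is a list.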
I tried the following, and it shows an empty text area, the value isn't displayed:
<input type="textarea" class="class1" name="name1" placeholder="<?= $val1?>" />
Any thoughts on what should be done so it will work?
Update: It is now working; the value was empty, therefore the text area didn't show anything. The code can be used safely.
<input type="textarea" class="class1" name="name1" placeholder="<?php echo $val1; ?>" />
There is no such input type attribute as textarea.
Do you mean:
<textarea class="class1" name="name1" placeholder="<?php echo $val1; ?>"></textarea>
If $val1 is not null, I think the problem is the short tag (<?= ?>).
You can override this config, at the top of file, put this line to enable short tag:
ini_set('short_open_tag',1);
Make sure that $val1 actually contains a non-empty value. If it does, your code should create a non-empty placeholder attribute.
Check whether the variable is empty (as #Asaph suggested in his comment).
Entered a value and now it is working just fine.
If you encode something using JavaScript's encodeURI() method, how do you get the decoded string in PHP?
I have the string name = "salman mahmood" which I'm sending via POST to my server. When I alert() the string on the client side it gives me "salman%20mahmood" after encoding.
On the server side I'm decoding it using urldecode(), but the result I'm getting is "salman". Do I need a different method to decode? rawurldecode() isn't working either; I just need the value with the space restored.
Edit: Thanks everyone for the suggestions, but I'm writing the code as follows and it still doesn't work!
<input type="text" id="chapterNumber" value=<?php echo rawurldecode("chapter%20Two"); ?> disabled="disabled">
It only prints "chapter".
Put it into quotes: ' '
<input type="text" id="chapterNumber" value='<?php echo rawurldecode("chapter%20Two"); ?>' disabled="disabled">