Apostrophe cannot save using redactor wysiwyg - php

When a post is edited, the text saves but is cut off at the apostrophe, and the apostrophe character itself does not appear either. The weird thing is that on the add event page, the info is not saved to the database at all if the text includes an apostrophe. I tried setting the charset to utf8 but that had no effect (I got this method from a forum).
Can anyone suggest a solution for allowing the apostrophe character? The following is part of my code; I will provide any info if you need it.
<textarea class="text-input textarea wysiwyg_mini" name="description" style="height:220px"><?php echo $page['description']; ?></textarea>
Any guidance would be appreciated.

I solved this by using mysql_real_escape_string to escape special characters in a string for use in an SQL statement. The example code is shown below:
$description=sanitize_html(mysql_real_escape_string($_POST['description']));
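As an added example (not the original poster's code), here is the same save-and-load path written with PDO prepared statements against an in-memory SQLite table. Binding the value is what replaces string escaping: the mysql_* extension, and with it mysql_real_escape_string, was removed in PHP 7.0, and escaping only works when the connection charset is known. The table name, column name and posted text below are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed input, standing in for $_POST['description'] from the editor.
const POSTED = "It's Bob's <b>event</b>; 'single' and \"double\" quotes";

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE page (id INTEGER PRIMARY KEY, description TEXT NOT NULL)');
    return $db;
}

// Broken pattern: the value is pasted into the SQL text, so the apostrophe in
// "It's" terminates the string literal. The insert fails (which is why nothing
// reached the database), and a crafted value could run SQL of its own.
function save_unsafe(PDO $db, string $description): string {
    try {
        $db->exec("INSERT INTO page (description) VALUES ('" . $description . "')");
        return 'inserted';
    } catch (PDOException $e) {
        return 'failed: ' . $e->getMessage();
    }
}

// Fix: bind the value. The driver sends it separately from the statement, so
// quotes, backslashes and semicolons in the text are stored, not interpreted.
function save_safe(PDO $db, string $description): int {
    $stmt = $db->prepare('INSERT INTO page (description) VALUES (:d)');
    $stmt->execute([':d' => $description]);
    return (int) $db->lastInsertId();
}

function load(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT description FROM page WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

$db = open_db();
echo save_unsafe($db, POSTED), "\n";   // failed: SQLSTATE[HY000] ... syntax error
$id = save_safe($db, POSTED);
$stored = load($db, $id);
var_dump($stored === POSTED);          // bool(true): stored byte for byte, apostrophes intact
```

The stored text is exactly what was posted, with no escaping baked into it; escaping for the textarea in the edit form is a separate step done with htmlspecialchars() at output time, not something the database layer should do.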

Related

Htmlspecialchars ENT_NOQUOTES not working?

I'm trying to output the name of a project i.e. "David's Project" in a form, if a user does not correctly input all data in the form, to save the user having to input the name again.
If I var_dump $name I see David's Project. But if I echo $name I see David&#39;s Project. I realise that ' (single quote) becomes &#039;, but I have tried using ENT_NOQUOTES and ENT_COMPAT to avoid encoding the single quote, and neither works.
$name = trim(filter_input(INPUT_POST, 'name0', FILTER_SANITIZE_STRING));
<form method="post" class="form">
Title: <input type="text" name="name0" value="<?php echo htmlspecialchars($name, ENT_NOQUOTES); ?>">
</form>
Am I doing something wrong, or should ENT_NOQUOTES work? I tried using str_replace to replace ' with \' but this didn't work either.
The only way round this I have found is to use this:
htmlspecialchars_decode(htmlspecialchars($name, ENT_NOQUOTES));
Is that acceptable?
Sorry I realise this is probably a really stupid question but I just can't get my head around it.
Thanks for any replies.
You can accept a simple answer if it solves your problem BUT you should really understand that what you have delved into is a much larger issue you or someone has created for you.
Databases should not contain HTML encoded characters unless they are specifically meant for storing HTML. I highly doubt this is the case as it very rarely is.
Someone is inserting HTML into your database (html encoding data on insert). This means if you ever want to use a mobile app that is not HTML based, or a command line, or anything at all that might use the data and isn't HTML based, you are going to run into a weird problem where the HTML encoded characters have to be removed on output. This is typically kind of the backwards way to do it and can often cause issues.
You rarely need to "sanitize" your inputs. If anything, you should reject input that is not allowed OR simply escape it in the proper way while inserting it into the database. Sanitizing is only a thing in very special circumstances, which you don't appear to have right now. You're simply inputting and outputting text.
You should pretty much never change users' input.
My suggestion, if possible, is to fix your INSERT code first so it isn't HTML-encoding data. This HTML encoding should happen when you output the data TO AN HTML FORMAT. You would use htmlspecialchars() to do this.
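To make the answer concrete, the following script (added here; it is not code from the question or the answer) contrasts a project name stored raw with the same name after FILTER_SANITIZE_STRING had already quote-encoded it on input, and shows what each looks like inside a double-quoted attribute with ENT_QUOTES and with ENT_NOQUOTES. The project name is constructed, and html_attr() and title_input() are helper names chosen for this example.

```php
<?php
declare(strict_types=1);

// Constructed project name as the user typed it.
const RAW_NAME = "David's \"Big\" Project";

// The same name after FILTER_SANITIZE_STRING on input: that filter strips tags
// and encodes ' as &#39; and " as &#34;, which is the &#39; the question saw.
// (The filter has been deprecated since PHP 8.1.)
const PRE_ENCODED_NAME = 'David&#39;s &#34;Big&#34; Project';

// One encoder, applied once, where text goes into HTML. ENT_QUOTES encodes
// both quote characters, so the result is safe in single- or double-quoted
// attributes as well as in element content.
function html_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function title_input(string $name, int $flags = ENT_QUOTES): string {
    return '<input type="text" name="name0" value="'
        . htmlspecialchars($name, $flags, 'UTF-8') . '">';
}

// 1. Raw value, ENT_QUOTES: the attribute stays intact, and the browser turns
//    &#039; back into ' when it renders the field.
echo title_input(RAW_NAME), "\n";
// <input type="text" name="name0" value="David&#039;s &quot;Big&quot; Project">

// 2. Raw value, ENT_NOQUOTES: the " in the name closes the attribute early and
//    the rest is parsed as new attributes. That is how attribute injection starts.
echo title_input(RAW_NAME, ENT_NOQUOTES), "\n";
// <input type="text" name="name0" value="David's "Big" Project">

// 3. Value already encoded on input: encoding again turns the & of &#39; into
//    &amp;, so the user literally sees David&#39;s in the field.
echo title_input(PRE_ENCODED_NAME), "\n";
// <input type="text" name="name0" value="David&amp;#39;s &amp;#34;Big&amp;#34; Project">

// What the browser does with case 1: decoding gives back exactly what was stored.
var_dump(html_entity_decode(html_attr(RAW_NAME), ENT_QUOTES, 'UTF-8') === RAW_NAME); // bool(true)
```

The third case is the double-encoding the answer warns about: once the database holds entities, every output path has to know whether to decode, and a path that forgets to encode at all renders whatever the input filter let through.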

HTML textarea input doesn't recognize line breaks

I have a really silly problem, but I cannot find a way to solve it.
I am programming a helpdesk system with support tickets.
I have a form on my website like:
<form action="somepage.php" method="post">
<textarea id="reply" name="reply"></textarea>
<button id="replyButton" type="submit">Submit</button>
</form>
but when the user submits the text and I show it on the website as the conversation between the user and the support assistant, it doesn't recognize the line breaks. I don't know if it's putting \n\r or #10#13, or even nothing...
I've tested, and when I press enter in the textarea and click submit, when I get that same text back from my database I get EMPTY SPACES where the line breaks should be...
BTW, before displaying the text I'm using utf8_encode($text) because people are typing special characters like letters with acute accents and ñ.
In HTML you use the <br> tag for line breaks. Replace all line breaks (newline characters) with that tag and you should be fine. You can "convert" line breaks (newline characters) to that tag using nl2br() (it really only inserts such tags after line breaks).
Escape all special characters before storing them in the database. For instance, in MySQL you can use mysql_real_escape_string. This escapes all special characters while storing in the database.
mysql_real_escape_string : http://php.net/manual/en/function.mysql-real-escape-string.php
Then use nl2br() while displaying back the content from Database.
nl2br() : http://php.net/manual/en/function.nl2br.php
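An added example (not from the question or either answer) showing the order that works: encode for HTML first, then nl2br(), plus a check on the character encoding instead of a blind utf8_encode(). The ticket reply is constructed with the CRLF line endings a browser sends for a textarea; render_reply() and is_utf8() are names chosen for the example.

```php
<?php
declare(strict_types=1);

// Constructed reply as the browser submits it: textarea line breaks arrive as
// CRLF, and the text contains markup, an ampersand and a non-ASCII letter.
const REPLY = "Hola,\r\nmi señal es <b>mala</b> & lenta.\r\nGracias";

// Right order: escape first, then turn line breaks into <br>. The tags nl2br()
// inserts are the only markup left in the output; the user's <b> is shown
// literally, and the newline characters stay behind each <br>.
function render_reply(string $text): string {
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'), false);
}

// Wrong order: the <br> tags are escaped along with everything else, so the
// page shows a literal "<br>" and still no line breaks.
function render_reply_wrong_order(string $text): string {
    return htmlspecialchars(nl2br($text, false), ENT_QUOTES, 'UTF-8');
}

// Storing raw CRLF is fine. The "empty spaces" in the question are the newline
// characters, which HTML collapses to a single space; the page needs <br>.
echo render_reply(REPLY), "\n";
// Hola,<br>
// mi señal es &lt;b&gt;mala&lt;/b&gt; &amp; lenta.<br>
// Gracias
echo render_reply_wrong_order(REPLY), "\n";
// Hola,&lt;br&gt;
// mi señal es &lt;b&gt;mala&lt;/b&gt; &amp; lenta.&lt;br&gt;
// Gracias

// Character set: utf8_encode() converts ISO-8859-1 to UTF-8. Applied to text
// that is already UTF-8 (what a form on a UTF-8 page submits) it double-encodes:
// ñ (bytes C3 B1) becomes Ã±. Check the encoding; don't convert blindly.
function is_utf8(string $s): bool {
    return mb_check_encoding($s, 'UTF-8');
}

$mangled = mb_convert_encoding(REPLY, 'UTF-8', 'ISO-8859-1'); // same operation as utf8_encode()
var_dump(is_utf8(REPLY));                   // bool(true): nothing to convert
var_dump(strpos($mangled, 'Ã±') !== false); // bool(true): double-encoded ñ
```

If the database connection and the page are both UTF-8, the text round-trips unchanged and no conversion call is needed at display time; if is_utf8() returns false for stored rows, the conversion belongs in a one-off migration, not in the render path.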

How should I properly save rich text as a PHP variable in a hidden <input>?

I have a rich text editor (tinyMCE specifically) in a textarea and I'm saving the HTML contents of that textarea into a PHP variable, as well as saving it in a hidden input field. I'm wondering how I can make this both secure and functional, especially with apostrophes or quotation marks that conflict with my hidden input.
I've tried using htmlspecialchars and htmlspecialchars_decode, but it's not fully working, as sometimes I'll get random backslashes in the output (so it's not functioning properly). However, this does seem to prevent issues with apostrophes or quotation marks conflicting with the HTML of the hidden input field.
Is there a perfect solution? I'm thinking about TryIt Editor, and how it can display html elements as well as apostrophes or quotation marks with no problems (as far as I know). How can I do something like that in my rich text editor?
I was on the right track thinking to use htmlspecialchars; I just needed to take it one step further and also use stripslashes. This removed the backslashes I was getting from htmlspecialchars.
So something like:
$content = htmlspecialchars($_POST["textarea"]);
And then when I needed to output it, something like this:
$htmlcode1 = "<html> \n <body>";
$htmlcode2 = "</body> \n </html>";
$somecontent = htmlspecialchars_decode(stripslashes($htmlcode1.$content.$htmlcode2));
Hope this helps someone else out in the future!
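Added example, not the poster's code: carrying the editor's HTML through a hidden input, and then sanitizing it with a tag/attribute allowlist before it is ever rendered unescaped. The posted HTML, the allowlist and the helper names (hidden_field, safe_href, sanitize_rich_text) are all constructed for this demo; a real application picks its own allowlist.

```php
<?php
declare(strict_types=1);

// Constructed editor output, as a WYSIWYG editor might post it: normal markup
// plus an injected script, an inline event handler and a javascript: link.
const POSTED_HTML = '<p>Hello <b>world</b> &amp; friends, it\'s "quoted"</p>'
    . '<script>alert(1)</script>'
    . '<p onclick="alert(2)">click <a href="javascript:alert(3)">me</a> '
    . '<a href="https://example.com/">ok</a></p>';

// Allowlist chosen for this example.
const ALLOWED_TAGS      = ['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br'];
const ALLOWED_ATTRS     = ['a' => ['href']];
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed'];

// Carrying the HTML through a hidden input only needs attribute encoding.
// ENT_QUOTES keeps ' and " from ending the value; the browser decodes the
// entities before submitting, so $_POST holds the original again. No
// stripslashes(): backslashes come from magic_quotes_gpc, not from htmlspecialchars().
function hidden_field(string $html): string {
    return '<input type="hidden" name="content" value="'
        . htmlspecialchars($html, ENT_QUOTES, 'UTF-8') . '">';
}

function safe_href(string $url): bool {
    $clean  = preg_replace('/[\x00-\x20]+/', '', $url); // browsers ignore these in a scheme
    $scheme = parse_url($clean, PHP_URL_SCHEME);
    return $scheme === null || in_array(strtolower($scheme), ['http', 'https', 'mailto'], true);
}

function clean_children(DOMNode $node): void {
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if (!$child instanceof DOMElement) {
            if ($child->nodeType !== XML_TEXT_NODE) {
                $node->removeChild($child);         // comments, processing instructions
            }
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WITH_CONTENT, true)) {
            $node->removeChild($child);             // element and its content
            continue;
        }
        clean_children($child);                     // children first, so unwrapped ones are clean
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            while ($child->firstChild !== null) {   // keep the text, drop the unknown tag
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true);
            if ($keep && $name === 'href') {
                $keep = safe_href($attr->value);
            }
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

// Allowlist sanitizer on a parsed DOM, not on regexes: the parser decides what is a tag.
function sanitize_rich_text(string $html): string {
    $doc = new DOMDocument();
    $doc->loadHTML(
        '<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body>'
        . $html . '</body></html>',
        LIBXML_NOERROR | LIBXML_NOWARNING
    );
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_children($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Round trip through the hidden field: what the browser would submit back.
$field     = hidden_field(POSTED_HTML);
$submitted = html_entity_decode(substr($field, strpos($field, 'value="') + 7, -2), ENT_QUOTES, 'UTF-8');
var_dump($submitted === POSTED_HTML);           // bool(true): no decode step needed server-side

// Sanitize before rendering it unescaped anywhere.
$safe = sanitize_rich_text($submitted);
echo $safe, "\n";
var_dump(str_contains($safe, '<script'), str_contains($safe, 'onclick'), str_contains($safe, 'javascript:'));
// bool(false) bool(false) bool(false); the text, <b> and the https link survive.
```

The hidden input is the easy half: encode with ENT_QUOTES and the browser hands the original back. The hard half is that rich text is meant to be rendered as HTML, so it cannot be output through htmlspecialchars(); it has to go through an allowlist like the one above (or a maintained library doing the same job) every time, ideally right before rendering rather than once at save time.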

Certain Characters Deleted When Submitted Through POST

I have two issues
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon />
So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode such characters in HTML format, like &amp;). So, as an example, if someone enters Me & you then it will be displayed as Me you.
So I'm asking: How can I fix the above issues, seeming to have to do with special characters, despite already having them escaped (and I even tried applying the escape function again)? If there is any sample code I should supply, please let me know, but I've explained what I am doing to each input.
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon /> So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
This has nothing to do with submitting the data. You are trying to use ' in an attribute value that is delimited with ' characters.
Use htmlspecialchars($data, ENT_QUOTES)
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode such characters in HTML format, like &amp;). So, as an example, if someone enters Me & you then it will be displayed as Me you.
In data encoded as application/x-www-form-urlencoded & means "Start of new key=value pair" and + means "A space". You need to urlencode($data).
First, it helps to properly contain HTML attributes, like so:
<input type="text" value="Hello there I'm Jon" />
I'm using double quotes, notice the trailing quote on the value, which your original didn't have. If you then wrap the value in htmlentities() you'll be able to properly display/save " or any other value in your form.
While double quotes aren't strictly necessary in HTML5 (' will work just fine in most cases), they are at least encouraged. If you're using some variant of XHTML, they are required.
A lazy but fast way to do things here is use urlencode() on the contents of the fields before they are posted, and the urldecode() on the other side.
It's not the proper way, or the nice way ... but it works if you don't want to write some specific code to handle the cases.
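An added example (not from the question or the answers) of the second issue: what a raw & or + does inside a query string, what http_build_query() does instead, and how URL encoding and HTML encoding stack when the URL goes into an href. The field value and the /search.php path are constructed; link_to() and parse_query() are names chosen for the example.

```php
<?php
declare(strict_types=1);

// Constructed value the user typed into a form field.
const VALUE = 'Me & you + 100% sure';

// Broken: the raw value is concatenated into a query string. In
// application/x-www-form-urlencoded, & separates pairs and + means space,
// so the receiving side sees a truncated "Me " plus a garbage key.
function naive_query(string $v): string {
    return 'q=' . $v;
}

// Fixed: encode each value for the URL context. http_build_query() applies
// urlencode() to keys and values: space becomes +, & becomes %26, + becomes %2B.
function safe_query(string $v): string {
    return http_build_query(['q' => $v]);
}

// What PHP (or any server) reconstructs from the query string it receives.
function parse_query(string $qs): array {
    parse_str($qs, $out);
    return $out;
}

echo naive_query(VALUE), "\n";                            // q=Me & you + 100% sure
var_dump(parse_query(naive_query(VALUE))['q']);           // string(3) "Me "
echo safe_query(VALUE), "\n";                             // q=Me+%26+you+%2B+100%25+sure
var_dump(parse_query(safe_query(VALUE))['q'] === VALUE);  // bool(true)

// Path segments use rawurlencode() (RFC 3986: space is %20, not +).
echo rawurlencode(VALUE), "\n";                           // Me%20%26%20you%20%2B%20100%25%20sure

// Contexts stack. A URL placed in an href is also inside HTML, so after URL-encoding
// the parameter the whole URL is HTML-encoded: & becomes &amp;, which the browser
// turns back into & before following the link.
function link_to(string $path, array $params): string {
    $url = $path . '?' . http_build_query($params);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">link</a>';
}
echo link_to('/search.php', ['q' => VALUE, 'page' => 2]), "\n";
// <a href="/search.php?q=Me+%26+you+%2B+100%25+sure&amp;page=2">link</a>
```

The "lazy" urlencode()/urldecode() pairing in the last answer works because it is exactly this: encoding for the context the value is about to enter. What it must not become is a value stored already encoded, since every reader of the database then has to know to decode.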

How to make a textarea output textarea code without breaking?

I created a form where users can enter HTML code and it outputs their code in another textarea. The problem is that if the HTML the user enters has a textarea in the code, the </textarea> in their code breaks my textarea form. I see other sites display any HTML correctly, so how is this done without breaking the form, while allowing the user to copy it so that it still remains as </textarea> and not some converted code, so they can paste it on their web page?
Ah crap, yeah, I figured it out. In fact the problem wasn't with the htmlspecialchars code alone; I forgot to add a return to one of my functions, haha. Thanks guys.
Represent characters that have special meaning in HTML using entities. Since you are using PHP, use htmlspecialchars
There are millions and millions of ways to do this. The easiest is to use htmlspecialchars or htmlentities on the user's input. This will make a visual </textarea> in the textarea box without closing it. This actually turns it into &lt;/textarea&gt;. htmlspecialchars transforms fewer characters than htmlentities and usually makes more sense to use in a situation like this, but do your research.
strip_tags() is also a possibility.
You can also use a regular expression with PCRE, or even str_replace() or other string manipulation functions to strip off the textarea, convert the special characters, etc.
PECL also has a BB code extension you can use if you still want your users to be able to enter some form of tags to style their output.
<textarea><?php echo htmlentities($code); ?></textarea>
You have to transform the html code into symbols, so it is not treated as html.
Use the function htmlentities() on the textarea content before echoing it.
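An added example (not code from the question or the answers) showing the breakout the question describes and the fix the answers give, with a check that the encoded textarea closes only once and that what the browser hands back to the user is their original text. The user submission is constructed; textarea_raw() and textarea_safe() are names chosen for the example.

```php
<?php
declare(strict_types=1);

// Constructed user submission: markup that includes a closing textarea tag,
// a script, and a non-ASCII character.
const USER_CODE = "<textarea>inner</textarea><script>alert('x')</script> <p>ñ &amp; co</p>";

// Broken: the submitted text is echoed as-is. The browser ends the textarea at
// the user's </textarea> and parses the rest as page markup, so the script runs.
// That is the form "breaking".
function textarea_raw(string $code): string {
    return '<textarea name="code">' . $code . '</textarea>';
}

// Fixed: encode the HTML-significant characters. The textarea now closes only
// at our own tag, and the browser decodes the entities when rendering the
// content, so what the user sees and copies is their original text.
function textarea_safe(string $code): string {
    return '<textarea name="code">' . htmlspecialchars($code, ENT_QUOTES, 'UTF-8') . '</textarea>';
}

echo textarea_raw(USER_CODE), "\n";
echo textarea_safe(USER_CODE), "\n";
// <textarea name="code">&lt;textarea&gt;inner&lt;/textarea&gt;&lt;script&gt;alert(&#039;x&#039;)&lt;/script&gt; &lt;p&gt;ñ &amp;amp; co&lt;/p&gt;</textarea>

// Checks: one closing tag (ours), and a lossless round trip through the browser's decoding.
var_dump(substr_count(textarea_raw(USER_CODE), '</textarea>'));   // int(2)
var_dump(substr_count(textarea_safe(USER_CODE), '</textarea>'));  // int(1)
var_dump(html_entity_decode(htmlspecialchars(USER_CODE, ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8') === USER_CODE); // bool(true)

// htmlentities() also works here but goes further: every character with a named
// entity is encoded, so ñ becomes &ntilde;. Output grows, and the charset argument
// must match the input or non-ASCII text is mangled. htmlspecialchars() is the usual choice.
echo htmlentities('ñ &amp; <b>', ENT_QUOTES, 'UTF-8'), "\n";      // &ntilde; &amp;amp; &lt;b&gt;
echo htmlspecialchars('ñ &amp; <b>', ENT_QUOTES, 'UTF-8'), "\n";  // ñ &amp;amp; &lt;b&gt;
```

Note the double-encoded &amp;amp; in both outputs: the user's own &amp; is data here, and encoding it again is correct, because the browser decodes exactly once and shows &amp; in the box. strip_tags() or a regex would silently alter the user's code instead, which is the opposite of what this form wants.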
