I have the following code:
<input type="text" name="nr_p_vac" value="<?php echo htmlspecialchars($row['nr_p_vac']); ?>">
where $row['nr_p_vac'] is test ' " / /n /t <>.
When I'm not using htmlspecialchars in the input there's only test ' (of course, because " is not escaped).
When I'm using the htmlspecialchars function the input has the correct value ' " / /n /t <> (because now ' and " are properly escaped).
But shouldn't the content of the input be transformed into something like test ' '"' etc.?
Is it ok to use htmlspecialchars in this case?
You can look the page source and you will see that the value is
' " / /n /t <>
It is ok to use it in your case
Already answered here:
How to properly escape html form input default values in php?
Related
I have some var containing ', "
$var = "Hello \" World '";
<input type="text" value="<?= $var ?>" >
when browser render this code above we will see input element containing only 'Hello'.
how solve this problem without using special symbols like ” in Db strings must contain ', "
how solve this problem without using special symbols like ”
You don't, although rdquo is the wrong character reference to use in this case.
Run text through htmlspecialchars() to turn it into HTML before you insert it into an HTML document.
<input type="text" value="<?= htmlspecialchars($var) ?>">
HTML Entities is what you need.
This is similar to htmlspecialchars but if you require all input substrings that have associated named entities to be translated, use htmlentities() instead.
Here's Char html codes!
$var = "Hello \" World '";
I use html special char:
" - special html char - "
$var = "Hello " World '";
Result:
Hello " World '
I have comment box. If i type in something like this
aa #Martins <aabb>
In database I save it like:
aa <span class="highlight" contenteditable="false">#Martins Vilskersts</span> <aabb><span></span>
And for now i use this, to show it:
$str = strip_tags(htmlspecialchars_decode(html_entity_decode($my_string_from_database)), '<br><br/>');
//here is some replace for links functionality
$replace = '<a href="javascript:;" class="..." id="..." ></a>';
$str = str_replace($link->tag, $replace, $str);
echo $str;
And i get result like this:
aa #Martins
But i want to see it like this:
aa #Martins <aabb> -[with # functionality, but with some random <aaa><bbb> tags as plain text. Any idea?]
USE THIS:
just replace < by < and > by >
Keep this in mid as well :
'&' (ampersand) becomes &
'"' (double quote) becomes " when ENT_NOQUOTES is not set.
"'" (single quote) becomes ' only when ENT_QUOTES is set.
'<' (less than) becomes <
'>' (greater than) becomes >
If you just literally output the string as stored in the database, without using htmlspecialchars_decode, strip_tags, html_entity_encode, etc, then it'll come out properly.
You have already saved the parts you want to see as encoded characters, and the parts that should work as raw html in your database.
This question already has an answer here:
PHP $_Server Not Working Properly [duplicate]
(1 answer)
Closed 8 years ago.
$a="something";
echo ' <div id="content">$a, but not sure how to do it</div>'
How can I print $a's value inside echo?
echo " <div id=\"content\">$a, but not sure how to do it</div>";
Please read the difference between single and double quotes in PHP.
echo "<div id=\"content\">" . $a . ", but not sure how to do it </div>";
The \'s are escape sequences that allow you to have quotation marks within strings (otherwise they would terminate the string). The .'s are concatenation.
there are many ways
1) use " instead of '
echo " <div id='content'>$a, but not sure how to do it</div>"
2) use {} with " if you are want to print something complex and want your editor to format it correctly. most of the time i use it with arrays or when calling a function ex. {$arr['a']} instead of $arr['a'].
echo " <div id='content'>{$a}, but not sure how to do it</div>"
3) just do this
echo ' <div id="content">' . $a . ', but not sure how to do it</div>'
Currently I'm using the below snippet, which indent the resulting HTML by using several space characters:
add_filter('get_search_form', 'filter_search_form');
function filter_search_form($form) {
$form = ' <form role="search" method="get" id="searchform" action="' . home_url('/') . '"><input type="text" placeholder="' . __('Search') . '" value="' . get_search_query() . '" name="s" id="s"><input type="submit" id="searchsubmit" value="' . esc_attr__('Search') . '"></form>' . "\n";
return $form;
}
Now I've been reading some about whitespace characters (\t for tab, \n for newline, etc.), but I'm not entirely sure how to implement this in this situation.
I've tried using \s for a single space, but without any luck thusfar.
Being relatively new to PHP, I hope you could assist (preferably without using a 'regular' space character).
According to http://php.net/manual/en/regexp.reference.escape.php, the general hexadecimal escape sequence \x20 should work, as should \040 (octal).
Personally, though, I don't see much (if any) benefit to ever specifying spaces in this manner, as it would make your code less readable, IMHO. Just stick literal spaces inside your single- or double-quotes (like you have now) and be done with it.
Alternatively, if you're trying to use whitespace to indent the resulting HTML code (as it seems you are), doing so in units of \t isn't the end of the world.
Characters like \t and \n need to be in double quotes...
$string = "\t" . '<form></form>';
If you want to insert a tab before it you could use:
$string = "\t" . '<form>....';
(don't forget the double quotes, the single ones don't work with \t, \n and friends!)
If you want spaces, just use spaces!
$string = " " . '<form>....';
It's html code, so they will be present in the source code of your page. They won't ‘collapsed’ into a single space.
I am have troubles trying to print out < > symbols in HTML using PHP.
I am appending a string "<machine>" to a variable.
Example:
$output .= " <machine> ";
echo $output;
I tried using escapes, but that didn't help. Any advice?
> = >
< = <
Or you can use htmlspecialchars.
$output .= htmlspecialchars(" <machine> ");
If you are outputting HTML, you cannot just use < and > : you must use the corresponding HTML entities : < and >
If you have a string in PHP and want to automatically replace those characters by the corresponding HTML entities, you'll be interested by the htmlspecialchars() function (quoting) :
The translations performed are:
'&' (ampersand) becomes '&'
'"' (double quote) becomes '"' when ENT_NOQUOTES is not
set.
"'" (single quote) becomes ''' only when ENT_QUOTES is
set.
'<' (less than) becomes '<'
'>' (greater than) becomes '>'
In your case, a portion of code like this one :
$output = " ";
echo htmlspecialchars($output, ENT_COMPAT, 'UTF-8');
Would get you the following HTML code as output :
<machine>
And, just in case, if you want to encode more characters, you should take a look at the htmlentities() function.
Your trouble is not with PHP, but rather with the fact that < and > are used in HTML. If you want them to display in the browser, you probably want to print out their escaped entity versions:
< is <
> is >
You can also use the htmlspecialchars() function to automatically convert them:
echo htmlspecialchars("<machine>");
You need to turn them into e.g. < and > - see the htmlentities() or htmlspecialchars() functions.
echo htmlentities($output);
or
echo htmlspecialchars($output);
If you don't want to bother manually going through your string and replacing the entities.
use "htmlspecialchars_decode()"
e.g.
<?php
$a= htmlspecialchars('<?php ');
$a=$a.htmlspecialchars('echo shell_exec("ipconfig"); ');
$a=$a.htmlspecialchars('?>');
echo htmlspecialchars_decode($a);
?>
The < and > symbols should be shown in the HTML source but the "<machine>" is interpreted as XML tag. Use htmlentities() to convert all special characters in the String into their HTML-equivalents, or use "<machine>"
Solution:
$output .= " <machine> ";
$output = htmlentites($output);
echo $output;