This is my php code. For an example:
<?php
while($row=sqlsrv_fetch_array($result))
{
$ItmName = $row['ItemName'];
}
?>
This is my html:
<input type="text" id="ItmName" name="ItmName" value="<?php echo $ItmName; ?>" />
If the data is as such 3" FILE which have double quotes, in the textbox field it will only be displayed as:
3
which it supposed to be
3" FILE
but IF the data is 3' FILE which is a single quote, it will be displayed as 3' FILE. So there's no problem. So my question is, how to display the data with the double quotes in a HTML input's value.
Always always always escape output that you don't trust.
Use htmlspecialchars (or htmlentities) to escape strings so they are safe to use in HTML.
Related
If it has a single quote in it, any string that I try to enter into my HTML input box is truncated in the input box once it is submitted. Its POST value comes thru unchanged, but the string shows as truncated in the input box, whether I use htmlspecialchars() or not. A noobie question, no doubt, but I've tried hard to figure it out and run out of ideas. Thanks for any help.
<!DOCTYPE html>
<body><title> Self-inserting input_box_SO.php </title>
<?php
// POST form initiation.
ECHO "<form action='input_box_SO.php' method='post'>";
// GET POSTed value and escape it for HTML use
$Caption_htmlspecialchars=$_POST['Caption_htmlspecialchars'];
$Caption_htmlspecialchars=htmlspecialchars($Caption_htmlspecialchars);
ECHO "The echo of the variable <em> \$Caption_htmlspecialchars </em> looks like this:<br>";
ECHO "<b> $Caption_htmlspecialchars </b><br>";
ECHO "But in the input box, \$Caption_htmlspecialchars is truncated by a single quote: <br>";
// ETA: Bad old line that caused the problem, now commented:
// ECHO "<input type='text' name='Caption_htmlspecialchars' size=100 value='$Caption_htmlspecialchars' maxlength = 100 required /><br><br>";
// ETA: Newly added line that fixes the problem:
echo '<input type="text" name="Caption_htmlspecialchars" size=100 value="'.$Caption_htmlspecialchars.'" maxlength = 100 required /><br><br>';
// SUBMIT button. Submits back to the same page: input_box.php
echo "<b><input type='Submit' name='submit' value='Submit'/></b></br></br>";
?>
</body></html>
Here is what Inspect Elements > Elements shows for the input element:
input_box_SO.php
The echo of the variable $Caption_htmlspecialchars looks like this: test with special chars. & " < > and a single quote ('), which causes truncation in the input box. But in the input box, $Caption_htmlspecialchars is truncated by a single quote: and a single quote (" ),="" which="" causes="" truncation="" in="" the="" input="" box.="" '="" maxlength="100" required="">
With the Source looking like this: value='test with special chars. & " < > and a single quote ('), which causes truncation in the input box. '
You need to change your sequence of single quotes nad double quotes to display string. change your echo <input as below
echo '<input type="text" name="Caption_htmlspecialchars" size=100 value="'.$Caption_htmlspecialchars.'" maxlength = 100 required /><br><br>';
Try to use the addslashes and do it like
$Caption_htmlspecialchars = addslashes($Caption_htmlspecialchars);
i am struggling to get a whole string to be the value of an input tag
this is my code thus far but am not sure what is wrong with it
$message = "You have completed {$offername} [{$offerprovider}] and received {$offerpayout}";
echo "<input id='message' style='display: none;' value={$message}>$message</div>";
but when i check the value in javascript or something it just outputs the first word You any help would be appreciated as i am stuck
There are at least two problems in your code:
echo "<input id='message' style='display: none;' value={$message}>$message</div>";
The HTML generated by the line above looks like this:
<input id='message' style='display: none;' value=You have completed ...>
There are no quotes around the value of HTML attribute value. While the quotes are optional if the attribute value is a single word, they are needed when the value of the attribute contains many words; otherwise the value of attribute "value" is You and have, completed etc. are other HTML attributes of the input element.
The second problem of the code comes from the fact that you put some text there without correctly encoding the HTML special characters. For example, if the value of $offername is O'Brian, the generated HTML code (after the value of the "value" HTML attribute is correctly quoted) becomes:
<input id='message' style='display: none;' value='You have completed O'Brian [...] and received ...'>
and it is still invalid. Use the PHP function htmlspecialchars() to properly encode the HTML special characters to get their literal value in the final HTML page.
Another minor notice (not a show stopper) is the quoting character. It's better to use quotes (") for quoting of the attribute values in HTML. Apostrophes (') are allowed but not recommended.
All in all, a better way to write the code is:
$message = "You have completed {$offername} [{$offerprovider}] and received {$offerpayout}";
$encodedMsg = htmlspecialchars($message);
printf('<input id="message" style="display: none;" value="%s">%s</div>',
$encodedMsg, $encodedMsg);
Remember that everything you put in the HTML should be properly encoded or the browser might correct and interpret it in a different way than you intended.
Try this
echo "<input id='message' style='display: none;' value='{$message}'>$message</div>";
The attributes values must enclosed with single or double quotes otherwise it will split the text with space. it will print out like this.
<input id="message" style="display: none;" value="You" have="" completed="" and="" received="">
I am saving double quotes that need to be saved in the database, then later shown on the screen.
$in = '2" to 2.33"';
$in = mysqli_real_escape_string($db, $in);
echo $in; // Shows with backslashes
$results = $db->query("UPDATE store_item_brims SET BrimSizeIn='$in' WHERE ID=2");
// Later I query the database and load to an array
// print_r of the array shows with no backslashes
// echoing into text input field does not work
When I view the data in PHPMyAdmin, it saves in the database without any visible backslashes. When I load the data to an array and print_r the array, it is shown in the array. However, when I try to echo it out in an input text field for the user to update, it only shows 2 and cuts off as soon as the first double quote is reached.
How do I fix this?
when you echo it in to a HTML input the quotes mess up the quotes the HTML input uses as deliminators so short answer:
<input type="text" value="<?php echo htmlentities($YOUR_VALUE); ?>" ...
reference: htmlentities
My question is similar to this question but I'm not using code igniter. I'm echoing variables obtained from a database into the value attribute of a text input. The variables may contain ' or " or any other special chars.
I tried:
<input type="text" name="myTextInput" value="<?= htmlspecialchars($dbValue, ENT_QUOTES); ?>" />
but it outputs quotes as " or ' which is not what I want. I want the text input to actually contain the quotes as typed by the user.
should I be using a php function or a javascript function to escape the string? if I don't escape it I get a javascript error because the quotes inside the $dbValue string are interacting with the value attribute quotes.
That's exactly what you DO want, however. e.g.
if your inserted data is
Davy "Dead Pirate" Jones
and you insert that into an input field literally, you'd end up with
<input type="text" name="..." value="Davy "Dead Pirate" Jones" />
which will be interepreted as follows:
<input> field with attributes:
text -> 'text'
name -> '...'
value -> ' ' (a single space)
Dead ->
Pirate ->
" ? danging quote
Jones ->
" ? -> another dangling quote
By comparion, after doing an html_entities, you'd have
Davy "Dead Pirate" Jones
and that can be inserted into the <input> field without issue.
If the input field's value contains a literal " that's visible to the user, then you've got some double-encoding going on.
You'll want to use html_entity_decode. Here's an example for the documentation:
<?php
$orig = "I'll \"walk\" the <b>dog</b> now";
$a = htmlentities($orig);
$b = html_entity_decode($a);
echo $a; // I'll "walk" the <b>dog</b> now
echo $b; // I'll "walk" the <b>dog</b> now
?>
Reference: http://www.php.net/manual/en/function.html-entity-decode.php
Your looking for the opposite of htmlspecialchars, try using html_entity_decode.
Here is your code using html_entity_decode.
<input type="text" name="myTextInput" value="<?= html_entity_decode($dbValue, ENT_QUOTES); ?>" />
Here is a link to the manual -> http://www.php.net/manual/en/function.html-entity-decode.php
If you have any problems using this you might want to check out this question, which has a common encoding problem -> https://stackoverflow.com/a/4638621/1065786
To display single, double quotes and html tags as text field value try to use:
<?php
$formVal = htmlspecialchars($dbValue, ENT_COMPAT, 'utf-8');
// or this:
// $formVal = htmlspecialchars($dbValue);
?>
<!-- html -->
<form>
<input type="text" name="myTextInput" value="<?php echo $formVal; ?>" />
</form>
http://www.sitepoint.com/form-validation-with-php
https://www.inanimatt.com/php-output-escaping.html
I'm trying to create a form where the user can input their id (username) and it will be appended as a variable in a url that is used in my php script. This is what I have.
<?php
if(isset($_POST['submit']))
{
$id = $_POST['id'];
echo 'http://example.com/default.asp?action=data&id=$id';
}
?>
<form method="post" action="<? echo $_SERVER['PHP_SELF']; ?>">
<input type="text" name="id"><br>
<input type="submit" name="submit" value="Submit Form"><br>
</form>
It collects the user's id properly, and if i just echo $id, it outputs the proper value, but when I try to echo the url, it just outputs $id instead of the actual value of the $id variable. What am I doing wrong?
echo "http://example.com/default.asp?action=data&id=$id";
^---wrong quotes ^--- ditto
single-quoted strings do not interpolate variables.
Single quotes won't interpolate the variable, either use double quotes or use string concatenation.... Three options:
echo "http://example.com/default.asp?action=data&id=".$id;
or
echo "http://example.com/default.asp?action=data&id=$id";
or
echo 'http://example.com/default.asp?action=data&id='.$id;
This line:
echo 'http://example.com/default.asp?action=data&id=$id';
Should be
echo 'http://example.com/default.asp?action=data&id='.$id;
If you are using single quotes in PHP with a string it will print whatever is inside the string without evaluating anything (ie no variables are evaluated). So you can either use double quotes or append the variable like I did above.