PHP escaping syntax again - php

Thanks again for the help with a similar question earlier. I have one more similar, but I think more complicated.
It looks like this in HTML:
<input type="button" class="formButtonDeleteButton" value="" onclick="document.getElementById('WADADeleteRecordID').value=<?php echo($row_WADAactivities2['ActivityID']); ?>;document.getElementById('WADADeleteRecordName').innerHTML='<?php echo($row_WADAactivities2['Activity']); ?>';document.getElementById('deleteBox').style.display = 'block';document.getElementById('deleteMessage').style.display = 'table';" />
I get so far with it, but just get a bit lost, e.g.:
echo '<input type="button" class="formButtonDeleteButton" value="" onclick="document.getElementById('WADADeleteRecordID').value=' . rawurlencode($row_WADAactivities2['ActivityID']) . ;document.getElementById('WADADeleteRecordName').innerHTML=' . rawurlencode($row_WADAactivities2['Activity']);';document.getElementById('deleteBox').style.display = 'block';document.getElementById('deleteMessage').style.display = 'table';" \"/>";
This is pretty much the last bit of something I've been looking at that needs tidying up.
Thanks again.

You need to escape all the single-quote characters that are inside the single-quoted string:
echo '<input type="button" class="formButtonDeleteButton" value="" onclick="document.getElementById(\'WADADeleteRecordID\').value=' . rawurlencode($row_WADAactivities2['ActivityID']) . ';document.getElementById(\'WADADeleteRecordName\').innerHTML=\'' . rawurlencode($row_WADAactivities2['Activity']) . '\';document.getElementById(\'deleteBox\').style.display = \'block\';document.getElementById(\'deleteMessage\').style.display = \'table\';" />';
I strongly recommend against writing such long strings of inline Javascript. Move it out into a Javascript function, and use onclick="functionName(...)".

See, you should always decide on whether or not it's necessary to even echo something like this, or instead just use short tags like <?=$someVar?> directly in your view section of the code. Why? Because it's much easier to deal with NOT escaping quotes :D Anyway, the way you should choose your quotes, single or double, is: if you're planning on NOT having any variables inside the string, use single quotes. If you're planning on using variables in the string, use double quotes to avoid having to concatenate. Since you've used single quotes, you don't have to escape doubles, but you do have to escape other single quotes inside:
echo '<input type="button" class="formButtonDeleteButton" value="" onclick="document.getElementById(\'WADADeleteRecordID\').value=' . rawurlencode($row_WADAactivities2['ActivityID']) . ';document.getElementById(\'WADADeleteRecordName\').innerHTML=\'' . rawurlencode($row_WADAactivities2['Activity']) . '\';document.getElementById(\'deleteBox\').style.display = \'block\';document.getElementById(\'deleteMessage\').style.display = \'table\';" />';
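The first answer's advice (move the inline JavaScript into a function) and the second answer's quoting rules, carried through as an added example that is not part of the question or of either answer. It assumes the same $row_WADAactivities2 keys as the question; the row below is constructed test data. It also swaps the encoder: rawurlencode() is for URLs, so the example uses htmlspecialchars() for the attribute context and json_encode() for the JavaScript context, and reads the name into textContent rather than innerHTML so it is shown as text. Needs PHP 7.3 or later for JSON_THROW_ON_ERROR.

```php
<?php
// Added example; not code from the question or from either answer above.
// Assumes the $row_WADAactivities2 keys used in the question. The row below
// is constructed test data with quotes and markup in both fields.
declare(strict_types=1);

/** Escape a value for a double-quoted HTML attribute. */
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Encode a value as a JavaScript string literal (quotes included). */
function js(string $s): string
{
    // The JSON_HEX_* flags keep < > & ' " out of the literal, so it is inert
    // inside <script> and survives a trip through an HTML attribute.
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

$row_WADAactivities2 = [
    'ActivityID' => '42',
    'Activity'   => 'O\'Brien\'s "quick" <b>review</b>',
];

// Preferred form: no inline JavaScript. The record data travels in data-*
// attributes (HTML context only) and one shared handler reads them.
echo '<input type="button" class="formButtonDeleteButton" value=""'
   . ' data-record-id="' . attr($row_WADAactivities2['ActivityID']) . '"'
   . ' data-record-name="' . attr($row_WADAactivities2['Activity']) . '"'
   . ' onclick="showDeleteBox(this)" />', "\n";

// If the call must stay inline: encode each argument for JavaScript first,
// then escape the whole attribute for HTML. Two contexts, two encoders,
// applied inside-out.
$call = 'setDeleteTarget('
      . js($row_WADAactivities2['ActivityID']) . ', '
      . js($row_WADAactivities2['Activity']) . ')';
echo '<input type="button" class="formButtonDeleteButton" value=""'
   . ' onclick="' . attr($call) . '" />', "\n";
?>
<script>
function setDeleteTarget(id, name) {
    document.getElementById('WADADeleteRecordID').value = id;
    // textContent shows the name as text; innerHTML would parse it as markup.
    document.getElementById('WADADeleteRecordName').textContent = name;
    document.getElementById('deleteBox').style.display = 'block';
    document.getElementById('deleteMessage').style.display = 'table';
}
function showDeleteBox(button) {
    setDeleteTarget(button.dataset.recordId, button.dataset.recordName);
}
</script>
```

The data-* form is the one to prefer: each value passes through exactly one encoder, and the handler never has to be regenerated per row. The inline form still works because the browser decodes the attribute (undoing attr()) before the JavaScript parser sees the json_encode() literals.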

Related

PHP: single and double quotes issue in echo-ed string?

I have a very simple issue which I don't know how to fix.
Basically, I have this string:
$variable = '<input type="button" value="something" onclick="location.href = 'my-page.php';" />';
the issue is the onclick="..." on the button.
When I run my code, it kills the entire page without any errors.
Could someone please let me know if there is a way to sort this out?
You need to escape the apostrophes:
$variable = '<input ... onclick="location.href = \'my-page.php\';" />';

How to escape MS-SQL output in html/php?

Sounds very simple, but I'm kinda confused at the moment.
I have this DB object which includes some values that I want to output in an html form.
Simplified Problem:
$result is my db object and this is the html input where I want to output some text which can include double or single quotes.
<input class="someclass" name="desc" id="descID" type="text" value="<?=$result['desc'];?>" placeholder="<Description>" />
So if $result['desc'] contains text like this: 'Did you hear about "foobar"?'
everything after the first double quote gets cut off and ends up like this: 'Did you hear about '.
What i have tried already without success:
htmlspecialchars like this: value="<?=htmlspecialchars($result['desc']);?>" or like this: value="<?=htmlspecialchars($result['desc'], ENT_QUOTES);?>"
addslashes
Note: My DB(mssql) saves the string properly. Only have the problems in my html.
I would be glad if you could help me out here. Thanks.
Thanks for the help so far, but i managed to find a solution to this:
<?$descEscaped = str_replace('"', '&quot;', $result['desc']);?>
<input class="someclass" name="desc" id="descID" type="text" value="<?= htmlspecialchars($descEscaped);?>" />
htmlspecialchars replaces quotes with "&quot;".
I am using my simple function htmlliteral:
function htmlliteral($s){
return '"'.htmlspecialchars($s).'"';
}
With this function you can use:
$descEscaped = htmlliteral($result['desc']);
print "<input class=someclass name=desc id=descID type=text value=$descEscaped />";
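An added example, not part of the question or of either answer, of an attribute escaper with its flags spelled out, run over constructed values taken from the problems on this page, with the raw and addslashes() renderings alongside for contrast:

```php
<?php
// Added example; not from the question or the answers above.
// Constructed sample values; no database involved.
declare(strict_types=1);

/**
 * Return a complete, double-quoted HTML attribute value.
 * ENT_QUOTES encodes both " and ' (before PHP 8.1 the default leaves ' alone);
 * ENT_SUBSTITUTE turns invalid UTF-8 into U+FFFD instead of returning "".
 */
function html_attr(string $s): string
{
    return '"' . htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
}

/** Three renderings of the same value: raw, addslashes(), html_attr(). */
function render_input(string $desc): array
{
    return [
        // Raw: the browser ends the attribute at the first " in the value.
        'raw'        => '<input name="desc" value="' . $desc . '" />',
        // addslashes: \" is not an escape in HTML, so the attribute still ends
        // at the quote and a stray backslash is left in the value.
        'addslashes' => '<input name="desc" value="' . addslashes($desc) . '" />',
        // Encoded for the attribute context: quotes, & and < become entities
        // and the browser decodes them back when it reads the value.
        'html_attr'  => '<input name="desc" value=' . html_attr($desc) . ' />',
    ];
}

$samples = [
    'Did you hear about "foobar"?',   // the value that was "cut off" in the question
    "O'Fallon & Highway K&N",         // apostrophe plus unescaped ampersands
    "\xC3\x28 not valid UTF-8",       // an invalid byte sequence from a legacy charset
];

foreach ($samples as $desc) {
    foreach (render_input($desc) as $how => $html) {
        printf("%-10s %s\n", $how, $html);
    }
    echo "\n";
}
```

One caveat worth checking in the MSSQL case: since PHP 5.4 htmlspecialchars() assumes UTF-8, and without ENT_SUBSTITUTE it returns an empty string for any value containing an invalid byte. A column read back in a legacy single-byte charset would therefore come out blank, which also looks like "the value gets cut off"; the third sample shows the flag turning that into a visible U+FFFD instead.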

Php add value to input field?

Is it possible to add a value to a dynamically created input field?
I'm trying something like this: echo "<input value="$row['test']">" but that gives me a syntax error. It has to be in my PHP file since I'm calling it via AJAX and want to keep my HTML and PHP separate.
I'm getting content via AJAX and I need to set as many field names as there are records in the database.
You can do it like this:
echo '<input value="' . $row['test'] . '">';
Alternatively escape the " (not recommended if not needed, because it is hardly readable):
echo "<input value=\"" . $row['test'] . "\">";
Otherwise you’re mixing quotation marks, which is a syntax error. The . is to combine strings with variables (in this case).
You can also Use:
<input value="<?php echo htmlspecialchars($row['test']); ?>" >
OR
echo "<input name='test' value=".$row['test'].">";
OR
echo "<input name='fred' value='{$row['test']}'>";
Reference
When using certain php values within a quoted string, such as the array syntax in the question, you should either escape from the quotes or encapsulate the variable in curly braces. Also, as the string was quoted with double quotes you should use single quotes around attributes and values.
echo "<input name='fred' value='{$row['test']}'>";
If you want to add it into the HTML:
<input type="text" name="post_title" class="form-control" value="<?php
if(isset($post_title))echo $post_title;
?>">

Single quotes and addslashes in php forms (option value escaping on space?)

I cannot get my addslashes function and html option value to play nice together. My initial problem was the single quote in the option but by solving that I seem to have created another issue whereby $titleunit_name only comes through with the first word.
This is what I want to come out:
baroffice=O'Fallon & Highway K&N
titleunit_name=O'Fallon & Highway K&N
cleantitleunit_name=O\'Fallon & Highway K&N
This is what I get:
baroffice=O'Fallon
titleunit_name=O'Fallon & Highway K&N
cleantitleunit_name=O\'Fallon & Highway K&N
I don't know if it matters but the values are normally coming from and being sent back to ms sql.
<form method="post" action="formtest.php?" id="searchform" target="" autocomplete="off">
<div id="office">
<font style="font-size:12px; font-weight:bold;" color="#002EB8" face="Verdana">
Closing Office:</font>
<select name="baroffice" style="width:90px">
<?php
$titleunit_name= "O'Fallon & Highway K&N";
$cleantitleunit_name=addslashes("$titleunit_name");
echo "<option value=$cleantitleunit_name name= '$titleunit_name'>";
echo "$titleunit_name</option>";
?>
</select></div><br>
<br><Br>
<input type="submit" name="submit" value="submit" style="position:relative;z-index:3">
<br><Br>
</form>
<?php
$baroffice = str_replace("\'","'",($_POST['baroffice']));
if (isset($_POST['submit']))
{
echo "baroffice=$baroffice<br>";
echo "titleunit_name=$titleunit_name<br>";
echo "cleantitleunit_name=$cleantitleunit_name<br>";
}
else
{echo "";
};
?>
Thanks for any help in advance.
First of all, you don't need double quotes around variables. Just $titleunit_name is correct, not "$titleunit_name".
Second, never use addslashes. If you're escaping content to go into MySQL use the more robust mysql_real_escape_string function. addslashes misses cases and leaves your script every bit as open to attack as if you hadn't used it at all.
And finally, slashes do not belong in HTML output. You're looking for the htmlspecialchars function, which prepares a string to be written into an HTML document.
echo '<option value="' . htmlspecialchars($titleunit_name) . '" name="' . htmlspecialchars($titleunit_name) . '">' . htmlspecialchars($titleunit_name) . '</option>';
Note that all uses of $titleunit_name (or any other variable) must be escaped in this way before writing them out to the page.
Now, I'm guessing from context that you have "magic quotes" turned on, so PHP is automatically performing an addslashes on incoming POST data. If so, turn off magic quotes, and when it's time to insert a string into the database perform the appropriate escaping then. If this is not possible, then use stripslashes to strip the slashes from all POSTed data at the beginning of the script execution so that you're getting the data as submitted.

Problem passing strings with PHP post

Basically I'm developing a (very) simple search engine. You can enter a search term and you are taken to the results page - which works fine. However on the results page, I have a button that will take you to the next 10 results: where $term is the $_POST['term'] value.
echo "<input type='hidden' name='term' value='" . $term . "'>";
This causes the following problem with the term is for example "aidan's".
When the next 10 button is clicked, the term becomes aidan\ and no further results are found.
I am not doing anything to $term.
I usually use Java, but am required to use PHP for this uni assignment!
Any help would be greatly appreciated.
It could be your PHP that escapes your data, check out http://www.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc and / or http://php.net/manual/en/function.addslashes.php these should help you to identify the problem
Try looking after addslashes() and stripslashes()
http://php.net/manual/en/function.addslashes.php
Regarding your issue, I think you should try to add something like this :
$search = stripslashes($_POST['term']);
If you use double quotes, you don't have to break your string when using a variable. You can also use various options, such as those mentioned already or htmlentities() or urlencode(). I would use the latter, just cuz. So you would end up with:
$term = urlencode($term);
echo "<input type='hidden' name='term' value=\"$term\">";
You need to htmlspecialchars() every single bit of data you output to your page. A set-up like yours is the reason that so many XSS vulnerabilities exist around the world, and you should not contribute to them.
echo "<input type='hidden' name='term' value='" . htmlspecialchars($term) . "'>";
Once you have that, you will need no obscure addslashes/quote escaping/whatever anymore.
To make that easier throughout your code, define
function h($s) { return htmlspecialchars($s); }
echo "<input type='hidden' name='term' value='" . h($term) . "'>";
The function you are looking for is htmlspecialchars(). However to make it work, you must use quotation marks to wrap the parameter.
Plus, if there are slashes involved, the stripslashes() function may be needed.
So:
$term = htmlspecialchars( stripslashes( $term ) );
echo '<input type="text" name="term" value="' . $term . '" >';
Always use GET method for the search, not POST.
Either turn magic quotes off or strip slashes manually
Use htmlspecialchars with ENT_QUOTES parameter to encode form's field value.
Consider to print out HTML as is, not using PHP echo, to get rid of all this quotes craze
Most important part. If you quote your term for the database search, don't use quoted variable in your form.
so
<?php
if (isset($_GET['term'])) {
if (get_magic_quotes_gpc()) $_GET['term'] = stripslashes($_GET['term']);
//$term=mysql_real_escape_string($_GET['term']);
//perform search here.
//
$term = htmlspecialchars($_GET['term'],ENT_QUOTES); //from $_GET again
?>
<input type="hidden" name="term" value="<?php echo $term?>">
<?php
}
I think the easiest way is not to put $term as a hidden field at all. For pagination, you can keep memory of the searched term in the session.
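The GET-based pagination and the strip-slashes-only-when-magic-quotes-is-on logic from the answers above, put together as an added example that is not part of any answer on this page. It assumes a results page named results.php (an assumption) and builds the request parameters inline in place of $_GET. It keeps the two encoders apart: http_build_query() for the URL context and htmlspecialchars() for the HTML context, since urlencode() output is not an HTML encoding.

```php
<?php
// Added example; not from the question or the answers above.
// Shows the three separate steps the answers describe: undo magic_quotes_gpc
// where it still exists, encode for the query string, encode for HTML.
// results.php is an assumed file name.
declare(strict_types=1);

/** Undo magic_quotes_gpc on PHP < 5.4. A no-op on every later version. */
function raw_input(string $value): string
{
    // get_magic_quotes_gpc() always returns false from 5.4 and was removed in 8.0.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

/** Encode for HTML text and double-quoted attributes. */
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** "Next 10" link: query-string encoding first, then HTML encoding of the result. */
function next_page_link(string $term, int $offset, int $page_size = 10): string
{
    $query = http_build_query(['term' => $term, 'offset' => $offset + $page_size]);
    return '<a href="results.php?' . html($query) . '">Next ' . $page_size . '</a>';
}

/** Same thing as a GET form with hidden fields, for pages that need a button. */
function next_page_form(string $term, int $offset, int $page_size = 10): string
{
    return '<form method="get" action="results.php">'
         . '<input type="hidden" name="term" value="' . html($term) . '">'
         . '<input type="hidden" name="offset" value="' . ($offset + $page_size) . '">'
         . '<input type="submit" value="Next ' . $page_size . '">'
         . '</form>';
}

// Constructed request parameters standing in for $_GET.
$request = ['term' => "aidan's", 'offset' => '0'];

$term   = raw_input($request['term']);
$offset = max(0, (int) $request['offset']);

// The database lookup would bind $term as a prepared-statement parameter here;
// the encoded copies below exist only for the page output.
echo next_page_link($term, $offset), "\n";
echo next_page_form($term, $offset), "\n";
```

Because the term is only ever decoded once (raw_input) and encoded per output context, "aidan's" survives any number of Next clicks: the apostrophe becomes %27 in the link, &#039; in the hidden field, and arrives back as the original string on the next request.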
