This question already has answers here:
How can I properly escape HTML form input default values in PHP?
(3 answers)
Closed 8 years ago.
http://pastebin.com/Jti6DWU6 <--
This is a script in which there are 3 forms and i want to prevent special chars in the first field to prevent iFrame Injection...
I suck at programming
Can anyone help me with this?
You may use htmlspecialchars, that's what that function is for.
Check the manual.
Here's an example from the manual:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // <a href='test'>Test</a>
?>
Just add the string to the 1st argument of the function. The 2nd will tell the function how to handle quotes. In the example above, it will convert both double and single quotes.
Classical protection that google could have provide you in a few seconds...
htmlspecialchars or htmlentities is the way to go.
https://php.net/htmlspecialchars
https://php.net/htmlentities
Related
This question already has answers here:
Escaping quotation marks in PHP
(7 answers)
How can I prevent SQL injection in PHP?
(27 answers)
Closed 5 years ago.
I have a php variable referring to a string that contains apostrophes, but when I quote this variable, it thinks I am trying to end the string. My variable is reading from an array of table data, so I can not go in and put a "\" before every apostrophe in the table. If $foo contains the string "don't", how do I correctly say '$foo' without it trying to end the string. Thanks.
You are correct in thinking that you need to add escape characters ("\") before the apostrophes.
To do this on the fly with the database data you can use the php function addslashes.
so:
$escapedString = addslashes($string);
You could also do this with the string replace function for higher precision:
$escapedString = str_replace("'", "\'", $string);
You can use PHP's addslashes PHP Manual - Add slashes
$foo = addslashes($foo);
This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 8 years ago.
I have a string which is a path and is a variable in which I have to save in my database. But the path is
C:\foldera\folderb\folder1\folder2
and obviously I need it to be
C:\\foldera\\folderb\\folder1\\folder2
for the insertion in database of mysql.
Please help me find the solution. I tried str_replace but it won't work.
Thanks in advance.
The function you are looking for is addslashes($string); This function adds the slashes to turn your string into the string you are looking for. But if you are planning on using it as a parameter in an SQL statment you want to use mysqli_real_escape_string()
Also use single quotes in the string in order for addslashes() to work properly. double quotes will parse it as \f not just '\'.
This question already has answers here:
How do I escape special characters in MySQL?
(8 answers)
Closed 8 years ago.
i was wondering how can i include everything written on my textbox to be inserted in mysql database
for example:
textbox = "{\buildrel{\lim}"
but what happens is the \ (backslash) remove 'b' and 'l' and the data inserted to my database will be
{uildrelim} somewhat like this, it might come up removing the { } as well
so is there any techniques or method you can advise? so that everything i put in my textbox will be inserted to my database as it is.
I found this solution:
i just need to use the str_replace() method to replace single \ with double \\
$textbox = str_replace('\\\','\\\\\\\',$textbox);
where {\buildrel{\lim} will be {\\\buildrel{\\\lim}
No, You dont use str_replace(), you have addslashes() and stripslashes(), those two are the two functions you are looking for.
Changing a string with str_replace functions isnt a smart thing to do. Those functions aren't created with this in mind, the add/striposlashes are. You might forget a character which you needed to str_replace with a slash.
Also, that whole battery of slashes and escaping slashes doesnt make your code very readable :P
This question already has answers here:
php parameter with apostrophes
(2 answers)
Closed 2 years ago.
Part of my PHP code includes the construction of a URL string as follows:
$msg = $_REQUEST["msg"];
$content = 'action=sendmsg'.
'&user='.rawurlencode($username).
'&password='.rawurlencode($password).
'&to='.rawurlencode($destination).
'&text='.rawurlencode($msg);
When $msg happens to contain an apostrophe, it get sent as "\'".
What do I need to do to make sure the backslash is not inserted by PHP?
You probably want to check out stripslashes: http://php.net/manual/en/function.stripslashes.php
Assume you want to send the $content variable instead of just stripping the backslashes, Consider to use urlencode() instead of rawurlencode(). Also, you can use the function once for your $content variable.
$content = urlencode($content);
UPDATE: both urlencode and rawurlencode may not fit your case. Why don't you just send out the $content without URL encode? How do you send our the query string? If you are using cURL, you do not need to encode the parameters.
You can try
Stipslashes
or put the string in "" and add ' where you want.
This question already has an answer here:
Closed 11 years ago.
Possible Duplicate:
replace & for &
For a wordpress page to be validated, all & should be replaced with &
I know java but i do not know PHP. So how do i do this in wordpress?
Use htmlspecialchars before printing:
$text = htmlspecialchars($text)
You can escape ampersands & as well as quotes and brackets using the htmlspecialchars() function.
Like the others said, htmlspecialchars() works. Also check out htmlentities() which has a broader range of characters to replace for further scrubbing of the string.