UPDATE
(I could just delete this question - but I might as well leave it as a reminder to everyone that sometimes the error is somewhere else than where we look...)
I am very sorry that I made you ponder this question: the reason for the "Actual result" was in a completely different location and has nothing to do with htmlentities.
Thanks to everyone who tried to help.
Why is this code not working in my PHP 5.4.32 site?
Code:
$returnValue = htmlentities(urldecode('//echo \'<textarea name="comments" id="comments">$theData</textarea>\';'), ENT_QUOTES, 'UTF-8');
echo '<textarea>' . $returnValue . '</textarea>';
Expected result:
A textarea with the exact string
//echo '<textarea name="comments" id="comments">$theData</textarea>';
Actual result:
A textarea with the exact string
//echo '<textarea name="comments" id="comments">$theData
(the "</textarea>" in the original string actually closes the html textarea.)
In the same way, scripts can be injected (which is the reason why I originally used the htmlentities).
The very strange thing:
If I simply add the above example code to the beginning of my php file, it works as expected. So there must be some reason why it does not work further down the page. And I have no clue, see no possible reason in the code.
What's wrong?
btw: using htmlspecialchars doesn't change the effect.
Dollar sign $ isn't interpreted in single quotes.
Choose and use one of these:
echo '<textarea name="comments" id="comments">' . $theData . '</textarea>';
echo "<textarea name='comments' id='comments'>$theData</textarea>";
echo "<textarea name='comments' id='comments'>" . $theData . "</textarea>";
echo "<textarea name=\"comments\" id=\"comments\">$theData</textarea>";
You shouldn't use urldecode() in this case. urldecode() will give you the original value of an url-encoded string (in PHP the return value of urlencode()). You're not working with url-encoded strings here.
The following should give you the expected result:
$returnValue = htmlentities('//echo \'<textarea name="comments" id="comments">$theData</textarea>\';', ENT_QUOTES, 'UTF-8');
echo '<textarea>' . $returnValue . '</textarea>';
There is nothing wrong with this code. Works perfectly - the error was somewhere else in my php file...
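An added example (not code from the question or from any answer) of the two points raised in this thread: encoding turns the inner `</textarea>` into inert text, and `urldecode()` on a value that is not URL-encoded changes it. `render_textarea()` and the second sample string are constructed for illustration.

```php
<?php
// Added illustration: render_textarea() and the sample strings are constructed.

// Encode a value for use as the text content of a <textarea>.
function render_textarea($value)
{
    // ENT_QUOTES also encodes ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of making the whole result an empty string.
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<textarea>' . $safe . '</textarea>';
}

// The string from the question, passed through without urldecode().
$source = '//echo \'<textarea name="comments" id="comments">$theData</textarea>\';';

$raw     = '<textarea>' . $source . '</textarea>'; // inner </textarea> survives
$encoded = render_textarea($source);               // inner tag becomes &lt;/textarea&gt;

printf("closing tags in raw output:     %d\n", substr_count($raw, '</textarea>'));
printf("closing tags in encoded output: %d\n", substr_count($encoded, '</textarea>'));

// urldecode() on a value that is not URL-encoded rewrites it: '+' becomes a
// space and every %xx sequence is decoded. PHP has already decoded $_GET and
// $_REQUEST once, so a second decode changes what the user actually sent.
$alreadyDecoded = 'price+tax = 100%25 %3Cb%3E';
printf("before: %s\n", $alreadyDecoded);
printf("after:  %s\n", urldecode($alreadyDecoded));

// Encoding at output time keeps even the re-decoded value inert.
echo render_textarea(urldecode($alreadyDecoded)), "\n";
```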
Related
I am echoing PHP variables, which works fine, but when I tried to output an image, nothing seems to work.
working.php
echo ("addMarker($lat, $lon,'<b>$name</b>$address<br><br>$desc');\n");
not_working.php
For image display, I added
<img src='http://localhost/services/status/" .$pic. "'>
hence
echo ("addMarker($lat, $lon,<img src='http://localhost/services/status/" .$pic. "'>,'<b>$name</b>$pic<br><br>$desc');\n");
Any help?
The PHP documentation about strings should clarify your issue, I hope. In simple words, variables are not expanded (parsed) in single quotes.
Best solution is to use sprintf:
sprintf('<img src="http://localhost/services/status/%s">', $pic);
OK solution:
echo '<img src="http://localhost/services/status/' . $pic . '">';
Not so ok solution:
echo "<img src=\"http://localhost/services/status/$pic\">";
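An added example (not code from the question or the answer) that builds the same `addMarker(...)` call with each value encoded for the context it lands in: HTML for the popup text, then a JavaScript literal for the call. It assumes `addMarker(lat, lon, html)` takes three arguments as in working.php; `js_arg()`, `h()` and the sample values are constructed.

```php
<?php
// Added illustration: js_arg() and h() are hypothetical helpers and the
// values below are constructed sample data.

// Encode a PHP value as a JavaScript literal that is also safe inside an
// HTML <script> block: the JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX.
function js_arg($value)
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Encode text that becomes part of the marker's HTML popup.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$lat     = 6.5244;
$lon     = 3.3792;
$name    = "Joe's <Bar>";
$address = '12 "Main" Street';
$desc    = "Open late\nCash only";
$pic     = 'front door.jpg';

// 1. Build the popup HTML, encoding each value for its HTML context.
//    The file name is percent-encoded first because it is part of a URL.
$popup = sprintf(
    '<img src="http://localhost/services/status/%s"><b>%s</b>%s<br><br>%s',
    h(rawurlencode($pic)),
    h($name),
    h($address),
    nl2br(h($desc))
);

// 2. Hand the numbers and the finished HTML string to JavaScript as literals,
//    so quotes and line breaks in the data cannot end the string early.
printf(
    "addMarker(%s, %s, %s);\n",
    js_arg((float) $lat),
    js_arg((float) $lon),
    js_arg($popup)
);
```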
I'm new to learning PHP as you might have guessed. I have the contents of a .txt file echoed but I would like it to stand out more, so I figured I would make it a different colour.
My code without colour:
<?php
$file = fopen("instructions.txt", "r") or exit("Unable to open file");
while(!feof($file))
{
echo fgets($file);
}
fclose($file);
?>
I have researched this and seen suggestions to others to use a div style, however this didn't work for me, it gave me red errors all the way down the page instead! I think it's because I'm using 'fgets' not just a variable? Is there a way to colour the echo red?
The code I tried but doesn't work:
echo "<div style=\"color: red;\">fgets($file)</div>";
(In general) You need to separate the actual PHP code from the literal portions of your strings. One way is to use the string concatenation operator .. E.g.
echo "<div style=\"color: red;\">" . fgets($file) . "</div>";
String Operators
Another answer already said that you can't use a function call in a double quoted string. Let me additionally mention that for formatting-only tasks a <span> element is better suited than a <div> element.
Like this: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/span
You should try:
<div style="color: red;"><?= fgets($file);?></div>
Note: <?= is a shorthand for <?php echo fgets($file);?>
This version does not need to escape double quotes:
echo '<div style="color:red;">' . fgets($file) . '</div>';
You can do this with the concatenate operator . as has already been mentioned but IMO it's cleaner to use sprintf like this:
echo sprintf("<div style='color: red;'>%s</div>", fgets($file));
This method comes into its own if you have two sets of text that you want to insert a string in different places, e.g.:
echo sprintf("<div style='color: red;'>%s</div><div style='color: blue;'>%s</div>", fgets($file), fgets($file2));
I have this php line which works fine:
echo "<p>" . $post['message']. "</p>";
But I want to change it so it will link to my page (not to a single post). So it should look like that.
echo "<p>" . $post['message']. "</p>";
I have tried many suggestions gathered from different websites, but each time I am getting an error.
Any idea ?
Thanks a lot!
Using single and double quotes, you avoid escaping issues. Try this:
echo '<p>'. $post['message']. '</p>';
I see that you didn't escape the double quote that closes the href attribute:
echo "<p><a href=\"https://www.facebook.com/rscmovement\" target=\"_blank\">"
I guess you have missed the backslash (\) before the " after www.facebook.com/rscmovement.
"https://www.facebook.com/rscmovement\" "\"target=\"_blank\">" will
I'm trying to populate a form with some data that contains special characters (e.g. single quote, double quote,<,>,?,","".~,,!##$%^&*()_+}{":?<<>,./;'[.] etc) :
<input type="text" name="message" size="200" maxlength="200"
value =<?php echo $message;?>>
However, $message, which comes from a MySQL table, isn't displayed correctly - any HTML output that should be in $message is broken.
How do I do this properly?
This will prevent your tags from being broken by the echo:
<?php echo htmlentities($message); ?>
If you want to display it
echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
That's what I usually do.
Since the answers are different:
htmlentities-vs-htmlspecialchars is worth checking out.
I normally use the following code, see htmlspecialchars
<?php echo htmlspecialchars($videoId, ENT_QUOTES | ENT_HTML5); ?>
What's wrong with using a constant?
<?php
define('foo','<,>,?,","".~,,!##$%^&*()_+}{":?<<>,./;');
$foo2="'[.]";
echo constant('foo').$foo2;
?>
You need to put the '[.]' into a variable, as a constant will break on a ' (single quote).
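An added example (not code from the question or from any answer above) comparing the question's unquoted `value=` attribute with a quoted attribute encoded with `ENT_QUOTES`. `attr()` is a hypothetical helper and `$message` is a constructed stand-in for the database value.

```php
<?php
// Added illustration: attr() is a hypothetical helper and $message is
// constructed sample data standing in for the value read from MySQL.

function attr($value)
{
    // ENT_QUOTES encodes both ' and " so the value cannot end the attribute,
    // whichever quote character the template uses around it.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$message = 'He said "hi" & it\'s <ok> ~!#$%^&*()_+}{:?,./;[.]';

// As in the question: no quotes around the attribute value. The browser ends
// an unquoted value at the first space, even when the text itself is encoded,
// and reads the remaining words as further attributes.
$unquoted = '<input type="text" name="message" value='
          . htmlentities($message) . '>';

// Quoted attribute plus encoding: the whole string stays inside value="...".
$quoted = '<input type="text" name="message" value="'
        . attr($message) . '">';

echo $unquoted, "\n";
echo $quoted, "\n";

// Decoding the encoded text gives back the original string, which is what
// the browser places in the field and submits with the form.
$roundTrip = htmlspecialchars_decode(attr($message), ENT_QUOTES);
var_dump($roundTrip === $message);
```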
The output of the PHP string below is not correct. It's displaying an additional ( "> ) at the end. Please help: what am I doing wrong?
$part2 = HTMLentities('<input type="hidden" name="custom" value="<?php print($_SESSION["muser"]."-".$_SESSION["mpass"]);?>">');
print $part2;
Thanks, KRA
If you're already in PHP mode, you should just use string concatenation instead of <?php ?> syntax; this example splits up the html creation and the escaping part.
$html = '<input type="hidden" name="custom" value="' . htmlspecialchars($_SESSION["muser"] . "-" . $_SESSION["mpass"]) . '">';
$part2 = htmlentities($html);
print $part2;
It is because there is an additional > at the end.
Try this:
$part2 = HTMLentities('<input type="hidden" name="custom" value="<?php print($_SESSION["muser"]."-".$_SESSION["mpass"]);?>"');
print $part2;
I think this is more of what you're looking for:
$part = '<input type="hidden" name="custom" value="' . htmlentities($_SESSION['user'] . '-' . $_SESSION['mpass']) . '" />';
You've got a lot of poor PHP syntax in your example.
We use <?php tags to escape out of HTML into PHP. When you have a PHP file, one way you could think about it is that you really have an HTML document - but one that you can add <?php tags to write PHP code in. In your example you are trying to print HTML from within PHP, which can get admittedly complex. You are already in a PHP block, so you don't need to use the opening <?php tag.
When concatenating strings to store in a variable, you don't need to use the print function. The print function is used to write text to the screen. You can just use the variable's name as in the example I wrote to combine the strings.
htmlentities is used to render any HTML in your string into text. We use htmlentities to keep unknown (user-entered) data from modifying our HTML. It would be a good idea to use htmlentities on the $_SESSION variables like I did above to make sure they don't break our input tag with invalid HTML. Using it on the entire string would just print your HTML as if it were raw text.
Here's a way to write it from outside of a PHP block:
<?php
// initial PHP code
?>
<input type="hidden" name="custom" value="<?php echo htmlentities($_SESSION['user'] . '-' . $_SESSION['mpass']) ?>" />
<?php
// continue PHP code
?>