I'm storing text in the database like "He can't ...". But when I echo this text inside HTML markup, the browser gets ' as the closing of some HTML element's markup. Which PHP function should I use before echoing, to safely echo this type of text inside HTML markup?
Use htmlentities():
echo "<input type='text' value='" . htmlentities($text, ENT_QUOTES | ENT_HTML401) . "'>";
The ENT_QUOTES flag tells it to convert both single and double quotes to entities (the default is just double quotes).
$playername = $_GET["playername"];
echo '<img src="https://cravatar.eu/head/SecretAgent5555"/>';
I need SecretAgent5555 to be $playername, please help.
This will do what you need...
echo '<img src="https://cravatar.eu/head/' . $playername . '"/>';
This uses the PHP . string concatenation feature to 'insert' $playername into the img src tag.
You can also use string interpolation by using double quotes, but it requires you to escape the double quotes within, like this:
echo "<img src=\"https://cravatar.eu/head/$playername\"/>";
Because you have opened the string being echoed with the double quotes, to put a double quote within, you need to escape them. This is the \" part within the string.
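Added example (not code from either answer above) covering both cases: the value="..." attribute from the first question and the cravatar URL from the second. The helper names attr(), input_html() and avatar_html() are my own; the player name is percent-encoded as a URL path segment before the whole URL is attribute-escaped.

```php
<?php
// Added example: escape untrusted text for the HTML context it lands in.
// attr()/input_html()/avatar_html() are names chosen for this example.

// Escape for a quoted HTML attribute. ENT_QUOTES converts both ' and ", so the
// attribute cannot be closed early whichever quote style the markup uses.
function attr(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8');
}

// Render an <input> whose value came from the database.
function input_html(string $text): string
{
    return '<input type="text" value="' . attr($text) . '">';
}

// Build the avatar tag: the player name is one URL path segment, so it is
// percent-encoded first (rawurlencode); the whole URL is then attribute-escaped.
function avatar_html(string $playername): string
{
    $url = 'https://cravatar.eu/head/' . rawurlencode($playername);
    return '<img src="' . attr($url) . '"/>';
}

// Constructed inputs containing the characters the questions trip over,
// each paired with the markup it must produce.
$cases = [
    [input_html("He can't ..."),
     '<input type="text" value="He can&#039;t ...">'],
    [input_html('say "hi" & <b>bye</b>'),
     '<input type="text" value="say &quot;hi&quot; &amp; &lt;b&gt;bye&lt;/b&gt;">'],
    [avatar_html('SecretAgent5555'),
     '<img src="https://cravatar.eu/head/SecretAgent5555"/>'],
    [avatar_html('Secret Agent/5555'),
     '<img src="https://cravatar.eu/head/Secret%20Agent%2F5555"/>'],
];
foreach ($cases as [$got, $want]) {
    if ($got !== $want) {
        throw new RuntimeException("unexpected markup: $got");
    }
    echo $got, "\n";
}
```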
So I've created a CMS that takes text input. This is how the data is used when I grab it from the database.
echo "<img src=" . $row['image_url'] . " alt=" . $row['caption'] . ">";
Now the problem is, whenever there's a comma or a semicolon, PHP treats it as part of the code and the page ends up either not rendering well or completely breaking with errors like
Parse error: syntax error, unexpected '=' in
I've tried using htmlspecialcase() when posting the data to the MySQL database but it didn't fix the problem.
EDIT: The main problem is with the alt part not the src part.
When you're using double quotes (") to create a string literal and in that string literal you want to use double quotes ("), then you may escape those double quotes (") to form a valid string.
echo "<img src=\"" . $row['image_url'] . "\" alt=\"" . $row['caption'] . "\">";
You can try like that:
<img src="<?php echo $row['image_url'];?>" alt="<?php echo $row['caption'];?>">
I have some var containing ', "
$var = "Hello \" World '";
<input type="text" value="<?= $var ?>" >
When the browser renders the code above we will see an input element containing only 'Hello'.
How do I solve this problem without using special symbols like ”? The DB strings must contain ' and ".
How do I solve this problem without using special symbols like ”?
You don't, although rdquo is the wrong character reference to use in this case.
Run text through htmlspecialchars() to turn it into HTML before you insert it into an HTML document.
<input type="text" value="<?= htmlspecialchars($var) ?>">
HTML Entities is what you need.
This is similar to htmlspecialchars but if you require all input substrings that have associated named entities to be translated, use htmlentities() instead.
Here are the HTML char codes!
$var = "Hello \" World '";
I use html special char:
&quot; - special html char - "
$var = "Hello &quot; World '";
Result:
Hello " World '
I ran into this code:
function input_text($elem, $val) {
print '<input type = "test" name="' . $elem .'" val="';
print htmlentities($val[elem]) . '"/>';
}
I'm confused about the code: name="' . $elem .'" val="';
print htmlentities($val[elem]) . '"/>'
1) Why put single quotes and a dot inside double quotes around $elem? Can I just use double quotes like name="$elem"?
2) What is the meaning of this code: val="';
print htmlentities($val[elem]) . '"/>'
1) Since the string being printed is surrounded with single quotes, variables are not expanded inside it; variables are only expanded inside double-quoted strings. So concatenation is necessary. If you change it to use double quotes, you could do variable interpolation:
print "<input type='test' name='$elem' val='";
2) There's no special meaning to it. The programmer simply chose to split up the commands to print this piece of HTML into two PHP print statements. So first he prints val=", then he prints htmlentities($val[elem]) . '"/>'.
The function could be rewritten as:
function input_text($elem, $val) {
print "<input type='test' name='$elem' val='" . htmlentities($val[elem]) . "'/>";
}
You have to use concatenation around htmlentities() -- only variables can be interpolated into strings, not function calls. However, you could assign the value to a variable first if you want:
function input_text($elem, $val) {
$valent = htmlentities($val[elem]);
print "<input type='test' name='$elem' val='$valent'/>";
}
BTW, $val[elem] looks like a typo, it probably should be $val[$elem].
The single quotes in this case denote a string in PHP.
$var = 'This is a String';
The reason they are used in conjunction with the double quotes is because the double quotes must be printed to get the correct HTML output of
<input type="test" name="someName" val="someValue" />
The . operator in PHP is the concatenation operator meaning combine 2 strings into 1.
$var = 'This' . ' and that'; //Evaluates to 'This and that'
I am using like
$myPage .= '<td><a href=\'javascript:editProduct('
.$row['id']
.',"'
.$row['name']
.'")\'>Edit</a></td>';
where $row['name'] has quotes in its value, it breaks. How do I solve the issue both from the PHP side and the JS side?
$row['name'] is a value from the DB, and it will have values like pradeep's and pradeep"s as well.
I used
$myPage .= '<td><a href=\'javascript:editProduct('.addslashes($row['id']).',"'.addslashes($row['name']).'")\'>Edit</a></td>';
It solves the issue of double quotes, but when I have single quotes in the value the JavaScript link looks like
javascript:editProduct(28,"pradeep\
It actually breaks.
And how do I strip the slashes added by addslashes in JavaScript?
UPDATE - FINAL CODE
$myPage .= '<td><a href=\'javascript:editProduct('.$row['id'].',"'.htmlentities($row['name'],ENT_QUOTES).'")\'>Edit</a></td>';
and the JS looks like
function editProduct(id,name){
alert(name);
}
Can anyone solve my issues?
Try:
$myPage .= "<td><a href='javascript:editProduct({$row['id']},\""
. htmlentities( $row['name'] )
. "\")'>Edit</a></td>";
htmlentities' default behaviour is to convert double quotes and leave single quotes alone; if you need to convert both single and double quotes, call it like this:
htmlentities( $row[ 'name' ], ENT_QUOTES )
Also, using { .. } in "..." strings is the correct way to substitute variables.
The PHP string
'<a href=\'javascript:editProduct('.$row['id'].',"'.$row['name'].'")\'>';
outputs (assuming some values)
<td><a href='javascript:editProduct(123,"abc")'></td>
Presumably it breaks if $row['name'] contains a " quote. You could replace such quotes with \" in the string before you output it, using str_replace('"', '\"', $row['name']).
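Added example for the editProduct question and the two answers above (not code from the question or the answers): the name goes through two nested contexts, a JavaScript string literal inside an HTML attribute, so it is escaped for each in turn, json_encode() with the JSON_HEX_* flags for the JS literal and htmlspecialchars() for the attribute. The helper names js_string(), edit_link() and edit_link_data() are my own; the data-* variant is an alternative pattern that avoids the javascript: URL entirely.

```php
<?php
// Added example: a DB value inside a JS string inside an HTML attribute.
// Two escapes, innermost first:
//   1. json_encode() yields a valid JS string literal (handles ', " and \);
//      the JSON_HEX_* flags also turn <, >, &, ' and " into \uXXXX escapes.
//   2. htmlspecialchars() with ENT_QUOTES escapes that literal for the attribute.
function js_string(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Inline handler, as in the question: editProduct(id, "name") inside href='...'.
function edit_link(int $id, string $name): string
{
    $call = 'editProduct(' . $id . ',' . js_string($name) . ')';
    return '<td><a href=\'javascript:' . htmlspecialchars($call, ENT_QUOTES | ENT_HTML401)
        . '\'>Edit</a></td>';
}

// Alternative needing only attribute escaping: keep the values in data-*
// attributes and let a script attached elsewhere read them (no javascript: URL).
function edit_link_data(int $id, string $name): string
{
    return '<td><a href="#" class="edit" data-id="' . $id . '" data-name="'
        . htmlspecialchars($name, ENT_QUOTES | ENT_HTML401) . '">Edit</a></td>';
}

// Constructed names mirroring the question (pradeep's, pradeep"s) plus a mixed one,
// each paired with the markup it must produce.
$cases = [
    [edit_link(28, "pradeep's"),
     '<td><a href=\'javascript:editProduct(28,&quot;pradeep\u0027s&quot;)\'>Edit</a></td>'],
    [edit_link(28, 'pradeep"s'),
     '<td><a href=\'javascript:editProduct(28,&quot;pradeep\u0022s&quot;)\'>Edit</a></td>'],
    [edit_link_data(28, 'O\'Neil "Pat" <b>'),
     '<td><a href="#" class="edit" data-id="28" data-name="O&#039;Neil &quot;Pat&quot; &lt;b&gt;">Edit</a></td>'],
];
foreach ($cases as [$got, $want]) {
    if ($got !== $want) {
        throw new RuntimeException("unexpected markup: $got");
    }
    echo $got, "\n";
}
```

After the browser decodes the attribute, the inline link runs editProduct(28,"pradeep\u0027s"), which JavaScript reads as the string pradeep's with no slashes to strip.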