I have a problem with 'hidden',
PHP:
$text = addslashes("Black Sun's zenith");
echo "<input type='hidden' value=".$text." name='saveCard[]'>";
showing the actual code is:
<input type="hidden" value="Black" sun\'s="" zenith="" name="saveCard[]">
to show the correct code is:
<input type="hidden" value="Black Sun's zenith" name="saveCard[]">
Thank all.
addslashes is a generic routine for escaping content for languages that use the \ character to start an escape sequence. HTML is not such a language, and most languages that are have a better, more specific function to handle escaping.
Use htmlspecialchars, not addslashes to escape content for HTML.
Since the attribute value contains spaces, you also need to wrap it in quote characters.
echo "<input type='hidden' value=\"".htmlspecialchars($text)."\" name='saveCard[]'>";
As a rule of thumb, try to avoid putting HTML inside PHP strings.
?>
<input
type="hidden"
value="<?php echo htmlspecialchars($text); ?>"
name="saveCard[]">
<?php
Yes, put {} around $text variable should help.
Related
To display a string from the database In the output the string is shown halfway
Like the following Sample in database
PHP is a server scripting language
The output is as follows
php
.
Code to display
<input type="radio" name=<?php echo 'answare'.$r['id_q'];?>
value=<?php echo $r['answare'];?> >
Its messy,
Please separate the 2, your view & your controller should not be mixing.
$radio = sprintf('<input type="radio" name="answare%s" value="%s" >', $r['id_q'], $r['answare'] );
Please look into template & mvcs.
Try Laravel, its an easy thing to pick up.
You should always put quotes around attributes. Otherwise, a space in the attribute will end it.
<input type="radio" name="<?php echo 'answare'.$r['id_q'];?>"
value="<?php echo htmlentities($r['answare']);?>" >
Using htmlentities() protects in case $r['answare'] contains quotes or other special characters.
I'm trying to create a textbox that will be displayed on my website. When displayed, I'd like to show some data within the text box. Here is what I have
echo "<input type=\"text\" size=\"100\" value=\"\">";
All that shows up in the text box is <a href=
And then at the end of the text box, right after the text box I see ">
I know something must be syntactically off, just not sure what.
You must encode <, ", and > chars - they can't be embedded that way. Use:
echo '<input type="text" size="100" value="'.htmlspecialchars('').'">';
You may also use urlencode() function - see which suits you better.
One more tip - use single quotes when string contains HTML-like content. This will save you adding \" everywhere.
php_code ?>
<input type="text" size="100" value="<a href="e;<?=$url;?>"e;></a>\">
<?php
php_code
maybe this will work for you
Think of what the html would look like:
<input type="text" size="100" value="">
^
|
This is where the value attribute ends!
htmlspecialchars should solve it.
You have made some mistake. Your code will result in something like that (also visible in this jsfiddle):
<input type="text" size="100" value="">
Instead you can use something like that:
echo "<input type=\"text\" size=\"100\" value=\"<a href="$url"></a>\">";
or
echo '<input type="text" size="100" value="<a href="' . $url . '"></a>">';
to receive effect visible in this jsfiddle. Is it satisfying enough?
Given the following two HTML/PHP snippets:
<input type="text" name="firstname" value="<?php echo $_POST['firstname']; ?>" />
and
<textarea name="content"><?php echo $_POST['content']; ?></textarea>
what character encoding do I need to use for the echoed $_POST variables? Can I use any built-in PHP functions?
Please assume that the $_POST values have not been encoded at all yet. No magic quotes - no nothing.
Use htmlspecialchars($_POST['firstname']) and htmlspecialchars($_POST['content']).
Always escape strings with htmlspecialchars() before showing them to the user.
htmlspecialchars would work in both cases. Have a look at the different flag options to avoid quotation marks being a problem in the input case.
Given it is kinda long I would put it in a function
<?PHP
function encodeValue ($s) {
return htmlentities($s, ENT_COMPAT|ENT_QUOTES,'ISO-8859-1', true);
}
?>
This has ENT_QUOTES to make sure single and double quotes are encoded, but it will also encode special characters (Like in José) instead of inserting an empty string.
Then you can do:
<input type="text" name="firstname" value="<?= encodeValue($_POST['firstname']) ?>" />
and
<textarea name="content"><?= encodeValue($_POST['content']) ?></textarea>
i have the following code :
<input type="text" value="<?php echo $_GET['msg']; ?>">
This input is automatically filled with the name that is writen in the previous page.
So, if the user wrote : i like "apples" and banana
The input will be broken because it will close the tag after the double quotes.
I know i can avoid that by html entiting the value, but i don't want this, is there another solution or is there an <<< EOD in html ?
Thanks
htmlentities() / htmlspecialchars() is the standard way for this. You should use it.
You can always decode the entities before you send them by E-Mail, or do something else with them using html_entity_decode().
You should use the htmlspecialchars function, to escape the output for HTML :
<input type="text" value="<?php echo htmlspecialchars($_GET['msg']); ?>">
Note : you might have to add some additionnal parameters, if you are not using ISO-8859-1 as charset ; for example, with UTF-8 :
<input type="text" value="<?php echo htmlspecialchars($_GET['msg'], ENT_COMPAT, 'UTF-8'); ?>">
One function or another will cause some kind of trouble.
I came up with the following to keep the ampersand:
<input type="text" value="<?php echo parseString($_GET['msg']); ?>">
<?php
function parseString($str) {
$result=str_replace('"','"',$str);
$result=str_replace("'","'",$result);
return $result;
}
when I have a value like this in the database ("foo")
how can I echo it without any conflict with html code
notice
<input type="text" value="<? echo '"foo"'; ?>" />
the result will be like this
<input type="text" value=""foo"" />
how can I fix it ?
use urlencode
or htmlspecialchars
link
You can use htmlentities to overcome this problem like so:
<input type="text" value="<? echo htmlentities('"foo"'); ?>" />
this will return
<input type="text" value=""foo"" />
avoiding any conflict with html.
htmlspecialchars() basically, for example
<input type="text" value="<? echo htmlspecialchars($value, ENT_QUOTES); ?>" />
The ENT_QUOTES is optional and also encodes the single quote ' .
I used $value since I'm not sure what exactly you have in the database (with or without quotes?) but it will sit in some kind of variable if you want to use it anyway, so, I called that $value.
Since the above is a bit unwieldy I made a wrapper for it:
// htmlents($string)
function htmlents($string) {
return htmlspecialchars($string, ENT_QUOTES);
}
So you can
<input type="text" value="<? echo htmlents($value); ?>" />
Not to be confused with the existing htmlentities(), which encodes all non-standard characters. htmlspecialchars() only encodes &, <, >, " and ', which is more appropriate for UTF8 pages (all your webpages are UTF8, right? ;-).
First, don't use short tags ('
Next, your HTML is malformed because you've got an extra set of quotes. Since you seem to be taking the approach of embedding PHP into the HTML, then a quick fix is:
<input type="text" value="<?php echo 'foo'; ?>" />
...although since this value is coming from your database it will be stored in a variable, probably an array, so your code should look more like:
<input type="text" value="<?php echo $db_row['foo']; ?>" />
For clarity, most programmers would try to eliminate switching between PHP parsed and non-parsed code either using a template system like smarty or....
<?php
....
print "<input type='text' value='$db_row[foo]' />\n";
....
?>
(Note that
1) when the variable is within double quotes with a block of PHP, the value is automatically substituted
2) when refering to an associative array entry within a double quoted string, the index is NOT quoted.
HTH
C.
<?php
echo "<input type='text' value='{$foo}' />" ;
?>