I have a database built and working for my music collection. I have built an entry page that only I have access to. Obviously when I have a title or artist with an apostrophe the entry fails. I've been reading and I found this syntax on a page on this site. However when I try to execute it the 'safe' stringer comes out blank.
This is the part of the code that doesn't work. I'm sure it's something stupid I've done. If anyone can point out the error of my ways I'd greatly appreciate it.
$artist=$_POST['artist'];
echo $artist . "<br>";
$safeartist = mysqli_real_escape_string($artist);
echo $safeartist . "<br>";
$title=$_POST['title'];
$safetitle = mysql_real_escape_string($title);
echo $safetitle . "<br>";
It does in fact have the data in the 'echo artist' command but does not for the second echo.
If you are trying to print the string in the DOM it might be that you are looking for htmlentities
http://www.php.net/htmlentities
mysql_* is deprecated PDO is often a more reasonable choice http://php.net/PDO
Related
I am trying to do some htmlentities. However, the hyperlinks are now broken due to them being converted to the html codes, wanting to do this as for some stupid reason the university has given us all the same password for the servers.
Last year I almost failed as someone went onto my server and filled with the javascript and css hacks, so this will prevent it, however it's not much use if the hyperlink won't work, so how do I prevent this? Here's the code I have so far for this specific area:
$sub = substr($row['content'],0,300).'.......... See full article';
echo htmlentities($sub,ENT_QUOTES,"UTF-8");
If anyone can help, it's much appreciated, thanks.
I think you're applying htmlentities() on too much of your output. Just do it like this:
<?php echo htmlentities(substr($row['content'],0,300)).
'…See full article'; ?>
Don't apply htmlentities over the whole link, but on the values you actually want to escape, like this
$sub = htmlentities(substr($row['content'],0,300), ENT_QUOTES, 'UTF-8') . '.......... See full article';
echo $sub;
I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?
I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()
$test = '<b>blah</b>';
echo htmlentities($test);
This will output:
<b>blah</b>
Which will render in the page as
<b>blah</b>
Echo don't execute PHP code from string. This is impossible and this is not security hole in your code.
You can use a template engine like Twig for exemple.
If htmlspecialchars(); is not the one you are looking for, try the header() option.
header('Content-type: text/plain');
When you are gonna give <b>Hi</b> to a browser, it will be displayed in Bold and not the text be returned. But you can try this way, outputting it inside a <textarea></textarea>.
Or the other way is to use htmlentities():
<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>
From a form, I'm asking the user to enter some text. I will retrieve this text using $_POST['text'].
The user enters the string "It's my text!"
$newText = mysql_real_escape_string($_POST['text']);
Now on the very same page after I've inserted $newText into the database I want to display
the text to the user and also use it as the value of an input text box using PHP.
// I want to make sure the user hasn't added any unsafe html in their string
$newText = htmlentities($newText);
echo "You've entered: " . $newText . "<br />";
echo "<form action=someaction.php method=post>";
echo "<input type=text value=\"" . $newText . "\">";
echo "</form>";
The output is:
You've entered: It\'s my text!
[It\'s my text!]
How do I avoid these slashes, and should I be doing anything else with my data?
You're passing the text through mysql_real_escape_string() which, as the name suggests, escapes the string, including apostrophes. mysql_real_escape_string() is meant only for preparing the data for saving to database. You shouldn't use it when displaying data to the user.
So, the solution is simple: remove the line and use htmlentities() only. Use mysql_real_escape_string() when you're saving the string to database (and only then).
Only use mysql_real_escape_string() on the variable you want to use in the query, because it will add slashes to escape some of the characters in the string. This works great for mysql, but when want to use it on the page it will look weird.
You could make 2 variables, 1 for MySQL and 1 for displaying the raw text.
$text = $_POST['text'];
$db_text = mysql_real_escape($text);
Also note that you should use strip_slashes() on the data you get from the database later, to remove the slashes.
Hope this clear things up a little bit.
Now on the very same page after I've inserted $newText into the database I want to display the text to the user
That's what you are doing wrong.
An HTTP standard require a GET method redirect after every successful POST request.
So, you have to redirect the user on the same page, where you may read inserted data from the database and show it to the user.
As for the mistake you made - just move escaping somewhere closer to the database operations, to make sure it is used only for the purpose (YET it is used obligatory, without the risk of forgetting it!).
Ideally you have to use some variables to represent the data in the query, and some handler to process them.
So, the query call may look like
DB::run("UPDATE table SET text=s:text",$_POST['text']);
where s:text is such a variable (called placeholder), which will be substituted with the $_POST['text'] value, properly prepared according to the type set in the placeholder name (s means "string", tells your function to escape and quote the data)
So, all the necessary preparations will be done inside and will spoil no source variable.
save normally using mysql_real_escape_string()
and when you want to display it in a form:
htmlspecialchars(stripslashes($row['text_data']))
it will do the trick.
I'm current making a website with a photo album in it. The website in 2 languages, english and dutch. So I made language file like:
$lang['hello'] = 'Hallo'; //Hallo is hello in dutch
With the photo album I'm trying use the same principle like:
$lang['discription_001'] = 'photo of a house';
With showing the images I made a counter, now I want to use the same counter in the dispription like so:
echo $lang['discription_'$counter]
And $counter being 001 for photo number one. However this does not work, Could someone tell how I could get this to work, or any other method to get what I want.
Thanks in advance, Thomas de Zeeuw
P.S. I'm new in PHP, however I normally pick up things quite fast, so make some explaintion would be appreciated.
You're almost there:
echo $lang['discription_' . $counter]
The . is PHP's concatenation operator, for combining strings.
You just forgot the string concatenation operator . to concatenate 'discription_' and the value of $counter:
$lang['discription_'.$counter]
You have a typo.
echo $lang['discription_'$counter]
Should be
echo $lang['discription_' . $counter];
You could get it to work by simple repairing your code:
echo $lang['discription_'.$counter];
or
echo $lang["discription_{$counter}"];
Is $counter a string?? If so your example should work fine if you fix the parse error (You missed the concatenation operator (.).
It would be much better if you showed us actual code from your application.
echo $lang['discription_' . $counter];
As you have got answers already you forgot the concatenation operator, but better way in my mind would be to use multidimensional array.
echo $lang['descriptions'][$counter];
Am trying to pass the value hrough the URL but when i retrieve it it appears like this ' , urlencode(15.99),'
the value is correct but i have tried different things but still unable to just send the value without the urlencode or added syntax
the line of code am trying to send the value is
redirect_to("$the_file_is?subj=' . urlencode($the_price_is)' ");
This should do what you're looking for, assuming I understood it correctly:
redirect_to($the_file_is . '?subj=' . urlencode($the_price_is));
Surely just change to...
redirect_to($the_file_is."?subj=" . urlencode($the_price_is));
Almost there - just a little bit of quote confusion :)
redirect_to("$the_file_is?subj=" . urlencode($the_price_is));
It's worth noting that you can reference variables in double quotes so:
echo "hello $name"; will work, but echo "$actioned"; might need to be echo "{$action}ed"; echo $action.'ed'; depending.