i'm doing a project in php!
the problem is array is not printing properly.
Actually im trying to retrieve text data from mysql using php.
im able to retrieve the data, but while im printing in the document it is not printing as i want!!
echo "<td><p onclick=alert('".$arr[$t]."'); ><u>VIEW</u></p></td>";
$arr[$t] is text data i retrieved from database.
it should print like this(assuming $arr[$t] has data "this is a paragraph")
but the actual output is like this..
output in CHROME
<td><p onclick="alert('this" is a paragraph'); ><u>VIEW</u></p></td>
output in FIREFOX
<td><p paragraph');="" a="" is="" onclick="alert('this" ><u>VIEW</u></p></td>
i dont know why it's happening. please help me out with this..
thanks in advance :)
The syntax highlighting from your chrome output gives it away - you have a double quote nested inside your double quotes, which is invalid HTML.
You should escape all output before rendering it, using something like htmlspecialchars (http://au2.php.net/manual/en/function.htmlspecialchars.php).
Also, you should wrap your onclick handler in quotes - eg. onlick="alert('stuff stuff more stuff')" or it won't parse correctly.
Related
I'm working with Ionize - i'm trying to save text with html tags to mysqli, but i keep getting the text like this :
<p><div class="foo">foo</div></p>
while i want to get
<div class="foo">foo</div>
I've tried to replace all the htmlspecialchars methods with html_entity_decode
but it didn't worked
It's ok to have it saved like that, you just have to apply htmlspecialchars_decode on your result before printing it.
pretty new to Mysql, HTML and PHP and I can't seem to find much information on this trouble i'm having.
I Am making my own rough project manager type thing and I have a form that lets me change the contents of each individual change log, the problem I have however is that when I load the data in to the text area it start with a big indentation at the start, like 3-4 tabs inwards. I would attach an image but I need at least 10 rep to do that.
Basically, it feels like the data in the database has tabs or something at the start of it, but when I go to look in PHPmyadmin at the field, it just looks like it should do, not tabbed at all.
I've tried using strip_tags() but I think it only works on visible tags.
Does any1 know how to get rid of this or what is causing the problem?
I'll be following this question closely to see if anybody can provide an answer because I'm stumped.
Thanks,
Try to echo your php code with no blanks :
Possible tabs, bad example :
<textarea>
<?php echo $tabContent; ?>
</textarea>
Avoiding tabs :
<textarea><?php echo $tabContent; ?></textarea>
You can also try to trim your php content like that :
<textarea><?php echo trim($tabContent); ?></textarea>
Try doing var_dump and look how long your queried string is.
If it is as long as in your database you problem is within the textarea.
Is there any css you use with textarea?
I wrote a php script that pulls some data from a database and displays it in XML format. For some reason it halts output when it gets to an apostrophe in the data. This is a SELECT statement, and a simple one at that, so I don't understand why there are any issues with apostrophes or quotation marks. I've tried using addslashes() and mysql_real_escape_string(), even though my understanding is that those are for sanitizing data being inserted into the database, and it did not help. I'm stumped. Below is the code and thanks in advance for any advice!
<? if($result = $mysqli->query("SELECT * FROM ".$tbl)){
while($row = $result->fetch_object()){ ?>
<slide>
<id><?= $row->id ?></id>
<title><?= $row->title ?></title>
<chatter><?= $row->description ?></chatter>
<image><?= $row->path ?></image>
<link><?= $row->href ?></link>
<active><?= $row->active ?></active>
</slide>
<? }
}else{
echo $mysqli->error;
}
EDIT:
It turns out I have misunderstood the problem. They are not apostrophes but instead are right single quotes. If I change them to actual apostrophes the script works but I still don't understand why it doesn't simply output them though.
Try with str_replace("'", "\'", $field_to_be_replaced);
You can replace the ' char with a blank space if you prefer, just for testing.
Are you sure it halts on the output of the data, and not when the data is processed? Apostrophe's have special meaning in XML, so if they are included in your XML data you have to replace them with an entity reference. There are 5 predefined entity references in XML, for less than, greater than, ampersand, apostrophe, and one for quotation mark. Alternatively, you can mark the text as CDATA so that the XML parser doesn't try to parse it.
Try making your program output the XML data to a text file instead of to wherever it is going now. Does it still halt on the apostrophe? If not, then it's definitely because of a problem parsing the data. If your program still halts on the apostrophe even when outputting the data only to a text file, there may be a problem somewhere else in the program where that data is processed. Check all the references to the variable containing the data, and see if you can find the exact line the program breaks on.
the apostrophe (') is an invalid character for XML!
You must call $safe_string = str_replace("'","'",$string) in all your fields before
outputting the .XML file.
Check here to learn about these characters and build a more complete str_replace
EDIT:
What im using:
// save ubercart products in XML
function replace_characters_for_xml($str) {
return str_replace(
array("&",">","<","'",'"'),
array("&",">","<","'","""),$str
);
}
...
$row->title = replace_character_for_xml($row->title);
$row->href = replace_character_for_xml($row->href);
...
I'm getting data from my textarea with the following code
$about_me=mysql_real_escape_string(nl2br($_POST['about_me']));
which
1. Receives data, using $_POST.
2. nl2br makes brakes so If I echo this code to user he will see if there were new lines.
3. mysql_real_escape_string to secure code from mysql injections before entering it to database.
So if I echo this code everything works fine.
But If I edit it again through textarea, php goes to mysql gets data, puts it to textarea and I see <br> signs...
How can I get rid of them while editing my text again in textarea ?
How can I get rid of them while editing my text again in textarea ?
Stop using nl2br(), of course. It's entirely wrong here.
You use nl2br() when you want to output data that contains linebreaks to HTML, not when you want to store it in the database. Store data unchanged, format it for viewing.
If you output it into a <textarea> you don't need to use it either, since textareas display linebreaks (whereas HTML in general does not). For the textarea you need htmlspecialchars(), but apparently this is already happening - otherwise you would not see literal <br> showing up.
<?php
function br2nl($string){
$return=eregi_replace('<br[[:space:]]*/?'.
'[[:space:]]*>',chr(13).chr(10),$string);
return $return;
}
?>
Use this while getting data from database and before printing into textarea .
http://php.net/manual/en/function.nl2br.php
Check examples on this page
I am trying to format some bad html to output into a pop window. The html is stored in a field in a mysql database.
I have been performing json_encode and htmlspecialchars on the row in the php like so:
$html = htmlentities(json_encode($row2['ARTICLE_DESC']));
and calling my makewindows function, which simply takes the html as a paramter and uses it withdocument.write like so:
<p>Click for full description </p>
This works ok, as in some html code is produced, such as the following:
http://www.nomorepasting.com/getpaste.php?pasteid=22823&seen=true&wrap=on&langoverride=html4strict
pasted there because I do not know how to wrap lines in SO
The problem is that htmlspecialchars does not seem to be stripping bad html data, as no popup window is created. The error I receive with firebug is
missing ) after argument list
However the html is outside of my control.
From what I have read, I am taking the correct steps. If I am missing something out, what is it?
My full make windows function:
function makewindows(html){
child1 = window.open ("about:blank");
child1.document.write(html);
child1.document.close();
}
You shouldn't have the single quotes in the function call. It should look like this:
<p>Click for full description </p>
Then the output will look like
<p>Click for full description </p>
which is correct.
Try it the following way:
$html = htmlentities(json_encode($row2['ARTICLE_DESC']),ENT_QUOTES);
I think the single quotation marks are not escaped by default.
Nevertheless I recommend you saving the html in a JavaScript variable before opening the window.