Here is a simplified version of my code that I am having a problem with.
$variable = "{\\\"JSON" //long JSON string created in Javascript with JSON.stringify
?> <input type="text" name="somename" value="<?php echo $variable; ?>"/> <?php
The input box only contains {\
I need a way to escape the entire JSON string
Thanks
Alex
You're outputting into an HTML context, so you need html-specific escaping:
<input ... value="<?php echo htmlspecialchars(json_encode($whatever)); ?>" />
^^^^^^^^^^^^^^^^----
$val= json_encode($val);
<input type="hidden" value="<?php echo htmlspecialchars($val); ?>" name="bye">
Related
I have something like this (code simplified):
<?php
$var = 'Read "The Book"';
?>
<input type="text" value="<?php echo $var; ?>" />
The problem is that in the input looks like if it prints read and when you look at the source code you see it has <input type="text" value="Read "The Book"" /> and it doesn't work.
I can't simply replace value="<?php echo $var; ?>" for value='<?php echo $var; ?>' because $var could has any value and if I do it that way and its value is D'Artagnan it is going to try to print <input type="text" value='D'Artagnan' />.
=(
Any suggestion?
You should sanitize all your output by escaping characters with special meaning into their respective HTML entities. You can do that in the html context with htmlspecialchars.
<input type="text" value="<?php echo htmlspecialchars($var); ?>" />
So, with that, you can avoid XSS attack.
I'm using a metadata reader in php. It works great, but when I'm using it to put the values that came from the function in INPUT I get strange symbols in the inputbox.
Here is the source code:
if($fileStatus == 1){
include ("include/functions.php");
$filename=$uploaded;
$mp3file=new CMP3File;
$mp3file->getid3($filename);
$hej = "hejhejhej";
?>
<form>
<input type="text" name="hej" value="<?php echo $hej;?>">
<input type="text" name="title" value="<?php echo "$mp3file->title";?>"><br>
<input type="text" name="artist" value="<?php echo "$mp3file->artist";?>"><br>
<input type="text" name="album" value="<?php echo "$mp3file->album";?>"><br>
<input type="text" name="year" value="<?php echo "$mp3file->year";?>"><br>
<textarea name="artist"><?php echo "$mp3file->comment";?></textarea><br>
<input type="text" name="genre" value="<?php echo "Ord($mp3file->genre)";?>"><br>
</form>
<?php
}
Source code I get from the browser:
<form>
<input type="text" name="hej" value="hejhejhej">
<input type="text" name="title" value="Selene
Screenshot
Try using HTML Entities.
This might be because of UTF-8 and the browser doesn't support that encoding. May be, PHP's htmlentities might help you. Replace:
<?php echo $hej;?>
With:
<?php echo htmlentities($hej);?>
The strange characters you see are because CMP3File uses fread to get bytes from the actual MP3 file (read up on ID3 Tags if you want to know more about this). If you want to see the actual bytes as a string, use the ord function as such:
<?php
for($i = 0; $i < strlen($mp3file->title); $i++) {
echo ord($mp3file->title[$i]);
}
?>
The solution for this problem is "Trim()"
Data or value in $description from database is
<div>Henry</div>
My HTML Code
<input type="textbox" id="textbox" value=""/>
<input type="hidden" id="hidden" value="<?php echo $description; ?>"/>
Output :
If the code be
<input type="hidden" id="hidden" value='<?php echo $description; ?>'/>
Its working fine !..Any one please tell me the issue ?
You are trying to have HTML code inside the value of a hidden input in a form? That doesn't sound right.
If you need to keep it as it is, you should at least use htmlentities to make it a string:
<input type="hidden" id="hidden" value="<?php echo htmlentities($description); ?>"/>
An example:
<?php
$str = "A 'quote' is <b>bold</b>";
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str);
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str, ENT_QUOTES);
?>
Your code becomes like this...
<input type="hidden" id="hidden" value = "<div><a href="www.google.com" > Henry </a></div> "/>
You can divide this as...
<input type="hidden" id="hidden" value = "<div><a href="www.google.com" >
Henry
</a></div>
"/>
That's how you get Henry"/>
Here comes 2 issues,
First of all use htmlentities to convert all applicable characters to HTML entities.
htmlentities($description);
And Its fair to use Single quote instead of double quotes. Ref link
By default, SGML requires that all attribute values be delimited using either double quotation marks (ASCII decimal 34) or single quotation marks (ASCII decimal 39). Single quote marks can be included within the attribute value when the value is delimited by double quote marks, and vice versa
look at the different between " and ':
if your code is :
$description = <div>Henry</div>
and
<input type="hidden" id="hidden" value="<?php echo $description; ?>"/>
so it's actually means
<input type="hidden" id="hidden" value="<div>Henry</div>"/>
and the " that before the url closes the "value", so the value is actually -
value="<div><a href="
so try to use ' instead of " on the url (google) OR in the value (not both).
This is how your browser sees the code:
<input type="textbox" id="textbox" value="<div>Henry</div>
"/>
See how the double-quotes don't make sense?
If you want to keep double-quotes you need to go with htmlentities.
$description = htmlentities($description);
<input type="hidden" id="hidden" value="<?php echo $description; ?>"/>
Also, your link "www.google.com" will point to a page called www.google.com RELATIVE to your directory. Be sure to use ABSOLUTE path: http://www.google.com
A simple replace in here like this
<div><a href='www.google.com'>Henry</a></div>
or like this
<input type="textbox" id="textbox" value=""/>
<input type="hidden" id="hidden" value='<?php echo $description; ?>'/>
but not both should do the trick.
http://php.net/manual/en/function.strip-tags.php
Try this:
div><a href='www.google.com'>Henry</a></div>
<input type="textbox" id="textbox" value=""/>
<input type="hidden" id="hidden" value='<?php echo strip_tags($description); ?>'/>
How to add values from <input> to $var in php file?
html
<input type="text" id="align" name="align"/>
php file
<?php
$align="center";
?>
You mean you want to post it and put it in a PHP variable?
Try this:
<form action="somephpfile.php" method="POST">
<input type="text" name="align" value="center" />
<input type="submit" value="Send!" />
</form>
somephpfile.php
$align = $_POST['align'];
echo $align;
It depends on the form action.
If your form that is holding your fields has an action="post" attribute then from the php side you have to use $_POST['align']. If you have set the action to action="get" then you have to use the $_GET['align'].
<?php
$align = $_POST['align'];
// OR
$align = $_GET['align'];
?>
Just output it into the regular HTML value attribute:
<input type="text" id="align" name="align" value="<?php echo htmlspecialchars($align); ?>" />
The htmlspecialchars() call is there to escape things like quotes, to avoid problems if your variable contains quotes, and to make your mark-up more standards-compliant.
I tried $_POST['<?php echo $var ?>] but I should have known that it wouldn't be that easy.
The reason why I try to do is because I have several input boxes with values I take from a database and I'm trying to create an updation script where any of the input box values can be changed.
for example
<form action="process.php" method="post">
<?php
while($variable=mysql_fetch_array($sqlconnec))
{
?>
<input type="text" name="<?php echo $variable['col1']?>" value="<?php echo $variable['val'] ?>" />
<?php
}
?>
<input type="submit" />
</form>
Any help is appreciated.
I think that what you need is:
<input type="text" name="<?php echo $col; ?>" value="<?php echo $val; ?>" />
$_POST[$col] //this will have the input value defined above.
In process.php you have to do the same query as mentioned above. If you iterate through those results $_POST[$col] will contain the posted values.
You need to do like this:
<form action="process.php" method="post">
<?php
$variable = mysql_fetch_assoc($sqlconnec);
foreach($variable as $col => $val)
{
?>
<input type="text" name="<?php echo $col; ?>" value="<?php echo $val; ?>" />
<?php
}
?>
<input type="submit" />
</form>
Now, mysql_fetch_assoc gets you the database row in a associative array. Then, the code iterates each column in the row and displays the name/value pair for it. And yes, you were not closing the value tag correctly.
foreach($_POST as $k=>$v) {
//do something with $v or $_POST[$k]
}
I think that you want to change the name of the input to something that is constant.
For example:
<input type="text" name="testname" value="<?php echo $variable['val'] ? />
And then retrieve your variable like so:
$_POST['testname']
For example you could print the variable you sent in the input to test it like so:
echo $_POST['testname'];
You are not closing your input 'value' tag with ". Also your second php closing tag is incorrect.
<input type="text" name="<?php echo $variable['col1']?>" value="<?php echo $variable['val'] ?>" />