I am a newbie in PHP. I just want to know why every time I save a string data from textarea it's always having the <p> string </p> format inserted in the database. This is my code:
<table>
<tr>
<td>
<textarea name="event_desc" cols="40" rows="10" id="event_desc"></textarea>
</td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="Add" id="Add" value="Add event" /></td>
</tr>
</table>
And every time I include a single quotation ('), it always appears as " & #39;" without space. This is the sample output:
input: test2 ' (and every space i made count)
<p> test2 ' $</p>
I already use mysql_real_escape_string, addslashes and stripslashes.
This is my code in saving into database:
<?php
if(isset($_REQUEST['Add']))
{
$event_title=$_POST['event_title'];
$event_desc=mysql_real_escape_string($_POST['event_desc']);
$section=$_POST['section'];
$get_date=NOW;
if($event_title=="" || $event_desc=="")
{
echo'<div class="warning">Some of the fields are empty.</div>';
}
else
{
mysql_query("INSERT INTO events (`event_title`, `event_desc`,`event_date`,`event_target`) VALUE('$event_title','$event_desc','$get_date','$section')") or die(mysql_error('Error: Error in adding entries'));
echo'<div class="success">You have just added 1 event for School. You will be redirect in 5 seconds</div>';
echo "<META HTTP-EQUIV='Refresh' CONTENT='5; URL=events.php'>";
}
}
?>
Thank you guys for the help.
my suggestion will be to use mysqli::real_escape_string with prepared statements
click mysqli::real_escape_string
You can use addslashes() while storing into the db, and use htmlspecialchars_decode to retrieve it if it is encoded.
<?php
$str = "<p>this -&gt; &quot;</p>\n";
echo htmlspecialchars_decode($str);
// note that here the quotes aren't converted
echo htmlspecialchars_decode($str, ENT_NOQUOTES);
?>
OUTPUT:
<p>this -> "</p>
<p>this -> &quot;</p>
Ref: http://www.php.net/manual/en/function.htmlspecialchars-decode.php
Other than the traditional methods mentioned above.
We can encode the string coming from the text area using "base64_encode" and then store it in the db... While retrieving from the db, decode it back using the "base64_decode" function.
Note:- As per the documentation it consumes 33% more space.
Ref:- http://php.net/manual/en/function.base64-encode.php
You're saving HTML-encoded text to your database. Punctuation is encoded when viewing in a page. So you have to decode them somehow. I'm not a PHP person, but I know this is your problem.
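The two points raised in the answers above (bound parameters, and HTML-encoded text ending up in the column), as an added example that is not code from any of the posters: the textarea text is stored unmodified through a prepared statement and encoded only at output. It assumes PDO with an in-memory SQLite database standing in for the MySQL `events` table, and the submitted values are constructed.

```php
<?php
// Added example: constructed input, in-memory SQLite standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, event_title TEXT, event_desc TEXT)');

// What the browser would submit from the form (constructed sample).
$post = [
    'event_title' => 'Sports day',
    'event_desc'  => "test2 ' <b>bring water</b>",
];

// Store the raw text. Bound parameters are sent separately from the SQL text,
// so the single quote cannot end the string literal and no addslashes() or
// mysql_real_escape_string() call is involved.
$insert = $pdo->prepare(
    'INSERT INTO events (event_title, event_desc) VALUES (:title, :desc)'
);
$insert->execute([
    ':title' => $post['event_title'],
    ':desc'  => $post['event_desc'],
]);

// For contrast: encoding before storage puts entities into the column itself.
$insert->execute([
    ':title' => 'encoded before storage',
    ':desc'  => htmlspecialchars($post['event_desc'], ENT_QUOTES, 'UTF-8'),
]);

$rows = $pdo->query('SELECT event_title, event_desc FROM events ORDER BY id');
foreach ($rows as $row) {
    printf("title    : %s\n", $row['event_title']);
    printf("stored   : %s\n", $row['event_desc']);
    // Encode once, at output time, for the HTML context.
    printf("rendered : %s\n\n", htmlspecialchars($row['event_desc'], ENT_QUOTES, 'UTF-8'));
}
```

The first row renders as the text the user typed; the second row renders with visible entities because it was encoded twice.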
Related
I have created a simple HTML form containing just one field. When I press submit some PHP code that I have written gets called and outputs text that would include submitted data if everything was working. But no submitted text gets printed by the PHP. The form has been created on a Godaddy HTML page and the form is as follows:
<FORM BORDER="1" action="http://www.bestpro.com.au/wordpress/PHB_action.php"
method="post" enctype="application/x-www-form-urlencoded"
eenctype="multipart/form-data" name="PHBForm" accept-charset="ISO-8859-1"
ienctype="text/plain">
<TABLE>
<TR>
<TD>First name:</TD><TD><INPUT type="text" name="firstname" id="firstname"></TD>
<TD></TD><TD></TD>
<TD> </TD><TD> </TD>
</TR>
<TR>
<TD> </TD><TD> </TD>
<TD> </TD><TD></TD>
<TD> </TD><TD><input type="submit" value="Submit"></TD>
</TABLE>
</FORM>
The PHP code output starts as follows:
This is where we end up.
Using `$_POST["firstname"]` which outputs nothing.
Using `htmlspecialchars($_POST["firstname"])` which also outputs nothing.
Question:
The PHP output doesn't include the value that I entered into the field.
Can anyone see what I am doing incorrectly?
I see nothing wrong here, so I can only assume it is something wrong with how you output it on your PHB_action.php page.
You say that you're placing $_POST['firstname'] on your page, but have you actually made sure to echo or print it to the page?
You can do this like so:
echo $firstname = $_POST['firstname']; // notice the echo placed before
or
$firstname = $_POST['firstname'];
print("$firstname");
EDIT:
I've noticed you have put your post data inside of single quotation marks when echoing out to your page.
You must concatenate on your data rather than putting them inside of single quotes when echoing, like so:
echo 'Using' . $_POST['firstname']; // notice the dot in between the string and the post data.
Either that, or you have not installed PHP correctly (or at all) onto your server.
Hope this helps
So, this is pretty straightforward and I have written it up and will explain each bit as I go.
The PHP you need for this is:
<?php
if (isset($_POST['send']))
{
$fname = $_POST['firstName'];
if (!empty($fname))
{
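// encode before output so submitted markup is displayed as text
echo "hello " . htmlspecialchars($fname, ENT_QUOTES, 'UTF-8');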
} else {
echo "Please supply your first name.";
}
}
?>
$_POST['send'] is the name of your submit button, this will be the trigger for your PHP to initiate and run through the rest of the code.
$fname = $_POST['firstName']
This is just where I prefer to store the $_POST as a variable in the event you are going to re use it again it saves time writing the entire thing.
if(!empty)
If the username isn't empty (!empty meaning not empty) then perform the echo of $fname. However, if it comes back as empty it will echo the else: echo "Please supply...";
Now for the form.
<form action="" method="post">
<table>
<tr>
<td>First Name:</td>
<td><input type="text" name="firstName"></td>
</tr>
<tr>
<td><input type="submit" name="send"></td>
</tr>
</table>
</form>
Just a straightforward form with a blank action on mine (I prefer to keep the PHP within the same file, however I normally relay it back to a Class within a different file).
Each form input (First Name / Submit) must have a name="" value otherwise the PHP cannot read it and run with it.
I hope this makes sense and isn't too puzzling :)
Your input field should be inside a <form> tag and the method should be post. Like:
<html>
<body>
<Form method=post>
<input id=mytextfield name=mytextfield type=text />
<input type=submit value=Submit />
</Form>
</body>
</html>
Thanks to everyone who's given me such great advice over the last several months. I'm almost done with this project and I've learned so much. But I'm kinda stumped using textarea. I've googled and googled and can't find a solution.
This is not a public facing website so I'm not worried about sql injection and my organization uses an older version of PHP so I have to use mysql_query versus mysqli_query.
My problem is I have to echo two things from my database into a form so the user can edit and then update the database with the new inputs. One is a small string of text that I display using input="text". However the other is a longer string that lists a set of instructions so I'm using <textarea> because it's too much for a text box. However when I run my update query only the first letter of the textarea string gets updated into my database. The textbox string works just fine. Here's my code:
getrcs.php
<html>
<form>
<body>
<?php
$q = intval($_GET['q']);
include ('database_connect.php');
$sql= "SELECT * FROM RDS_REFERENCE WHERE ID = '".$q."'";
$query_result=mysql_query($sql);
?>
<table>
<tbody>
<?php
while($row = mysql_fetch_array($query_result)) {
?>
<tr>
<td>
<label>Sub File Series Number/Title</label>
<input type="text" style="width:250px;" required="Required" name="sub_fs_num_tle1[]" value="<?php echo $row['SUB_FS_NUM_TITLE']?>"/>
</td>
<td>
<label>Disposition Instructions</label>
<textarea name="disp_instr1" cols="40" rows="30" style="font-family: Arial, Helvetica sans-serif; font-size: 12px;"><?php echo $row['Disposition_Instructions'] ?></textarea>
</td>
</tr>
<?php
}
?>
</tbody>
</form>
</body>
</html>
And update_rcs.php
<?php
include('database_connect.php');
foreach($_POST['id'] as $row => $id)
{
$sub_fs_num_tle1 = $_POST['sub_fs_num_tle1'][$row];
$disp_instr1 = $_POST['disp_instr1'][$row];
$rcs_reference_update1 = "UPDATE RDS_REFERENCE SET
SUB_FS_NUM_TITLE = '$sub_fs_num_tle1',
Disposition_Instructions = '$disp_instr1'
";
mysql_query($rcs_reference_update1) or die("Could not update".mysql_error());
}
header('Location:rcs_maint.php');
?>
Since your input is name="disp_instr1" the $_POST['disp_instr1'] is a string, not an array. This means that $_POST['disp_instr1'][$row] will output whatever character $row is in that string.
Simple demo:
$test = 'test';
echo $test[0];
Outputs:
t
Live Demo: https://eval.in/541463
To solve the issue use:
$disp_instr1 = $_POST['disp_instr1'];
Also SQL injections aren't the only reason to use parameterized queries. If a single quote needs to go to your db it will fail as is.
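The string-versus-array behaviour described in the answer above, as an added example that is not the poster's code: `parse_str()` builds an array from a request body using the same bracket rules PHP applies when filling `$_POST`. The request bodies and the `field_for_row()` helper are constructed for illustration.

```php
<?php
// Added example; both request bodies are constructed samples.
$bodies = [
    'name="disp_instr1"'   => 'id[]=7&sub_fs_num_tle1[]=100-01&disp_instr1=Destroy+after+3+years',
    'name="disp_instr1[]"' => 'id[]=7&sub_fs_num_tle1[]=100-01&disp_instr1[]=Destroy+after+3+years',
];

// Hypothetical helper: return the value of $field for row $row, checking
// whether the client sent a single string or a repeated (array) field.
function field_for_row(array $post, string $field, int $row): string
{
    $value = $post[$field] ?? null;
    if (is_array($value)) {
        // Field name ended in []: pick this row's entry if it is a string.
        return (isset($value[$row]) && is_string($value[$row])) ? $value[$row] : '';
    }
    // Single field: return the whole string. Indexing it with $row would
    // return one character, which is the truncation seen in the question.
    return is_string($value) ? $value : '';
}

foreach ($bodies as $label => $body) {
    parse_str($body, $post);
    foreach ($post['id'] as $row => $id) {
        $naive   = $post['disp_instr1'][$row];   // the expression from update_rcs.php
        $checked = field_for_row($post, 'disp_instr1', $row);
        printf(
            "%-22s naive=%-26s checked=%s\n",
            $label,
            var_export($naive, true),
            var_export($checked, true)
        );
    }
}
```

With the plain field name the naive expression yields `'D'`; the type-checked lookup returns the full text for both field shapes.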
Is it possible to insert an active link to an input textbox?
I tried using an <a> tag inside the value of html but it's not working.
<?php $email = "example#link.com "; ?>
<input type="text" id="email" name="email" value="<?php echo $email; ?>">
It only returns the text without the hyperlink value.
A couple things are wrong here...
You're not escaping your quotes. Therefore the PHP is invalid.
You're trying to put HTML inside an attribute, which is also invalid.
The only alternative I could see being used here is an HTML element with contenteditable="true" applied. This makes it so an element (per say a <div>) can have its content be modified.
<?php $email = "example#link.com "; ?>
<div id="fake-email" contenteditable="true"><?php echo $email; ?></div>
Then see this related question if you're doing a form.
Edit:
If you're trying to do a form, then this is one example:
document.getElementById("form").onsubmit = function(){
document.getElementById("email").value =
document.getElementById("fake-email").innerText || document.getElementById("fake-email").textContent;
}
While your form is:
<form action="..." method="..." id="form">
<div id="fake-email" contenteditable="true"></div>
<input type="hidden" id="email" name="email" />
</form>
No, it isn't possible. Input values will always be rendered as plain text. If the user doesn't need to edit the link I would just put it beside the input.
Otherwise you might want to look into WYSIWYG Editors. Links to two of the most popular below.
TinyMCE
CKEditor
You need to escape quotes when including it in your php variable.
<?php $email = "example#link.com "; ?>
You need to use a backslash when you're using double quotes.
Alternatively, you can write it as such:
<?php $email = 'example#link.com '; ?>
If you start with single quotes, then you don't need to escape the double quotes.
I strongly suggest you read up on escaping characters when need be.
I have the following javascript code
echo ' <span style="padding-left:0px"><input type="submit" name="r" style="width: 138px; font-weight:bold; " value="Add item"/></span>
';
I am trying to execute the script from within a php script. When I click on the button to execute the java part of it, nothing happens. I then try it this way
echo ' <span style="padding-left:0px"><input type="submit" name="r" style="width: 138px; font-weight:bold; " value="Add item"/></span>
';
and got this parse error: parse error, expecting '," or';".
You have to escape apostrophes in a string in php. Instead of
echo '(...) style.display='block' (...)';
do
echo '(...) style.display=\'block\' (...)';
That being said, try to split your code over multiple lines so it is at least somewhat readable. You can also write HTML in php like this:
<?php
// php code
echo 'php';
?>
<HTML code>
<?php
// more php code
echo ' <span style="padding-left:0px"><input type="submit" name="r" style="width: 138px; font-weight:bold; " value="Add item"/></span>
';
This will not work because the single quote params in the JS echo are breaking the PHP flow. Try adding break characters before each single quotation in the echo, not sure what it is in PHP but try \'
IE:
Id('items')
becomes
Id(\'items\')
This has nothing to do with PHP.
You are using " quotes to delimit JavaScript strings inside HTML attribute values delimited using " characters.
As a result, the first " inside the JS terminates the HTML attribute value.
The quick hack is to use &quot; instead of " inside the attribute value.
The better solution is to use unobtrusive JavaScript
I have a javascript character counter that I use inside of a text area. It works great in normal html, but when I put the exact same code inside of a text area inside php, nothing.
Here it is in html when it works fine:
<div id="counter">
<span id="counter_airway" style="font-size:11px; color:#666666;">140 Character Limit</span>
</div>
<div id="grapvine_text">
<form name="CommentBox" method="post" action="Profile.php?id=<?php echo $prof->id; ?>">
<textarea name='airway' class='round_10px' onkeyup="limit_length(this,140,'counter_airway');"></textarea>
</form>
Here it is implemented inside my php form:
<div id="commentBoxBlog">
<form name="CommentBox" method="post" action="Profile.php?id=<?php echo $prof->id; ?>">
<?php
if($auth->id == $prof->id) {
echo "<div id='counter'>
<span id='counter_airway' style='font-size:11px; color:#666666;'>140 Character Limit</span>
</div><textarea name='airway' class='round_10px' onkeyup='limit_length(this,140,'counter_airway');'></textarea>
<input type='submit' name='commentProfileSubmit' value='Exhale' class='post'/>";
}
elseif(!$auth) {
echo "<textarea name='ProfileComment' class='round_10px' disabled>Please sign in to comment...</textarea>";
}
elseif($auth->id != $prof->id) {
echo "<textarea name='ProfileComment' class='round_10px'></textarea>
<input type='submit' name='commentProfileSubmit' value='Exhale' class='post' />";
}
?>
</form>
</div>
</div>
need to escape the quote, instead of:
onkeyup='limit_length(this,140,'counter_airway')
you can do:
onkeyup='limit_length(this,140,\"counter_airway\")'
You've got a quote nesting issue. You're surrounding the onkeyup attribute of the textarea with single quotes, but also using single quotes inside that javascript snippet. Since you're using double quotes for the PHP string, use escaped double quotes (\") within your javascript snippet.
Of course, it would be even better to separate javascript into an external file, and bind to the keyup event. You could do this easily by assigning an id to your textarea, and calling the following sometime after the DOM is ready:
var textarea = document.getElementById('myTextarea');
textarea.onkeyup = function() { limit_length(this,140,'counter_airway'); }
PHP works entirely on the server side. Your browser never sees a trace of PHP, just the HTML code generated by your PHP script. Javascript works entirely on the client side.
Whether your HTML comes from coding by hand, or a HTML script, is essentially not important. What you need to look at is the HTML that your script produced in the browser's "View Source" mode. Please post that into your question as well.
You have changed some of the double quotes to single quotes. This will cause errors, for example here:
onkeyup='limit_length(this,140,'counter_airway');'
Compare this to the original:
onkeyup="limit_length(this,140,'counter_airway');"
You need to escape the quotes rather than changing them:
onkeyup=\"limit_length(this,140,'counter_airway');\"
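The quote-nesting problem from the two threads above (a JavaScript call inside an HTML attribute inside a PHP string), as an added example that is not code from any of the posters: each layer is encoded by a function made for that layer instead of by hand-placed backslashes. `js_handler_attr()` is a hypothetical helper and the quoted sample value is constructed.

```php
<?php
// Added example; js_handler_attr() is a hypothetical helper, not from the thread.
function js_handler_attr(string $function, array $args): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $function)) {
        throw new InvalidArgumentException('handler name must be a plain identifier');
    }
    // Layer 1: turn each argument into a JavaScript literal. The JSON_HEX_*
    // flags write quotes, &, < and > found inside a string as \uXXXX escapes.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literals = [];
    foreach ($args as $arg) {
        $literals[] = json_encode($arg, $flags);
    }
    $js = $function . '(this,' . implode(',', $literals) . ');';

    // Layer 2: encode the finished script for an HTML attribute value, which
    // turns the double quotes delimiting each JS string into &quot;.
    return htmlspecialchars($js, ENT_QUOTES, 'UTF-8');
}

// Markup as generated in the question: the inner single quote ends the
// attribute value early, so the handler never runs.
$broken = "<textarea onkeyup='limit_length(this,140,'counter_airway');'></textarea>";

// Same call with both layers encoded.
$fixed = '<textarea onkeyup="'
       . js_handler_attr('limit_length', [140, 'counter_airway'])
       . '"></textarea>';

// Constructed argument containing both quote characters.
$quoted = '<textarea onkeyup="'
        . js_handler_attr('limit_length', [140, "it's \"id\""])
        . '"></textarea>';

echo $broken, "\n", $fixed, "\n", $quoted, "\n";
```

The second line of output contains `limit_length(this,140,&quot;counter_airway&quot;);`, which the browser decodes back to a valid call before running it.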