I have a form with a url input that I need to prevent from converting, so that I can use $_GET on the target page. I have tried urlencode, urldecode, html_entity_decode, etc, but none of it prevents the html entity conversion (parse_url did nothing but get rid of all the important stuff). This is the only thread I have found that comes close to what I am trying to achieve.
It seems like there should be a simple solution, and this is not happening anywhere else I am using a url like this...
Thanks to anyone who can help!
echo "<option value='seeArtist.php?aid=".$row[0]."&ac=".$row[1]."&img=".$row[2]."'">
(blah, blah)
<input type="submit" style="margin-left:10px" name="submit" value="Go" />';
This is the result from clicking the submit button.
seeArtist.php?art_con=seeArtist.php%3Faid%3D18%26not%3Bac%3D+(aka)+Banksy%26not%3Bimg%3D0&submit=Go
Two variables are integers, so the database content is not url-encoded.
I suspect that since this is not happening anywhere else, and this is the only place where I am putting a link in a select option, that it has something to do with the submit action. In firebug the link shows up exactly the way it is supposed to. When I submit the url gets encoded.
Regardless of the PHP, your HTML is incorrect. You need to encode the ampersands. Your code should resemble this:
echo "<option value=\"seeArtist.php?aid=" . $row[0] . "&ac=" . $row[1] . "&img=" . $row[2] . "\">\r\n";
I also took the liberty of converting single-quotes to escaped double-quotes.
Related
I am attempting to display data in a textarea, I'm using the
$row=mysqli_fetch_array($results, MYSQLI_NUM)
to extract the record. Using $row[2] displays the correct information using the p function. Using the same syntax with textarea does not display anything. The field is not blank in the database. The code does update the field properly.
I have tried changing to change the textarea to a paragraph with no success. I have change the variable by assigning to a new variable without success. I have tried escaping the column and row quotes all to no effect.
<?php
echo '<input id="title_edit" type="text" name="ppy" value="'.$row[4].'">'
works
echo '<textarea id=prop_edit cols="65" rows="4" type="text" name="ppy" value="'.$row[7].'"></textarea>' does not work.
?>
Should read the field in the database and display it on the screen. But the screen field is blank. There is data in the database.
I'd try:
var_dump($row[2]);
to make sure it actually has the data I want in it.
Since you don't show how the data is being rendered into html I'll guess it is something like this?
echo '<textarea>' . $row[2] . '</textarea>';
If so, check the "view source" option in your browser and double check that it is actually outputting what you expect. If the data in $row[2] contains any interesting characters like < or > or anything that resembles an html tag, you might have to escape the output like this:
echo '<textarea>' . htmlspecialchars($row[2]) . '</textarea>';
I have some custom meta boxes on WordPress, storing some information such as page titles and descriptions, but I am having a bit of a problem which I can't wrap my head around.
The meta input boxes need to be able to accept " and ' (Speech marks and apostrophes), and WordPress is storing the data fine, and I can display it fine on the front end, but when it is echo'd back into the <input> box, it messes up because its trying to print something like this:
E.g: <input value="Hello we're called "example" and we suck" />
So no matter how I go about it, it's being printed in the page edit screen (once I save) like this:
or something to a similar effect. Because I need the use of both characters, I can't use either of them to wrap the attributes in as an easy fix.
I'm just having a bit of a brainfart but really can't figure out the logic behind a solution to solve this, because if I escape the characters, they will just get shown to the end user as Hello we're called "example" and we suck which will confuse them even more.
Encode with esc_attr(), example from the Codex:
echo '<input type="text" name="fname" value="' . esc_attr( $_POST['fname'] ) . '">';
I'm a beginner PHP programmer, and I was wondering what was wrong with my code.
Here is the small excerpt from the affected spot:
echo "<form action='?tab=4' name='toedit5' method='get'><input value='text' onblur='edit('toedit5')' /></form>";
In Chrome's Developer Tools, the form element totally disappears, and the edit('toedit5') becomes edit(' toedit5').
The edit() function doesn't execute.
Is there anything wrong with this one line of code? Otherwise it is outside code messing with it. Sorry I didn't include it, but I don't know what to include. If you need more information, please tell me.
Thanks.
You need to escape your quotes inside your quoted echo'd statement, like this:
<?php
echo "<form action='?tab=4' name='toedit5' method='get'>";
echo "<input value='text' onblur='edit(\"toedit5\")' />"; // escaped..!
echo "</form>";
?>
It helped me to think about it like this when I was starting out: how does your browser know if the second single quote in onblur='edit('toedit5')' is closing your onblur statement or opening up the parameter? In this example, your browser will pair up the first 2 quotes it sees and assign that to the onblur attribute, i.e.: onblur='edit(' only!
Update 1:
Using the code above, I inspected a quick PHP page I created in Chrome's developer tools and was able to see the following (form available for inspection):
You really should use the more standard double quotes around the HTML properties and use single quotes around your string, with escaped single quotes within the javascript method calls. Like this:
echo '<form action="?tab=4" name="toedit5" method="get"><input value="text" onblur="edit(\'toedit5\')" /></form>';
I am developing an application and I am reading up on implementing security measures. I set up a class to automatically generate form elements and the class embeds php string variables within html to create the fields. I noticed, however, that htmlspecialchars() was not necessary as I went to implement it. So I am attempting to pseudo-maliciously turn this:
<input type="text" name="email">... rest of html
into:
<input type="text" name="email"><br><br>
However, both before and after using htmlspecialchars(), my browser gives me this when I try to edit the frontend html:
<input type="text" name="email"><br><br>
Is this just something that is automatically implemented? If so, is this from a PHP update (I thought I found something about it being an update in PHP 5.4)?
Furthermore, Can I abandon using htmlspecialchars()?
Thank you!
EDIT: More information requested
$this->type = 'text' //what I would normally use
$this->type = 'text" name="name"><br><br>' //my attempt to manipulate the html
$output = "<input type='$this->type' name='$this->name'";
$output .= ... close the tag, etc.
echo $output;
The use of htmlspecialchars is required whenever you take some text and insert it into some HTML as a string (unless you know that the text won't contain any characters with special meaning in HTML, but even then using htmlspecialchars is a good habit to be in).
I can't explain why your unspecified input, when run through your unspecified code and then run through a browser's parser (with error recovery features), gives you that output.
After the question was updated:
$this->type = 'text" name="name"><br><br>' //my attempt to manipulate the html
$output = "<input type='$this->type' name='$this->name'";
Your attribute value is delimited with ' characters. Your data doesn't contain any ' characters, so it isn't going to terminate the attribute value and escape.
Try this manipulation:
$this->type = 'text\' name="name"><br><br>' //my attempt to manipulate the html
It should break your HTML, because the delimiters for your attribute value are single quotes, and now they appear in your attribute text as well.
And please make sure not to use any sophisticated DOM inspectors like firebug, but to look at the pure source code that is emitted by your server.
So, I have a basic little script that takes input from an HTML form, is processes by PHP and then writes it to a text file in the form of CSS. I've already got some jerkwad trying to drop tables on the server (There is no SQL but I'd like to keep people from trying none the less) Here is the code that I have thus far, can someone help me block potentially bad input via htmlentities or something else?
The HTML Form
<html><body>
<h4>Codes Form</h4>
<form action="codes.php" method="post">
Username: <input name="Username" type="text" />
Usercode: <input name="Usercode" type="text" />
<input type="submit" value="Post It!" />
</form>
</body></html>
The PHP
<html><body>
<?php
$Friendcode = $_POST['Usercode'];
$Username = $_POST['Username'];
echo "You have recorded the following information on the server ". $Username . " " . $Usercode . ".<br />"; echo "Thanks for contributing!";
$output = ".author[href\$=\"$Username\"]:after { \n"
."content: \" ($Usercode)\" !important\n"
."}";
}
$fp = fopen('file.txt', 'a');
fwrite($fp, $output);
fwrite($fp, "\n");
fclose($fp);
?>
</body></html>
You can use htmlentities to convert html tags to their html equiv. < etc. Or you can use strp_tags to get rid of all html tags. If you are using sql use mysql_real_escape_string to make sql queries safer
Whenever you include data entered by the user in HTML code, it is always a good idea to first encode the data, by passing it into htmlspecialchars().
Think of it as a decontamination chamber. This will ensure that any of the HTML special chacters, such as "<" and ">" (deadly viruses) are properly escaped (killed) and won't show up in your page as "real" HTML tags (won't make your webpage sick).
Similarly, you must also encode user input when including it in SQL queries. The function that you use for this purpose varies depending on the database that you are using. Because of the dynamic nature of PHP, if you are a including numeric value in a SQL query, you must first check to make sure the variable contains a number by using functions such as is_numeric() and ctype_digit().
I think the best way to block HTML is to allow only the characters you think a username or a user code may have.
For example, limit the input to letters, numbers and underscores and trim the whitespaces in the beginning and the end of the string. This validation will fail whenever HTML code is provided as input.
I would suggest doing this on both client and server side, with a regex. A client-side example can be found here: jQuery remove all HTML tags EXCEPT Anchors
What happen if someone directly type the url of code.php in browser. They will get the Notice of undefined offset.
You should make at least a check if $_POST is not empty.
if(isset($_POST['submit']) && !empty($_POST))
{
//do operation
}
Validate the user name and user code for special characters and what you allow them to enter with PHP sever side
#Zer0mod: I'd use strip_tags to get rid of HTML and mysql_real_escape_string to take care of any potential SQL injections.
Use PHP to convert every symbol to HTML numbers! Head on over to htmlentities() for details about doing so.