i want to create a textarea, which will store information already inserted into the database and can be updated by a user but everytime i add elements to the query it removes the already inserted data. But when i add elements to the query, it keeps the data intact.
here is the code that keeps the data
<input name="mobile" type="text" class="field span6" rows="6" placeholder="Mobile" value="<?php echo !empty($mobile)?$mobile:'';?>"/>
and here is the code that removes it
<textarea name="mobile" type="text" class="field span6" rows="6" placeholder="Mobile" value="<?php echo !empty($mobile)?$mobile:'';?>"></textarea>
i am really puzzled as to why the textarea elements removes the data, keeping the textarea elements with the data still in tact will be a great help.
Thank you.
You are mis-using the textarea tag. Unlike inputs it requires an opening and closing tag with the value of the textarea defined between the tags rather than through a value attribute.
Try:
<textarea
name="mobile"
class="field span6"
rows="6"
placeholder="Mobile"><?php echo !empty($mobile)?$mobile:'';?></textarea>
Also, unless you're checking the value of $mobile elsewhere, I'd recommend outputting it with htmlentities() to prevent HTML injection.
Related
i want to keep my input type=date value after onchange form submit
Current HTML code
<input type="date" id="Date" name="Date" placeholder="Date" value=”<?php echo $_POST['Date'];?>” onchange="this.form.submit();">
So after onchange, I want the value of the date remain same. I tried many ways but it didn't work. Thanks for helping
Please check with this, I am seeing issue with quote as well in your HTML, so copy below code to see.
<input type="date" id="Date" name="Date" placeholder="Date" value="<?php echo isset($_REQUEST['Date'])?date("Y-m-d",strtotime($_REQUEST['Date'])):'';?>" onchange="this.form.submit();">
You're not using standard double quotes ", but a curly variant, which are not part of the HTML standard:
value=”<?php echo $_POST['Date'];?>”
Replacing those curly quotes by straight ones will fix your problem.
I have an easy HTML form
<form method="post" action="process.php">
<label>First Name</label>
<input type="text" name="first_name" />
<br />
<label>Last Name</label>
<input type="text" name="last_name" />
<br />
<label>Department</label>
<input type="text" name="department" />
<br />
<label>Email</label>
<input type="text" name="email" />
<br />
<input type="submit" value="Add Employee">
</form>
When I click submit this will write the input to the DB.
I was always testing with very short names (a few letters). It works so now I tried some longer strings and it fails. I don't see an error but no data is written to my DB.
I can write 25 characters inside the box. So everything till 25 chars is inside the DB, all what is longer isn't.
This is not a HTML problem, as HTML does not behave like that (well, unless you use maxlength for the input).
This has to be a database issue. Your table probally has a VARCHAR(25) in it's structure. When you enter a longer string than it can contain, it truncates the remainder of the string. Thats why you do see the first 25 chars.
You can check this via your database management, like PHPmyAdmin. Go to the matching table, click 'structure'. You can also edit it here to a more appropriate length.
It's not a problem from HTML. Please check your php code and database table structure.
Might be there is input length defined for the field i.e. 25.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
What are the best practices for avoiding xss attacks in a PHP site
I have a form that user can fill in their personal information. The user submits the form and A web service will process these information and store the information in mysql database.
But what if users enter html tag, php code, or javascript in the input field. I would like to prevent that. I know in javascript there's a method call escapehtml, in php it's strip_tags.
I just want to know the correct way of disabling the abilities to type html, php, script from input field. Do I use strip_tags for all input I received?If I use strip_tags, how to disable script? Or there is away to do it in mysql?
Thank you
This is the form:
<div>
<label class='info-title whitetext' for="name">Full Name: </label>
<input type="text" name="name" id="name" size='25' maxlength="100" required />
</div>
<div>
<label class='info-title whitetext' for="phone">Phone: </label>
<input type='text' pattern='\d+' name='phone' id='phone' size='25' maxlength='12' />
</div>
<div>
<label class='info-title' for="email">Email: </label>
<input type="email" name="email" id="email" size='35' maxlength="60" required />
</div>
<div>
<label class='info-title' for="address">Address: </label>
<input type="text" name="address" id="address" size='45' maxlength="50" required />
</div>
Try htmlspecialchars($string);
That will encode all the HTML tags to character codes (<div> would become <div>, which will be displayed without being parsed as html) This way, script tags cannot be created as well.
Be sure to clean the content before supplying it to a database though, for example by escaping with mysqli_escape_string() (others will probably advice you to use prepare statements).
It is most likely not best practice to put HTML character encoded strings into the database, as it simply increases the string size unnecessarily. (And it doesn't provide protection against SQL injection on its own)
Personally, I just like to do $out = str_replace("<","<",$in). It provides the least possible disruption for the user, and they are most likely to get out what they typed in.
If the user input may end up in an HTML attribute (for whatever reason), you should also replace " with ".
Never put user-supplied content into a <script> tag, and never save it to a file without first performing the replacements.
You cannot disable "the abilities to type html, php, script from input field", unless you check users' input in real time and specifically block them when you detect that a tag is entered. Yet I don't see a reason why anyone would want that, the proper way is to properly process users' input when submitted.
For html tags or php codes or things like that you can definitely use escapehtml or strip_tags, but if you are later putting the content into mysql, I have to remind you of sql injection attack.
If you are not familiar with the term, users can type in mysql queries that interfere with your sql queries. If we blindly insert user provided content into our "INSERT" statements, those statements might be altered by sql keywords in user's input.
For ways to prevent sql injection attack, you can take a look at wiki's page for a good start: http://en.wikipedia.org/wiki/SQL_injection#Mitigation
I tried the following, and it shows an empty text area, the value isn't displayed:
<input type="textarea" class="class1" name="name1" placeholder="<?= $val1?>" />
Any thoughts on what should be done so it will work?
Update: It is now working, the value was empty, therefore text area didn't show anything. The code can be used safely.
<input type="textarea" class="class1" name="name1" placeholder="<?php echo $val1; ?>" />
There is no such input type attribute as textarea.
Do you mean:
<textarea class="class1" name="name1" placeholder="<?php echo $val1; ?>"></textarea>
if $val1 is not null, i think the problem is short tag (<?= ?>).
You can override this config, at the top of file, put this line to enable short tag:
ini_set('short_open_tag',1);
Make sure that $val1 actually contains a non-empty value. If it does, your code should create a non-empty placeholder attribute.
Check whether the variable is empty (as #Asaph suggested in his comment).
Entered a value and now it is working just fine.
Good day!
I am having a problem in showing the data that I need to Update.
For example: I have a field - NAME. And user input "John Travolta" on it and enter to save it in SQL. Then to update it, he will click the update and a textbox will appear with the name "John Travolta" with it.
The problem is I am only getting "John" and the "Travolta" does not appear on the text box.
My code is as follows:
<input name="event" type="text" id="event" size="69" value=<?php print stripslashes($row_array['event'])?>>
What can i do in order for the whole name to appear in the textbox?
Thank you in advance.
You need to put quotes before and after the PHP line so HTML can parse it as a string.
otherwise you will end with value=John Travolta when you want value="John Travolta"
Use that code:
<input name="event" type="text" id="event" size="69" value="<?php print stripslashes($row_array['event']);?>">