Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Closed 8 years ago.
I'm outputting database information that contains code such as <b> or <u> or <i> but the text isn't styling. I'm using nlbr() to format it correctly and htmlspecialchars() when inputting textarea text into a database if that helps.
What am I missing?
If the input string passed to this function and the final document share the same character set, this function is sufficient to prepare input for inclusion in most contexts of an HTML document. If, however, the input can represent characters that are not coded in the final document character set and you wish to retain those characters (as numeric or named entities), both this function and htmlentities() (which only encodes substrings that have named entity equivalents) may be insufficient. You may have to use mb_encode_numericentity() instead.
htmlspecialchars — Convert special characters to HTML entities
htmlentities — Convert all applicable characters to HTML entities
http://php.net/manual/en/function.htmlspecialchars.php
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I have a form with a text field a user can edit, which will create a page on the website containing the text entered. How can I ensure the resulting page doesn't show anything malicious, no links, images or code, just raw text? Currently from php I'm using htmlspecialchars(), and when displaying the text on the page it's within xmp tags. Is that enough, or should I explicitly do things like validating against script tags etc?
edit: This question is different to the suggested question, because I'm not using sql.
edit 2: I accepted strip_tags. I'm now validating user input from php with htmlspecialchars(strip_tags("input")), and wrapping in xmp tags when displayed.
You can use strip_tags - it will remove everything in tags. http://php.net/manual/en/function.strip-tags.php
First of all: use prepared statements for your database storing, updating etc etc...
Second: You should escape the output using the htmlspecialchars() function. It will just convert special characters to HTML entities, so if you put a script tag in there, it will not run.
Unless you want your users to post code just like here in StackOverflow, you can just use strip_tags() function as #user2182349 pointed out.
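An added example, not part of the original answers: it runs the two functions recommended above, strip_tags() and htmlspecialchars(), over the same constructed inputs so the difference is visible. The helper name e() and the sample strings are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Escape for an HTML text or quoted-attribute context, at output time.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions (not taken from the thread).
$samples = [
    'script tag'    => '<script>alert(1)</script>',
    'comparison'    => 'price<100 and size>5',
    'quotes'        => 'He said "hi" & left',
    'broken markup' => 'see <a href="x" for details',
];

foreach ($samples as $label => $raw) {
    echo "== {$label}\n";
    echo 'raw:           ', $raw, "\n";
    // strip_tags() removes anything that looks like a tag; it does not
    // validate HTML, so it can also delete ordinary text containing "<".
    echo 'strip_tags:    ', strip_tags($raw), "\n";
    // Escaping keeps every character and makes the browser show it as text.
    echo 'escaped once:  ', e($raw), "\n";
    // Escaping on input and again on output makes the entities themselves
    // (for example &amp;lt;) visible to the reader.
    echo 'escaped twice: ', e(e($raw)), "\n\n";
}
```

Run it with the PHP CLI and compare the four lines printed for each sample.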
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Closed 8 years ago.
I am doing my project and I am using PHP and MySQL.
My program is reading data from a textarea as a list of people. I use the explode function to separate the list and then I generate a for loop to insert them into the MySQL database.
Till this part I don't have any problems.
The problem is that when I query the database with a WHERE condition specifying a name from the list, it does not recognize it.
My question: does the explode function change anything in the names in the list or add any special characters?
Because I use the same functionality with a specific name and it goes smoothly.
Thanks in advance
It should not. PHP explode will not change your text and the WHERE query should operate correctly.
Are the characters all utf8 encoded? Check the database and see whether what you are querying for actually exists the same way you are sending it.
Like the others said, if you can provide us an example of the following it would be great:
Actual textarea input (not exploded).
DB Dump of what is inserted.
Your QUERY to select
Additionally, it could be a space issue. Use trim before you insert the data, or in your query, instead of field = '$a', do a field LIKE '%$a%'.
I don't think explode() will modify anything. Try to use trim() in your foreach loop before inserting. There might be some characters that cannot be seen.
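An added example, not from the original posts, of the invisible-character problem the answers above suspect. It assumes the list was split with explode("\n", ...), which the question does not show; browsers submit textarea line breaks as CRLF, so each piece keeps a trailing "\r". The function clean_names() and the sample names are constructed for this illustration, and the trimming goes beyond plain trim() to also cover non-breaking spaces.

```php
<?php
declare(strict_types=1);

// Constructed textarea body: CRLF line breaks, a trailing non-breaking
// space (U+00A0) after the second name, and one empty line.
$textarea = "Alice Smith\r\nBob Jones\u{00A0}\r\n\r\nCarol White";

// Assumed naive split: every piece except the last keeps its "\r".
$naive = explode("\n", $textarea);

function clean_names(string $text): array
{
    $names = [];
    // \R matches any line-break sequence (CRLF, LF or CR).
    foreach (preg_split('/\R/u', $text) ?: [] as $line) {
        // Remove whitespace, Unicode separators and control characters
        // from both ends; trim() alone would leave U+00A0 in place.
        $name = preg_replace('/^[\s\p{Z}\p{C}]+|[\s\p{Z}\p{C}]+$/u', '', $line);
        if ($name !== null && $name !== '') {
            $names[] = $name;
        }
    }
    return $names;
}

// bin2hex() exposes bytes that are invisible when the value is echoed.
foreach ($naive as $piece) {
    printf("naive  %-22s %s\n", json_encode($piece), bin2hex($piece));
}
foreach (clean_names($textarea) as $name) {
    printf("clean  %-22s %s\n", json_encode($name), bin2hex($name));
}

// The equality test a WHERE name = ? lookup depends on.
var_dump($naive[0] === 'Alice Smith');
var_dump(clean_names($textarea)[0] === 'Alice Smith');
```

Comparing the hex column of a stored value with the hex of the search term is the quickest way to confirm whether the two strings really are identical.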
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question appears to be off-topic because it lacks sufficient information to diagnose the problem. Describe your problem in more detail or include a minimal example in the question itself.
Closed 8 years ago.
I have a field where users can enter whatever they want, and I would allow them to use special characters for decoration. But now I am really facing a big problem!
Special characters are like this: ♥♦☻NAME☻♦♥
And my real problem is 'alt+255' characters. It's like a space, and there are so many special characters like a space. By the way, my links are disabled and no one could select them.
It is mandatory to enter more than only 1 character.
I want to know how to prevent this problem. What I mean exactly: how can I let users enter special characters while my links are still clickable?
If you are including the text in URLs then you really have two options. The most common approach is to strip out everything except for letters, numbers, dashes, and underscores (i.e. don't allow any special characters at all). You could use a simple regular expression replacement to do that.
Alternatively, you could allow all special characters, but escape them for use in links. You will find PHP's urlencode() and urldecode() useful for that.
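An added example, not from the original answer, showing both options it describes side by side. The names slug(), profile_link() and e(), the /user/ path and the sample inputs are assumptions; rawurlencode() is used in place of urlencode() because the name is placed in a URL path segment, and 'alt+255' is assumed to produce a non-breaking space (U+00A0).

```php
<?php
declare(strict_types=1);

function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Option 1: keep only letters, digits, dashes and underscores.
function slug(string $name): string
{
    return trim((string) preg_replace('/[^A-Za-z0-9_-]+/', '-', $name), '-');
}

// Option 2: keep every character, percent-encode it for the URL and
// HTML-escape both the href and the visible link text.
function profile_link(string $name): ?string
{
    // A name made only of whitespace, separators or control characters
    // would render as an empty, unclickable link, so reject it.
    $visible = preg_replace('/[\s\p{Z}\p{C}]+/u', '', $name);
    if ($visible === null || $visible === '') {
        return null;
    }
    $href = '/user/' . rawurlencode($name); // hypothetical route
    return sprintf('<a href="%s">%s</a>', e($href), e($name));
}

// Constructed inputs: the decorated name from the question, a name that
// is only non-breaking spaces, and one with HTML metacharacters.
$inputs = ['♥♦☻NAME☻♦♥', "\u{00A0}\u{00A0}", 'Tom & "Jerry" <3'];

foreach ($inputs as $input) {
    echo 'input: ', json_encode($input), "\n";
    echo 'slug:  ', json_encode(slug($input)), "\n";
    echo 'link:  ', profile_link($input) ?? '(rejected: no visible characters)', "\n\n";
}
```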
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions concerning problems with code you've written must describe the specific problem — and include valid code to reproduce it — in the question itself. See SSCCE.org for guidance.
Closed 9 years ago.
I have a PHP script which exports data from database to different formats, including as an Excel document. If a text field contains a value such as 123123123123, Excel, by default, converts it to 1.23123E+11. Is it possible to prevent this absolutely unnecessary behaviour?
If your goal is to store the number as text (and not do math on it later) and the PHP is exporting as a CSV, a simple solution would be to export the number as a CONCATENATE function.
=CONCATENATE(123123123123) renders as 123123123123 in text format when the CSV is opened in Excel (this is for Excel 2010).
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
I am simply inserting the text that you write in the textarea into MySQL without using any extra method to protect my site... Actually I just made a test: I wrote the HTML code that creates an input textbox into the textarea and saved it into MySQL, which prints the component on the page...
How can I make it write secure content in the textarea that does not allow you to write HTML tags or something? I just want to increase the security of my site.
Thanks
If $textarea contains your textarea value, you can do $db_value = mysql_real_escape_string(strip_tags(trim($textarea))) and insert $db_value into the database.
strip_tags strips the text of HTML tags, and mysql_real_escape_string encodes special characters and makes it safe to insert into a database...
for mysql_real_escape_string: check http://php.net/manual/en/function.mysql-real-escape-string.php
for strip_tags check: http://www.php.net/manual/en/function.strip-tags.php
Try to use Prepared Statements
http://php.net/manual/de/mysqli.quickstart.prepared-statements.php
And remove all unwanted chars from the given text and finally use mysql_real_escape_string to escape the string for MySQL.
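An added example, not from the original answers, of the prepared-statement approach suggested above: the textarea value is bound as a parameter, stored unmodified, and escaped only when it is written into HTML. It uses PDO with an in-memory SQLite database in place of MySQL so that it runs offline; the table name, column name and sample text are assumptions.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for MySQL here (assumption for a
// self-contained run); the prepare/execute calls are the same with
// a PDO MySQL connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed textarea value containing markup and a single quote,
// similar to the test described in the question.
$textarea = "  <input type=\"text\" name=\"x\"> O'Reilly was here  ";

// The value travels separately from the SQL text, so quotes in it
// cannot change the statement and no manual escaping is needed.
$insert = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
$insert->execute([':body' => trim($textarea)]);

// Lookups bind their search term the same way.
$find = $pdo->prepare('SELECT id, body FROM comments WHERE body LIKE :needle');
$find->execute([':needle' => "%O'Reilly%"]);

foreach ($find->fetchAll(PDO::FETCH_ASSOC) as $row) {
    // The database holds the raw text; HTML escaping happens here, at
    // output, so the markup is displayed as text rather than rendered.
    printf(
        "<p id=\"comment-%d\">%s</p>\n",
        (int) $row['id'],
        htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
    );
}
```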