I'm trying to create a Facebook share button in each of my posts, and the share content will be dynamic, which means I will be able to customize its thumbnail, title and description for each post.
Below is the code that I use (I'm using the Advanced Custom Fields plugin in WordPress, by the way):
<a onClick="window.open('http://www.facebook.com/sharer.php?s=100&p[title]=<?php the_field(videotitle); ?>&p[summary]=<?php the_field(video_description); ?>&p[url]=<?php echo get_permalink(); ?>&p[images][0]=http://img.youtube.com/vi/<?php the_field(youtube_thumb); ?>/maxresdefault.jpg','sharer','toolbar=0,status=0,width=548,height=325');" href="javascript: void(0)" rel="nofollow"></a>
///////////////////////////////////////////////////////////////////////////////////////////////////////
Below is the php that will echo out my content from my CMS:
<?php the_field(videotitle); ?>
<?php the_field(video_description); ?>
<?php echo get_permalink(); ?>
The code works fine, but I noticed that when I enter a title/description that is too long or use special characters in my post, the button stops working.
How should I overcome this? I'm still very new to PHP, please explain in layman's terms if possible, and thank you in advance.
The problem is most likely caused by passing in unescaped special characters into a direct javascript call.
Right now, you have the following javascript executing when the link is clicked:
window.open('http://www.facebook.com/sharer.php?s=100&p[title]=<?php the_field(videotitle); ?>&p[summary]=<?php the_field(video_description); ?>&p[url]=<?php echo get_permalink(); ?>&p[images][0]=http://img.youtube.com/vi/<?php the_field(youtube_thumb); ?>/maxresdefault.jpg','sharer','toolbar=0,status=0,width=548,height=325');
You are passing in several PHP variables, which may alter the format of your javascript. For example, let's say the_field(videotitle); returns Maria's Video. If you note, your string has a quote in it due to Maria's.
Now, if you pass this title into your javascript, you're going to have an un-escaped quote, causing a JS error, because it will output like this:
... [title]=Maria's Video ...
To address this, you must format your PHP output to ensure that it will not affect the JS code. In my example, you can encode the outputted strings using the urlencode function included with PHP, like this:
<?php echo urlencode(get_field('videotitle')); ?>
Just remember that passing PHP variables into javascript CAN alter the syntax of your javascript function. If the final javascript function contains syntax errors caused by the PHP output, it will not run.
You can see the javascript errors on the page you are debugging by hitting F12 in your browser and viewing the Console tab.
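The answer above encodes one field. As an added example (not the poster's or the answerer's code), here is the whole link with each value encoded for every context it passes through: URL, then JavaScript string, then HTML attribute. `share_url()` and `share_link()` are hypothetical helpers and the sample values are constructed.

```php
<?php
// Added example, not the poster's code. share_url() and share_link() are
// hypothetical helpers; the sample values at the bottom are constructed.

/** Layer 1, URL context: percent-encode every value placed in the query string. */
function share_url(string $title, string $summary, string $permalink, string $youtubeId): string
{
    $thumb = 'http://img.youtube.com/vi/' . rawurlencode($youtubeId) . '/maxresdefault.jpg';
    $query = http_build_query([
        's' => 100,
        'p' => [
            'title'   => $title,
            'summary' => $summary,
            'url'     => $permalink,
            'images'  => [$thumb],
        ],
    ], '', '&', PHP_QUERY_RFC3986);

    return 'http://www.facebook.com/sharer.php?' . $query;
}

function share_link(string $title, string $summary, string $permalink, string $youtubeId): string
{
    $url = share_url($title, $summary, $permalink, $youtubeId);

    // Layer 2, JavaScript context: json_encode() emits a valid JS string literal.
    $jsUrl   = json_encode($url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    $onclick = "window.open($jsUrl,'sharer','toolbar=0,status=0,width=548,height=325');return false;";

    // Layer 3, HTML attribute context: escape quotes and ampersands for the attribute.
    return sprintf(
        '<a href="%s" onclick="%s" rel="nofollow">Share</a>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($onclick, ENT_QUOTES, 'UTF-8')
    );
}

// Constructed input containing the characters that broke the original button.
echo share_link(
    "Maria's Video",
    'Quotes ", ampersands & and </script> tags',
    'https://example.com/?p=12&preview=true',
    'VIDEO_ID_PLACEHOLDER'
), "\n";
```

In a WordPress template the same layering is available through `wp_json_encode()` and `esc_attr()`, with `get_field()` supplying the values.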
I am using CKEditor in a simple CMS I built with the following configuration.
<script>
if ($("#editor").length) {
CKEDITOR.replace('editor', {
language: 'en',
allowedContent: true,
});
CKEDITOR.config.protectedSource.push(/<\?[\s\S]*?\?>/g);
}
</script>
It works great if I go to the Source tab in the editor and type some PHP code like the following:
<?php echo "hello"; ?>
It gets saved in the database as <?php echo "hello"; ?>
So far so good.
Now my problem is that when getting that from the database and displaying it in the browser, it does not appear.
I did a var_dump on the variable that has the code and I see the following:
...modules\pages\views\base.php:38:string '<?php echo "hola"; ?>' (length=21)
So the value does exist and it's reaching the view; I don't understand why it is not showing up on the page.
The page is template.php.
If I look at the source code, my PHP code is being commented out:
<!--?php echo "hola"; ?-->
And this is how I am trying to display the code.
If I do the following:
<div class="article-content-container">
<?php echo $this->security->xss_clean($content); ?>
</div>
it is displayed like:
<div class="article-content-container">
<?php echo "hola"; ?><!--?php echo "hola"; ?-->
</div>
If I display it like this:
<div class="article-content-container">
<?php echo $content; ?>
</div>
it gets commented out.
I hope I was clear; any help would be appreciated.
Thanks, guys.
Browsers don't interpret PHP code, and they don't know the slightest thing about it. They never have and they never will. PHP code is executed on the server; from there it produces some output that is echoed to the client's browser, usually HTML, but can also be CSS or JavaScript, images or other downloadable files.
If you output PHP code, the most the visitor can do with it is manually save it to a local file, install their own PHP software, and run it in that. It's never going to magically run in the browser, no matter what you do.
If you want to run some code in the browser, it must be JavaScript. If you want to run some PHP code on the server, don't echo it, eval it:
<div class="article-content-container">
<?php eval($content); ?>
</div>
Note that eval treats its input as already having a PHP open tag, so you would pass echo "hello"; to it rather than <?php echo "hello"; ?>. You can still use ?> within the eval'd code to drop back to HTML+PHP mode if you need to.
Either PHP or JavaScript code could trivially be designed to be hostile, and so submitting any markup or code for execution on your website must be treated as a privileged action. You must make sure not to allow anyone who is not an authenticated administrator of your website to do it. There are ways to sandbox or purify such code if you really have to allow random people to run it, but that is more complex. CodeIgniter's xss_clean is an incomplete attempt to stop XSS, and is certainly not designed for executing user-submitted code safely, although it will mangle code and make it annoying to write.
In general:
If you need to execute submitted PHP then use eval($content);.
If you need to output submitted HTML, which may include executable JavaScript, then use echo $content;.
If you need to output submitted plain text (which is the only form where it is normally safe to allow input from users), then use echo htmlspecialchars($content);.
If you don't save your php tags in the database, you could use eval() for running the saved code:
eval($this->security->xss_clean($content));
Only when the saved bit is not surrounded by <?php and/or ?>
EDIT: Letting people run code from a database or even saving code in a database is a potential risk. It could be exploited.
I am using an editor to change the code design, but when I retrieve the code using PHP, it disturbs the complete page design.
<p><?php echo substr($postData['short_description'],0,POST_DESCRIPTION_LENGTH); ?>....Read More.</p>
How can I resolve this?
It could be that the data you are getting through the $postData variable has HTML elements in it. You should wrap it with the method htmlspecialchars() to sanitize it. This will also protect you from possible XSS attacks.
I've been trying to retrieve the contents of a webpage (http://3sk.tv) using file_get_contents. Unfortunately, the resulting output is missing many elements (images, formatting, styling, etc.), and just basically looks nothing like the original page I'm trying to retrieve.
This has never happened before with any other URLs I have tried to retrieve using this same method, but for some reason, this particular URL (http://3sk.tv) refuses to work properly.
The code I'm using is:
<?php
$homepage = file_get_contents('http://3sk.tv');
echo $homepage;
?>
Am I missing anything? All suggestions on how to get this working properly would be greatly appreciated. Thank you all for your time and consideration.
That's normal behaviour, as you are only grabbing the file, and not related images, stylesheets, etc.
I have one quick workaround to fix relative paths
http://www.w3schools.com/tags/tag_base.asp
Just add to your code <base> tag.
<?php
$homepage = file_get_contents('http://3sk.tv');
echo str_replace(
'<head>',
'<head><base href="http://3sk.tv" target="_blank">',
$homepage
);
?>
It should help.
This is to be expected. If you look at the source code, you'll notice many places which do not have a full URL (ex lib/dropdown/dropdown.css). This tells the browser to assume http://3sk.tv/lib/dropdown/dropdown.css. However, on your website, it will be YOURURL.COM/lib/dropdown/dropdown.css, which does not exist. This will be the case for much of the content.
So, you can't just print another website's source and expect it to work. It needs to be the same URL.
The best way to embed another website is usually to just use an iframe or some alternative.
The webpage is not completely generated server-side, but it relies heavily on JavaScript after the HTML part loads. If you are looking for rendering the page as it looks in browser, you may need a headless browser instead - see e.g. this binding to PhantomJS: http://jonnnnyw.github.io/php-phantomjs/
I am trying to use an image as a button to refresh pages on a website. The footer (a php include) is currently using this code to refresh each page:
<img src="/images/refresh.png">
which of course works. BUT I would like to improve it. Essentially, it would be something like this:
onClick="javascript: window.location.href='abcd.html';"
BUT I need it to work dynamically because I'm using php pages. So I was thinking this would work:
<img src="/images/refresh.png">
But it doesn't work. Any ideas? I'm using <? php $_SERVER['REQUEST_URI'] ?> wrong (obviously), so, any ideas for assistance? Thank you for any help!
Problem noticed is you have a space between <? and php in the following line:
<img src="/images/refresh.png">
Also you want to echo out the value for $_SERVER['REQUEST_URI']. You are just calling $_SERVER['REQUEST_URI']. Also as #NickCoons pointed out when using the echo construct you need to add a semi-colon i.e. echo $_SERVER['REQUEST_URI'];.
Try the following:
<img src="/images/refresh.png">
Sorry for the vague title but it's hard to describe what I mean in a few words.
I made my own cms and use it for all my personal projects. On some pages I want to include a php script in the content area. I load the content simply by echoing the variable that holds the content.
The template file looks like this:
<div id="content">
echo $content;
</div>
In my CRUD I make a post containing a php snippet.
<?php echo "My name is ".$var.""; ?>;
Then I save it and load the page and this is what happens:
<div id="content">
echo <?php echo "My name is ".$var.""; ?>;
</div>
But what I want is that the PHP code gets executed instead of getting echoed.
Something like the Wordpress plugin Exec-PHP. Can anybody explain to me how to achieve this?
Thanks in advance!
You could use the PHP eval() function to execute PHP code. Be aware though, if you ever allow users to insert text that may at some point be run through eval(), you could end up with some serious problems.
The php website says:
The eval() language construct is very dangerous because it allows
execution of arbitrary PHP code. Its use thus is discouraged. If you
have carefully verified that there is no other option than to use this
construct, pay special attention not to pass any user provided data
into it without properly validating it beforehand.
You can try php eval() func. But it is considered evil.
Rather than use PHP instructions, why don't you output to HTML, and use Javascript to execute what is displayed? There is no danger to your server that way. Others have already warned about the dangers of eval() in PHP.
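An alternative to eval() for the use case in the questions above, as an added example that is not from any of the posts: the stored content stays data, and only placeholders from a fixed allow-list are expanded. `render_content()`, the `{{name}}` syntax and the handler names are hypothetical, and the stored content is assumed to be plain text.

```php
<?php
// Added example, not code from the thread. render_content(), the {{...}}
// placeholder syntax and the handler names are hypothetical.

/** Allow-list of placeholders: name => callable returning plain text. */
function placeholder_handlers(array $context): array
{
    return [
        'name' => fn(): string => (string) ($context['name'] ?? ''),
        'year' => fn(): string => date('Y'),
    ];
}

/** Render stored CMS content without ever passing it to eval(). */
function render_content(string $stored, array $context): string
{
    $handlers = placeholder_handlers($context);

    // Escape first: markup and PHP tags in the stored text become visible text.
    $escaped = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');

    $rendered = preg_replace_callback(
        '/\{\{\s*([a-z_]+)\s*\}\}/',
        function (array $m) use ($handlers): string {
            if (!isset($handlers[$m[1]])) {
                return $m[0]; // unknown placeholder stays literal, nothing runs
            }
            // Handler output is data as well, so it is escaped like the rest.
            return htmlspecialchars($handlers[$m[1]](), ENT_QUOTES, 'UTF-8');
        },
        $escaped
    );

    return $rendered ?? $escaped; // preg error: fall back to the escaped text
}

// Constructed sample: a stored post and a context value containing markup.
$stored = 'My name is {{name}}. <?php echo "My name is ".$var; ?> {{shell}} (c) {{year}}';
echo render_content($stored, ['name' => '<b>Maria</b>']), "\n";
```

New behaviour is added by registering another handler in code, so what can run is decided by the developer and never by whoever can edit a database row.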