I have an issue with the special characters. For ex. In the database is written "A & A" (database is set on utf8-unicode-ci).
I am retrieving in autosugest list the values correctly with:
while ($row = mysql_fetch_array($result)) {
$keywords = htmlspecialchars($row['name']);
echo "<keywords>". $keywords ."</keywords>";
}
When I click to select the "A & A" in the input field is filled as A & amp; A
the header is set on :<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
Can you please let me know how to display the special character?
If you want to convert from A & A to A&A, use htmlspecialchars_decode on the text.
If you want to convert from A&A to A & A use htmlspecialchars.
In your case removing htmlspecialchars operation on the text pulled from your database will do.
Since your issue appears to be with the & character being replaced with &, maybe running something like $text = str_replace("&", "&", htmlspecialchars($text)); will work better for you, and prevents XSS.
If you have "A & A" in the database, htmlspecialchars will do that.
Remove htmlspecialchars.
Its better use rawurlencode before you inserting the value to database. Then whenever you fetching the value, use rawurldecode. I think it may solve your problem.
rawurldecode($row['name']);
Check this http://php.net/manual/en/function.rawurlencode.php
Related
I have some text that I will be saving to my DB. Text may look something like this: Welcome & This is a test paragraph. When I save this text to my DB after processing it using htmlspecialchars() and htmlentities() in PHP, the sentence will look like this: Welcome & This is a test paragraph.
When I retrieve and display the same text, I want it to be in the original format. How can I do that?
This is the code that I use;
$text= htmlspecialchars(htmlentities($_POST['text']));
$text= mysqli_real_escape_string($conn,$text);
There are two problems.
First, you are double-encoding HTML characters by using both htmlentities and htmlspecialchars. Both of those functions do the same thing, but htmlspecialchars only does it with a subset of characters that have HTML character entity equivalents (the special ones.) So with your example, the ampersand would be encoded twice (since it is a special character), so what you would actually get would be:
$example = 'Welcome & This is a test paragraph';
$example = htmlentities($example);
var_dump($example); // 'Welcome & This is a test paragraph'
$example = htmlspecialchars($example);
var_dump($example); // 'Welcome & This is a test paragraph'
Decide which one of those functions you need to use (probably htmlspecialchars will be sufficient) and use only one of them.
Second, you are using these functions at the wrong time. htmlentities and htmlspecialchars will not do anything to "sanitize" your data for input into your database. (Not saying that's what you're intending, as you haven't mentioned this, but many people do seem to try to do this.) If you want to protect yourself from SQL injection, bind your values to prepared statements. Escaping it as you are currently doing with mysqli_real_escape_string is good, but it isn't really sufficient.
htmlspecialchars and htmlentities have specific purposes: to convert characters in strings that you are going to output into an HTML document. Just wait to use them until you are ready to do that.
Im having a problem displaying certain data with PHP from the database.
How its currently showing - "SSA's"
How it should show "SSA's"
HTML Meta Tag
meta charset="UTF-8">
PHP Code
$article_title = html_entity_decode(mb_convert_encoding(stripslashes($r->ArticleTitle), "HTML-ENTITIES", 'UTF-8'));
You can decode by using these two methods html_entity_decode() or htmlspecialchars_decode()
Basic Example:
$string = html_entity_decode("SSA's");
echo $string; // result SSA's
$string = htmlspecialchars_decode("SSA's");
echo $string; // result SSA's
Remove the html_entity_decode function, as you are double encoding HTML-ENTITIES
And as #ChrisBanks pointed out, you also don't need stripslashes
You need to call html_entity_decode again because the data is being stored as double encoded and remove the stripslashes.
$article_title = html_entity_decode(html_entity_decode(mb_convert_encoding($r->ArticleTitle, "HTML-ENTITIES", 'UTF-8')));
You might want to investigate how the data is being stored in the database as double-encoded in the first place. Perhaps htmlentities is being called twice somewhere.
To add on to the comment:
You shouldn't store data HTML encoded unless for some reason you really and truly need to (there might be some cases you're required to). It is only on output and rendering on a webpage do you want to use htmlentities.
You can visit this link for an example of my promlem : http://jflaugher.mystudentsite.net/cmweb241/cmweb241_lab2.html
Everything is working correctly, except that I am having problems utilizing the htmlspecialchars in my echo. I am wanting the entity to show up in the echo and not the html character. I have tried placing the htmlspecialchars within the echo, but then the paragraph tags shows up. How do I utilize the htmlspecialchar in the echo, and display the echo in a paragraph tag? I have been at this for some time and have gotten no where, as I am very new to PHP.
For example, when I enter a '&', I get that echoed back. Instead of the '&', I want the entity & to be echoed.
<?php
$username = htmlspecialchars(str_replace(array("'", "\""), "", $_POST['username']));
$password = htmlspecialchars(str_replace(array("'", "\""), "", $_POST['password']));
$comment = htmlspecialchars(str_replace(array("'", "\""), "", $_POST['comment']));
echo "<p> Your Username is: $username .</p> ";
echo " <p>Your Password is: $password . </p>";
echo " <p>Your Comment was: $comment . </p>";
?>
Say you enter &.
htmlspecialchars will turn this into &.
& is the HTML entity for &, so viewing the result in a browser displays &.
This is the normal purpose of htmlspecialchars, it preserves the visible character by escaping it for the medium (HTML) appropriately.
If you want & to turn into a visible &, the browser will need to receive &. Apply htmlspecialchars twice to do that:
htmlspecialchars(htmlspecialchars($_POST['username']))
Maybe The Great Escapism (Or: What You Need To Know To Work With Text Within Text) helps you to understand the topic better.
I'm not sure what this means:
I am wanting the entity to show up in the echo and not the html character.
Are you saying that you want the entity to be displayed in your web page? htmlspecialchars is converting the characters to entities, but a browser will display those entities as the characters they represent.
If you want to actually see the entities in your browser, you can double-escape the values:
$username = htmlspecialchars(htmlspecialchars(str_replace(array("'", "\""), "",
$_POST['username'])));
But I don't really think that's the purpose of the exercise you're doing.
If you want to display the entities, you could apply htmlspecialchars() twice and it will turn all the & in & to & and thus the entity itself will be displayed.
Another method is wrapping the output in <pre></pre> tags.
Try this approach:
<?php
$string = "<tag>&";
$string = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
print $string;
It will print:
<tag>&
How to prevent XSS with HTML/PHP?
I have a link stored in my database, lets say it's
http://somedomain.com/page.php?username=tom&surname=smith
When I bring this back to html, I get an xhtml error because of the &
How do I convert the & to an &
Also, I have some links in the database which already have & instead of &
So, how do I convert & when required, but not convert & to &
Don't store escaped/encoded text. You never know what format the text will be required to be in when you retrieve it. If you store it URL-encoded, but you have to insert it into an HTML document,then you have to undo the url encoding and switch to HTML encoding. Which is a waste. Best to store it in 'raw' format and convert as needed at the time you need it.
Use htmlspecialchars() to escape/encode the XML/HTML metacharacters prior to inserting into your XML document.
You can use htmlentities.
The easiest way would be do replace all & to &, and then all & to $#38;, such as
$content = str_replace("&", "&", $content);
$content = str_replace("&", "$#38;", $content);
But you should not store data like that in your database.
I am retrieving data from my SQL database...
data exactly as it is in the DB = (21:48:26) <username> some text here. is it ok?
when i try and echo $row['log']."<br>";
it displays it as = (21:48:26) some text here. is it ok?
i assume this is due to the <> brackets making it think its an HTML opener... would this be the case? and if so how would one echo a string that contains HTML?
Use htmlspecialchars() to translate HTML control characters into their entities:
echo htmlspecialchars($row['log'])."<br>";
You need to escape the characters so it is not recognized as an HTML element, but as text:
echo htmlentities( $row['log'] ) . '<br/>';
i assume this is due to the <>
brackets making it think its an HTML
opener...
Yes, any construction in <> brackets is treated by web browser as HTML tag. So, you should use either htmlspecialchars() or htmlentities() or some similar custom function to convert "<" and ">" symbols to "<" and ">" strings, which are displayed to user as brackets.
Some more comments:
ALL text data displayed to user must be passed through htmlspecialchars() funciton (or through other function with similar behavior), since "some text" may also contain tags, etc.
Probably it would be better to store date/time, username and "some text" in separate table columns in DB, in order to satisfy relational database constraints. This may require some additional input data parsing.