I'm trying to populate a form with some data that contains special characters (e.g. single quote, double quote,<,>,?,","".~,,!##$%^&*()_+}{":?<<>,./;'[.] etc) :
<input type="text" name="message" size="200" maxlength="200"
value =<?php echo $message;?>>
However, $message, which comes from a MySQL table, isn't displayed correctly - any HTML output that should be in $message is broken.
How do I do this properly?
This will prevent your tags from being broken by the echo:
<?php echo htmlentities($message); ?>
If you want to display it
echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
That's what I usually do.
Since the answers are different:
htmlentities-vs-htmlspecialchars is worth checking out.
I normally use the following code, see htmlspecialchars
<?php echo htmlspecialchars($videoId, ENT_QUOTES | ENT_HTML5); ?>
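The answers above differ in their flags and none shows the attribute's own quoting, so here is an added example (not code from the original posts) that renders the `<input>` three ways, parses the result with `DOMDocument`, and reports whether the `value` attribute read back equals the original string. The helper names `input_tag` and `parsed_value` and the first two sample strings are constructed for this illustration.

```php
<?php
// Added example; helper names and the first two samples are constructed.
function input_tag(string $value, ?int $flags, string $quote): string
{
    // $flags === null reproduces the question: raw, unescaped output.
    $out = $flags === null ? $value : htmlspecialchars($value, $flags, 'UTF-8');
    return '<input type="text" name="message" value=' . $quote . $out . $quote . '>';
}

function parsed_value(string $html): ?string
{
    // Parse the markup and read the attribute back from the resulting DOM.
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input instanceof DOMElement ? $input->getAttribute('value') : null;
}

$samples = [
    'He said "hi" & left <b>',
    "it's 5 > 3",
    '<,>,?,","".~,,!##$%^&*()_+}{":?<<>,./;\'[.]',   // string from the question
];
$variants = [
    'raw, unquoted (as in the question)'  => [null, ''],
    'ENT_COMPAT, single-quoted attribute' => [ENT_COMPAT, "'"],
    'ENT_QUOTES, double-quoted attribute' => [ENT_QUOTES | ENT_SUBSTITUTE, '"'],
];

foreach ($samples as $s) {
    echo "input: $s\n";
    foreach ($variants as $label => [$flags, $quote]) {
        $back = parsed_value(input_tag($s, $flags, $quote));
        $verdict = $back === $s ? 'round-trips' : 'BROKEN -> ' . var_export($back, true);
        printf("  %-38s %s\n", $label, $verdict);
    }
}
```

The escaping flags and the attribute delimiter have to agree: `ENT_COMPAT` leaves single quotes alone, so it is only safe inside a double-quoted attribute, while `ENT_QUOTES` with a quoted attribute covers both delimiters.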
What's wrong with using a constant?
<?php
// The constant name must be a quoted string; a bare word is an error in PHP 8.
define('foo', '<,>,?,","".~,,!##$%^&*()_+}{":?<<>,./;');
$foo2 = "'[.]";
echo constant('foo') . $foo2;
?>
You need to put the '[.]' into a variable, as a constant will break on a ' (single quote).
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 6 years ago.
I know this is a stupid question, but I am trying so hard and I can't figure out where I am missing the comma. I am totally confused. The below code is giving me an error.
It would be great if someone could help me out with a reference on commas and tips/tricks on them :)
I tried replacing the commas in different places, but it still didn't work out.
<td><?php echo <a href="test1.php?id=<?php echo $row['ID'];?>"/>Download! ?></a></td>
Thanks :)
It has to be:
<td>
<?php
echo 'Download!';
?>
</td>
Alternatively:
<td>
Download!
</td>
<td><a href="test1.php?id=<?php echo $row['ID'];?>">Download!</a></td>
Try this one
One important thing to remember is that you do not have to use echo to output static HTML content, only for the dynamic part, the variable in your case. The correct version looks like:
<td><a href="test1.php?id=<?php echo $row['ID'];?>">Download!</a></td>
The immediate approach typically would be that:
<td>Download!</td>
Often it can be shortened, depending on your php configuration:
<td>Download!</td>
To me the second form is more readable, thus my personal preference.
There is one redundant echo with opening/closing php tags, also you wrongly self-close the a tag.
In your html template it is sufficient to write:
<td>
Download!
</td>
Code between <?php and ?> is php code which is "injected" in html.
$row is an array, and with $row['ID'] you get the value of a specific key from the array, which is ID. You can also access the value at this key with double quotes, like $row["ID"]; there is no difference, because you want to access the key which is referenced by a string with the value ID. You can enclose a string in single or double quotes.
More on strings in php manual: http://php.net/manual/en/language.types.string.php
When you want to use same quotes in string you have to escape it like
<?php
echo "This is double quote: \"."; //result: This is double quote: ".
?>
same with single quote:
<?php
echo 'This is single quote: \'.'; //result: This is single quote: '.
?>
You can echo some other string with value from array for example:
<?php echo "this row has id: " . $row["ID"]; ?>
so you concatenate string and value with the period/dot.
Or you can access value of variable in string like:
<?php
$rowId = 1;
echo "this row has id: $rowId"; //result: this row has id: 1
?>
But it is hard to spot, and many IDEs will not highlight it. It can be better to concatenate it with a period (echo "this row has id: " . $rowId;).
You can also specify a value from an array, but you have to enclose it in {} so the PHP engine knows that it is an array variable, not the literal:
<?php echo "this row has id: {$row["ID"]}"; ?>
or object property:
<?php echo "this row has id: {$row->id}"; ?>
But it can also be hard to spot it when you write it like this.
When you want to literally write all this code you can enclose it by single quotes:
<?php
echo '<?php echo "this row has id: {$row["ID"]}"; ?>'; /* result: <?php echo "this row has id: {$row["ID"]}"; ?> */
?>
or escape all double quotes and dollar sign $ and the result will be same:
<?php
echo "<?php echo \"this row has id: {\$row[\"ID\"]}\"; ?>";
?>
How do I get the link with .html after the .$obj->product_name. ?
I have tried it as below. But it only shows the link http://.com/forbiden instead of http://.com/forbiden rice.html, where it cuts off the rice.html
echo '<span class="product-name"><a href=products/'.$obj->product_name ."html". 'target=_blank>'.$obj->product_name.'</a></span></br>';
Try with urlencode($obj->product_name)
Hope that helps :)
Attribute values containing spaces must be quoted in HTML (and it is good practice to always quote your attribute values).
The space between forbiden and rice is terminating the attribute value.
URLs aren't allowed to have spaces in them anyway, so you should run the string through urlencode too.
You'll find it easier to deal with the quotes if you break out of PHP mode to output HTML instead of trying to mash it together in strings.
Also note that you should escape text content for HTML with htmlspecialchars as a defence against XSS.
<?php
$url = "products/" . urlencode($obj->product_name) . ".html";
?>
<span class="product-name">
<a
href="<?php echo htmlspecialchars($url); ?>"
target="_blank">
<?php echo htmlspecialchars($obj->product_name); ?>
</a>
</span>
<br>
UPDATE
(I could just delete this question - but I might as well leave it as a reminder to everyone that sometimes the error is somewhere else than where we look...)
I am very sorry that I made you ponder this question: the reason for the "Actual result" was in a completely different location and has nothing to do with htmlentities.
Thanks to everyone who tried to help.
Why is this code not working in my PHP 5.4.32 site?
Code:
$returnValue = htmlentities(urldecode('//echo \'<textarea name="comments" id="comments">$theData</textarea>\';'), ENT_QUOTES, 'UTF-8');
echo '<textarea>' . $returnValue . '</textarea>';
Expected result:
A textarea with the exact string
//echo '<textarea name="comments" id="comments">$theData</textarea>';
Actual result:
A textarea with the exact string
//echo '<textarea name="comments" id="comments">$theData
(the "" in the original string actually closes the html textarea.)
In the same way, scripts can be injected (which is the reason why I originally used the htmlentities).
The very strange thing:
If I simply add the above example code to the beginning of my php file, it works as expected. So there must be some reason why it does not work further down the page. And I have no clue, see no possible reason in the code.
What's wrong?
btw: using htmlspecialchars doesn't change the effect.
Dollar sign $ isn't interpreted in single quotes.
Choose and use one of these:
echo '<textarea name="comments" id="comments">' . $theData . '</textarea>';
echo "<textarea name='comments' id='comments'>$theData</textarea>";
echo "<textarea name='comments' id='comments'>" . $theData . "</textarea>";
echo "<textarea name=\"comments\" id=\"comments\">$theData</textarea>";
You shouldn't use urldecode() in this case. urldecode() will give you the original value of an url-encoded string (in PHP the return value of urlencode()). You're not working with url-encoded strings here.
The following should give you the expected result:
$returnValue = htmlentities('//echo \'<textarea name="comments" id="comments">$theData</textarea>\';', ENT_QUOTES, 'UTF-8');
echo '<textarea>' . $returnValue . '</textarea>';
There is nothing wrong with this code. Works perfectly - the error was somewhere else in my php file...
I'm trying to format a PHP value from my script with a CSS style so it looks the same as my HTML text preceding it.
Here is my code:
<p>Your surname is: </p><?php echo "<div id='php'>" $surname; "</div>" ?>
What I'd like to get is
Your name is Remi
all formatted the same way, what I get now is just an error and my PHP page does not show at all.
You have to use . (a dot) to concatenate your strings:
<p>Your surname is: <?php echo "<span id='php'>" . $surname . "</span>"; ?></p>
edit: you should use a span tag, not a div, to enhance your php output.
Your error is that you have a space between your string literal and your variable.
There is no need to echo the div tags from PHP, so don't.
You also shouldn't echo out raw text into the page, convert it to HTML first.
<p>Your surname is: </p>
<div id='php'><?php echo htmlspecialchars($surname); ?></div>
<p>Your surname is: <span id="php"><?php echo $surname; ?></span></p>
You could also go for the shorter notation:
<p>Your surname is: </p>
<div id='php'><?= $surname ?></div>
The semi-colon ends the statement. So PHP thinks that "</div>" after the semicolon is another PHP command. That causes an error and prevents the page from appearing. Move the semicolon so it's just before the ?>, and it should work.
Someone correct me if I'm wrong: Using a might cause some layout issues. I don't believe that "Your surname is" and the $surname value will appear on the same line.
The PHP echo function is not outputting strings in the format of an HTML tag like <something. somethong_else>, maybe because it is like HTML tags. Is there any way to display it?
echo 'hi<h.i>';
Eg : this displays as
echo 'hi';
try using
<?php
echo htmlentities('hi<h.i>');
?>
You need to encode the string if you want the text to appear
echo htmlentities("hi<h.i>");
There is a thing called HTML. Where strings in <something.somethong_else> format have some meaning. Go figure.
PHP can echo out tags.
Example
<?php
echo '<p>Hello World</p>';
?>
Keep in mind, the PHP will echo where it is called. So you can also do this
<p>
<?php echo 'Hello World'; ?>
</p>
UPDATE
Since new information is sent. You can make < into &lt; and > into &gt;. Look at HTML entities.
You probably need to use htmlentities(), try this:
echo htmlentities('hi<h.i>');