I am using Smarty for templates.
I am facing an issue with rendering. I have one variable; the value of that variable is
this is text" data
but when I print this value in the tpl file it prints only this is text except the
this is text" data
Why is this happening? Please help.
Thanks in advance
In smarty you can escape the data using {$variable|escape:'format'}
In this case a format of html should do the trick
{$variable|escape:html}
ref: http://smarty.net/docsv2/en/language.modifier.escape.tpl
You shouldn't be using quotes in HTML text-nodes anyway (it's invalid). Use &quot; (escaped) instead.
So for your example:
this is text&quot; data
If your text is coming from your DB, use htmlspecialchars() to properly escape it:
$val = htmlspecialchars($val);
I am trying to display data in a textarea which is fetched from tables that I have submitted via another form. The issue comes up when a new line is entered.
The data getting displayed in the textarea is
lin1\r\nlin2
It should be like
lin1
lin2
I have tried nl2br but it does not work as expected.
How can I make things optimized? Thanks
This problem can be solved using stripcslashes() when outputting your data.
Please note that the method above is different from stripslashes() which doesn't work in this case.
I tried using nl2br but it wasn't sufficient either.
I hope str_replace saves you.
<?php
$str='lin1\r\nlin2';
$str=str_replace('\r\n','<br>',$str);
echo $str;
OUTPUT:
lin1
lin2
This is a common question and the most common answers are nl2br or str_replace.
However this is just creating unnecessary code.
In reality the problem is pretty much always that you have run the data through a mysql escape function before displaying it. Probably while you were in the process of saving it. Instead, escape the data for saving but display an unescaped version.
<?php echo str_replace('\r\n', "\r\n", $text_with_line_breaks); ?>
See single quotes & double quotes this is a trick.
A perfect solution for newbies.
You are over-quoting in your insert/update statement.
In your case you can solve this problem as follows:
<?php
$str = 'lin1\r\nlin2';
$solved_str = str_replace(array("\\r","\\n"), array("\r","\n"), $str);
var_dump($str,$solved_str);
But you need to check your insert/update statement for over-escaping of quotes and escape symbols.
I would recommend using double quotes for \r\n such as "\r\n". I've never had it work properly with single quotes.
For non-textarea output use this function
function escapeNonTextarea($string){
    // Match the literal '\r\n' first so it is not converted twice
    $string=str_replace(array('\r\n','\n','\r'),array("<br>","<br>","<br>"),$string);
    return $string;
}
For a textarea use this function
function escapeTextarea($string){
    // Turn the literal backslash sequences back into real line breaks
    $string=str_replace(array('\r\n','\n','\r'),array("\r\n","\n","\r"),$string);
    return $string;
}
Call the appropriate function and pass the string as the argument.
Trying to keep new lines and unescaped values intact in a textarea being repopulated with data during a PRG cycle. At what point do you assign the variable correctly so that new lines are recognized?
I've tried double quotes, nl2br, htmlentities, stripslashes but I can't seem to get it. Some attempts:
Assigning during the initial prg $_SESSION array:
$_SESSION['prg']['textarea'] = "$textarea";
When passing from prg array to var:
$textarea = htmlentities($_SESSION['prg']['textarea']);
When echoing into the textarea:
<textarea name="textarea"><?php if(isset($textarea)) echo nl2br($textarea); ?></textarea>
And various combinations of the above, including the initial $_POST, directly after sanitizing.
Also, in case anyone asks: the escaping works as intended, db insert results are fine. It's just the form repopulating that's throwing things off.
I'm sure this is just a symptom of amateur hour... Looking for php/html solution only. Thanks in advance.
I don't think you want to be calling nl2br when you populate the text area if you want to keep the newlines showing up properly in the textarea. The htmlentities part is good though.
While storing the data use addslashes($_POST['textarea']), and while displaying use stripslashes($textarea).
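The "escape for saving, display an unescaped version" point from the earlier textarea thread and the repopulation question above come down to the same rule: store the raw text, escape once at output for the HTML context. The following is an added example, not code from any of the posts; the table, column and sample text are constructed, an in-memory SQLite database stands in for the real one, and h() is a hypothetical helper name.

```php
<?php
// Added example; the table name, column name and sample text are constructed.
$input = "lin1\r\nlin2 with \"quotes\" & </textarea><b>markup</b>";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (body TEXT NOT NULL)');

// Bound parameters carry the value separately from the SQL text, so no
// addslashes() or manual escaping is involved and CR LF is never turned
// into the four literal characters \r\n.
$pdo->prepare('INSERT INTO notes (body) VALUES (?)')->execute([$input]);
$stored = $pdo->query('SELECT body FROM notes')->fetchColumn();

// Compare the round-tripped value with what was submitted.
var_dump($stored === $input);

// Hypothetical helper: escape once, at output time, for an HTML context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Inside <textarea>: entity-escape only. The browser keeps real newlines,
// and the escaped "</textarea>" in the data cannot close the element early.
$forTextarea = '<textarea name="textarea">' . h($stored) . '</textarea>';

// Outside a textarea: escape first, then let nl2br() insert the <br /> tags.
// Reversing the order would escape the <br /> tags themselves.
$forParagraph = '<p>' . nl2br(h($stored)) . '</p>';

echo $forTextarea, "\n\n", $forParagraph, "\n";
```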
I have a HTML form value as a PHP function: value='".$item->get_title()."' (This is in an echo statement hence the single quotes.) The problem is that if the returned title contains any quotes it breaks the value function.
Example: value="Kim Dotcom lawyer blasts US government" s "pattern of delay "e;'>
As you can see it breaks at government. There is supposed to be an apostrophe after that.
Does anyone know a fix for this?
The fix: value='".htmlspecialchars($item->get_title(), ENT_QUOTES)."'
Use htmlspecialchars to escape output not meant to be rendered as HTML:
value="'.htmlspecialchars($item->get_title(), ENT_QUOTES).'"
By default, htmlspecialchars only escapes double quotes, not single quotes. If you want to escape both (and so maintain your practice of putting HTML values in single quotes), add ENT_QUOTES as the second parameter to htmlspecialchars.
try with htmlspecialchars
htmlspecialchars($item->get_title());
try:
value='".str_replace('"', '', $item->get_title())."'
I searched the site and didn't find a solution. My problem is that I've got a hidden input that I want to send via the post method that has quotes in it. I've tried using addslashes() and I get the same problem. It looks something like this right now:
<?php $value = 'I\'ve got \"some\" random text with quotes'; ?>
<input name="example" value="<?=$value?>">
And I get most of the text showing in my form because the quotes aren't being ignored AARGH! ;) So how do I get text with quotes into a hidden input?
Thanks in advance!
<?php $value = "I've got \"some\" random text with quotes"; ?>
when you output this will result in the following?
<input name="example" value="I've got \"some\" random text with quotes">
I would convert them so they validate and avoid confusion:
<?php $value = 'I&#039;ve got &quot;some&quot; random text with quotes'; ?>
<input name="example" value="<?=$value?>">
Try to avoid using double quotes with PHP strings, as PHP will search the entire string for a variable to parse, regardless if the string contains one. They are slower than single quotes. Not so much anymore these days, but still a good practice to use single quotes for strings.
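To see why addslashes() does not help in an attribute and what ENT_QUOTES changes, the following added example (not code from any of the posts) builds the same input element four ways and parses each one back. $title is a constructed value standing in for $item->get_title(), and attr() and parsedValue() are hypothetical helper names; the DOM extension is assumed to be available.

```php
<?php
// Added example; $title is constructed sample data.
$title = 'Kim Dotcom lawyer blasts US government\'s "pattern of delay"';

// Escape for an HTML attribute value. ENT_QUOTES covers both ' and ", so the
// result is safe whichever quote delimits the attribute. The flags are passed
// explicitly because the default flag set changed in PHP 8.1.
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parse the markup and return the value attribute the way a parser reads it.
function parsedValue(string $html): string
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : '';
}

$candidates = [
    'raw, single-quoted'    => "<input name='example' value='" . $title . "'>",
    'addslashes()'          => '<input name="example" value="' . addslashes($title) . '">',
    'attr(), single-quoted' => "<input name='example' value='" . attr($title) . "'>",
    'attr(), double-quoted' => '<input name="example" value="' . attr($title) . '">',
];

foreach ($candidates as $label => $html) {
    $seen = parsedValue($html);
    printf(
        "%s\n  markup: %s\n  parsed: %s\n  intact: %s\n",
        $label,
        $html,
        $seen,
        $seen === $title ? 'yes' : 'NO'
    );
}
```

Backslashes mean nothing to an HTML parser, so only the entity-escaped variants come back with the full title.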
I am retrieving data from my SQL database...
data exactly as it is in the DB = (21:48:26) <username> some text here. is it ok?
When I try and echo $row['log']."<br>";
it displays it as = (21:48:26) some text here. is it ok?
I assume this is due to the <> brackets making it think it's an HTML opener... Would this be the case? And if so, how would one echo a string that contains HTML?
Use htmlspecialchars() to translate HTML control characters into their entities:
echo htmlspecialchars($row['log'])."<br>";
You need to escape the characters so it is not recognized as an HTML element, but as text:
echo htmlentities( $row['log'] ) . '<br/>';
> I assume this is due to the <> brackets making it think it's an HTML opener...
Yes, any construction in <> brackets is treated by the web browser as an HTML tag. So, you should use either htmlspecialchars() or htmlentities() or some similar custom function to convert "<" and ">" symbols to "&lt;" and "&gt;" strings, which are displayed to the user as brackets.
Some more comments:
ALL text data displayed to the user must be passed through the htmlspecialchars() function (or through another function with similar behavior), since "some text" may also contain tags, etc.
Probably it would be better to store date/time, username and "some text" in separate table columns in DB, in order to satisfy relational database constraints. This may require some additional input data parsing.