Morning,
I have created a small form to store some information to a database.
I have magic_quotes_gpc turned off on my server.
If I enter a " or a £ sign in the box it stores into the database without a worry.
When I echo it back with PHP it displays, but if I use the value in an input form field the " closes the value field.
<input type="text" name="variable" value="<?php echo $row['variable']; ?>" />
I have now used htmlspecialchars around the input value and it works.
<input type="text" name="variable" value="<?php echo htmlspecialchars($row['variable']); ?>" />
But I have looked at the OpenCart source as a reference and they do not use htmlspecialchars but store the data in a different way.
I tried using the urlencode method they have used:
urlencode(html_entity_decode($_POST['variable'], ENT_QUOTES, 'UTF-8'));
but this seems to store as a lot of numbers and + signs which did not display back correctly.
I would rather encode on the database update instead of using the htmlspecialchars method I am using now.
But not quite sure which way would be best?
Thank You
You may use the htmlentities() function in PHP.
Perhaps try mysqli_real_escape_string($dblink, $string) instead of htmlspecialchars
For storing the HTML characters, change the characters and then store them:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>
To get the original characters back, decode as follows:
<?php
$str = "<p>this -&gt; &quot;</p>\n";
echo htmlspecialchars_decode($str);
// note that here the quotes aren't converted
echo htmlspecialchars_decode($str, ENT_NOQUOTES);
?>
For more information refer to http://www.php.net/manual/en/function.htmlspecialchars.php
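The thread above keeps circling the same point: the value goes into the database as typed, and escaping happens at the moment the value is written into HTML, for the context it lands in (here, an attribute value). The script below is an added example, not code from the question, the answers or OpenCart; the `attr()` and `render_input()` helpers and the sample values are constructed for it. It assumes PHP 7.4 or later and a page served as UTF-8.

```php
<?php
// Added example (not from the question or answers above): escape at output
// time, for the HTML attribute context, instead of encoding before storing.
declare(strict_types=1);

// Escape a value for use inside a double- or single-quoted HTML attribute.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// with U+FFFD instead of returning an empty string (the default would silently
// drop the whole value); 'UTF-8' must match the page's declared charset.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render the <input> from the question with a raw value taken from storage.
function render_input(string $name, string $value): string
{
    return sprintf('<input type="text" name="%s" value="%s" />', attr($name), attr($value));
}

// Constructed sample values: the " and £ characters from the question, plus a
// single quote to show why ENT_QUOTES matters.
$samples = [
    '2" to 2.33"',
    'Price: £5',
    "O'Reilly",
];

foreach ($samples as $raw) {
    echo render_input('variable', $raw), PHP_EOL;
    // The browser decodes the entities when it fills the field and again when
    // it submits the form, so the user sees and sends the original string.
    // html_entity_decode() mirrors that step here:
    assert(html_entity_decode(attr($raw), ENT_QUOTES, 'UTF-8') === $raw);
}

// Default flags are version dependent: before PHP 8.1 htmlspecialchars() used
// ENT_COMPAT, which leaves ' untouched. Inside value='...' that single quote
// would end the attribute, so pass ENT_QUOTES explicitly every time rather
// than relying on the default.
echo htmlspecialchars("O'Reilly", ENT_COMPAT), PHP_EOL;
echo htmlspecialchars("O'Reilly", ENT_QUOTES), PHP_EOL;
```

The urlencode approach seen in the question is an encoding for a different context (a URL query component), which is why the stored values came back as numbers and + signs; the £ sign, for instance, is not special in HTML at all and needs no encoding for a form field.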
Related
I am trying to get some data (varchar) from my database and show it in my HTML in the right encoding because it contains German special characters.
The database is in latin1_german2_ci (cp1252), my HTML:
<input type="text" id="owner" name="owner" value="<?=get_owner() ?>" class="form-control">
function get_owner()
{
$owner = htmlentities($text_I_got_from_db, ENT_COMPAT, 'cp1252');
return $owner;
}
This gives me, i.e. K&auml;lte in my <input>, but I want Kälte.
I know that htmlentities() turns special chars into HTML code. How do I make it stay that way in HTML and not be "converted back"?
If you want to print text in the page 'as is' you may use code like this:
$owner = htmlentities('Kälte', ENT_COMPAT, 'UTF-8');
echo htmlspecialchars($owner);
Every piece of research I look up refers to replacing the ampersand with %26, when in fact I want to replace %26 in the URL with the ampersand.
At the moment each time I pass the url under the GET command I get %26 back.
For example, the code I am passing in the form is as follows:
<form method="get" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<input type="text" id="stg" name="stg" size="25" value="<?php echo '?pn=' . $sub1 . '%26' . $jrny . '&Subject=' . $Subject . '&pn2=' . $sub1 . '&arc=' . $sess . '&Table_Id=' . $Table_Id; ?>" />
When I try string replace or rawurlencode functions I still end up with %26. What am I doing wrong?
Thanks
You can use the urldecode function:
print_r(urldecode("%26"));
will print out:
&
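The answer covers the decoding step; the reason %26 keeps coming back is that it was written into the query string by hand as a separator. The script below is an added example, not code from the question or the answer, showing how the same parameters are built with http_build_query() and read back with parse_str(). The `$params` values are constructed stand-ins for `$sub1`, `$jrny`, `$Subject` and the rest.

```php
<?php
// Added example (not part of the question or answer above): building and
// reading back a query string without hand-written %26 separators.
declare(strict_types=1);

// Constructed values standing in for $sub1, $jrny, $Subject, ... in the form.
$params = [
    'pn'      => 'ABC-1&XYZ-2',        // a value that itself contains an ampersand
    'Subject' => 'Order & delivery',
    'arc'     => 'session 42',
];

// http_build_query percent-encodes every key and value, so an & inside a value
// becomes %26 while the separators between pairs remain literal & signs.
$query = http_build_query($params);
echo $query, PHP_EOL;

// Reading back: parse_str decodes %26 (and +) in each value. This is the same
// decoding PHP performs when it fills $_GET on the receiving page, so nothing
// needs to be decoded by hand there.
parse_str($query, $decoded);
assert($decoded === $params);

// urldecode on its own turns an isolated %26 into &, which is the answer's
// point. Applied to a whole query string, though, it would also turn the
// encoded ampersand *inside* a value back into a separator, so use it only on
// individual values, never on the full string.
echo urldecode('%26'), PHP_EOL;

// The breakage, demonstrated: decode the full string first, then parse it.
parse_str(urldecode($query), $broken);
assert($broken['pn'] !== $params['pn']);
```

With the query built this way the form field's value can simply be `'?' . http_build_query([...])`, and the receiving script reads `$_GET['pn']` and gets the ampersand back without any replacement.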
I am saving double quotes that need to be saved in the database, then later shown on the screen.
$in = '2" to 2.33"';
$in = mysqli_real_escape_string($db, $in);
echo $in; // Shows with backslashes
$results = $db->query("UPDATE store_item_brims SET BrimSizeIn='$in' WHERE ID=2");
// Later I query the database and load to an array
// print_r of the array shows with no backslashes
// echoing into text input field does not work
When I view the data in phpMyAdmin, it is saved in the database without any visible backslashes. When I load the data into an array and print_r the array, it is shown in the array. However, when I try to echo it out in an input text field for the user to update, it only shows 2 and cuts off as soon as the first double quote is reached.
How do I fix this?
When you echo it into an HTML input, the quotes mess up the quotes the HTML input uses as delimiters, so the short answer:
<input type="text" value="<?php echo htmlentities($YOUR_VALUE); ?>" ...
reference: htmlentities
So I'm trying to work out the best way to sanitize against XSS for safe output to the user.
More or less, when storing values from a form, I'm using strip_tags(); then bind_params();
And when I'm about to output the data to the user I'm also using htmlentities();
The data will only be shown inside <p> and <a> tags.
e.g.:
<p> Some data from user </p>
<a href=""> Some data from user </a>
Should this work?
Index.php
<form action="sante.php" method="post">
Name: <input type="text" name="fname">
Age: <input type="text" name="age">
<input type="submit">
</form>
And then sante.php:
<?php
$name = $_POST["fname"];
$age = $_POST["age"];
$namn = strip_tags($name); // then storing into mysql with bind_param
$older = strip_tags($age); // then storing into mysql with bind_param
// before output, htmlentities
function safe( $value ) {
// htmlentities() returns the escaped string; it does not modify $value in place
$value = htmlentities( $value, ENT_QUOTES, 'utf-8' );
return $value;
}
// Now showing values
echo safe($namn) . "<br>";
echo "<p>" . safe($older) . "</p>";
?>
Yes, you can use this code safely. I see you're already using bind_param (and I assume either the mysqli or PDO library), which prevents SQL injection (damage to you), and htmlentities, which prevents cross-site scripting (damage to the user).
You don't even need to call strip_tags before writing to the database, although it's a fine idea if you don't want user input to contain any JS/PHP/HTML tags at all (and also if you forget to call your safe function on output).
When you insert data into the database you must use mysql_real_escape_string or use PDO; if you display data you must use htmlspecialchars.
My question is similar to this question but I'm not using code igniter. I'm echoing variables obtained from a database into the value attribute of a text input. The variables may contain ' or " or any other special chars.
I tried:
<input type="text" name="myTextInput" value="<?= htmlspecialchars($dbValue, ENT_QUOTES); ?>" />
but it outputs quotes as &quot; or &#039; which is not what I want. I want the text input to actually contain the quotes as typed by the user.
Should I be using a PHP function or a JavaScript function to escape the string? If I don't escape it I get a JavaScript error because the quotes inside the $dbValue string are interacting with the value attribute quotes.
That's exactly what you DO want, however. e.g.
if your inserted data is
Davy "Dead Pirate" Jones
and you insert that into an input field literally, you'd end up with
<input type="text" name="..." value="Davy "Dead Pirate" Jones" />
which will be interpreted as follows:
<input> field with attributes:
type -> 'text'
name -> '...'
value -> ' ' (a single space)
Dead ->
Pirate ->
" -> dangling quote
Jones ->
" -> another dangling quote
By comparison, after doing an html_entities, you'd have
Davy &quot;Dead Pirate&quot; Jones
and that can be inserted into the <input> field without issue.
If the input field's value contains a literal " that's visible to the user, then you've got some double-encoding going on.
You'll want to use html_entity_decode. Here's an example from the documentation:
<?php
$orig = "I'll \"walk\" the <b>dog</b> now";
$a = htmlentities($orig);
$b = html_entity_decode($a);
echo $a; // I'll &quot;walk&quot; the &lt;b&gt;dog&lt;/b&gt; now
echo $b; // I'll "walk" the <b>dog</b> now
?>
Reference: http://www.php.net/manual/en/function.html-entity-decode.php
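The double-encoding this answer describes comes from mixing two states in one column: some rows stored raw, some stored after htmlentities(). The script below is an added example, not the answer's code, showing how each state looks after the usual output escaping and the two ways to deal with it. The `e()`, `normalise()` and `e_no_double()` helpers and the `$rows` values are constructed for the example; it assumes a UTF-8 page.

```php
<?php
// Added example (not from the answer above): raw values and values that were
// already entity-encoded before storage, and how each behaves at output.
declare(strict_types=1);

function e(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed rows: one stored raw, one stored through htmlentities() by an
// older code path (the situation the answer calls double-encoding).
$rows = [
    'raw'        => 'Davy "Dead Pirate" Jones',
    'preencoded' => 'Davy &quot;Dead Pirate&quot; Jones',
];

// Escaping everything at output, as is correct for raw data, turns the
// pre-encoded row's & into &amp;, so the user sees a literal &quot; on screen.
foreach ($rows as $kind => $stored) {
    echo $kind, ': ', e($stored), PHP_EOL;
}

// Fix 1 (preferred, as a one-off migration): bring storage back to raw text so
// every row is in the same state, then always escape on output.
function normalise(string $stored): string
{
    return html_entity_decode($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
assert(normalise($rows['preencoded']) === $rows['raw']);
// Decoding a raw value only changes it if it happens to contain something
// entity-shaped; that ambiguity is exactly why the mixed state is worth ending.
assert(normalise($rows['raw']) === $rows['raw']);

// Fix 2 (stop-gap at output time): htmlspecialchars' fourth argument,
// double_encode=false, leaves existing entities alone while still escaping
// bare < > " ' characters, so both row kinds render the same way.
function e_no_double(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', false);
}
assert(e_no_double($rows['preencoded']) === $rows['preencoded']);
assert(e_no_double($rows['raw']) === $rows['preencoded']);

// The limitation of Fix 2: a raw value that legitimately contains text such as
// "&amp;" is passed through unescaped, so it no longer reads as typed.
assert(e_no_double('Tom &amp; Jerry') === 'Tom &amp; Jerry');
```

Calling html_entity_decode() in the template, as the next answers suggest, fixes the visible &quot; only for the pre-encoded rows; for raw rows it puts the unescaped quote straight back into the value attribute, which is the original problem.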
You're looking for the opposite of htmlspecialchars; try using html_entity_decode.
Here is your code using html_entity_decode.
<input type="text" name="myTextInput" value="<?= html_entity_decode($dbValue, ENT_QUOTES); ?>" />
Here is a link to the manual -> http://www.php.net/manual/en/function.html-entity-decode.php
If you have any problems using this you might want to check out this question, which has a common encoding problem -> https://stackoverflow.com/a/4638621/1065786
To display single quotes, double quotes and HTML tags as a text field value, try:
<?php
$formVal = htmlspecialchars($dbValue, ENT_COMPAT, 'utf-8');
// or this:
// $formVal = htmlspecialchars($dbValue);
?>
<!-- html -->
<form>
<input type="text" name="myTextInput" value="<?php echo $formVal; ?>" />
</form>
http://www.sitepoint.com/form-validation-with-php
https://www.inanimatt.com/php-output-escaping.html