I wanted to ask that in a php script of mine which I am accessing through an ajax request, I am returning json data ( converted from an array ) as such
echo json_encode($row_array);
I get this data in jquery and display it in a form. Do i need to apply htmlspecialchars / htmlentites before returning the data?
Is do then whats the correct way to do it? The following code gives me an error:
echo htmlentities(json_encode($row_array));
Thanking you
Imran
Do not apply htmlentities in this way. You should walk the array before json encoding it and escape each element, then json encode the array of safe-to-display values. In your usage json is just a transport layer for the array. You are not displaying the json array, just the element data. Don't escape transport layers--it could make the json string invalid.
Context is important.
You don't need to escape the data at all on the server side if it's going into a form input's value if you are using jQuery's val() function to populate it.
Example: http://jsfiddle.net/Y6TWv/1/
var data = '<strong>STRONG TEXT</strong>';
$('input').val(data); // output is escaped
$('p').text(data); // output is escaped
$('p').html(data); // output is not escaped
In addition, if you were to escape the data, don't do it like this:
// escapes the entire json string, not good - quotes will be broken
echo htmlentities(json_encode($row_array));
You would have to escape each item of $row_array first before json encoding it, either with array_map after the array is built, or as you're building the array.
In general, you should prefer htmlspecialchars over htmlentities, but it's not likely you need either one.
I just had a problem with single quotes in a JSON array. Chrome doesn't like single quotes in a JSON response returned via ajax. I escaped each value with htmlspecialchars(, ENT_QUOTES).
$theoptions['MemberList'] = array();
while($row = mssql_fetch_assoc($result)) {
$memberelement = array(
'Display'=> htmlspecialchars($row['FullName'], ENT_QUOTES),
'Value' => $row['ID']);
$theoptions['MemberList'][] = $memberelement;
}
header('Content-Type: application/json');
echo json_encode($theoptions);
Related
I made a post in a form converting my javascript localstorage to a post request. From there I tried to decode my json string to make an object in PHP.
How my php code looks before I echo it
$cart_items = $_POST['cart_items'];
$cart_items = json_encode($cart_items);
$array_test = json_decode($cart_items);
print_r($array_test);
What it returns in browser
[{\"id\":83494890,\"title\":\"2020 Hino 358\",\"partType\":\"Bumpers\",\"price\":100,\"stockNumber\":12313131312,\"thumbImg\":\"/jOIY91KhEby8_f.jpg\",\"permalink\":\"/part-description/?part=83494890\",\"maxQuantity\":1,\"requestedQuantity\":\"3\"}
,{\"id\":83493833,\"title\":\"2009 Freightliner 5020080\",\"partType\":\"ABS Modulator Valves\",\"price\":150,\"stockNumber\":\"P-1211111111157\",\"thumbImg\":\"/OOjQbsi6p8kX_f.jpg\",\"permalink\":\"/part-description/?part=83493833\",\"maxQuantity\":1,\"requestedQuantity\":\"1\"}]
I know that typically when seeing json data there isn't forward slashes everywhere. I tried to json_decode into an array rather than an object, then make a foreach for each object inside. But I got this error returned "Invalid argument supplied for foreach()"
How do I make this json string convert to an array of objects? Thank you
The problem I was having was when I was getting the $_POST[] it was using PHP's "magic quotes" which was giving me improper format for my json. That being said, after disabling this, it removes the slashes.
It looks like $_POST['cart_items'] already contains JSON. So you just need to decode it, not encode it first.
$array_test = json_decode($_POST['cart_items'], true);
print_r($array_test);
But it's actually encoded twice, that's why it has escaped quotes, so you need to call json_decode() twice. But it's missing the double quotes around the whole thing, and the embedded newline is not valid.
The following works:
<?php
$cart_items = '"[{\"id\":83494890,\"title\":\"2020 Hino 358\",\"partType\":\"Bumpers\",\"price\":100,\"stockNumber\":12313131312,\"thumbImg\":\"/jOIY91KhEby8_f.jpg\",\"permalink\":\"/part-description/?part=83494890\",\"maxQuantity\":1,\"requestedQuantity\":\"3\"},{\"id\":83493833,\"title\":\"2009 Freightliner 5020080\",\"partType\":\"ABS Modulator Valves\",\"price\":150,\"stockNumber\":\"P-1211111111157\",\"thumbImg\":\"/OOjQbsi6p8kX_f.jpg\",\"permalink\":\"/part-description/?part=83493833\",\"maxQuantity\":1,\"requestedQuantity\":\"1\"}]"';
$array_test = json_decode(json_decode($cart_items));
print_r($array_test);
I suggest you find the code that's sending the cart_item POST parameter and fix it so it doesn't do all this extra encoding.
consider the following url
index.php?json={uid:guest|10001441}
I am not able to decode the data .
I need the output as {"uid":"guest|10001441"}.
The code i m using is
if (isset($_GET['json']))
{
$url_data = $_GET['json'];
$decoded_data = json_decode($url_data,true);
var_dump($decoded_data);
}
But it gives me output as NULL. What am i doing wrong?? Do i need to pass data in a different format??
It seems impossible to decode a JSON string without double quotes, as it's hard to determine whether a JSON string "{A:B:C}" is encoded from {"A":"B:C"} or from {"A:B":"C"}
You can use urlencode() to encode the JSON string or just ignore the extreme cases and add the double quotes manually to make the JSON string valid, hope this help :D
The data you're passing is not valid JSON. It doesn't have double quotes around it currently. Try this:
if (isset($_GET['json']))
{
$url_data = '"'.$_GET['json'].'"';
$decoded_data = json_decode($url_data,true);
var_dump($decoded_data);
}
Output:
string(20) "{uid:guest|10001441}"
Also, I'd suggest using POST instead of GET here.
If you pass it like this it will work: ?json={"uid":"guest|10001441"}
But I am not sure whether it is a proper method.
The JSON you have in your URL is not valid. PHP's json_decode looks for double quotes around the uid and it's value.
EDIT: Rather than storing the data in the URL as json could you not store the data as key value pairs such as
?uid=value
And then you could do something like
$data = json_encode( $_GET );
you can encode url parameter with base64_encode()
$json=base64_encode('{"uid":"guest|10001441"}');
url will look like this
index.php?json=eyJ1aWQiOiJndWVzdHwxMDAwMTQ0MSJ9
then do like this :-
if (isset($_GET['json']))
{
$url_data = base64_decode($_GET['json']);
$decoded_data = json_decode($url_data,true);
var_dump($decoded_data);
}
I have a form with fields and a text-area that allows any characters to be entered. I can't just submit the form, because the form is being recycled many times over, so the form values are being stored in associative arrays:
<form name='Theform'>
<input type="text" id="VISITOR_DETAILS_NAME" value="Joe">
<input type="text" id="VISITOR_DETAILS_SIZE" value="Large">
<textarea id='VISITOR_DETAILS_INFO'>
User can enter anything here including double " and single ' quotes
</textarea>
<input type="hidden" name="package" id="package" value="" />
</form>
The text-area value are stored in a JavaScript array along with the other form values:
myArray[0]['VISITOR_DETAILS_NAME'] = document.getElementById('VISITOR_DETAILS_NAME').value;
myArray[0]['VISITOR_DETAILS_SIZE'] = document.getElementById('VISITOR_DETAILS_SIZE').value;
myArray[0]['VISITOR_DETAILS_INFO'] = document.getElementById('VISITOR_DETAILS_INFO').value;
I end up with an array something like this:
{
VISITOR_DETAILS_NAME : "Joe",
VISITOR_DETAILS_SIZE : "Large",
VISITOR_DETAILS_INFO : "User can enter anything here including double " and single ' quotes"
};
I then pass this JavaScript array to the hidden form field using JSON.stringify and then POST this to PHP:
document.getElementById('package').value = JSON.stringify(myArray[0]);
Theform.submit();
(For now I'm just posting to an iframe to test that the JSON is passing the JavaScript arrays properly through POST).
When I get it on the PHP side - it seems good to go. It looks like the JSON.stringify has added the backslash to the double quote (\" ) - and now I want to store the values in MySQL. But I want to first test that I can send/reconstruct the JSON back to the javascript as an array - so I try this:
parent.myArray[0] = JSON.parse('<?php echo $_POST['package']; ?>');
I get an ERROR: SyntaxError: Expected token ')' OR SyntaxError: missing ) after argument list
This is strange to me - because when I try it without POSTING - It seems to work fine like this:
document.getElementById('package').value = JSON.stringify(myArray[0]);
now if I try to just pass back the stringified value back to the array
myArray[0] = JSON.parse(document.getElementById('package').value);
- it seems to work fine - no errors
QUESTIONS:
Why am I getting this error when trying to reconstruct the ARRAY from the
POSTED JSON.stringify() value?
Do I save this JSON.stringify() value in MySQL as is?
Or do I PHP json_decode() it first?
I want to grab the form data - handle it properly - store it in MySQL and then read it back into the form when I need it.
Thanks All :)
parent.myArray[0] = JSON.parse('<?php echo $_POST['package']; ?>');
Here you are are trying to convert a JSON text into an HTML representation of a JavaScript string representation of a JSON text, but you aren't doing anything to escape it for either.
If you have any ' characters in the JSON data, then they will terminate the JavaScript string.
If you have any " characters in the JSON data, then they will be represented as \", but \" is a JavaScript string representation of ". Since you don't do anything to escape the text you put in the JS string, the slash character will be consumed by the JavaScript parser and will be gone before it reached the JSON parser.
If you want to convert data for placing in a JavaScript string then you need to escape it.
However, JSON is a subset (almost) of JavaScript. So the process of converting a JSON text to a JavaScript string so it can be parsed into a JavaScript object is over-complicated. You can skip that can just go straight to:
<script>
var foo = <?php echo $json; ?>
</script>
However, since you are taking in the JSON from the client, echoing out directly will expose you to XSS attacks. In order to deal with this you should filter the data on the server.
This will:
Fail to parse any invalid JSON and so not output bad JSON (but it might output nothing, giving you a JSON syntax error, you should apply tests to see if the parse was successful and output a sensible default case if it fails).
Convert any </script> in the data to <\/script> making it safe to place in a script element (because that is how PHP's json_encode works
Such:
<!-- I don't do PHP, this is untested -->
<script>
var foo = <?php
$unsafe_json = $_POST['package'];
$data_structure = json_parse($unsafe_json);
$safe_json = json_encode($data_structure);
echo $safe_json;
?>;
</script>
Do I save this JSON.stringify() value in MySQL as is? Or do I PHP json_decode() it first?
That depends on what you intend to do with the data. In general when putting things into a database it is a good idea to extra the data from the data format and normalize it. That way you can run queries over it.
If you are only going to store the data and then retrieve it, you might be able to get away with not doing that and storing strings of JSON in the database. That loses you a lot of flexibility though and might bite you in the future.
I've been using json_encode for a long time, and I've not had any problems so far.
Now I'm working with a upload script and I try to return some JSON data after file upload.
I have the following code:
print_r($result); // <-- This is an associative array
echo json_encode($result); // <-- this returns valid JSON
This gives me the following results:
// print_r result
Array
(
[logo_url] => http://mysite.com/uploads/gallery/7f/3b/f65ab8165d_logo.jpeg
[img_id] => 54
[feedback] => Array
(
[message] => File uploaded
[success] => 1
)
)
// Echo result
{"logo_url":"http:\/\/mysite.com\/uploads\/gallery\/7f\/3b\/f65ab8165d_logo.jpeg","img_id":"54","feedback":{"message":"File uploaded","success":true}}
Can anyone tell me why json_encode adds slashes?
update
#Quentin said that something is happening between json_encode and .parseJSON and he's right.
Doing a alert(data.toSource()); gives me the dollowing result:
({response:"{\"logo_url\":\"http:\\/\\/storelocator.com\\/wp-content\\/uploads\\/gallery\\/7f\\/3b\\/71b9520cfc91a90afbdbbfc9d2b2239b_logo.jpeg\",\"img_id\":\"62\",\"feedback\":{\"message\":\"File uploaded\",\"success\":true}}", status:200})
And this is not valid JSON. It also adds the status:200 and I have no idea where this comes from.
Could it be that the Plupload bind does something to my returned data?
This is my js script:
uploader.bind('FileUploaded', function(up, file, data) {
alert(data.toSource());
$('#' + file.id + " b").html("100%");
});
Just use the "JSON_UNESCAPED_SLASHES" Option (added after version 5.4).
json_encode($array,JSON_UNESCAPED_SLASHES);
I just came across this issue in some of my scripts too, and it seemed to be happening because I was applying json_encode to an array wrapped inside another array which was also json encoded. It's easy to do if you have multiple foreach loops in a script that creates the data. Always apply json_encode at the end.
Here is what was happening. If you do:
$data[] = json_encode(['test' => 'one', 'test' => '2']);
$data[] = json_encode(['test' => 'two', 'test' => 'four']);
echo json_encode($data);
The result is:
["{\"test\":\"2\"}","{\"test\":\"four\"}"]
So, what you actually need to do is:
$data[] = ['test' => 'one', 'test' => '2'];
$data[] = ['test' => 'two', 'test' => 'four'];
echo json_encode($data);
And this will return
[{"test":"2"},{"test":"four"}]
Can anyone tell me why json_encode adds slashes?
Forward slash characters can cause issues (when preceded by a < it triggers the SGML rules for "end of script element") when embedded in an HTML script element. They are escaped as a precaution.
Because when I try do use jQuery.parseJSON(response); in my js script, it returns null. So my guess it has something to do with the slashes.
It doesn't. In JSON "/" and "\/" are equivalent.
The JSON you list in the question is valid (you can test it with jsonlint). Your problem is likely to do with what happens to it between json_encode and parseJSON.
This happens because the JSON format uses ""(Quotes) and anything in between these quotes is useful information (either key or the data).
Suppose your data was : He said "This is how it is done".
Then the actual data should look like "He said \"This is how it is done\".".
This ensures that the \" is treated as "(Quotation mark) and not as JSON formatting. This is called escape character.
This usually happens when one tries to encode an already JSON encoded data, which is a common way I have seen this happen.
Try this
$arr = ['This is a sample','This is also a "sample"'];
echo json_encode($arr);
OUTPUT:
["This is a sample","This is also a \"sample\""]
Make sure your php script has the right header or it will add the slashes
header('Content-Type: application/json');
I had a very similar problem, I had an array ready to be posted. in my post function I had this:
json = JSON.stringfy(json);
the detail here is that I'm using blade inside laravel to build a three view form, so I can go back and forward, I have in between every back and forward button validations and when I go back in the form without reloading the page my json get filled by backslashes. I console.log(json) in every validation and realized that the json was treated as a string instead of an object.
In conclution i shouldn't have assinged json = JSON.stringfy(json) instead i assigned it to another variable.
var aux = JSON.stringfy(json);
This way i keep json as an object, and not a string.
json_encode will always add slashes.
Check some examples on the manual HERE
This is because if there are some characters which needs to escaped then they will create problem.
To use the json please Parse your json to ensure that the slashes are removed
Well whether or not you remove slashesthe json will be parsed without any problem by eval.
<?php
$array = array('url'=>'http://mysite.com/uploads/gallery/7f/3b/f65ab8165d_logo.jpeg','id'=>54);
?>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js"></script>
<script type="text/javascript">
var x = jQuery.parseJSON('<?php echo json_encode($array);?>');
alert(x);
</script>
This is my code and i m able to parse the JSON.
Check your code May be you are missing something while parsing the JSON
Here's my problem. I have data being returned using JSON, AJAX from my php script to my page. The data is being stored in a variable data
Using the variable data, I'm trying to construct a div using javascript. However, if the data contains a single quote, it break my js code and the page script doesn't work.
example code with data being the variable containing data "The boy's bicycle":
var newrootcomment = $("<div id='container'>" + data + "</div>");
newrootcomment.prependTo($('#wholecontainer')).hide().fadeIn(300).slideDown(1000);
How do I solve this problem?
Are you using the json_encode function available in PHP? Are are you treating the response as JSON? jQuery.parseJSON(<json-string>).
From there you interact with it simple as an object.
var resp = {};
If you don't have jQuery, most browsers support JSON.parseJSON().
Also, make sure you use double quotes for attributes.
<div id="foo"></div>
This is normally how I use json_encode:
$resp = array(
"foo"=>"foo_value",
"bar"=>"bar_value",
"foo_bar"=>array("one","two",3),
"message"=>"AWesome"
)
return json_encode($resp)
Take a look at json_encode for PHP - it'll return a quoted string with JSON-safe characters - it'll escape entities like \n, \, ". etc
Edit
Note that a single quote in JSON is not required to be escaped since it surrounded by double quotes.
From what you said in a comment to #jbcurtin's answer, about your PHP code being echo json_encode('{ "author": "'.$author.'"}'); I'd say that that is one problem. You don't need to encode the entire string, only the author variable. That line should be echo '{"author": '. json_encode($author) . '}'; instead.