In the following code....
<td height="27" align="right" valign="middle">Social & Political</td>
And in General.php page....
<input type='text' name='category' id='category' value='<?= $_GET['category']; ?>' maxlength="25"/>
Here the value taking only 'Social', instead of 'Social & Political'. If I change this to 'Social Political', its taking perfectly. Why is that?
& has special meaning in both URIs and in HTML. In a query string, which is where you are putting it, it means "End of this key/value pair and start of the next one".
Run your string through urlencode (immediately) before inserting it into a URL.
Run your string through htmlspecialchars (immediately) before inserting it into HTML.
(urlencode shouldn't leave any HTML special characters in the string, but it is a good habit to push all data that is "not known to be HTML" through htmlspecialchars before concatenating it with HTML).
Because & is a special character.
Use PHP function urlencode() and urldecode()
use urlencode for the variables which you are passing in the query string
To complement the previous answers, this will work
a href="General.php?category=Social %26 Political"
%26 is the url code for the character &
Related
I have a value ($title) that is stored in MySQL and is being called, using PHP, to be inserted into the value of an input element. The problem is when a single or double quote is used, the value of the input field terminates at that point.
The behavior that should occur is the input field should be populated EXACTLY with the data in the $title variable, so that when the form is updated, the quotes remain intact.
Here is the PHP:
<?php
echo '<input type=text size=91 name=title value="'.stripslashes($title).'">';
?>
Now, here is a typical problem: if the value of $title
this is a test " of what occurs with a quote
and I echo the variable, it echos correctly to
this is a test " of what occurs with a quote
However, when used in an input field, it renders as:
<input value="this is a test " of what occurs with a quote">
The first " terminates the value of the field, causing the new value to be:
this is a test
I'm confused as to how to get the proper value to display and be submitted with the form, when that variable is displayed and updated.
Try using htmlspecialchars. This will escape the " in yout title.
value="'.htmlspecialchars($title).'">
Put a \ before the quote.
echo "This is a \" test";
Change this line.
<input type=text size=91 name=title value="'.stripslashes($title).'">
To
<input type=text size=91 name=title value=\''.stripslashes($title).'\'>
Why are you running stripslashes()? Running addslashes() (the opposite function) would fix this particular issue, but a better approach would be to use htmlentities($title, ENT_COMPAT, 'utf-8') everywhere you output the title (or, if your structure allows, when the data is stored).
After you perform stripslashes you should use htmlspecialchars to escape the special characters. This avoids the mess the characters like ",', etc might otherwise create.
<input type=text size=91 name=title value="'.htmlspecialchars(stripslashes($title)).'">
The above snippet will only fix it for display purpose. But when the submit happens you must use either mysql_real_escape_string() or $pdo->quote() to escape the special characters before you run the SQL query.
I am trying to do a query string in html.
String that I want to pass is "Book Cover".
But I only managed to get Book.
How should I go about doing it?
Below is my code:
<a href=book.php?category=Book Cover>Book Cover</a>
You need to encode all your query string vars, For example with rawurlencode / rawurldecode
Book Cover
And in PHP:
$category = rawurldecode($_POST['category']);
In HTML the value stops at the space:
<a href=book.php?category=Book Cover>Book Cover</a>
^
If you want to include a space inside a value in HTML you need to add quotes:
Book Cover
^ ^
In HTML both single and double quotes are allowed.
Now the value itself has a problem, too:
book.php?category=Book Cover
`- URL stops here.
This is a relative HTTP URL and as for any HTTP URL the space character is a special value. It can normally not be part of the URL, therefore you need to encode it. This can be done as with any other special character in a HTTP URL with triplet encoding / percentage-encoding replacing the binary value of the character(s) with their hexadecimal number:
book.php?category=Book%20Cover
For the space you have, historically it is even a special-case, you can also encode it with the plus sign.
The later problem is often dealt with by the user agents, but the quotes in HTML are needed otherwise the value gets cut.
And it is generally good practice to place attribute values in HTML inside (double) quotes. So I suggest you to do that.
Why not convert to UTF-8 before encoding?
urlencode(utf8_encode($string));
Looks like you are missing double quotes
Book Cover
I am accepting a preset input from another .php file
$Instructor=$_POST["Instructor"];
when I echo $Instructor, the OUTPUT is Dr. Doom (which is correct)
When i pass it through a fieldset I only get the (Dr.) and not the (Doom). I need for the entire name to get passed. Can any one please help. I am NEW TO PHP, so please try to explain in simple form. Thank you very much ahead of time.
here is the code i am using.
echo "<fieldset>
<Legend> Contact Information </Legend>
PROFESSOR: <inputname='Professor' type= 'text' value=$Instructor maxlength='35'
disabled='disabled'> </fieldset>"
Sincce you've omitted quotes on HTML attribute, only characters up to the first whitespace will be interpreted in your html. Quote the attribute, and escape it properly with htmlentities() using the ENT_QUOTES option:
echo "<fieldset ... ... value='" . htmlentities($Instructor, ENT_QUOTES) . "' ... </fieldset>";
Note that without the escaping, it is vulnerable to cross-site scripting, in addition to potentially breaking the output markup.
You need to put quotes around attribute values that contain spaces. In your case they need to be escaped, because the PHP string literal also uses them:
echo "... value=\"$Instructor\" ...";
Variable sanitization aside, you forgot to quote this:
value=$Instructor
And mind the space here:
type= 'text'
By the way, There's a nice syntax in PHP called "heredoc" if you want to use blocks of HTML text.
$str = <<<EOF
<fieldset>
<Legend> Contact Information </Legend>
PROFESSOR: <inputname='Professor' type='text' value='$Instructor' maxlength='35' disabled='disabled'>
</fieldset>
EOF;
What's nice is the text can stay human readable and still support inline variable interpolation (putting "$something like this")
I am getting this error when running my page through the W3C validator:
= in an unquoted attribute value. Probable causes: Attributes running together or a URL query string in an unquoted attribute value.
Here is the code that is causing this error:
$prevPage = "?main=men&category1=1&pagenum=$prevp"."&lowRowNum=$prev_page_low".
"&highRowNum=$prev_page_high";
print("<a class='left' href=$prevPage>".
"Previous Page</a> ");
I am not getting any error like this in any of my other PHP scripts , so I am guessing it is something specific I am doing wrong here?
Can anyone see why this code is causing this error?
I have researched this and read that it may be down to HTML special characters? I am not sure..
Thank you
Simply try:
<a class='left' href='$prevPage'>
Notice the quotes. Always try to quote your attributes in HTML. Better practice would be to:
echo '<a class="left" href="' . $prevPage . '">' //etc etc;
Try not to echo the entire HTML string as you might get confused when using single vs. double quotes.
I would suggest using a combination of printf() and htmlentities() here:
printf(
'<a class="left" href="%s">Previous Page</a>'
, htmlentities($prevPage)
);
printf() takes a string and echos it after replacing specially-formatted tokens. In the above example, there is one token in the string, represented as %s.
When printf() runs, it replaces each token with a corresponding parameter. In the above example, the %s is replaced by the result of htmlentities($prevPage).
The manual page for sprintf() goes into more detail about how the tokens work and has many more examples (sprintf() and printf() are identical except that sprintf() returns the formatted string, while printf() outputs it directly).
To ensure that entities such as & are encoded correctly for markup validation, you should also make use of htmlentities().
I want to display text in html form(text field) that comes from DB so I used following code
....
.....
<input type="text" name="txtqname" id="txtqname" value="<?=$myvar ?>"></input>
....
.....
Here $myvar is variable whose value comes form DB and that may contains single or double quotes. Because of this my text is not properly displayed in text field as I want. I tried to replace double quotes with single as
....
.....
<input type='text' name='txtqname' id='txtqname' value='<?=$myvar ?>'></input>
....
.....
but still I don't get proper text. Please help me.
Thanks in advance...
Simple, all you have to do is:
<input type="text" name="txtqname" id="txtqname" value="<?= htmlspecialchars( $myvar ) ?>"></input>
Just use htmlentities() or htmlspecialchars()
http://php.net/manual/de/function.htmlentities.php
You should use proper addslashes() and stripslashes() for formatting data.
Make sure every data is properly formatted before inserting into database. Also try this mysql_real_escape_string()
You can use htmlentities function with ENT_QUOTES,
Ex: htmlentities($myvar, ENT_QUOTES);
ENT_QUOTES Will convert both double and single quotes.