stripslash acting weird or is that normal? - php

I have a database var that contains
5/8\" Cabinet Grade Plywood
The \ is being added by either WP or SQL to escape the ".
When retrieving this var I use stripslashes() both in the value of the field used to edit that table (so that the next time someone wants to edit that field he/she will see what's in that input already) and on the actual website where it is supposed to appear.
The weird thing is...
In the field it cuts from 5/8\" Cabinet Grade Plywood to just 5/8
and on the website where it is supposed to appear it shows normally, without slashes or anything unusual.
This is how I stripslash the field:
$somevar = '<input value="'.stripslashes($currentselected['something']).'" class="niceclass" name="something" type="text" />';
and this is how I use it when it appears on page:
<td><span style="font-size: larger;"><?php echo stripslashes($goods['verygood']); ?></span></td>

it simply collides with HTML markup
<input value="'.stripslashes($currentselected['something']).'"/>
will result in
<input value="5/8" Cabinet Grade Plywood" />
Take a look at those ": it's broken right there. You need to escape those ".
To fix this, use the urlencode function in PHP
<input value="'.urlencode(stripslashes($currentselected['something'])).'"/>
or the htmlspecialchars function; it should replace quotes with
&quot;

You could use some htmlspecialchars on the output. The " has special meaning in HTML, and in this case would actually be seen as the closing of the value attribute of the input. Thus, you should escape it (htmlspecialchars will translate " to &quot;).
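The three variants discussed in this thread, run through an HTML parser to show what the field actually receives. This is an added example, not code from the original posts; the stored string is constructed from the question, the helper name inspectInput is hypothetical, and the PHP dom extension is assumed to be installed.

```php
<?php
// Added example. $stored is a constructed value mirroring the question's row.
$stored = '5/8\\" Cabinet Grade Plywood';   // as stored, with the backslash
$raw    = stripslashes($stored);            // backslash removed, quote remains

/**
 * Parse markup with an HTML parser and report what the <input> ended up with:
 * the value the field would show, plus every attribute name the parser saw.
 */
function inspectInput(string $html): array
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // broken markup emits warnings
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $input = $doc->getElementsByTagName('input')->item(0);
    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return ['value' => $input->getAttribute('value'), 'attributes' => $names];
}

$variants = [
    'stripslashes only' => $raw,                                        // quote ends the attribute
    'urlencode'         => urlencode($raw),                             // wrong encoding for HTML
    'htmlspecialchars'  => htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'), // attribute-safe
];

foreach ($variants as $label => $value) {
    $html = '<input class="niceclass" name="something" type="text" value="' . $value . '" />';
    $seen = inspectInput($html);
    echo $label, PHP_EOL;
    echo '  markup:     ', $html, PHP_EOL;
    echo '  field shows: ', $seen['value'], PHP_EOL;
    echo '  attributes: ', json_encode($seen['attributes']), PHP_EOL;
    echo '  round-trips: ', var_export($seen['value'] === $raw, true), PHP_EOL;
}
```

Only the htmlspecialchars variant gives the field the exact original string; the unescaped variant also turns the rest of the data into extra attribute names, which is the same mechanism that lets untrusted input alter the page's markup.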


php - input doesnt show the full value

I'm trying to put input value, which is called from base.
<input class=\"title\" name=\"title\" value=".$edit['title']." />
Title is: New York Welcome! But it shows just New. If I write NewYorkWelcome! it shows right, but when there are spaces - no.
I just tried to echo the $edit['title'] not in input - it shows correctly. Very strange problem. Please, any solution?
If the string is delimited by double quotes, you must escape those as you did with the previous attributes:
<input class=\"title\" name=\"title\" value=\"{$edit['title']}\" />

PHP to output single and double quotes as a value for an input element

I have a value ($title) that is stored in MySQL and is being called, using PHP, to be inserted into the value of an input element. The problem is when a single or double quote is used, the value of the input field terminates at that point.
The behavior that should occur is the input field should be populated EXACTLY with the data in the $title variable, so that when the form is updated, the quotes remain intact.
Here is the PHP:
<?php
echo '<input type=text size=91 name=title value="'.stripslashes($title).'">';
?>
Now, here is a typical problem: if the value of $title is
this is a test " of what occurs with a quote
and I echo the variable, it echoes correctly to
this is a test " of what occurs with a quote
However, when used in an input field, it renders as:
<input value="this is a test " of what occurs with a quote">
The first " terminates the value of the field, causing the new value to be:
this is a test
I'm confused as to how to get the proper value to display and be submitted with the form, when that variable is displayed and updated.
Try using htmlspecialchars. This will escape the " in your title.
value="'.htmlspecialchars($title).'">
Put a \ before the quote.
echo "This is a \" test";
Change this line.
<input type=text size=91 name=title value="'.stripslashes($title).'">
To
<input type=text size=91 name=title value=\''.stripslashes($title).'\'>
Why are you running stripslashes()? Running addslashes() (the opposite function) would fix this particular issue, but a better approach would be to use htmlentities($title, ENT_COMPAT, 'utf-8') everywhere you output the title (or, if your structure allows, when the data is stored).
After you perform stripslashes you should use htmlspecialchars to escape the special characters. This avoids the mess the characters like ",', etc might otherwise create.
<input type=text size=91 name=title value="'.htmlspecialchars(stripslashes($title)).'">
The above snippet will only fix it for display purpose. But when the submit happens you must use either mysql_real_escape_string() or $pdo->quote() to escape the special characters before you run the SQL query.
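The storage side of the last answer above, as an added example that is not code from the original posts. It uses PDO prepared statements in place of mysql_real_escape_string() or $pdo->quote(), with an in-memory SQLite database standing in for MySQL; the table name, column name and helper storedTitles are hypothetical, and the pdo_sqlite extension is assumed.

```php
<?php
// Added example; table, column and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)');

// Constructed input taken from the question's sample text.
$title = 'this is a test " of what occurs with a quote';

$insert = $pdo->prepare('INSERT INTO items (title) VALUES (:title)');

// Row 1: the value is bound as data, so it is stored byte for byte.
$insert->execute([':title' => $title]);

// Row 2: slashes added before binding become part of the stored value,
// which is why stripslashes() later looks necessary on output.
$insert->execute([':title' => addslashes($title)]);

function storedTitles(PDO $pdo): array
{
    return $pdo->query('SELECT title FROM items ORDER BY id')
               ->fetchAll(PDO::FETCH_COLUMN);
}

foreach (storedTitles($pdo) as $row) {
    // Escape for the HTML attribute only at output time.
    $field = '<input type="text" size="91" name="title" value="'
           . htmlspecialchars($row, ENT_QUOTES, 'UTF-8') . '">';
    echo 'stored:   ', $row, PHP_EOL;
    echo 'rendered: ', $field, PHP_EOL;
    echo 'intact:   ', var_export($row === $title, true), PHP_EOL, PHP_EOL;
}
```

With bound parameters the database layer needs no slashes at all, so the only escaping left is htmlspecialchars() at the point where the value is written into the form.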

Certain Characters Deleted When Submitted Through POST

I have two issues
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon />
So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &amp;). So as an example, if someone enters Me & you then it will be displayed as Me you.
So I'm asking: How can I fix the above issues, seeming to have to do with special characters, despite already having them escaped (and I even tried applying the escape function again)? If there is any sample code I should supply, please let me know, but I've explained what I am doing to each input.
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon /> So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
This has nothing to do with submitting the data. You are trying to use ' in an attribute value that is delimited with ' characters.
Use htmlspecialchars($data, ENT_QUOTES)
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &amp;). So as an example, if someone enters Me & you then it will be displayed as Me you.
In data encoded as application/x-www-form-urlencoded & means "Start of new key=value pair" and + means "A space". You need to urlencode($data).
First, it helps to properly contain HTML attributes, like so:
<input type="text" value="Hello there I'm Jon" />
I'm using double quotes, notice the trailing quote on the value, which your original didn't have. If you then wrap the value in htmlentities() you'll be able to properly display/save " or any other value in your form.
While double quotes aren't strictly necessary in HTML5 (' will work just fine in most cases), they are at least encouraged. If you're using some variant of XHTML, they are required.
A lazy but fast way to do things here is to use urlencode() on the contents of the fields before they are posted, and then urldecode() on the other side.
It's not the proper way, or the nice way ... but it works if you don't want to write some specific code to handle the cases.
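How & and + are read inside application/x-www-form-urlencoded data, as described in the first answer of this thread. This is an added example, not code from the original posts; the field names and the helper decodeBody are hypothetical, and the hand-built body is a constructed illustration of a request assembled without encoding.

```php
<?php
// Added example: constructed field values based on the question.
$fields = ['comment' => 'Me & you', 'sum' => '1+1'];

// Body assembled by plain concatenation: the & and + inside the values
// are indistinguishable from the format's own separators.
$naive = 'comment=' . $fields['comment'] . '&sum=' . $fields['sum'];

// Body with every key and value percent-encoded before joining.
$encoded = http_build_query($fields);

// Decode a urlencoded body into an array, as a receiving script would see it.
function decodeBody(string $body): array
{
    $out = [];
    parse_str($body, $out);
    return $out;
}

foreach (['naive' => $naive, 'encoded' => $encoded] as $label => $body) {
    echo $label, ' body: ', $body, PHP_EOL;
    var_dump(decodeBody($body));
    echo 'matches input: ', var_export(decodeBody($body) === $fields, true), PHP_EOL, PHP_EOL;
}
```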

mysql text value with apostrophe not showing up correctly

I'm inserting the following TEXT value into MySQL using..
$groupname = addslashes($_POST['groupname']);
When getting the value from Mysql I'm using
$name = $row['groupname'];
echo $name;
And this shows correctly as "Mr. Davis's Group"
but when this value is added to a form as
then I pass the value to another page, and retrieve it as
$name = $_POST['groupname'];
echo $name;
it shows up as "Mr. Davis", keeping everything before the apostrophe.
No clue why. I've tried adding stripslashes($_POST['groupname']); and the same thing happens.
<input name='groupname' type='hidden' value='$groupname' />
Will generate:
<input name='groupname' type='hidden' value='Mr Davis's Group' />
                                                     ^----
At the indicated spot, the browser's parser will see the 'end' of the value=, followed by some unknown attribute s and a broken attribute Group '.
To embed this type of text in a form, you need to use htmlspecialchars(), which will convert any HTML metacharacters (<, >, ', ") into their character entity equivalents, so they can be safely embedded in a form.
addslashes() is a deprecated method of "safely" adding something into a database. It will not make something safe to embed in HTML.
Check the text encoding of your input webpage. Match your db charset - use utf-8.

double quotes makes text disappear, why?

Whenever the text's value has double quotes, everything after and including the double quotes disappears.
Ex: Nice bmw m3 with 19" wheels BECOMES Nice bmw m3 with 19; the part after the double quotes is skipped.
Is there any way around this?
About the code below: This is for a form on a php page, so when the form is submitted to itself the value of the input remains unchanged, so the user doesn't have to fill in everything again whenever form is submitted to self.
<input style="width:300px;" type="text" name="annonsera_headline" id="annonsera_headline" value="<?php echo @$_POST['annonsera_headline'];?>">
Thanks
Because " ends the value of the html attribute.
Use htmlentities or htmlspecialchars
value="<?php echo htmlentities(@$_POST['annonsera_headline']);?>">
It is not advisable to write values from $_POST or $_GET without using at least one of the above functions as otherwise it allows people to construct a URL that alters the HTML on your page.
You forgot to sanitize the value with htmlentities().
... value="<?= htmlentities($_POST['annonsera_headline']) ?>"
