using htmlspecialchars in value attribute of text input - php

My question is similar to this question but I'm not using code igniter. I'm echoing variables obtained from a database into the value attribute of a text input. The variables may contain ' or " or any other special chars.
I tried:
<input type="text" name="myTextInput" value="<?= htmlspecialchars($dbValue, ENT_QUOTES); ?>" />
but it outputs quotes as &quot; or &#039; which is not what I want. I want the text input to actually contain the quotes as typed by the user.
Should I be using a PHP function or a JavaScript function to escape the string? If I don't escape it I get a JavaScript error because the quotes inside the $dbValue string are interacting with the value attribute quotes.

That's exactly what you DO want, however. e.g.
if your inserted data is
Davy "Dead Pirate" Jones
and you insert that into an input field literally, you'd end up with
<input type="text" name="..." value="Davy "Dead Pirate" Jones" />
which will be interpreted as follows:
<input> field with attributes:
type -> 'text'
name -> '...'
value -> ' ' (a single space)
Dead ->
Pirate ->
" ? dangling quote
Jones ->
" ? -> another dangling quote
By comparison, after doing an html_entities, you'd have
Davy &quot;Dead Pirate&quot; Jones
and that can be inserted into the <input> field without issue.
If the input field's value contains a literal &quot; that's visible to the user, then you've got some double-encoding going on.

You'll want to use html_entity_decode. Here's an example from the documentation:
<?php
$orig = "I'll \"walk\" the <b>dog</b> now";
$a = htmlentities($orig);
$b = html_entity_decode($a);
echo $a; // I'll &quot;walk&quot; the &lt;b&gt;dog&lt;/b&gt; now
echo $b; // I'll "walk" the <b>dog</b> now
?>
Reference: http://www.php.net/manual/en/function.html-entity-decode.php

You're looking for the opposite of htmlspecialchars; try using html_entity_decode.
Here is your code using html_entity_decode.
<input type="text" name="myTextInput" value="<?= html_entity_decode($dbValue, ENT_QUOTES); ?>" />
Here is a link to the manual -> http://www.php.net/manual/en/function.html-entity-decode.php
If you have any problems using this you might want to check out this question, which has a common encoding problem -> https://stackoverflow.com/a/4638621/1065786

To display single quotes, double quotes and HTML tags as a text field value, try:
<?php
$formVal = htmlspecialchars($dbValue, ENT_COMPAT, 'utf-8');
// or this:
// $formVal = htmlspecialchars($dbValue);
?>
<!-- html -->
<form>
<input type="text" name="myTextInput" value="<?php echo $formVal; ?>" />
</form>
http://www.sitepoint.com/form-validation-with-php
https://www.inanimatt.com/php-output-escaping.html

Related

My <input> box won't display single quotes

If it has a single quote in it, any string that I try to enter into my HTML input box is truncated in the input box once it is submitted. Its POST value comes through unchanged, but the string shows as truncated in the input box, whether I use htmlspecialchars() or not. A noobie question, no doubt, but I've tried hard to figure it out and run out of ideas. Thanks for any help.
<!DOCTYPE html>
<html>
<head><title> Self-inserting input_box_SO.php </title></head>
<body>
<?php
// POST form initiation.
echo "<form action='input_box_SO.php' method='post'>";
// Get the POSTed value (empty on the first load) and escape it for HTML use
$Caption_htmlspecialchars = $_POST['Caption_htmlspecialchars'] ?? '';
$Caption_htmlspecialchars = htmlspecialchars($Caption_htmlspecialchars);
echo "The echo of the variable <em> \$Caption_htmlspecialchars </em> looks like this:<br>";
echo "<b> $Caption_htmlspecialchars </b><br>";
echo "But in the input box, \$Caption_htmlspecialchars is truncated by a single quote: <br>";
// ETA: Bad old line that caused the problem, now commented:
// ECHO "<input type='text' name='Caption_htmlspecialchars' size=100 value='$Caption_htmlspecialchars' maxlength = 100 required /><br><br>";
// ETA: Newly added line that fixes the problem:
echo '<input type="text" name="Caption_htmlspecialchars" size=100 value="'.$Caption_htmlspecialchars.'" maxlength = 100 required /><br><br>';
// SUBMIT button. Submits back to the same page: input_box_SO.php
echo "<b><input type='Submit' name='submit' value='Submit'/></b><br><br>";
echo "</form>";
?>
</body></html>
Here is what Inspect Elements > Elements shows for the input element:
The echo of the variable $Caption_htmlspecialchars looks like this: test with special chars. & " < > and a single quote ('), which causes truncation in the input box. But in the input box, $Caption_htmlspecialchars is truncated by a single quote: and a single quote (" ),="" which="" causes="" truncation="" in="" the="" input="" box.="" '="" maxlength="100" required="">
With the Source looking like this: value='test with special chars. &amp; &quot; &lt; &gt; and a single quote ('), which causes truncation in the input box. '
You need to change your sequence of single quotes and double quotes to display the string. Change your echo of the <input> as below:
echo '<input type="text" name="Caption_htmlspecialchars" size=100 value="'.$Caption_htmlspecialchars.'" maxlength = 100 required /><br><br>';
Try to use addslashes, like this:
$Caption_htmlspecialchars = addslashes($Caption_htmlspecialchars);

Display double quotes in html input values from database

This is my php code. For an example:
<?php
while($row=sqlsrv_fetch_array($result))
{
$ItmName = $row['ItemName'];
}
?>
This is my html:
<input type="text" id="ItmName" name="ItmName" value="<?php echo $ItmName; ?>" />
If the data is 3" FILE, which has a double quote, in the textbox field it will only be displayed as:
3
when it is supposed to be
3" FILE
but IF the data is 3' FILE, which has a single quote, it will be displayed as 3' FILE. So there's no problem. So my question is, how do I display data with double quotes in an HTML input's value?
Always always always escape output that you don't trust.
Use htmlspecialchars (or htmlentities) to escape strings so they are safe to use in HTML.

Multi-word $_GET variable problem in PHP

I am currently writing some search engine, where this page is retrieving some _GET variables from a previous page. This is working as intended.
Now I am using those variables as default value in a POST form. However, for some reason, only the first word for each of them is showing up. The form code is as follows:
<form action = "insert.php" method = 'POST'>
Place name <input type="text" name="name" size = "30" value= <?php echo $_GET['name']; ?> />
Note that when echoing $_GET['name'] anywhere else in the page, everything is fine. Multiple words show up as expected, but when I use it as a text box default value, only the first word shows up on the textbox.
At first, I thought it had something to do with the way those $_GET variables are sent in the URL so I tried this:
$fullname = array();
$fullname = explode("%20", $_GET['name']);
$aaa = implode (' ',$fullname);
...
Place name <input type="text" name="name" size = "30" value= <?php echo $aaa; ?> />
but the result is still the same. If I echo it anywhere else in the page I get the full string, but if it's inside the form only the first word shows up.
What am I missing here?
The value attribute of the input tag needs to be in quotes:
<input type="text" name="name" size = "30" value="<?php echo $_GET['name']; ?>" />
Otherwise, if $_GET['name'] contains spaces you'll end up with something like: value=John Smith. That will be understood as value=John with an invalid Smith attribute floating around.
Also, consider sanitizing $_GET['name'] with htmlspecialchars. Consider what would happen if $_GET['name'] was "/><script>alert(0)</script><. You'd end up embedding user-controlled code on your website, resulting in a reflected XSS.
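The same breakage shows up in several of these questions: a double-quoted value attribute holding an unescaped " (the original question and the 3" FILE question), a single-quoted attribute holding a ' that htmlspecialchars left alone (the truncation question), and an unquoted attribute split at the first space (this question). The following added example is not code from any of the posts. It builds each variant and parses it with PHP's DOMDocument to show the value attribute a browser would actually end up with and whether a script element appeared; attr() and parse() are names chosen for the example, and the sample strings are constructed (the last one is the probe quoted in the answer above).

```php
<?php
declare(strict_types=1);
// Added example, not code from the questions or answers above. Each <input> is
// built several ways and then parsed the way a browser would parse it.

/** Escape $value for use inside a quoted HTML attribute (double or single quotes). */
function attr(string $value): string
{
    // ENT_QUOTES: encode both " and '. ENT_SUBSTITUTE: replace invalid UTF-8 with
    // U+FFFD instead of returning '' and silently blanking the field.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Return [value attribute of the first <input> (null if none), number of <script> elements]. */
function parse(string $fragment): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);      // the broken variants are broken on purpose
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $fragment . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return [
        $input === null ? null : $input->getAttribute('value'),
        $doc->getElementsByTagName('script')->length,
    ];
}

// Constructed inputs covering the cases from the questions above.
$samples = [
    'Davy "Dead Pirate" Jones',
    "3' FILE",
    'John Smith',
    '"/><script>alert(0)</script><',
];

foreach ($samples as $raw) {
    $variants = [
        // value attribute not quoted at all (the $_GET['name'] question)
        'unquoted'          => '<input type="text" name="t" value=' . $raw . ' />',
        // double-quoted but not escaped (the original question and the 3" FILE question)
        'raw in "..."'      => '<input type="text" name="t" value="' . $raw . '" />',
        // single-quoted attribute with ENT_COMPAT, the default before PHP 8.1, which
        // leaves ' alone (the "truncated by a single quote" question)
        'ENT_COMPAT in \'...\'' => "<input type=\"text\" name=\"t\" value='" . htmlspecialchars($raw, ENT_COMPAT, 'UTF-8') . "' />",
        // escaped with ENT_QUOTES: safe in either quote style
        'attr() in "..."'   => '<input type="text" name="t" value="' . attr($raw) . '" />',
        'attr() in \'...\''   => "<input type=\"text\" name=\"t\" value='" . attr($raw) . "' />",
    ];
    echo "raw: $raw\n";
    foreach ($variants as $label => $html) {
        [$value, $scripts] = parse($html);
        printf("  %-22s value=%-34s scripts=%d\n", $label, var_export($value, true), $scripts);
    }
    echo "\n";
}
// Only the attr() rows reproduce $raw exactly for every sample and never yield a <script> element.
```

The escaped source contains &quot; and &#039;, but the parsed value attribute is the original string, which is what the browser shows in the box; a literal &quot; visible to the user means the value was encoded twice, not that ENT_QUOTES was wrong.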

HTML Special characters in DB and echo back in input

Morning,
I have created a small form to store some information to a database.
I have magic_quotes_gpc turned off on my server.
If I enter a " or a £ sign in the box it stores into the database without a worry.
When I echo it back with PHP it displays, but if I use the value in an input form field the " closes the value field.
<input type="text" name="variable" value="<?php echo $row['variable']; ?>" />
I have now used htmlspecialchars around the input value and it works.
<input type="text" name="variable" value="<?php echo htmlspecialchars($row['variable']); ?>" />
But I have looked at the OpenCart source as a reference and they do not use htmlspecialchars but store the data in a different way.
I tried using the urlencode method they have used:
urlencode(html_entity_decode($_POST['variable'], ENT_QUOTES, 'UTF-8'));
but this seems to store as a lot of numbers and + signs which did not display back correctly.
I would rather encode the database update instead of using the method I am with htmlspecialchars.
But not quite sure which way would be best?
Thank You
You may use the htmlentities() function in PHP.
Perhaps try mysqli_real_escape_string($dblink, $string) instead of htmlspecialchars
For storing the HTML characters, change the characters and then store them:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>
To get back the correct HTML characters, do the decoding as:
<?php
$str = "<p>this -&gt; &quot;</p>\n";
echo htmlspecialchars_decode($str);
// note that here the quotes aren't converted
echo htmlspecialchars_decode($str, ENT_NOQUOTES);
?>
For more information refer to http://www.php.net/manual/en/function.htmlspecialchars.php
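On the question of whether to encode before storing or on output: the added example below is not code from the question, the answers or OpenCart. It keeps the two layers apart: values go into the database raw through a PDO prepared statement (the driver handles the SQL quoting that mysqli_real_escape_string would otherwise do by hand), and htmlspecialchars is applied only at the moment the value is written into the attribute. It uses an in-memory SQLite database so it runs offline; the settings table and its variable column are invented for the example, attr() is a helper defined here, and the submitted strings are constructed.

```php
<?php
declare(strict_types=1);
// Added example, not code from the question, its answers or OpenCart.
// Two escaping layers for two different consumers: the database driver quotes
// the value for SQL (prepared statement), and htmlspecialchars quotes it for the
// HTML attribute, at output time only. In-memory SQLite keeps it offline; the
// table and column names are invented for the example.

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE settings (id INTEGER PRIMARY KEY, variable TEXT NOT NULL)');

// Constructed user input: the " and £ from the question, plus a string mixing both quote styles and a tag.
$submitted = ['He said "hi"', 'Price: £5', "O'Reilly's \"<b>bold</b>\" entry"];

$insert = $db->prepare('INSERT INTO settings (variable) VALUES (:variable)');
foreach ($submitted as $value) {
    // No addslashes, htmlentities or real_escape_string here: the value is bound, not spliced into the SQL text.
    $insert->execute([':variable' => $value]);
}

/** Escape for a quoted HTML attribute; ENT_QUOTES covers both quote styles. */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$rows = $db->query('SELECT id, variable FROM settings ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $i => $row) {
    if ($row['variable'] !== $submitted[$i]) {
        throw new RuntimeException('stored value was altered');   // it is stored raw, byte for byte
    }
    echo "db:   {$row['variable']}\n";
    // Escaping happens exactly once, here, where the value meets HTML.
    echo 'html: <input type="text" name="variable" value="' . attr($row['variable']) . '" />' . "\n\n";
}

// Escaping before storage instead puts &quot; in the database; escaping again on output
// then double-encodes it, and the user sees a literal &quot; in the box.
$preEncoded = htmlspecialchars($submitted[0], ENT_QUOTES, 'UTF-8');                 // He said &quot;hi&quot;
echo 'stored encoded, escaped again: value="' . attr($preEncoded) . '"' . "\n";   // He said &amp;quot;hi&amp;quot;
echo 'stored encoded, decoded first: value="' . attr(html_entity_decode($preEncoded, ENT_QUOTES, 'UTF-8')) . '"' . "\n";
```

The last two lines show the only situation in which html_entity_decode belongs in this flow: undoing an encoding that was applied too early, so that the single escape at output does not become a double one.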

PHP pass variable through URL

I understand how a PHP URL works - I think ... but I'm having problems getting the actual value of the variable to be passed in the example below.
Example
Note: I am adding the below form into a data cell (as part of a table being read via PHP).
$currentrowid = 1;
echo '<td>
<div class="editdelete">
<form action="phpindex.php?page=edit&thisrow=<?php echo $currentrowid;?>" method="post">
<input type="submit" value="Edit" >
</form>
</div>
</td>';
... Some other section of code to read the URL output by the form above:
$val = $_POST['thisrow'];
echo "the value is: " .$val; //Outputs "$currentrowid"
So, as you can see the code returns the actual name of the variable being passed, NOT the value of the variable being passed.
Any ideas here?
Since you are already within a PHP block, you should not wrap your variable within <?php ... ?>. This will give you an error.
To make this work, you can choose 1 of 2 options:
1) String Concatenation:
echo '... <form action="phpindex.php?page=edit&thisrow='.$currentrowid.'" method="post"> ...';
2) Wrap your string in " (double quotes) instead of ' (single quotes):
echo "... <form action=\"phpindex.php?page=edit&thisrow=$currentrowid\" method=\"post\"> ...";
Note that the second method forces you to escape all the double quotes inside of your string.
2 points.
<form action="index.php?thisrow=<?php echo $currentrowid ?>"
method="post">
You should use $_POST not $_GET to get the post value.
As what was answered above,
<form action="index.php?thisrow=<?php echo $currentrowid; ?>" method="post">
is correct.
The reason behind this is you are passing HTML and you have to use an echo from php to output to the html. Otherwise you just get exactly what you put, which is $currentrowid.
Not the easiest, but a quick way to solve your problem: change your form method to get (method="get"), then
$val = $_GET['thisrow'];
