I have a HTML form value as a PHP function: value='".$item->get_title()."' (This is in an echo statement hence the single quotes.) The problem is that if the returned title contains any quotes it breaks the value function.
Example: value="Kim Dotcom lawyer blasts US government" s "pattern of delay "e;'>
As you can see it breaks at government. There is supposed to be an apostrophe after that.
Does anyone know a fix for this?
The fix: value='".htmlspecialchars($item->get_title(), ENT_QUOTES)."'
Use htmlspecialchars to escape output not meant to be rendered as HTML:
value="'.htmlspecialchars($item->get_title(), ENT_QUOTES).'"
By default, htmlspecialchars only escapes double quotes, not single quotes. If you want to escape both (and so maintain your practice of putting HTML values in single quotes), add ENT_QUOTES as the second parameter to htmlspecialchars.
try with htmlspecialchars
htmlspecialchars($item->get_title());
try:
value='".str_replace('"', '', $item->get_title())."'
Related
So I am trying to link using data I got from a function but it keeps giving me a blank value for ID. Here's my code for what I'm trying to print
<h3 style="text-align: center;">Seller: <?php $sellername =
getNameFromListingID(); $id = getIDByUsername($sellername); echo "".$sellername."";?></h3>
The functions work properly, I have tried printing both of them and it works. They're in a file called getinfo.php, which I have
Include 'getinfo.php';
At the top of my document.
The link with the name works but I always get seller.php?id=, with no value after. Any clue as to why?
You're ending the href attribute too early.
<a href=\"seller.php?id=".$id."\">
This will put the $id inside the href attribute, where it belongs.
Use single quotes in PHP, it's a good practice to get into, and it's also slightly (a teeny tiny bit) faster for PHP to process. Why? Because, when you use double quotes, you're telling PHP that your string contains variables that may need to be evaluated.
So in truth, you don't even need the quotes around variables here.
echo "$sellername";
But doing it like this would be following a best practice.
And now you don't need to escape \" double quotes that HTML uses.
echo ''.$sellername.'';
Caution: It's also a very good idea to escape special characters in anything you're outputting into HTML markup. That avoids the potential for an XSS vulnerability. See: htmlspecialchars()
echo ''.htmlspecialchars($sellername).'';
I have a hint echo'd however, i have a issue with " and ' i can echo numerical values to the string, but not words..
$hint='<a href="javascript:void(0)"
onclick="javascript:document.contactForm.musicDetailTitle4.value=5;
document.contactForm.musicDetailArtist4.value=foo;">fill form</a>'.
5 works but foo doesn't works.
UPDATE
Still not getting an output
$hint='fill form'.
Whole Code
echo $hint='fill form'.$artist."-".$title."-".$id."</a>";
Output is...
fill formTomato Soup-Heinz-0001fill formTomato Soup-Heinz-0001
You need to escape the quotes
$hint='fill form'.
It doesn't have much to do with PHP but rather JavaScript.
When passing a numeric value you just pass the number itself, but when passing strings you must wrap them in quotations otherwise the compiler will mistake "foo" for a variable named foo which may or may not exist.
As others mentioned, all you have to do is wrap your string like so:
\'foo\'
The slashes are because you don't want to close your echo which was also opened using a single quote, so you need to escape the character so when it's echoed to the user it will become 'foo'.
Try this -
$hint='fill form'.
When declaring a string value you must add quotes, and when adding it in this way you must escape those quotes using the \ key.
Alright, so there's still stuff I have yet to learn about PHP. I'm trying to retrieve data from a MySQLi database and it's all fine until I'm forced to choose between double quotes or single quotes breaking something. With real_escape_string, I can store string data that contains a single quote, and it just gets escaped with a backslash, but if I don't use stripslashes() when I insert it into the value attribute...
If my value attribute looks like this in the code: value="_" then double quotes within the string, trim any data after it because it seems to be interpretted as the end of the value attribute.
If my value attribute looks like this in the code: value='__' then if I don't use stripslashes(), I see the slashes in the output, and if I use stripslashes(), it's the same thing with the double quotes, but with any of the escaped single quotes within the string.
Hope this makes sense. I'm fairly tired right now, but with a few replies and questions asked for anyone who doesn't quite understand, I'm sure we can figure this out. :)
If you have to output data into html which might have special characters use htmlspecialchars
<input type="text" value="<?php echo htmlspecialchars('\'"&<>') ?>">
http://codepad.org/DxV3uq0L
http://jsfiddle.net/Uu29D/
I'm encountering a problem involving escaping character that I think it's not simple at all. If this is done in javascript, nothing to say but the context is using echo command (in PHP) to write javascript code like this:
echo "<script>document.getElementById('spanID').innerHTML=\"$x\"</script>";
$x is a variable in PHP environment, which can contain both single and double quotes. What I do here is:
1. Keep the $x not change, and if $x contains any double quote, the above code won't work, the text echoed may look like:
<script>document.getElementById('spanID').innerHTML="leftside"rightside"</script>;
I supposed $x = leftside"rightside, and you can see it surely won't work.
Escape the double quotes in $x (change all " to "), then the text echoed may look like this:
document.getElementById('spanID').innerHTML="leftside"rightside";
The " won't be converted to " when it is assigned to innerHTML attribute of a Span (for e.g), so instead of my want, the innerHTML of my SPAN should be leftside"rightside, it will be leftside"rightside.
If I change the " to ' in the original echo, like this:
echo "<script>document.getElementById('spanID').innerHTML='$x'</script>";
It is the same because $x here can contain both single and double quotes.
I don't find out any other ways to escape quotes in this case. Could you please help me out?
Thanks!
You need to put between the quotes a string that is a valid string of JavaScript containing valid (and safe) HTML.
Your best option is to not use innerHTML and instead use document.createTextNode which means you only need to slash-escape the content.
Otherwise, you need to HTML escape, then slash escape the content. For correctness, your slash-escaping function should escape at least double-quotes, backslashes, and all JavaScript newlines (U+A, U+D, U+2028, U+2029). I believe PHP's addslashes does not handle U+2028 or U+2029 by default but How to escape string from PHP for javascript? has some alternatives.
To put it all together:
$x_escaped = json_encode($x, JSON_HEX_TAG);
echo "<script>document.getElementById('spanID').appendChild(document.createTextNode($x_escaped))</script>"
should do it. The JSON_HEX_TAG makes sure that $x_escaped will not contain </script> or any other content that prematurely ends your script tag. </script> will instead become \u003c/script\u003e.
Let say i have a column product name and it has value Shoe's.
When i pick that value from db and use mysql_real_escape_string and placed it in html hidden input it becomes <input type='hidden' value='Shoe\'s' id='product_name'>
When i do $('#product_name').val() it return only Shoe\ truncating the s or rest of the value after that. The jQuery is assuming an escaped single quote as a closing quote for attr value.
On solution is to use value="" (enclosed in double quotes) but what if value contains a double quote? So the problem persists.
Any help is appreciated.
Thanks!
You must not use mysql_real_escape_string for HTML output. Use the appropriate htmlspecialchars instead.
In HTML, a backslash before a quote does not mean that the quote is escaped. An escaped ' in HTML is '. That's why you use the appropriate escaping method for your output target. mysql_real_escape_string is appropriate when escaping for SQL, htmlspecialchars is appropriate when escaping for HTML.