I have two issues
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form where I allow the submitted content to be modified, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon />
So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &amp;). So, as an example, if someone enters Me & you then it will be displayed as Me you.
So I'm asking: How can I fix the above issues, seeming to have to do with special characters, despite already having them escaped (and I even tried applying the escape function again)? If there is any sample code I should supply, please let me know, but I've explained what I am doing to each input.
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form where I allow the submitted content to be modified, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon /> So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
This has nothing to do with submitting the data. You are trying to use ' in an attribute value that is delimited with ' characters.
Use htmlspecialchars($data, ENT_QUOTES)
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &amp;). So, as an example, if someone enters Me & you then it will be displayed as Me you.
In data encoded as application/x-www-form-urlencoded & means "Start of new key=value pair" and + means "A space". You need to urlencode($data).
First, it helps to properly contain HTML attributes, like so:
<input type="text" value="Hello there I'm Jon" />
I'm using double quotes; notice the trailing quote on the value, which your original didn't have. If you then wrap the value in htmlentities() you'll be able to properly display/save " or any other value in your form.
While double quotes aren't strictly necessary in HTML5 (' will work just fine in most cases), they are at least encouraged. If you're using some variant of XHTML, they are required.
A lazy but fast way to do things here is to use urlencode() on the contents of the fields before they are posted, and then urldecode() on the other side.
It's not the proper way, or the nice way ... but it works if you don't want to write some specific code to handle the cases.
I'm trying to output the name of a project i.e. "David's Project" in a form, if a user does not correctly input all data in the form, to save the user having to input the name again.
If I var_dump $name I see David's project. But if I echo $name I see David"'" Project. I realise that ' (single quote) becomes "'"; but I have tried using ENT_NOQUOTES and ENT_COMPAT to avoid encoding the single quote but neither works.
$name = trim(filter_input(INPUT_POST, 'name0', FILTER_SANITIZE_STRING));
<form method="post" class="form">
Title: <input type="text" name="name0" value="<?php echo htmlspecialchars($name, ENT_NOQUOTES); ?>">
Am I doing something wrong, or should ENT_NOQUOTES work? I tried using str_replace to replace ' with \', but this didn't work either.
The only way round this I have found is to use this:
htmlspecialchars_decode(htmlspecialchars($name, ENT_NOQUOTES));
Is that acceptable?
Sorry, I realise this is probably a really stupid question, but I just can't get my head around it.
Thanks for any replies.
You can accept a simple answer if it solves your problem BUT you should really understand that what you have delved into is a much larger issue you or someone has created for you.
Databases should not contain HTML encoded characters unless they are specifically meant for storing HTML. I highly doubt this is the case as it very rarely is.
Someone is inserting HTML into your database (html encoding data on insert). This means if you ever want to use a mobile app that is not HTML based, or a command line, or anything at all that might use the data and isn't HTML based, you are going to run into a weird problem where the HTML encoded characters have to be removed on output. This is typically kind of the backwards way to do it and can often cause issues.
You rarely need to "sanitize" your inputs. If anything, you should reject input that is not allowed OR simply escape it in the proper way while inserting it into the database. Sanitizing is only a thing in very special circumstances, which you don't appear to have right now. You're simply inputting and outputting text.
You should pretty much never change users' input.
My suggestion, if possible, is to fix your INSERT code first so it isn't html encoding data. This html encoding should happen when you output the data TO AN HTML FORMAT. You would use htmlspecialchars() to do this.
I am creating an HTML form (to send a plain text email, using Swift Mailer ..but that's not important right now), using PHP server-side, where I want to display the user's text input for them to finally confirm before actually sending the email.
I use nl2br(htmlspecialchars()) to display the user's form field input safely, and then need to output that input into an <input type="hidden" ../> form field to be submitted again for actually creating the email.
The email body can obviously contain all sorts of potentially troublesome characters such as single and double quotes, ampersands, less-than and greater-than symbols.
In the context of my input field, am I right in thinking that my sole(?) problem is ensuring that the form quotes around value=".." (I usually use double quotes) and any quote characters in the input string value don't clash with each other? Is there a PHP function along similar lines to htmlspecialchars which will escape quotes as necessary? I don't want to convert anything into HTML entities as the email that I will be sending will be plain text.
You must use the function String addslashes( $str ) http://php.net/manual/fr/function.addslashes.php
After much further perusal of the PHP manual, it looks as though I can use htmlspecialchars($text, ENT_QUOTES) to safely encode my text for the form field, and then use (the "relatively" new corresponding reverse function) htmlspecialchars_decode($text, ENT_QUOTES) to convert the HTML entities safely back to normal characters again, when creating the plain text email message.
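An added PHP example (constructed here, not code from either thread) that walks one raw string through the two storage choices discussed in the "encode on output" answer above and in the hidden-field thread that ends here: HTML-encoding at insert time versus storing the text as typed and encoding only at HTML output. The function names and the sample string are invented for the demo.

```php
<?php
declare(strict_types=1);

// Constructed sample: the text a user typed into the "project name" box.
const RAW_NAME = "David's \"Big\" Project & Co";

// The anti-pattern the answer describes: HTML-encoding the value on INSERT.
// (SQL escaping is a separate concern: bind the raw string as a query parameter.)
function storeEncoded(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Recommended: the stored value is exactly what the user typed.
function storeRaw(string $raw): string {
    return $raw;
}

// The one place HTML encoding belongs: when the value goes into HTML output.
function renderField(string $stored): string {
    return '<input type="text" name="name0" value="' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '">';
}

// What the browser shows inside the box (and submits back): the attribute decoded once.
function shownInBox(string $fieldHtml): string {
    preg_match('/value="([^"]*)"/', $fieldHtml, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// A non-HTML consumer, like the plain-text email in the second thread, needs the raw text.
function plainTextBody(string $stored): string {
    return 'Project: ' . $stored;
}

// One-time repair for rows that were encoded on insert: decode once, after which the
// normal output path (renderField) applies. htmlspecialchars_decode() reverses
// htmlspecialchars(), so the asker's decode(encode($name)) just emits the stored,
// already-encoded string unchanged; it only looks right because the row is encoded.
function repairLegacyRow(string $stored): string {
    return htmlspecialchars_decode($stored, ENT_QUOTES);
}

foreach (['encoded on insert' => storeEncoded(RAW_NAME), 'stored raw' => storeRaw(RAW_NAME)] as $label => $stored) {
    echo $label, "\n";
    echo '  in the box : ', shownInBox(renderField($stored)), "\n";
    echo '  plain email: ', plainTextBody($stored), "\n";
}
echo 'repaired row in the box: ', shownInBox(renderField(repairLegacyRow(storeEncoded(RAW_NAME)))), "\n";
```

With the row encoded on insert, both the form box and the plain-text email carry literal entities; with the row stored raw, the form box shows the apostrophe and quotes correctly and the email gets the text verbatim.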
This kind of apostrophe, ’, ruins my input, which is saved to the database. I've tried
$GeneralChangeDescriptions[$ChampionNumber+1][$indexGeneral+1] = str_replace("’", "'", $GeneralChangeDescriptions[$ChampionNumber+1][$indexGeneral+1]);
So changing ’ to ' gives no result; I still get an empty field.
This value with the apostrophe is shown just fine, but after sending it with
<input type="hidden" name="GeneralChangeDescriptions" value="'.htmlspecialchars(json_encode($GeneralChangeDescriptions)).'">
it is no longer visible; the whole input is blank. Is there any way to fix this?
Update:
After fiddling a bit with the code I found out that json_encode completely wipes my input after sending. Are there any easy solutions?
I have a database var that contains
5/8\" Cabinet Grade Plywood
the \ being added by either WP or SQL to escape the ".
When retrieving this var I use stripslashes() both in the value of the field used to edit that table (so that the next time someone wants to edit that field he/she will see what's in that input already) and on the actual website where it is supposed to appear.
The weird thing is ..
in the field it cuts from 5/8\" Cabinet Grade Plywood to just 5/8
and on the website where it's supposed to appear it shows normally, without slashes or anything unusual.
This is how I stripslash the field:
$somevar = '<input value="'.stripslashes($currentselected['something']).'" class="niceclass" name="something" type="text" />';
And this is how I use it when it appears on the page:
<td><span style="font-size: larger;"><?php echo stripslashes($goods['verygood']); ?></span></td>
It simply collides with the HTML markup:
<input value="'.stripslashes($currentselected['something']).'"/>
will result in
<input value="5/8" Cabinet Grade Plywood" />
Take a look at those "; it's broken right there. You need to escape those ".
To fix this, use the urlencode function in PHP:
<input value="'.urlencode(stripslashes($currentselected['something'])).'"/>
or the htmlspecialchars function, which should replace quotes with &quot;
You could use htmlspecialchars on the output. The " has special meaning in HTML, and in this case would actually be seen as the closing of the value attribute of the input. Thus, you should escape it (htmlspecialchars will translate " to &quot;).
I have a textarea, which I need to be able to take characters including / and ' as well as special characters in ASCII. It does this fine, and sends the data to a php page by the POST method.
Then I repopulate the text area simply by putting
<?php echo isset($F_Text) ? $F_Text : '' ?>
between the textarea tags ($F_Name = $_POST["F_Name"]), with the intention that the user can then alter what they typed in and resubmit.
But each time the form is repopulated two issues arise. A forward slash is added before characters such as ' and the ASCII characters are printed out as the symbol rather than the code. This basically breaks the rest of the page (the submission goes on to be processed by some javascript).
I can't think of any way to keep the ASCII codes as just that, codes, not symbols.
Also, I've just noticed that all $ signs are lost too, which I can understand, but I need them to stay!
I need the form to display EXACTLY what the user typed in originally. Any ideas?
Can you try with:
<?php echo isset($F_Text) ? htmlentities(stripslashes($F_Text)) : '' ?>
Hope this helps you :)
My guess would be that you first have to turn off magic quotes, then use htmlspecialchars to avoid having your variable mess up your HTML, and then make sure everything is in UTF-8 so that all special characters are retained (depending on what you consider ASCII characters...).
Your php echo statement would be:
<?php echo isset($F_Text) ? htmlspecialchars($F_Text) : '' ?>
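An added PHP example (constructed, not code from any of the posts above) covering the attribute-escaping advice repeated across these threads: htmlspecialchars() with ENT_QUOTES inside a properly closed double-quoted attribute (the first, "double quotes" and "5/8 plywood" answers, and the magic-quotes answer just above), plus percent-encoding for & and + in a form-encoded body (the urlencode() advice in the first answer). DOMDocument stands in for the browser's read-back; function names and sample values are invented.

```php
<?php
declare(strict_types=1);

// Constructed sample values echoing the threads above (not data from the askers' apps).
const SAMPLES = ["Hello there I'm Jon", '5/8" Cabinet Grade Plywood', 'Me & you + <b>'];

// The pattern from the first question: single-quoted attribute, value dropped in raw.
function fieldUnescaped(string $v): string {
    return "<input type='text' name='t' value='$v' />";
}

// Hardened form: double-quoted attribute plus htmlspecialchars() with ENT_QUOTES, so
// ' " & < > become entities and nothing in the value can end the attribute.
// (Apply stripslashes() before this only when something upstream added backslashes.)
function fieldEscaped(string $v): string {
    return '<input type="text" name="t" value="' . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . '" />';
}

// Read the value attribute back the way a browser would; DOMDocument stands in for
// the browser, decoding entities into the literal characters the user typed.
function valueSeenByBrowser(string $inputHtml): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // malformed markup is the point of the demo
    $doc->loadHTML('<!DOCTYPE html><html><head><meta http-equiv="Content-Type" '
        . 'content="text/html; charset=utf-8"></head><body>' . $inputHtml . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

// & and + in a POST body: percent-encode each value (http_build_query() does what
// per-field urlencode() would); otherwise & starts a new pair and + reads as a space.
function formBody(array $fields): string {
    return http_build_query($fields);
}

function fieldsFromBody(string $body): array {
    parse_str($body, $out);
    return $out;
}

foreach (SAMPLES as $s) {
    printf("%-28s | unescaped: %-28s | escaped: %s\n",
        $s, valueSeenByBrowser(fieldUnescaped($s)), valueSeenByBrowser(fieldEscaped($s)));
}
$body = formBody(['text' => 'Me & you + 1']);
echo $body, ' -> ', fieldsFromBody($body)['text'], "\n";
```

The unescaped column shows the apostrophe truncating the first sample, while the escaped column returns every sample exactly as typed; the last line shows & and + surviving the form-encoded round trip.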