Strip slashes from database request correctly - php

I have a message stored in my database containing a slash, e.g. don\'t
To present the message I use this procedure. The thing is, the backslash is still displayed.
How can I get rid of it?
I have tried many things, and read several postings here, but can't get it to work. Anyone here to help me and tell me what is the best way?
$msg2 = html_entity_decode($row3['comment']);
echo stripslashes(nl2br($msg2));

When storing them in the database, you should store them as mysql_real_escape_string($phpString).
Why do you use html_entity_decode for this? Just stripslashes should be sufficient here..

Related

PHP - How to call method from a variable

i hope you may be able to help me out.
I am building a scrape script using simple html dom.
I have a few sites where i need to get the thumbnail path, name of the movie and some other stuffs. I have build me an admin panel where i save in plaintext the methods required to find that stuff based on the matching pattern.
Eg.
$movie_name = $result->children(0)->children(0)->innertext;
This works just like it supposed to work but when i save children(0)->children(0)->innertext in the database and then back into variable, eg,
$variable = "children(0)->children(0)->innertext";
$movie_name = $result->$variable;
it does not work.
I am pretty sure i am going horribly wrong about this, so please give me a hint how i could just save the methods in plaintext and then call them.
It must be stored in plaintext because the dom is frequently changing so i will be able to keep up with it.
Best regards.
You're looking for the PHP eval() function:
$movie_name = eval('return $result->' . $variable . ';');
Having said that, be warned that eval is evil.
Instead, I would recommend xpath.
Hope this helps!
Got it, eval() was the answer. Since no user input is going to the eval(), it's pretty safe in my particular case. Just had to do some escaping and declare the variable containing the method inside eval().
This piece of code works for me.
$res_mov_url_e = eval("\$res_mov_url = \$result->$movie_url;");
Anyway big thanks guys!
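The thread settles on eval(), with the warning that it is evil. As an added example (not code from either poster or from simple_html_dom), here is the alternative the warning points at: a tiny interpreter for the stored accessor strings that only permits a fixed set of method names with integer arguments and a fixed set of terminal properties. The DomNode class is a constructed stand-in for a simple_html_dom node so the script runs offline; ALLOWED_METHODS, ALLOWED_PROPS and applyPath() are names chosen for this example. A stored path that does not match the grammar is rejected instead of executed, so a compromised admin table cannot turn into arbitrary PHP.

```php
<?php
declare(strict_types=1);
// Added example: whitelisted interpreter for stored accessor paths, instead of eval().
// DomNode is a constructed stand-in for a simple_html_dom node (children(int), innertext).

final class DomNode {
    public function __construct(public string $innertext, private array $kids = []) {}
    public function children(int $i): ?DomNode { return $this->kids[$i] ?? null; }
}

const ALLOWED_METHODS = ['children'];              // method(int) steps that may appear in a path
const ALLOWED_PROPS   = ['innertext', 'plaintext']; // terminal property the path must end with

/** Apply a stored path such as "children(0)->children(0)->innertext" to $node. */
function applyPath(object $node, string $path): mixed {
    foreach (explode('->', $path) as $step) {
        if (preg_match('/^([a-z_]+)\((\d+)\)$/', $step, $m)) {           // method(int)
            if (!in_array($m[1], ALLOWED_METHODS, true)) {
                throw new InvalidArgumentException("method not allowed: {$m[1]}");
            }
            $node = $node->{$m[1]}((int) $m[2]);
            if ($node === null) {
                return null;                                            // DOM changed: no such child
            }
        } elseif (preg_match('/^([a-z_]+)$/', $step, $m) && in_array($m[1], ALLOWED_PROPS, true)) {
            return $node->{$m[1]};                                      // terminal property
        } else {
            throw new InvalidArgumentException("bad step: $step");      // anything else is refused
        }
    }
    throw new InvalidArgumentException('path must end in a property');
}

// Constructed tree: root -> row -> title cell
$tree = new DomNode('root', [new DomNode('row', [new DomNode('The Movie')])]);

var_dump(applyPath($tree, 'children(0)->children(0)->innertext'));   // string(9) "The Movie"
var_dump(applyPath($tree, 'children(0)->children(5)->innertext'));   // NULL (site layout changed)

// What eval() would have run, and what this interpreter does with it:
try {
    applyPath($tree, 'children(0)->innertext; system("id")');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                                       // bad step: innertext; system("id")
}
```

When a site's DOM changes, the admin still edits only the path string; the code that applies it never changes and never grows new capabilities. If a scraper needs `find('selector', n)` as well, add it to the grammar explicitly with its own argument pattern rather than loosening the regex.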

str_replace URL space

I'm making a website where I'm allowing my users (after they are logged in) to add a (car) advertisement!
I have a form where the user can submit his car information. (add-vehicle.php)
Now I want to display each new advertisement in my list view. (car-list.php)
How can I do this?
Use urlencode / urldecode to pass variables in URLs.
I recommend using urlencode('string')
and then later, when you get your variable, urldecode('string').
Response to your comment:
if (isset($_GET['merk'],$_GET['car_id'],$_GET['titel']) === true )
{
$merk = urldecode(trim ($_GET['merk']));
$car_id = urldecode(trim($_GET['car_id']));
$titel = urldecode(trim($_GET['titel']));
}
You're changing a space into a hyphen. If it is stored in the database as a space, it will never find it because "This Entry" is different from "This-Entry". As others said, urlencode will work better, but if you still want to replace the space with a hyphen, just make sure that it is done the same in the database as well.
First, nobody in this world will know what you have in your database to tell what the problem is! At least post some example data.
Second, you must be sure of what you have and what you are comparing it to.
You are basically asking if a is equal to b, and to be fair that's something you should be able to tell if you're programming!
Third, you should implement a methodology that allows you to quickly test your code, anything from printing your data to the browser to a fully automated test.
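The answers above say to percent-encode the values and not to let a space-to-hyphen substitution break the database match. As an added example (not code from the thread), this script builds the car-list.php link from a stored row and reads it back the way $_GET would see it. The row, the column names merk and titel, and the function names carUrl(), parseCarUrl() and slug() are assumptions for the example. The slug is purely cosmetic; the lookup key sent in the URL is the numeric car_id, so whether the title is stored with spaces or hyphens never affects the query.

```php
<?php
declare(strict_types=1);
// Added example: build and parse the advertisement link. Sample row is constructed.

function slug(string $s): string {
    $s = strtolower(trim($s));
    $s = preg_replace('/[^a-z0-9]+/', '-', $s);   // any run of non-alphanumerics becomes one hyphen
    return trim($s, '-');                          // for display in the URL only, never for lookup
}

function carUrl(array $row): string {
    // http_build_query() percent-encodes every value (space -> +, & -> %26, ...)
    return 'car-list.php?' . http_build_query([
        'car_id' => $row['id'],
        'merk'   => $row['merk'],
        'titel'  => slug($row['titel']),
    ]);
}

/** Parse the query string of a generated link exactly as PHP fills $_GET (decoded once). */
function parseCarUrl(string $url): array {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    return [
        'car_id' => filter_var($q['car_id'] ?? null, FILTER_VALIDATE_INT),  // false unless an integer
        'merk'   => $q['merk'] ?? '',
        'titel'  => $q['titel'] ?? '',
    ];
}

$row = ['id' => 42, 'merk' => 'Alfa Romeo', 'titel' => 'Giulia Q4 & Veloce'];   // constructed row
$url = carUrl($row);
echo $url, "\n";            // car-list.php?car_id=42&merk=Alfa+Romeo&titel=giulia-q4-veloce
print_r(parseCarUrl($url)); // car_id => 42, merk => Alfa Romeo, titel => giulia-q4-veloce

// In car-list.php, fetch the row by car_id with a prepared statement, never by the slug,
// and escape both the href and the visible text for the HTML attribute/body context:
$href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
$text = htmlspecialchars($row['merk'] . ' ' . $row['titel'], ENT_QUOTES, 'UTF-8');
echo "<a href=\"$href\">$text</a>\n";
```

Note that $_GET values are already decoded by PHP, so parse_str() is the right model for them; decoding again with urldecode() would turn a literal "%2B" or "+" that survived the first decode into something else.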

SQL injection help

So I was just testing out the mysql_real_escape() function, and what that does is put a \ before the ". Then, when the content is echoed back out onto the page, I just get content with \'s before any ". So let's say I posted """""""""""""""""""""""""""", all I get is \"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\" echoed back.
Is there some code to remove the \ when it's echoed back onto the page?
By adding those slashes, mysql_real_escape_string just converts the string into the input format for the database. When the data comes out of the database, it should come out without any of the slashes. You shouldn't need to remove them yourself.
Using stripslashes like others are suggesting would do the opposite of mysql_real_escape_string in most cases, but not all of them, and you shouldn't rely on it for that purpose. Mind you, if you find yourself needing to use it for this, you've already done something else wrong.
stripslashes()
http://php.net/manual/en/function.stripslashes.php
You don't need to unescape, ie. remove the slashes - they don't get inserted into the DB. They are only for passing data to MySQL, they are not written to the db. When you SELECT the data, you won't see the slashes.
Do you know how mysql_real_escape_string() works? Hint: it encodes a string for SQL usage. For example mysql_query('SELECT * FROM users WHERE name="'.mysql_real_escape_string($name).'"');. It can be used to insert a string which won't escape the quotes, for example like " or 1=1 -- " making SELECT * FROM users WHERE name="" or 1=1. You have to apply it just before inserting it into the database.
When you read this data back, the slashes won't exist in any way.
Actually, looking at what is below, I will make this answer, not comment...
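Both the "strip slashes" thread above and this one come down to the same two facts: escaping (or, better, parameter binding) is applied only on the way into SQL, and nothing comes back out with backslashes; what the output still needs is HTML escaping. The following added example (not code from either thread) shows both on an in-memory SQLite database through PDO so it runs offline. MySQL is what the posters use; SQLite treats double quotes as identifier quotes, so the literals and the `1=1` payload here are single-quoted, which MySQL accepts as well. The table, rows and function names are constructed for the demo.

```php
<?php
declare(strict_types=1);
// Added example: injection via string concatenation vs. a prepared statement,
// and the stored apostrophe coming back without any backslash. SQLite in memory.

function seed(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, comment TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (name, comment) VALUES (?, ?)');
    $ins->execute(['alice', "don't"]);       // the value is bound, not quoted: no slashes added
    $ins->execute(['bob',   'say "hi"']);
    return $db;
}

// Vulnerable: the untrusted value becomes part of the SQL text.
function lookupUnsafe(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the value travels separately from the SQL text, so quoting is never an issue.
function lookupSafe(PDO $db, string $name): array {
    $st = $db->prepare('SELECT name FROM users WHERE name = ?');
    $st->execute([$name]);
    return $st->fetchAll(PDO::FETCH_COLUMN);
}

$db = seed();
$payload = "' OR 1=1 -- ";                    // the thread's attack value, single-quoted for SQLite

// 1. The injection: the concatenated query returns every row, the bound one returns none.
var_dump(lookupUnsafe($db, $payload));        // array(2) { "alice", "bob" }
var_dump(lookupSafe($db, $payload));          // array(0) { }

// 2. The slashes question: the stored comment comes back exactly as entered,
//    so stripslashes() has nothing to do; the output still needs HTML escaping.
$comment = $db->query("SELECT comment FROM users WHERE name = 'alice'")->fetchColumn();
var_dump($comment === "don't");               // bool(true)
echo nl2br(htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8')), "\n";   // don&apos;t
```

If backslashes do show up in the data read back, they were written into the database, which means the value was escaped twice on the way in (for instance an escaping call on input that was already escaped); the fix is to remove the extra layer, not to add stripslashes() on output.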

My site is vulnerable to this script..How do i patch it?

One guy tried to exploit it using this script
http://www.searchr.us/web-search.phtml?search=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2872%29+String.fromCharCode%28105%29%29;%3C/script%3E
How do i stop it ?
And he also said that it is vulnerable to XSS and LPI...Please help me stop it.
Thanking You,
You need to HTML-encode all user-entered data that you output, including the user's search string.
To be safe, HTML-encode all values that are not explicitly meant to be HTML code.
The quick solution is to:
<?php echo htmlspecialchars($blah); ?>
instead of
<?php echo $blah; ?>
The long solution is to read a book on web site security.
Seeing as how that is a search query string, I'm guessing you're pulling the value directly from the query string and re-displaying it to the user?
Something along the lines of "Your search of 'something' returned 0 results"?
You need to encode any user entered data before displaying it.
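The answers say to HTML-encode every user-supplied value on output. As an added example (not the site's code, which is not shown in the question), here is the reflected-search pattern the second answer guesses at, rendered both unsafely and with htmlspecialchars(), using the payload from the question's URL decoded with the "+" kept literally. The two places a search term usually lands are the page body and the value="" attribute of the search box; the payload starts with `">` precisely to close that attribute. The helper name e() and the constructed markup are assumptions of the example.

```php
<?php
declare(strict_types=1);
// Added example: reflected XSS in body and attribute context, and the encoding that stops it.

function renderUnsafe(string $q): string {
    return '<input name="search" value="' . $q . '">' .
           '<p>Your search of \'' . $q . '\' returned 0 results</p>';
}

function e(string $s): string {
    // ENT_QUOTES escapes both ' and ", so the value is inert in text and attribute contexts;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(string $q): string {
    return '<input name="search" value="' . e($q) . '">' .
           '<p>Your search of \'' . e($q) . '\' returned 0 results</p>';
}

// Constructed from the question's URL: %22%3E%3Cscript%3E...%3C/script%3E decoded
$payload = '"><script>alert(String.fromCharCode(72)+String.fromCharCode(105));</script>';

echo renderUnsafe($payload), "\n";
// <input name="search" value=""><script>alert(...)</script>">...  <- attribute closed, script runs

echo renderSafe($payload), "\n";
// <input name="search" value="&quot;&gt;&lt;script&gt;alert(...)&lt;/script&gt;">...  <- inert text

// Self-check: no raw tag survives in the encoded output.
var_dump(str_contains(renderSafe($payload), '<script'));   // bool(false)
```

htmlspecialchars() is the right encoder for HTML body and quoted-attribute contexts only; a value placed inside a script block, a URL, or CSS needs the encoder for that context, and a value used unquoted in an attribute is unsafe even when encoded.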

Problem getting text field as string from MySQL with PHP

I'm having this problem that's driving me nuts.
I've got a MySQL database in which there is a table that contains a text field. I am querying the table in PHP and trying to put the content of the text field for each row into a var.
I am doing something like this:
for ($i=0;$i<$nbrows;$i++){
$id = $data[$i]['ID'];
$description = $data[$i]['DESCRIPTION'];
$mystring .= '<div>'.$id.': '.$description.'</div>';
}
DESCRIPTION is my text field.
I'll pass on the details. The $data array is built from mysql_fetch_array($result). I also tried using objects instead, as I use mysql_fetch_object for all my other routines, but there is no change.
Anyway, the problem is this: if I do "echo $description;" then it works. I am getting my text field data as expected. The problem is that I don't want to output it directly, but add it to a concatenated string, and that is not working. What happens in that case is it seems to be taking $description for some kind of array or object. To make the above example work, I have to replace the string with:
$mystring .= '<div>'.$id.': '.$description[0].'</div>';
So in the concatenated string code, if I treat $description as an array, it works, but obviously I am getting only one letter. (it doesn't actually seem to be an array because I can't implode it).
I tried a million things but I just can't make this work unless I use echo, but that is not what I am trying to do.
There is no issue with fields that aren't text.
Thanks for any ideas!
There is nothing visually wrong with the code you pasted; maybe if you could also add the fetching function, we might be able to help you further.
Maybe you could post a var_dump of your $data array?
Have you tried $mystring .= "<div> $id : $description </div>";
Ack, well, you know, hours spent on this and then it becomes obvious after I decide to post for help. This is just because of text encoding/escaping and nothing else. I just didn't see well enough where the problem was actually happening.
Thanks for taking the time to read and respond!
