I searched the site and didn't find a solution. My problem is that I've got a hidden input that I want to send via the post method that has quotes in it. I've tried using addslashes() and I get the same problem. It looks something like this right now:
<?php $value = 'I\'ve got \"some\" random text with quotes'; ?>
<input name="example" value="<?=$value?>">
And I get most of the the text showing in my form because the quotes aren't being ignored AARGH! ;) So how to I get text with quote into a hidden input?
Thanks in advance!
<?php $value = "I've got \"some\" random text with quotes"; ?>
when you output this will result in the following?
<input name="example" value="I've got \"some\" random text with quotes">
I would convert them so they validate and avoid confusion:
<?php $value = 'I've got "some" random text with quotes'; ?>
<input name="example" value="<?=$value?>">
Try to avoid using double quotes with PHP strings, as PHP will search the entire string for a variable to parse, regardless if the string contains one. They are slower than single quotes. Not so much anymore these days, but still a good practice to use single quotes for strings.
Related
Alright, so there's still stuff I have yet to learn about PHP. I'm trying to retrieve data from a MySQLi database and it's all fine until I'm forced to choose between double quotes or single quotes breaking something. With real_escape_string, I can store string data that contains a single quote, and it just gets escaped with a backslash, but if I don't use stripslashes() when I insert it into the value attribute...
If my value attribute looks like this in the code: value="_" then double quotes within the string, trim any data after it because it seems to be interpretted as the end of the value attribute.
If my value attribute looks like this in the code: value='__' then if I don't use stripslashes(), I see the slashes in the output, and if I use stripslashes(), it's the same thing with the double quotes, but with any of the escaped single quotes within the string.
Hope this makes sense. I'm fairly tired right now, but with a few replies and questions asked for anyone who doesn't quite understand, I'm sure we can figure this out. :)
If you have to output data into html which might have special characters use htmlspecialchars
<input type="text" value="<?php echo htmlspecialchars('\'"&<>') ?>">
http://codepad.org/DxV3uq0L
http://jsfiddle.net/Uu29D/
I am using smarty for template.
I am fetching one issue with rendering. i have one variable value of that variable is
this is text" data
but when i print this value in tpl file it prints only this is text except the
this is text" data
Why this is happening? please help
Thanks in advance
In smarty you can escape the data using {$variable|escape:'format'}
In this case a format of html should do the trick
{$variable|escape:html}
ref: http://smarty.net/docsv2/en/language.modifier.escape.tpl
You shouldn't be using quotes in HTML text-nodes anyway (it's invalid). Use " (escaped) instead.
So for your example:
this is text" data
If your text is coming from your DB, use htmlspecialchars() to properly escape it:
$val = htmlspecialchars($val);
Trying to keep new lines and unescaped values intact in a textarea being repopulated with data during a PRG cycle. At what point do you assign the variable correctly so that new lines are recognized?
I've tried double quotes, nl2br, htmlentities, stripslashes but I can't seem to get it. Some attempts:
Assigning during the intial prg $_SESSION array:
$_SESSION['prg']['textarea'] = "$textarea";
When passing from prg array to var:
$textarea = htmlentities($_SESSION['prg']['textarea']);
When echoing into the textarea:
<textarea name="textarea"><?php if(isset($textarea)) echo nl2br($textarea); ?></textarea>
And various combinations of the above, including the initial $_POST, directly after sanitizing.
Also, in case anyone asks: the escaping works as intended, db insert results are fine. It's just the form repopulating that's throwing things off.
I'm sure this is just a symptom of amateur hour... Looking for php/html solution only. Thanks in advance.
I don't think you want to be calling nl2br when you populate the text area if you want to keep the newlines showing up properly in the textarea. The htmlentities part is good though.
while storing the data use addslashes($_POST['textarea']) and while displaying use stripslashes($textarea)
I query my mySql database table and retrieve text strings that look like this:
This is a piece of a bronze artifact from the 'Bronze Age' -- it's in outstanding shape.
His amusing comment on the 3rd-century clay bowl: "Wow, she's a real piece!"
It's no secret that you 'don't mishandle old parchment artifacts, they're "very" fragile' -- yet it still happens.
THE PROBLEM -- I use php variables to hold the above strings read from the database, and use the PHP variables in my heredoc form. And I saw right away that a string got truncated when the first space in the string was encountered -- the form only showed text up to the first space.
So I put single quotes around my PHP variables in the heredoc form (see below).
Now I get truncation when the string that came from the database has single quotes.
I can put quotes around my php variables but I'm getting truncations of the text strings when single quotes, double quotes
and if I don't quote the PHP variable in the heredoc -- a space in the string truncates the string from that point on.
I'm using PHP and here is the code that gets data from the mySql query result, stores the database data into PHP variables, then uses them in a heredoc:
$row = mysql_fetch_row($result);
//var_dump($row); // the dump proves that the full string comes
// out of the database, with spaces, single and double quotes
$descriptionOfArtifact = $row[0];
$commentsAboutTheDiggingSite = $row[1];
$expertRecommendationsForRestoring = $row[2];
// output the next row from the Artifacts table...
echo <<< NEXT_ROW_HEREDOC
<input type="text" id="Description"
name="descrip" value='$descriptionOfArtifact' readonly="readonly"></input>
<input type="text" id="Comments"
name="comments" value='$commentsAboutTheDiggingSite' readonly="readonly"></input>
<input type="text" id="Experts"
name="experts" value='$expertRecommendationsForRestoring' readonly="readonly"></input>
NEXT_ROW_HEREDOC;
I need this form to display the full text string that is read from the database and stored in the above PHP variables. I thought the single quotes around the variable names would do it but I think the heredoc is messing that up (somehow).
So in a heredoc, how can I use PHP variables and be able to see:
single quotes
double quotes
spaces
html tags
any printable character, really
in a heredoc form?
You have a space between the <<< and the end-of-text keyword. That's probably causing the issue.
Also, call htmlspecialchars on $row[0], $row[1] and $row[2] when you're assigning them to variables, and use double-quotes on your value="..." attribute.
In simple Html code you need to show your value with double quote "" and if you are using php to print some html code through ECHO you need to use single quote to show you value in input box
I want to display text in html form(text field) that comes from DB so I used following code
....
.....
<input type="text" name="txtqname" id="txtqname" value="<?=$myvar ?>"></input>
....
.....
Here $myvar is variable whose value comes form DB and that may contains single or double quotes. Because of this my text is not properly displayed in text field as I want. I tried to replace double quotes with single as
....
.....
<input type='text' name='txtqname' id='txtqname' value='<?=$myvar ?>'></input>
....
.....
but still I don't get proper text. Please help me.
Thanks in advance...
Simple, all you have to do is:
<input type="text" name="txtqname" id="txtqname" value="<?= htmlspecialchars( $myvar ) ?>"></input>
Just use htmlentities() or htmlspecialchars()
http://php.net/manual/de/function.htmlentities.php
You should use proper addslashes() and stripslashes() for formatting data.
Make sure every data is properly formatted before inserting into database. Also try this mysql_real_escape_string()
You can use htmlentities function with ENT_QUOTES,
Ex: htmlentities($myvar, ENT_QUOTES);
ENT_QUOTES Will convert both double and single quotes.