I have inserted the following TEXT value into mysql..
$_POST['groupname'] = "Linda's Group";
$groupname = $addslashes($_POST['groupname'];
then retrieve it like this..
$groupname = $row['groupname'];
when I echo it it shows up correctly as "Linda's group"
but when I put it into..
echo "<input name='groupname' type='hidden' value='$groupname' />";
it shows up as "Linda", only show text before the apostrophe
What am I doing wrong?
Whenever you want to send a string to the browser, use htmlspecialchars($string).
Replace that with:
echo "<input name='groupname' type='hidden' value='" . htmlspecialchars($groupname, ENT_QUOTES) . "' />";
... and remove the addslashes() call.
Also, make sure you always use mysql_real_escape_string($string) when inserting string values in a MySQL database.
you need to escape content before displaying it on a web page. your markup reads:
try:
htmlspecialchars($dataToEscape, ENT_QUOTES, 'UTF-8' false)
without this you are vulnerable to XSS.
consider Linda'><script src='evil.js'></script>s Group this example:
<input name='groupname' type='hidden' value='Linda'><script src='evil.js'></script>s Group' />
You need to escape your single quote before you use it in your HTML. This is because your attribute values are surrounded by single quotes.
If you didn't escape the quote, the generated HTML is:
<input name='groupname' type='text' value='Linda's group' />
This is not valid. What you need is:
<input name='groupname' type='text' value='Linda's group' />
You can get that by calling htmlspecialchars:
echo "<input name='groupname' type='hidden' value='" . htmlspecialchars($groupname) . "' />";
This also prevents XSS attacks. Otherwise someone could enter '/><script type="text/javascript">alert("omg hax!")</script><br' for example, and you would get an alert on your page.
Related
So within my php code: I'm trying to auto generate and populate a form that will edit a database.
$aName = "Wayne Gretzky";
echo "<form>";
echo "<input type='text' value=".$aName.">";
echo "<input type='Submit'>";
echo "</form>";
But when the code executes it shows a textbox with the value of "Wayne" rather than "Wayne Gretzky"
Because i want the form to be auto generated, so it can adapt to whatever data I may pull form the database; How do i call the variable or the result of a query so that the full string will be displayed in the textbox?
You need to put quotes on the value attribute as well, otherwise the browser does it for you and then you get what you got.
echo "<input type='text' value='" . $aName . "'>";
You are going wrong with the quotes.
If you are using double quotes outside, use single quotes inside for the html tags.
The correct code is
<?php
$aName = "Wayne Gretzky";
echo "<form>";
echo "<input type='text' value='$aName'>";
echo "<input type='Submit'>";
echo "</form>";
?>
I am facing problem to pass data from one page to another using POST method. I want to pass data from the input field name 'keyword' to another PHP page. But it is not passing the complete data but when i print this data in same page using the 'keyword_div' it is showing the complete data.
Div is showing only 10 words:
আয়,গুর,ছুটে,লগন,জীবন,বয়ে, আজ,যায়,করে,চাঁদের
These lines are for passing the data-
print "<input type='hidden' id='keyword' name='keyword' value=". implode(',', extractKeyWords($file)) .">";
Print "<div class='output' name='keyword_div' id='keyword_div'>Keywords: " . implode(',', extractKeyWords($file)) . "<div>";
These lines are for getting the data after form submission-
if (isset($_POST['keyword'])){
$val = $_POST['keyword'];
} echo $val;
But Input is passing 6 words only:
আয়,গুর,ছুটে,লগন,জীবন,বয়ে
Why I am not getting the whole value? Please help.
You need to put quotes around the value, because there's a space at the beginning of the 7th keyword and that's ending the value attribute.
print "<input type='hidden' id='keyword' name='keyword' value='". implode(',', extractKeyWords($file)) ."'>";
Good HTML style is to put quotes around all attribute values.
If you want to get rid of the whitespaces as well, call trim().
print "<input type='hidden' id='keyword' name='keyword' value='". implode(',', array_map('trim', extractKeyWords($file))) ."'>";
I have a profile page in which I want to display informations from the database for most users, and a form with the current data as default value for the users with modification rights.
if ($IDprofile == $_SESSION['userID'])
{
echo "<form method='post'>
Surname: <input type='text' required name='surname' maxlength=50
value=".htmlentities($user['Surname'])."><br>
Name: <input type='text' required name='name' maxlength=50
value=".htmlentities($user['Name'])."><br>
Birthdate (format YYYY-MM-DD): <input type='text' required name='BirthDate' value='";
if ($user['BirthDate'] != null)
echo $user['BirthDate'];
else
echo "-";
echo "'><br>
Description: <input type='text' maxlength=255 name='description' value='";
if ($user['Description'] != null)
echo htmlentities($user['Description']);
else
echo "-";
echo "'><br>
<input type='submit' value='OK'></form>";
}
As you can see, I tried with htmlentities, which should transform the apostrophe into ', but it doesn't work. Other methods like addslashes and addcslashes don't work either.
What is displayed is my form input with the value it should have, until the place where there should be an apostrophe, where it just ends. addslashes does the same, with a / before the end.
What puzzles me the most is that I have a surname with an apostrophe in it in my database, and this one is displayed just fine.
htmlentities by default only encodes " double quotes, because those are the more common terminators for HTML attributes. If you want it to encode ' single quotes too, you need to set the ENT_QUOTES flag:
htmlentities($foo, ENT_QUOTES | ENT_HTML401)
(ENT_HTML401 is the other default flag; these days you may want to use ENT_HTML5 instead.)
You should also actually delimit your attributes with quotes! Currently your result looks like value=James, which isn't incorrect, but will get you into trouble once your values contain spaces or, well, quotes or other special characters.
Please try outputting your variables like this:
htmlspecialchars($user['Surname'], ENT_QUOTES);
Also be sure to disable magic quotes in your system so you don't get any extra slashes automagically when posting new data.
Is it possible to add a value to a dynamically created input field?
Im trying something like this: echo "<input value="$row['test']">" but that gives me a syntax error. It has to be in my php file since im calling it via ajax and want to keep my html and php seperate.
Im getting content via ajax and I need to set many field names as there are records in the database.
You can do it like this:
echo '<input value="' . $row['test'] . '">';
Alternatively escape the " (not recommended if not needed, because it is hardly readable):
echo "<input value=\"" . $row['test'] . "\">";
Otherwise you’re mixing quotation marks, which is a syntax error. The . is to combine strings with variables (in this case).
You can also Use:
<input value="<?php echo htmlspecialchars($row['test']); ?>" >
OR
echo "<input name='test' value=".$row['test'].">";
OR
echo "<input name='fred' value='{$row['test']}'>";
Reference
When using certain php values within a quoted string, such as the array syntax in the question, you should either escape from the quotes or encapsulate the variable in curly braces. Also, as the string was quoted with double quotes you should use single quotes around attributes and values.
echo "<input name='fred' value='{$row['test']}'>";
<input type="text" name="post_title" class="form-control" value="<?php
if(isset($post_title))echo $post_title;
?>">
If you want to add it into the HTML
I try to show this string : «let's go» in a the value of an input tag
i wrote:
$chaine="let's go";
echo "<input type=text name=test value='".$chaine."'>";
result: let
What can i do to show the correct string in this case ?
use htmlspecialchars
echo "<input type=text name=test value='".htmlspecialchars($chaine, ENT_QUOTES)."'>";
You can look at htmlentities()
htmlentities($chaine, ENT_QUOTES) ;
This produces
<input type=text name=test value='let's go'>
You can see, that for HTML (--> your Browser) the value ends after "let". Everything after that is invalid (but ignored). Escape
$chaine = "let\'s go";
However, in HTML double quotes are prefered and omitting the quotes is also no good style
$chaine="let's go";
echo '<input type="text" name="test" value="'.$chaine.'">';
In this case you must escape every double quote.