I'm inserting the following TEXT value into MySQL using..
$groupname = addslashes($_POST['groupname'];
When getting the value from Mysql I'm using
$name = $row['groupname'];
echo $name;
And this show correctly as "Mr. Davis's Group"
but when this value in added to a form as
then I pass the value to another page, and retrieve it as
$name = $_POST['groupname'];
echo $name;
it show up as "Mr. Davis" keeping everything before the apostrophy.
??No clue why, i've tried adding stripslashes($_POST['groupname']; and same thing happens
<input name='groupname' type='hidden' value='$groupname' />
Will generate:
<input name='groupname' type='hidden' value='Mr Davis's Group' />
^----
At the indicated spot, the browser's parser will see the 'end' of the value=, followed by some unknown attribute s and a broken attribute Group '.
To embed this type of text in a form, you need to use htmlspecialchars(), which will convert any HTML metacharacters (<, >, ', ") into their character entity equivalents, so they can be safely embedded in a form.
addslashes() is a deprecated method of "safely" adding something into a database. It will not make something safe to embed in HTML.
Check the text encoding of your input webpage. Match your db charset - use utf-8.
Related
I have a value ($title) that is stored in MySQL and is being called, using PHP, to be inserted into the value of an input element. The problem is when a single or double quote is used, the value of the input field terminates at that point.
The behavior that should occur is the input field should be populated EXACTLY with the data in the $title variable, so that when the form is updated, the quotes remain intact.
Here is the PHP:
<?php
echo '<input type=text size=91 name=title value="'.stripslashes($title).'">';
?>
Now, here is a typical problem: if the value of $title
this is a test " of what occurs with a quote
and I echo the variable, it echos correctly to
this is a test " of what occurs with a quote
However, when used in an input field, it renders as:
<input value="this is a test " of what occurs with a quote">
The first " terminates the value of the field, causing the new value to be:
this is a test
I'm confused as to how to get the proper value to display and be submitted with the form, when that variable is displayed and updated.
Try using htmlspecialchars. This will escape the " in yout title.
value="'.htmlspecialchars($title).'">
Put a \ before the quote.
echo "This is a \" test";
Change this line.
<input type=text size=91 name=title value="'.stripslashes($title).'">
To
<input type=text size=91 name=title value=\''.stripslashes($title).'\'>
Why are you running stripslashes()? Running addslashes() (the opposite function) would fix this particular issue, but a better approach would be to use htmlentities($title, ENT_COMPAT, 'utf-8') everywhere you output the title (or, if your structure allows, when the data is stored).
After you perform stripslashes you should use htmlspecialchars to escape the special characters. This avoids the mess the characters like ",', etc might otherwise create.
<input type=text size=91 name=title value="'.htmlspecialchars(stripslashes($title)).'">
The above snippet will only fix it for display purpose. But when the submit happens you must use either mysql_real_escape_string() or $pdo->quote() to escape the special characters before you run the SQL query.
I have a database var that contains
5/8\" Cabinet Grade Plywood
the \ being added by either WP or SQL to escape the ".
when retrieving this var i use stripslashes() both in in the value of the field used to edit that table (so that the next time someone want to edit that field he/she will see whats in that input already) and in the actual website where it suppose to appear.
The weird thing is ..
in the field it cuts from 5/8\" Cabinet Grade Plywood to just 5/8
and in the website where it suppose to appear it shows normally without slashes or anything unusual.
this is how I stripslash the field:
$somevar = '<input value="'.stripslashes($currentselected['something']).'" class="niceclass" name="something" type="text" />';
and this is how I use it when it appears on page:
<td><span style="font-size: larger;"><?php echo stripslashes($goods['verygood']); ?></span></td>
it simply collides with HTML markup
<input value="'.stripslashes($currentselected['something']).'"/>
will result in
<input value="5/8" Cabinet Grade Plywood" />
take a look on those ", its broken right there, you need to escape those "
to fix this use urlencode function in php
<input value="'.urlencode(stripslashes($currentselected['something'])).'"/>
or htmlspecialchars function, it should replace quotes with
"
You could use some htmlspecialchars on the output. The " has special meaning in HTML, and in this case would actually be seen as the closing of the value attribute of the input. Thus, you should escape it (htmlspecialchars will translate " to ").
I have two issues
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon />
So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &). so as an example, if someone enters Me & you then it will be displayed as Me you.
So I'm asking: How can I fix the above issues, seeming to have to do with special characters, despite already having them escaped (and I even tried applying the escape function again)? If there is any sample code I should supply, please let me know, but I've explained what I am doing to each input.
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon /> So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
This has nothing to do with submitting the data. You are trying to use ' in an attribute value that is delimited with ' characters.
Use htmlspecialchars($data, ENT_QUOTES)
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &). so as an example, if someone enters Me & you then it will be displayed as Me you.
In data encoded as application/x-www-form-urlencoded & means "Start of new key=value pair" and + means "A space". You need to urlencode($data).
First, it helps to properly contain HTML attributes, like so:
<input type="text" value="Hello there I'm Jon" />
I'm using double quotes, notice the trailing quote on the value, which your original didn't have. If you then wrap the value in htmlentities() you'll be able to properly display/save " or any other value in your form.
While double quotes aren't strictly necessary in HTML5 (' will work just fine in most cases), they are at least encouraged. If you're using some variant of XHTML, they are required.
A lazy but fast way to do things here is use urlencode() on the contents of the fields before they are posted, and the urldecode() on the other side.
It's not the proper way, or the nice way ... but it works if you don't want to write some specific code to handle the cases.
I have a string that has special letters like "á" and htmlcode like "<input type='text' />". When I store this string in my DB I use: htmlentities($string, ENT_QUOTES);.
The problem is when I output the text, I use html_entity_decode($string_from_db, ENT_QUOTES) and all the entities I have in the database like "á" for the letters and "<input type='text' title="LA1&qu..." for the htmlcode gets converted. So my output will show the "á" letter and a text field which is not normal. I want the letter to be like that but for the field I want to show the code "<input type='text' />" not the actual field.
I need this for a multilingual site with alot of user input, so I need to be able to process the special letter properly but also protect for bad input. Any advice is greatly apreciated.
Well it seems I figured it out .... at least for now. Here's what I'm doing:
The text submitted by the user i sanitize it with:
function sanitize_form_input($string) {
$string = mysql_real_escape_string($string);
return $string;
}
Got page encoding, php encoding, html encoding, mysql encoding ... and any other possible thing with encoding set to UTF-8.
Output the text with:
function sanitize_db_output($string) {
return htmlentities(stripslashes($string), ENT_QUOTES, 'UTF-8');
}
Please let me know if this is a wrong way to do it.
You could just do an additional htmlspecialchars after html_entity_decode; that function will only convert the characters which have a special function in HTML to their entity:
htmlspecialchars(html_entity_decode($string_from_db, ENT_QUOTES), ENT_QUOTES)
That should take care that the resulting string has no unencoded html characters. Of course, performancewise, that's probably not the best solution, but it's simple!
I am retrieving data from my SQL database...
data exactly as it is in the DB = (21:48:26) <username> some text here. is it ok?
when i try and echo $row['log']."<br>";
it displays it as = (21:48:26) some text here. is it ok?
i assume this is due to the <> brackets making it think its an HTML opener... would this be the case? and if so how would one echo a string that contains HTML?
Use htmlspecialchars() to translate HTML control characters into their entities:
echo htmlspecialchars($row['log'])."<br>";
You need to escape the characters so it is not recognized as an HTML element, but as text:
echo htmlentities( $row['log'] ) . '<br/>';
i assume this is due to the <>
brackets making it think its an HTML
opener...
Yes, any construction in <> brackets is treated by web browser as HTML tag. So, you should use either htmlspecialchars() or htmlentities() or some similar custom function to convert "<" and ">" symbols to "<" and ">" strings, which are displayed to user as brackets.
Some more comments:
ALL text data displayed to user must be passed through htmlspecialchars() funciton (or through other function with similar behavior), since "some text" may also contain tags, etc.
Probably it would be better to store date/time, username and "some text" in separate table columns in DB, in order to satisfy relational database constraints. This may require some additional input data parsing.