php - textarea - html tags - php

I am new to programming with php.
I've done that:
There is a textarea where the user writes text, and it is saved to the db. But when listing the entries, the text with html tags is shown as html elements.
For example, "I'm <b>25</b> years old" is shown as "I'm 25 years old".
I want to show it as what the user writes in the textarea, not applying html rules. And due to this, the user cannot break text across multiple lines.
How can I avoid all html properties? Is there any function or something else to help me?

Run the posted content through htmlentities:
$var = htmlentities($old_var);
Note: you should also be making sure you're not making yourself vulnerable to SQL injection.

Save it to the database, but escape every value that comes from a user to avoid MySQL injection.
Example:
$sqlaction = mysql_query("INSERT INTO posts (text) VALUES ('".mysql_real_escape_string($_POST['text'])."')"); // the mysql_* functions were removed in PHP 7; use mysqli or PDO prepared statements today
If you want to show it on a page, use htmlentities like this:
<div><?php echo htmlentities($row['text']); ?></div>
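The same store-then-display flow written with a prepared statement instead of mysql_real_escape_string, and with the escaping done only at output time. This is an added example, not code from the answers above; it uses an in-memory SQLite database through PDO (the pdo_sqlite extension is assumed) so it runs stand-alone, and the table and column names (posts.text) follow the answer.

```php
<?php
// Added example, not from the original answers. PDO with an in-memory SQLite database
// so it runs without a MySQL server; swap the DSN for a mysql: one in production.
// Table/column names (posts.text) mirror the answer above.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, text TEXT NOT NULL)');
    return $db;
}

// Store the text exactly as the user typed it. The value travels as a bound
// parameter, so quotes, semicolons and comment markers cannot change the SQL.
function save_post(PDO $db, string $text): int
{
    $stmt = $db->prepare('INSERT INTO posts (text) VALUES (:text)');
    $stmt->execute([':text' => $text]);
    return (int) $db->lastInsertId();
}

// Escape only when rendering into HTML. ENT_QUOTES also covers single quotes, so the
// same function is safe for attribute values; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Tags typed by the user come out as literal text, never as markup.
function render_posts(PDO $db): string
{
    $out = '';
    foreach ($db->query('SELECT text FROM posts ORDER BY id') as $row) {
        $out .= '<div>' . h($row['text']) . '</div>' . "\n";
    }
    return $out;
}

// Constructed sample input: what a user might type into the textarea.
$db = open_db();
save_post($db, "I'm <b>25</b> years old");
save_post($db, "'); DROP TABLE posts; --");   // stored as a literal string, not executed

echo render_posts($db);
```

Storing the raw text and escaping on output is what makes the second rendering (into a textarea, or later into JSON) possible without a decode step.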

Related

PHP not reflecting desired HTML

I'm making a website where a user should be able to use HTML and CSS in their profiles, but I came across one problem.
<?php
$profile = "<h1>THIS IS A TEST</h1>";
echo htmlentities($profile);
?>
That's my code, but it only shows this in the profile:
<h1>THIS IS A TEST&amp</h1>
I don't know what is happening, nor do I know if this only happens to me.
How do I make it show only the h1 content?
The function htmlentities shows the representation of html characters like tags etc., and is used especially to avoid parsing as html. So if you mean to echo html so that the browser parses it as html, the last thing you want is to use this function! Just echo it out directly, no need to use htmlentities or htmlspecialchars!
You just have to use echo $profile;, that's all. Check this and don't forget to check Display as HTML as browsers display PHP echoed text as HTML unless they're told to display it differently.

Textarea content to database

I have this textarea called personalInfos where I fill in the info in the following format:
<p><span class="white">1966 - '69</span><br/> text .... </p>
When I submit it to the database, it gets saved OK, same format. When I retrieve the code from the database into the admin textarea, it gets filled OK.
My only problem is on the front end, where the code is displayed as text, not rendered as html. So basically I see it on the page like this:
<p><span class="white">1966 - '69</span><br/>
Most likely you display the fetched code after processing it with htmlentities() or a similar function. This is in most cases the way to go, to avoid planting e.g. html in comments. So simply stop doing this after fetching (or on insert, depending on where you do so) and your content will be output as literal HTML and properly processed by the web browser.
You should have a look at htmlspecialchars_decode()
Example
$str = '<p><span class="white">1966 - \'69</span><br/> text .... </p>';
echo htmlspecialchars_decode($str);
Also make sure to escape the single quotes as well.
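The two questions above (the profile page and the personalInfos field) both want user-written markup rendered as HTML, and the first answer to this one notes that escaping is normally the way to avoid planted HTML. If raw HTML from users has to be rendered, run it through an element and attribute allowlist first; this is an added example, not code from any of the posts. The allowed tags and attributes are illustrative choices (they cover the <h1>, <p>, <span class="white"> and <br/> used in the questions), the `sanitize_profile_html` and `clean_children` names are mine, and it assumes the dom extension (DOMDocument) is available. For production, a maintained library such as HTML Purifier handles many more cases than this.

```php
<?php
// Added example, not code from the original posts. Renders user-supplied profile HTML
// through an element/attribute allowlist so markup such as <h1> or <span class="white">
// survives while scripts, event handlers and javascript: links do not.
// Requires the dom extension. The allowlists are illustrative, not a standard.

const ALLOWED_TAGS  = ['h1', 'h2', 'h3', 'p', 'br', 'b', 'strong', 'i', 'em', 'span', 'a', 'ul', 'ol', 'li'];
const ALLOWED_ATTRS = ['class', 'href'];   // href is additionally limited to http(s) below

function sanitize_profile_html(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);        // user markup is rarely well-formed
    // The XML PI forces UTF-8; the wrapper div gives libxml a single root element.
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $root = $doc->documentElement;                   // the wrapper <div>
    clean_children($root);

    $out = '';
    foreach ($root->childNodes as $child) {          // serialize without the wrapper
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function clean_children(DOMNode $parent): void
{
    // Snapshot the list first: removing or unwrapping nodes mutates childNodes.
    foreach (iterator_to_array($parent->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                                // text is escaped by saveHTML
        }
        if (!$child instanceof DOMElement) {
            $parent->removeChild($child);            // comments, PIs, CDATA
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, ['script', 'style', 'iframe', 'object', 'embed'], true)) {
            $parent->removeChild($child);            // drop element and its content
            continue;
        }
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            clean_children($child);                  // keep its cleaned content, drop the tag
            while ($child->firstChild !== null) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ATTRS, true)
                 && ($name !== 'href' || preg_match('#^https?://#i', trim($attr->value)) === 1);
            if (!$keep) {
                $child->removeAttribute($attr->name); // onclick, style, javascript: hrefs, ...
            }
        }
        clean_children($child);
    }
}

// Constructed sample: the markup from the questions plus a few injection attempts.
$profile = '<h1>THIS IS A TEST</h1>'
         . '<p onclick="alert(1)"><span class="white">1966 - \'69</span><br/> text ....</p>'
         . '<script>alert(document.cookie)</script>'
         . '<a href="javascript:alert(1)">link</a>'
         . '<img src=x onerror="alert(1)">';

echo sanitize_profile_html($profile), "\n";
```

Unknown elements are unwrapped rather than deleted so that text inside them is not lost; script-like elements are deleted together with their content, since their text is code, not prose.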

Passing MySQL data through an ajax form via javascript/PHP with specialchars

I've recently thrown together a basic PHP webpage that lists information pulled from a MySQL table and displays it in various sorts. I'm wanting to allow the user to add a new item to the table, edit an item in the list and delete an item in the list without refreshing the page (Ajax).
This currently goes:
To add/edit an article you click on a link which prompts the popover ajax form, and fills its contents (if editing) by performing the function setEdit(comment) as below:
<a class="popup-button" title="<?php echo $row['comment']; ?>" onclick="setEdit('<?php if($row['comment']){ echo $row['comment']; } else { echo "Enter comment here..."; } ?>');"><?php echo $row['listitem']; ?></a>
The setEdit() function is as follows:
function setEdit(editcomment)
{
if(editcomment){ document.getElementById('help-us-comment').value=editcomment; }
}
Which is then, after submitting the ajax form, handled by the following php code:
if(isset($_POST['comment_text']))
$comment=$_POST['comment_text'];
$sql = "INSERT INTO table SET
comment='$comment'";
Problem: I'm having constant issues trying to get the database contents through 1, 2, 3 without falling over at a new line, single or double quote. I've tried endless combinations of replacing tags, htmlspecialchars and nl2br with no half successes - where it's got to the point that it's so convoluted and encoded/decoded now that I'm assuming that there is a far simpler and obvious way that I'm missing.
The main problem happens when trying to load the data into the form, typically having either the form fall over and refuse to populate at all (typically by the <a> link becoming broken by the data extracted, i.e. a single quote or new line) or the form being populated with special characters instead of plain text to edit.
I've tried to go into as much detail as possible, but if any more is needed I'm happy to provide. Also apologies if this is an obvious fix/mistake, and I'm being an idiot.
You have two problems here: storing and displaying.
To display, you should look into htmlentities, which makes the string safe HTML (it does all the quote replacing, html encoding, etc. for you), so that your string is safe to be displayed as plain text or as an input's value.
To store the data, you should sanitize your queries. You could use mysqli and bind parameters, or use mysql_real_escape_string to escape your input manually.
Otherwise, say hi to Bobby Tables ;)
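The link in the question builds a JavaScript string literal out of the database value by hand, so a quote or a newline in the comment ends the literal early. Two ways to hand the value to the client without doing that, as an added example (not code from the question or the answer): put it in a data-* attribute escaped with htmlspecialchars and read it from the DOM, or, where it really has to sit inside an inline script, let json_encode produce the literal. The `$row` keys (comment, listitem) and the setEdit() name come from the question; the function names here are mine.

```php
<?php
// Added example, not code from the original question or answer. Two ways to hand a
// database value to client-side JS without building a JS string literal by hand.
// $row keys (comment, listitem) and setEdit() follow the question; the rest is illustrative.

function h(string $s): string
{
    // ENT_QUOTES escapes both quote styles, so the result is safe in any quoted attribute.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Preferred: keep the value in a data-* attribute and let JS read it from the DOM.
// A literal newline inside a quoted attribute is preserved by the HTML parser and
// comes back as a real "\n" in this.dataset.comment, so no decoding step is needed.
function render_edit_link(array $row): string
{
    $comment = ($row['comment'] ?? '') !== '' ? $row['comment'] : 'Enter comment here...';
    return '<a class="popup-button" title="' . h($comment) . '"'
         . ' data-comment="' . h($comment) . '"'
         . ' onclick="setEdit(this.dataset.comment)">' . h($row['listitem']) . '</a>';
}

// Alternative for inline <script> blocks: json_encode() emits a valid JS string literal,
// and the HEX flags turn < > & ' " into \u escapes so "</script>" or quotes in the data
// cannot close the script element. Do not run htmlspecialchars() over this result.
function js_literal(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
                         | JSON_UNESCAPED_UNICODE | JSON_INVALID_UTF8_SUBSTITUTE);
}

// Constructed sample row containing the characters that broke the original link.
$row = ['listitem' => 'Item 1', 'comment' => "Bob's \"quote\"\nsecond line </script>"];

echo render_edit_link($row), "\n";
echo '<script>setEdit(' . js_literal($row['comment']) . ');</script>', "\n";
```

The storage side is unchanged from the answer: bind the comment as a parameter (mysqli or PDO prepared statement) and store it raw; both renderings above start from the raw value, so nothing has to be decoded when the form is populated.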

about nl, br and security while working with textarea and mysql in PHP

I'm getting data from my textarea with the following code
$about_me=mysql_real_escape_string(nl2br($_POST['about_me']));
which
1. Receives data, using $_POST.
2. nl2br makes breaks, so if I echo this to the user he will see where there were new lines.
3. mysql_real_escape_string to secure the code from mysql injections before entering it into the database.
So if I echo this code everything works fine.
But if I edit it again through the textarea, php goes to mysql, gets the data, puts it into the textarea and I see <br> signs...
How can I get rid of them while editing my text again in textarea ?
How can I get rid of them while editing my text again in textarea ?
Stop using nl2br(), of course. It's entirely wrong here.
You use nl2br() when you want to output data that contains linebreaks to HTML, not when you want to store it in the database. Store data unchanged, format it for viewing.
If you output it into a <textarea> you don't need to use it either, since textareas display linebreaks (whereas HTML in general does not). For the textarea you need htmlspecialchars(), but apparently this is already happening - otherwise you would not see literal <br> showing up.
<?php
// eregi_replace() was removed in PHP 7; preg_replace() with the i modifier does the same job.
function br2nl($string){
    // match <br>, <br/>, <br /> in any case and replace each with CRLF
    return preg_replace('#<br\s*/?\s*>#i', chr(13).chr(10), $string);
}
?>
Use this when getting data from the database and before printing it into the textarea.
http://php.net/manual/en/function.nl2br.php
Check examples on this page
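The "store unchanged, format for viewing" rule from the first answer, carried through for the three places a textarea value ends up: the read-only page, the edit form and (for rows that were already saved through nl2br) a one-off repair. This is an added example, not code from the answers; the field name about_me comes from the question, the function names are mine.

```php
<?php
// Added example, not from the original answers. One stored representation (raw text
// with "\n"), two renderings, plus a repair helper for rows already saved via nl2br().

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Browsers submit textarea line breaks as CRLF; store a single canonical form.
function normalize_input(string $posted): string
{
    return str_replace("\r\n", "\n", $posted);
}

// Read-only view: escape first, then turn newlines into <br>.
// Order matters: nl2br() before escaping would get its own <br> tags escaped.
function render_html(string $stored): string
{
    return nl2br(h($stored), false);
}

// Edit form: escaping alone is enough, a <textarea> displays newlines itself.
function render_textarea(string $stored): string
{
    return '<textarea name="about_me">' . h($stored) . '</textarea>';
}

// Repair for legacy rows stored through nl2br(). nl2br() inserts <br> in front of the
// newline and keeps the newline, so the optional (\r\n|\n) in the pattern swallows it;
// replacing the tag alone would double every line break.
function br2nl(string $stored): string
{
    return preg_replace('#<br\s*/?>(\r\n|\n)?#i', "\n", $stored);
}

// Constructed sample: a textarea submission containing markup and a second line.
$posted = "I'm <b>25</b>\r\nand I like <br> tags";
$stored = normalize_input($posted);

echo render_html($stored), "\n";        // user's <b> and <br> appear as text, real line break as <br>
echo render_textarea($stored), "\n";    // same text, ready to be edited again

// Constructed legacy row, as nl2br() would have written it.
echo br2nl("line one<br />\nline two<BR>line three"), "\n";
```

With the raw value in the database the br2nl() step is only needed once, to migrate old rows; new submissions never go through nl2br() before storage.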

Post text from a text area

I have a form where a user types paragraphs into a text area and then it takes them to another page after they submit. How can I pass whatever they typed to the page after they submit? The text area might have linebreaks and if I use a query string to pass the data, it gives me an error. This is my current code to pass the field:
<?php
if(isset($_POST['form']))
{
    $title = $_POST['title'];
    $body = $_POST['body'];
    header("SubmitForm.php?title=$title&body=$body");
}
?>
<html>
...html form...
It doesn't work when the text area has line breaks in it.
I would suggest installing a wysiwyg editor to make this easier for you, but I assume that would add some time for the learning curve.
The simplest tip I can give you is to set a CSS attribute for your textarea: white-space:pre, so that when it gets submitted, all line breaks get sent as well.
On your server side, you would need to use the nl2br() function, so that when it gets saved on your DB or wherever you store them, all line breaks are converted to HTML breaks.
For your additional reference, I had a similar question like this last year.
You really shouldn't be putting anything that long in a query string in the first place. Look into using sessions to store data across pages instead.
(This is assuming I understood the question right)
urlencode the data in order to pass it via query string.
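The redirect the question attempts, with the two things it was missing: the "Location:" prefix in the header call, and URL encoding of the values so that a newline (or an & or ?) in the body cannot break the query string. This is an added example, not code from the question or the answers; SubmitForm.php and the title/body field names come from the question, the function names are mine. The length limit the second answer mentions still applies, so for long text the session approach it recommends (or a plain POST) is the better choice.

```php
<?php
// Added example, not from the original question or answers. Builds the redirect from the
// question with the Location header and URL encoding it lacked, and checks with
// parse_str() that a multi-line body survives the round trip.

function build_redirect(string $target, array $params): string
{
    // http_build_query() percent-encodes every value (CRLF becomes %0D%0A), so the
    // URL is a single line and user input cannot inject extra response headers.
    return $target . '?' . http_build_query($params);
}

function send_redirect(string $target, array $params): void
{
    header('Location: ' . build_redirect($target, $params));
    exit;                                   // nothing after a redirect should keep running
}

// What the receiving page gets in $_GET: parse_str() decodes exactly as PHP does.
function round_trips(string $target, array $params): bool
{
    $url = build_redirect($target, $params);
    parse_str(substr($url, strlen($target) + 1), $decoded);
    return $decoded === $params;
}

// Constructed sample: a two-paragraph textarea submission with awkward characters.
$params = ['title' => 'My post', 'body' => "First paragraph.\r\n\r\nSecond & last?"];

echo build_redirect('SubmitForm.php', $params), "\n";
var_dump(round_trips('SubmitForm.php', $params));

// On SubmitForm.php the value is still user input: escape it before echoing, e.g.
// htmlspecialchars($_GET['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8').
```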
