I have a strange problem: htmlspecialchars() (with ENT_QUOTES) and mysql_real_escape_string() aren't translating the single quote in "i've" (and some other words), while all the others are translated. What is the reason for that result?
It may be that what you think is a normal quote (', or HTML &#39;) is actually a curly apostrophe (’, or HTML &rsquo;). This will not be transformed by htmlspecialchars (nor by mysql_real_escape_string, as it is not a valid quote for MySQL). htmlentities should escape this.
If you want escaping, use htmlentities().
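The following script is an added example that is not part of the original thread; it builds two sample strings itself, one with the ASCII apostrophe (U+0027) and one with the curly apostrophe (U+2019), and shows how htmlspecialchars() and htmlentities() treat each when told the input is UTF-8.

```php
<?php
// Added example, not from the original answer. Both sample strings are
// constructed here: the first uses U+0027 APOSTROPHE, the second
// U+2019 RIGHT SINGLE QUOTATION MARK (the "curly" apostrophe).
$samples = [
    'ascii' => "i've",
    'curly' => "i\u{2019}ve",
];

foreach ($samples as $label => $s) {
    // bin2hex() makes the difference visible even when the terminal
    // renders both apostrophes the same way.
    printf("%-5s bytes            : %s\n", $label, bin2hex($s));
    printf("%-5s htmlspecialchars : %s\n", $label, htmlspecialchars($s, ENT_QUOTES, 'UTF-8'));
    printf("%-5s htmlentities     : %s\n", $label, htmlentities($s, ENT_QUOTES, 'UTF-8'));
    echo "\n";
}
```

htmlspecialchars() converts only the ASCII apostrophe (to &#039;) and leaves U+2019 alone, while htmlentities() with a UTF-8 charset turns U+2019 into &rsquo;. For an HTML or JavaScript context the untouched curly apostrophe is harmless, since it is not a delimiter in either language; it only matters when a downstream consumer, such as a database column or a legacy non-UTF-8 encoding, is expected to receive plain ASCII.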
Related
Why does filter_var()'s FILTER_SANITIZE_STRING filter encode single quotes as &#39; and double quotes as &#34; while htmlentities() encodes single quotes as &#039; and double quotes as &quot;?
Code Sample:
<?php
$string = "Well that's \"different.\"";
echo "filter_var: ".filter_var($string, FILTER_SANITIZE_STRING)."\n";
echo "htmlentities: ".htmlentities($string, ENT_QUOTES)."\n";
echo "htmlspecialchars: ".htmlspecialchars($string, ENT_QUOTES)."\n";
Output:
filter_var: Well that&#39;s &#34;different.&#34;
htmlentities: Well that&#039;s &quot;different.&quot;
htmlspecialchars: Well that&#039;s &quot;different.&quot;
It's because the filter extension has nothing to do with HTML processing. It doesn't use the HTML entity conversion table. It is just a stupid encoding based on the ASCII value.
" is 34 in ASCII
' is 39 in ASCII
The same applies for any other character that the filter extension converts to HTML encoded form. It takes the ASCII numerical value in decimal, prepends &# and appends ;. That's it! It's simple and efficient, even if it's not very correct.
No offence to anyone, but using this extension for anything HTML related is a rather dumb idea. The constant FILTER_SANITIZE_STRING is deprecated now and it will be removed in future versions of PHP. There exists a filter FILTER_SANITIZE_FULL_SPECIAL_CHARS which is just a wrapper around htmlspecialchars(), but I can't think of any reason to use this over the simple htmlspecialchars() function.
Some of these filters are a remnant of the era of lazy PHP. Developers used lazy approaches to security like magic quotes, which didn't provide enough security and often led to more mess. These HTML filters were created with the same lazy approach in mind. It's better to provide something than nothing to mitigate XSS. However, this is definitely not the recommended practice anymore. Please format the output correctly using the appropriate functions to avoid XSS rather than relying on filters for sanitization.
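As an added example that is not part of the original answer, the script below reimplements the "decimal ASCII value between &# and ;" scheme the answer describes for the HTML-significant characters (encodeLikeFilter() is an illustration written here, not PHP's own filter code), compares it with htmlentities() and FILTER_SANITIZE_FULL_SPECIAL_CHARS on the thread's sample string, and shows that html_entity_decode() maps both spellings back to the same text. The e() helper at the end is the kind of output-encoding function the answer recommends instead of the filter.

```php
<?php
// Added example, not from the original answer.

// Illustrative reimplementation of the encoding the answer describes:
// each of the HTML-significant characters becomes "&#<decimal>;".
// This is NOT the filter extension's own code.
function encodeLikeFilter(string $s): string
{
    return preg_replace_callback('/["\'<>&]/', function (array $m): string {
        return '&#' . ord($m[0]) . ';';
    }, $s);
}

// Recommended output encoding for an HTML body or attribute context:
// all five significant characters are encoded, invalid UTF-8 is replaced
// instead of producing an empty string, and the charset is explicit.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$string = "Well that's \"different.\" <b>";   // sample from the thread, plus a tag

$numeric = encodeLikeFilter($string);
$named   = htmlentities($string, ENT_QUOTES | ENT_HTML401, 'UTF-8');
$full    = filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$safe    = e($string);

echo "numeric (filter style) : $numeric\n";
echo "named (htmlentities)   : $named\n";
echo "FULL_SPECIAL_CHARS     : $full\n";
echo "e() helper             : $safe\n";

// Browsers treat numeric and named references identically, and so does
// html_entity_decode(): every variant decodes back to the original string.
foreach ([$numeric, $named, $full, $safe] as $encoded) {
    var_dump(html_entity_decode($encoded, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $string);
}
```

The point of the comparison is that the two spellings are not a security difference: &#39; and &#039; are the same character reference. What does matter is choosing the encoder for the context the data lands in (HTML text, attribute, JavaScript, URL), which a generic "sanitize" filter cannot know.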
<script type="text/javascript">
Player.embed("ID", {soundFile: "http://yoursite.com/path/to/mp3_file.mp3"});
</script>
This is the snippet I need to parse in PHP. What characters do I need to use the backslash break on?
<script type=\"text\/javascript\">Player\.embed\(\"$2$3$4\"\, \{soundFile\: \"http://$2$3$4/$5\"\}\);
<\/script>
Do you mean:
string addslashes ( string $str )
Returns a string with backslashes before characters that need to be escaped. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).
This source goes into it:
http://php.net/manual/en/function.addslashes.php
and this one:
http://www.w3schools.com/php/func_string_addslashes.asp
From the 2nd source, the addition of escape characters can be used to prepare a string for storage in a database and database queries.
Note: PHP runs addslashes() on all GET, POST, and COOKIE data by default, so you don't want to do it again and get double the escape slashes.
There's also a stripslashes() function for when you need to undo it.
http://php.net/manual/en/function.stripslashes.php
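Since the question is really about which characters need a backslash in a regular expression, here is an added example that is not part of the original thread: it builds the pattern with preg_quote() instead of placing backslashes by hand, matches it against the snippet from the question (embedded here as a nowdoc), and validates the captured URL before using it. The capture-group layout and the validation rules are this example's own choices.

```php
<?php
// Added example, not from the original thread. The snippet is the one
// quoted in the question, embedded here so the script runs stand-alone.
$html = <<<'HTML'
<script type="text/javascript">
Player.embed("ID", {soundFile: "http://yoursite.com/path/to/mp3_file.mp3"});
</script>
HTML;

// preg_quote() escapes every regex metacharacter in the literal fragments
// ('.', '(', '{', ':' ...). Passing '/' as the second argument also escapes
// the pattern delimiter, so a URL containing '/' in the literal is safe.
$pattern = '/' . preg_quote('Player.embed("', '/')
         . '([^"]*)'                                  // capture 1: player id
         . preg_quote('", {soundFile: "', '/')
         . '([^"]*)'                                  // capture 2: MP3 URL
         . preg_quote('"});', '/')
         . '/';

echo "pattern: $pattern\n";

if (preg_match($pattern, $html, $m) === 1) {
    [, $id, $url] = $m;

    // Treat the captured value as untrusted input: require a syntactically
    // valid absolute URL with an http(s) scheme before reusing it anywhere.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $valid  = filter_var($url, FILTER_VALIDATE_URL) !== false
           && in_array(strtolower((string) $scheme), ['http', 'https'], true);

    printf("id=%s\nurl=%s\nvalid=%s\n", $id, $url, $valid ? 'yes' : 'no');
} else {
    echo "no match\n";
}
```

addslashes() is the wrong tool here: it escapes quotes and backslashes for a PHP string literal, not the dots, parentheses and braces that have meaning to PCRE. preg_quote() exists for exactly that job, and letting it do the escaping avoids both missed metacharacters and accidental escapes like the "\," and "\:" in the hand-written attempt.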
I'd like to keep a certain string in a configuration file, that is to be parsed by PHP parse_ini_file() function. However, this string contains some special characters (with codes like 0x2C or 0x3D) that need to be encoded in some way. Is there any way to write a special character with a hex code in such a file?
The proper way to escape INI values is to enclose them in "double quotes". If your string doesn't contain double quotes, you can use it as a value enclosed in double quotes.
Escaping single quotes with a backslash seems to work as long as there are not two consecutive double quotes in the value, as per http://php.net/manual/en/function.parse-ini-file.php#100046
If you want to do your own escaping, you certainly can:
htmlspecialchars / htmlspecialchars_decode escape <, >, & and ".
htmlentities / html_entity_decode will escape very aggressively (but also very safely) to HTML entities.
urlencode / urldecode will escape all special characters except _-~..
base64_encode / base64_decode will ensure the encoded string contains only alphanumeric characters and +=/. This might be optimal for encoding binary data but doesn't preserve readability.
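To show the two approaches side by side, here is an added example that is not part of the original answer. It stores one value containing the 0x2C and 0x3D bytes from the question in double quotes, stores a second value that also contains double quotes as base64, and reads both back with parse_ini_string() so no file is needed; the section and key names are made up for the example.

```php
<?php
// Added example, not from the original answer. Section and key names
// are invented for illustration.
$raw    = 'a=b,c=d';          // contains '=' (0x3D) and ',' (0x2C)
$quoted = 'say "hi", ok=1';   // additionally contains double quotes

// Build the INI text in memory. The plain value is safe in double quotes
// because it has no double quotes of its own; the second value is
// base64-encoded so its output is limited to [A-Za-z0-9+/=], which is
// also placed in double quotes because '=' is special in INI syntax.
$ini = "[app]\n"
     . 'plain = "' . $raw . '"' . "\n"
     . 'b64   = "' . base64_encode($quoted) . '"' . "\n";

echo $ini, "\n";

$cfg = parse_ini_string($ini, true);   // default (normal) scanner mode
if ($cfg === false) {
    exit("failed to parse INI text\n");
}

// Round trip: the quoted value comes back unchanged, and the base64 value
// is decoded in strict mode so corrupted input is rejected (false) rather
// than silently decoded.
$plainBack = $cfg['app']['plain'];
$b64Back   = base64_decode($cfg['app']['b64'], true);

var_dump($plainBack === $raw);
var_dump($b64Back === $quoted);
```

Quoting is the readable option and handles everything except embedded double quotes; base64 handles arbitrary bytes at the cost of readability, and the strict flag on base64_decode() is worth keeping so a hand-edited or truncated value fails loudly instead of producing garbage.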
Hi, I was wondering if there is an easy way to escape strings in PHP.
In Python I use """ """, and everything between there is escaped, so when using special characters it is ignored.
I have some text to echo, and escaping everything manually just takes forever.
Does PHP have a similar function built in?
Thanks!
Which characters do you have to escape?
You could use single quotes [docs]. The only characters that have to be escaped in such a string are \ and '.
If you have a long string, also have a look at heredoc [docs].
Since PHP 5.3, you can use nowdoc. As opposed to heredoc, nowdoc does not expand variables inside it.
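The difference between heredoc and nowdoc, as an added example that is not part of the original answer; the text inside the two blocks is constructed for the demonstration.

```php
<?php
// Added example, not from the original answer.
$name = 'world';

// Heredoc: behaves like a double-quoted string. $name is interpolated and
// "\t" becomes a tab, but quotes of either kind need no escaping.
$heredoc = <<<EOT
Hello $name, "double" and 'single' quotes need no escaping.\tTab expanded.
EOT;

// Nowdoc (PHP 5.3+): behaves like a single-quoted string. Nothing inside is
// interpreted, so $name and \t stay exactly as written.
$nowdoc = <<<'EOT'
Hello $name, "double" and 'single' quotes need no escaping.\tTab NOT expanded.
EOT;

echo $heredoc, "\n\n", $nowdoc, "\n\n";

// Nowdoc keeps the literal "$name"; heredoc replaced it.
var_dump(str_contains($nowdoc, '$name'));   // str_contains() needs PHP 8.0+
var_dump(str_contains($heredoc, '$name'));
```

Nowdoc is the better choice for embedding fixtures, templates or anything else that contains dollar signs or backslashes, because there is no way for content inside it to be evaluated by PHP; heredoc is for when you actually want variable interpolation.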
There are various functions depending on what you want to escape.
If you are using a lot of double quotes, for example with html, you can wrap the string in single quotes to prevent having to escape.
$string = 'no escape needed';
The same goes the other way
$string = "I'd rather be gaming";
Then you have a couple of functions used mostly for escaping user input:
addslashes(), which will escape quotes
htmlspecialchars(), which will 'escape' HTML codes
mysql_real_escape_string() for escaping mysql input
I have a string in PHP that contains both single and double quotes.
I am trying to use this string in some JSON output. To do this I need to escape double quotes, slashes, newlines etc.
I thought that addslashes() would do the job but it also escapes single quotes which causes the JSON to fail.
How can I escape all relevant special characters except for single quotes?
json_encode() will handle all that for you.
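As an added example that is not part of the original answer, the script below runs json_encode() over a constructed string containing both quote kinds, a backslash, a newline and a closing script tag, once with default flags and once with the JSON_HEX_* flags that make the result safe to embed directly inside a <script> block.

```php
<?php
// Added example, not from the original answer. The sample string is
// constructed to contain every character the question worries about,
// plus a closing tag that matters when JSON lands inside a <script>.
$s = "It's a \"test\" with a \\ backslash,\na newline and </script><b>tag</b>";

// Default: escapes double quotes, backslashes and control characters;
// single quotes are left alone, which is correct JSON.
$plain = json_encode($s, JSON_THROW_ON_ERROR);

// For embedding in HTML: <, >, &, ' and " become \uXXXX escapes, so the
// string can never close the surrounding <script> element or break out
// of an attribute that contains the JSON.
$html = json_encode(
    $s,
    JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
);

echo "default : $plain\n";
echo "hex     : $html\n";

// Both variants decode back to the identical original string.
var_dump(json_decode($plain, false, 512, JSON_THROW_ON_ERROR) === $s);
var_dump(json_decode($html, false, 512, JSON_THROW_ON_ERROR) === $s);

// Typical use in a page template.
echo "<script>var data = " . $html . ";</script>\n";
```

Hand-rolled escaping with addslashes() produces something that is neither valid JSON (because of the escaped single quote) nor safe in HTML; json_encode() solves the first problem on its own and the JSON_HEX_* flags solve the second. JSON_THROW_ON_ERROR (PHP 7.3+) turns invalid UTF-8 input into an exception instead of a silent false return.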