When I have a form like this one -
<form action="t.php" method="get">
<input type="text" name="test"></input>
<input type="submit"/>
</form>
Processed by PHP like this -
<?php
$t = $_GET["test"];
echo "<a href='".$t."'>".$t."</a>";
?>
If I provide a form input like -
What's a form?
The link is cut off after "What". I know this is because of the quotation mark, but I'm not sure how to get around it in a way that would deal with any number of single or double quotation marks.
Any ideas? Thanks.
echo "<a href='".urlencode($t)."'>".$t."</a>";
To play safe, you should cater htmlspecialchars to protect yourself from xss or so
htmlspecialchars
echo "<a href='".urlencode(htmlspecialchars($t, ENT_QUOTES))."'>".$t."</a>";
_________________^ caters for the question mark, which it is not able to convert
You could also use addslashes() and stripslashes().
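An added example, not taken from the question or the answers above, showing the link built with escaping chosen per output context: htmlspecialchars() with ENT_QUOTES for the href attribute and for the link text, and urlencode() only for a value that becomes a query-string parameter. The h() and safe_href() helpers and the http/https allowlist are assumptions of this example; the form is the one from the question.

```php
<?php
// Added example: escape per output context when echoing user input into a link.
// Assumes the form from the question submits "test" via GET to this script.

// Escape a string for use inside a double-quoted HTML attribute or in element text.
function h(string $s): string
{
    // ENT_QUOTES escapes both ' and " (it is the default only since PHP 8.1).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Only http/https URLs are accepted as link targets; anything else falls back to "#".
// The allowlist is chosen for this example; extend it to the schemes your site needs.
function safe_href(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);   // null when the URL has no scheme
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return $url;
}

$t = $_GET['test'] ?? '';   // e.g. What's a form?

// 1. The input used as the link target: validate it, then escape for the attribute context.
echo '<a href="' . h(safe_href($t)) . '">' . h($t) . "</a>\n";

// 2. The input used as a query-string parameter: urlencode() builds the URL component,
//    and the finished URL is still escaped for the attribute context afterwards.
$searchUrl = 't.php?test=' . urlencode($t);
echo '<a href="' . h($searchUrl) . '">search again</a>' . "\n";
```

The two helpers separate the two jobs that the answers above blend together: urlencode() produces a valid URL component (it handles the question mark), while htmlspecialchars() with ENT_QUOTES keeps the value from ending the surrounding attribute, whichever quote style wraps it.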
I am generating radio buttons based on XML config values. Sometimes they have apostrophes in the text. When manipulating this data in PHP, I seem to lose everything after the apostrophe. For example:
<input type='radio' name='remove[]' value='Government wants to limit employers' communications about unionization'>
But when dumping it out after the form POSTs, I get this value:
array(1) {
[0]=>
string(35) "Government wants to limit employers"
}
Any suggestions on how to preserve the full string? Thanks!
Use htmlspecialchars():
<input type="radio" ... value="<?php echo htmlspecialchars($array[0], ENT_QUOTES) ?>" ... />
It's explicitly intended to allow safe insertion of arbitrary text into html without 'breaking' the html. Note the 'ent_quotes' option. By default htmlspecialchars will only handle <>", but since you're using ', you need the option to tell htmlspecialchars to handle those too.
You can escape the quotes in the string:
value='Government wants to limit employers' communications about unionization'
Escaping it will cause this problem to stop.
PHP does give functions for this, in case your information is in a variable. Just use htmlspecialchars
Simplest way would be just to use double quotes like so:
<input type='radio' name='remove[]' value="Government wants to limit employers' communications about unionization">
It's pretty much the reason for them.
I usually stick with those 2 easy options, both equally efficient:
You can encapsulate one type of quotes in the other type
$var = " here single quotes ' are encapsulated in double quotes";
$var = 'here double quotes " are encapsulated in single quotes';
you can escape quotes by using \
$var = "just quote some mathematician: \"quot erat demonstrandum\".";
You can use double quotes to surround the text:
<input type='radio' name='remove[]' value="Government wants to limit employers' communications about unionization">
An even better way would be to replace the apostrophes with &#39;.
<input type='radio' name='remove[]' value='Government wants to limit employers&#39; communications about unionization'>
This is a more robust solution in case the text includes double quotes as well. You should replace all 's with &#39;s and "s with &quot;s.
This can be easily done using htmlspecialchars(string $str). http://php.net/manual/en/function.htmlspecialchars.php
I am accepting a preset input from another .php file
$Instructor=$_POST["Instructor"];
when I echo $Instructor, the OUTPUT is Dr. Doom (which is correct)
When I pass it through a fieldset I only get the (Dr.) and not the (Doom). I need the entire name to get passed. Can anyone please help? I am NEW TO PHP, so please try to explain in simple form. Thank you very much ahead of time.
Here is the code I am using.
echo "<fieldset>
<Legend> Contact Information </Legend>
PROFESSOR: <input name='Professor' type= 'text' value=$Instructor maxlength='35'
disabled='disabled'> </fieldset>";
Since you've omitted quotes on the HTML attribute, only characters up to the first whitespace will be interpreted in your HTML. Quote the attribute, and escape it properly with htmlentities() using the ENT_QUOTES option:
echo "<fieldset ... ... value='" . htmlentities($Instructor, ENT_QUOTES) . "' ... </fieldset>";
Note that without the escaping, it is vulnerable to cross-site scripting, in addition to potentially breaking the output markup.
You need to put quotes around attribute values that contain spaces. In your case they need to be escaped, because the PHP string literal also uses them:
echo "... value=\"$Instructor\" ...";
Variable sanitization aside, you forgot to quote this:
value=$Instructor
And mind the space here:
type= 'text'
By the way, there's a nice syntax in PHP called "heredoc" if you want to use blocks of HTML text.
$str = <<<EOF
<fieldset>
<Legend> Contact Information </Legend>
PROFESSOR: <input name='Professor' type='text' value='$Instructor' maxlength='35' disabled='disabled'>
</fieldset>
EOF;
What's nice is the text can stay human readable and still support inline variable interpolation (putting "$something like this")
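An added example (not code from the question or the answers) for the quoting discussion in this question and the radio-button question above, using the heredoc form. Heredoc interpolates variables but cannot call a function inline, so the value is escaped into a separate variable first; the $safeInstructor name and the fallback sample value are constructed for this example.

```php
<?php
// Added example: heredoc keeps the HTML readable, but htmlspecialchars() cannot be
// called inside the interpolation, so escape into a variable before the heredoc.
// $_POST['Instructor'] is the field from the question; the fallback value is constructed.

$Instructor = $_POST['Instructor'] ?? "Dr. O'Doom \"the Great\"";

// Escape once for the attribute context. ENT_QUOTES converts both ' and ",
// so the result is safe inside a single- or double-quoted attribute.
$safeInstructor = htmlspecialchars($Instructor, ENT_QUOTES, 'UTF-8');

// Quoted attributes: without the quotes the value would end at the first space ("Dr.").
$str = <<<HTML
<fieldset>
<legend>Contact Information</legend>
PROFESSOR: <input name="Professor" type="text" value="$safeInstructor" maxlength="35" disabled="disabled">
</fieldset>
HTML;

echo $str;
```

Escaping before the heredoc, rather than at the echo, also means the variable cannot be interpolated unescaped anywhere else by mistake.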
Every time a POST is made I get escaped characters.
\ -> \\
' -> \'
" -> \"
I have a multistep form, which transmits the data from one form to another. I save the values with prepared statements in the database. The values in the database currently look like Paul\'s House. Users should have the possibility to use single and double quotes in their string.
This is a simple example demonstrating the escaping effect:
<?php
echo $_POST['value'];
?>
<form action="form.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="value" value="Paul's House">
<input type="submit" value="Next">
</form>
Why or who escapes the string? What is the correct way for handling data over multiple forms? What is the correct way for saving it in the database? Should I use stripslashes() or I'm opening a big security hole?
Looks like you have Magic Quotes turned on.
http://www.php.net/manual/en/security.magicquotes.disabling.php
Check that out for how to disable.
You must turn off magic quotes on the server; otherwise you should be very careful about the on/off status of magic quotes.
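An added example for the magic-quotes discussion above; it is not code from the question or the answers. It undoes magic_quotes_gpc once per request on installations where the setting is still on, stores the value through a prepared statement, and passes it to the next form step escaped for the HTML attribute context. The $pdo connection, the "houses" table and its "name" column are assumptions of this example.

```php
<?php
// Added example: detect magic quotes, undo them once per request, and store the
// value with a prepared statement so no manual escaping is needed for the database.
// Assumes a PDO connection in $pdo and a table "houses" with a "name" column.

// Recursively remove the backslashes that magic_quotes_gpc added to request data.
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
}

// magic_quotes_gpc was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0,
// so this block only does anything on old installations with the setting enabled.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = stripslashes_deep($_GET);
    $_POST   = stripslashes_deep($_POST);
    $_COOKIE = stripslashes_deep($_COOKIE);
}

$value = $_POST['value'] ?? '';   // e.g. Paul's House, without the added backslash

// Prepared statement: the driver handles quoting, so the stored value is exactly
// what the user typed, and no stripslashes()/addslashes() pair is involved.
$stmt = $pdo->prepare('INSERT INTO houses (name) VALUES (:name)');
$stmt->execute([':name' => $value]);

// Hand the value to the next step of the multistep form: escape for the HTML
// attribute context only, since that is the context it is being written into.
echo '<input type="hidden" name="value" value="'
   . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
```

With magic quotes off (the only state on PHP 5.4 and later) the stripping block never runs, and the two remaining steps are all that is needed: prepared statements for the database and htmlspecialchars() for the HTML.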
I want to display text in html form(text field) that comes from DB so I used following code
....
.....
<input type="text" name="txtqname" id="txtqname" value="<?=$myvar ?>"></input>
....
.....
Here $myvar is a variable whose value comes from the DB and may contain single or double quotes. Because of this my text is not properly displayed in the text field as I want. I tried to replace double quotes with single as
....
.....
<input type='text' name='txtqname' id='txtqname' value='<?=$myvar ?>'></input>
....
.....
but still I don't get proper text. Please help me.
Thanks in advance...
Simple, all you have to do is:
<input type="text" name="txtqname" id="txtqname" value="<?= htmlspecialchars( $myvar ) ?>"></input>
Just use htmlentities() or htmlspecialchars()
http://php.net/manual/de/function.htmlentities.php
You should use proper addslashes() and stripslashes() for formatting data.
Make sure all data is properly formatted before inserting into the database. Also try this: mysql_real_escape_string()
You can use htmlentities function with ENT_QUOTES,
Ex: htmlentities($myvar, ENT_QUOTES);
ENT_QUOTES Will convert both double and single quotes.
I'm trying to populate an HTML text box with a php variable. The variable is a string with a single quotation mark in it and is retrieved from a database.
When I echo the variable it looks as it's supposed to - ie. "here's my string" so, it's correctly displaying the ' single quotation mark.
But when I try to put that variable into a text box field ie.
<? echo("<input type='text' name = 'title' value='$title'/>");?>
The quotation mark is ignored.
Any help is greatly appreciated as I've tried running the variable through a number of HTML formatting functions but to no avail.
You should change it to this:
<input type="text" name="title" value="<?php echo htmlentities($title, ENT_QUOTES); ?>" />
htmlspecialchars() and htmlentities() are used to convert strings in to HTML with correct encoding.
The ENT_QUOTES option ensures that the apostrophes and speech marks are also correctly encoded.
Use htmlentities or htmlspecialchars with the ENT_QUOTES flag to escape quotes in the text before outputting it.
<?php echo '<input type="text" name="title" value="'.htmlentities($title, ENT_QUOTES).'" />'; ?>
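An added example (not from any of the questions or answers above) for the last two questions and the earlier radio-button one: it builds the pre-filled text box with several of the approaches discussed on this page, parses each result back with DOMDocument, and reports whether the original value survives. The sample values and the strategy names are constructed for this example; it needs PHP 7.4 or later for the arrow functions.

```php
<?php
// Added example: build the <input> with several approaches from this page, parse each
// result back with DOMDocument and check whether the value survives the round trip.
// The sample values are constructed for this example.

function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Each strategy returns the markup for a text box pre-filled with $v.
$strategies = [
    'unquoted attribute'           => fn($v) => "<input type='text' name='title' value=$v />",
    'single quotes, no escaping'   => fn($v) => "<input type='text' name='title' value='$v' />",
    // Default flags only escape ' as well from PHP 8.1 on; before that the apostrophe breaks out.
    'single quotes, default flags' => fn($v) => "<input type='text' name='title' value='" . htmlspecialchars($v) . "' />",
    // addslashes() is for a different purpose; an HTML parser does not understand backslashes.
    'addslashes'                   => fn($v) => '<input type="text" name="title" value="' . addslashes($v) . '" />',
    'double quotes, ENT_QUOTES'    => fn($v) => '<input type="text" name="title" value="' . e($v) . '" />',
];

// What a browser would store as the field's value, according to an HTML parser.
function parsed_value(string $html): ?string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate the broken markup some strategies produce
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input ? $input->getAttribute('value') : null;
}

$samples = ["here's my string", 'say "hi" to Paul\'s House', 'Dr. Doom'];

foreach ($samples as $value) {
    echo "value: $value\n";
    foreach ($strategies as $name => $build) {
        $html = $build($value);
        $status = parsed_value($html) === $value ? 'OK  ' : 'LOST';
        printf("  %s %-30s %s\n", $status, $name, $html);
    }
}
```

Parsing the generated markup back is the quickest way to see which strategies match the answers' advice: only the escaped, quoted attribute keeps every sample intact regardless of which quote characters the value contains.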