I am retrieving data from my SQL database...
data exactly as it is in the DB = (21:48:26) <username> some text here. is it ok?
when i try and echo $row['log']."<br>";
it displays it as = (21:48:26) some text here. is it ok?
i assume this is due to the <> brackets making it think its an HTML opener... would this be the case? and if so how would one echo a string that contains HTML?
Use htmlspecialchars() to translate HTML control characters into their entities:
echo htmlspecialchars($row['log'])."<br>";
You need to escape the characters so it is not recognized as an HTML element, but as text:
echo htmlentities( $row['log'] ) . '<br/>';
i assume this is due to the <>
brackets making it think its an HTML
opener...
Yes, any construction in <> brackets is treated by web browser as HTML tag. So, you should use either htmlspecialchars() or htmlentities() or some similar custom function to convert "<" and ">" symbols to "<" and ">" strings, which are displayed to user as brackets.
Some more comments:
ALL text data displayed to user must be passed through htmlspecialchars() funciton (or through other function with similar behavior), since "some text" may also contain tags, etc.
Probably it would be better to store date/time, username and "some text" in separate table columns in DB, in order to satisfy relational database constraints. This may require some additional input data parsing.
Related
I just want to add in tag any string.
I am using this code to escape string:
$name = $this->_dom->createElement('name', htmlspecialchars($userName, ENT_COMPAT,'utf-8'));
$item->appendChild($name);
I got a problem, one of my users put to name field some specific symbols, and whole xml feed become broken. How i must escaping string?
Thank for help and sorry for my poor English...
I think adding the xml node's value by using createTextNode instead of passing it as a parameter to createElement may solve your problem.
My solution:
$title = $this->_dom->createElement('title',
htmlspecialchars($playlist->getTitle(),
ENT_DISALLOWED, 'utf-8')
);
And when you output xml, you must strip � (REPLACEMENT CHARACTER) see this related link about ENT_DISALLOWED like:
echo str_replace('�', '', $this->_dom->saveXML());
This way allows us to display any string with html entities and/or special chars.
Every time I try to echo a string there is no new line. I how can I make a newline when calling echo in php using the $_GET?
here is my code:
<?php
$text = "Hello world";
$text2 = $_GET['msg'];
echo $text2
?>
and this is what I enter in the url:
http://localhost/hello.php?msg=hello%0Dworld
or this one:
http://localhost/hello.php?msg=hello%0Aworld
and even this one:
http://localhost/hello.php?msg=hello%0D%0Aworld
The echo has to be a newline please don't say I should use a different method than $_GET. It has to be $_GET
While performing your exercises you are creating an HTML page.
HTML is a special markup language, which renders according to set of rules, some of them are:
<> characters has a special meaning of control structures named tags
all newline characters are ignored
to make a newline on the page, one have to use suitable tag - such as <br>, <p> or whatever.
So, to make a newline appear on your page, you have to convert newline characters to tags. Either use nl2br() function to get a <br /> tag or str_replace() if you want any other one
Be aware that echoing any request variables without validating them is a considerable security risk! If you want to publish any application with this code it needs to be redesigned.
As common sense states, the conversion from urlencoded to the corresponding character is automatically done by php, but HTML does not render such characters, so you either need to convert them into linebreaks or enclose the message in <pre> tags.
I have two issues
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon />
So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &). so as an example, if someone enters Me & you then it will be displayed as Me you.
So I'm asking: How can I fix the above issues, seeming to have to do with special characters, despite already having them escaped (and I even tried applying the escape function again)? If there is any sample code I should supply, please let me know, but I've explained what I am doing to each input.
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon /> So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
This has nothing to do with submitting the data. You are trying to use ' in an attribute value that is delimited with ' characters.
Use htmlspecialchars($data, ENT_QUOTES)
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &). so as an example, if someone enters Me & you then it will be displayed as Me you.
In data encoded as application/x-www-form-urlencoded & means "Start of new key=value pair" and + means "A space". You need to urlencode($data).
First, it helps to properly contain HTML attributes, like so:
<input type="text" value="Hello there I'm Jon" />
I'm using double quotes, notice the trailing quote on the value, which your original didn't have. If you then wrap the value in htmlentities() you'll be able to properly display/save " or any other value in your form.
While double quotes aren't strictly necessary in HTML5 (' will work just fine in most cases), they are at least encouraged. If you're using some variant of XHTML, they are required.
A lazy but fast way to do things here is use urlencode() on the contents of the fields before they are posted, and the urldecode() on the other side.
It's not the proper way, or the nice way ... but it works if you don't want to write some specific code to handle the cases.
I have a php script, where the user inserts his name.
Users can insert anything they want, even things like <img src="....
I would like to save their input in a way it won't show any image (or any html).
I know it exists but I don't know what keywords to search in order to find what does it.
Use strip_tags($str).
http://php.net/strip_tags
htmlspecialchars() will encode the text so that the tags are not interpreted as HTML.
The easiest solution is the PHP function strip_tags(), which does exactly what the name suggests, and strips HTML tags from a string.
The other alternative is to 'escape' the input, so that HTML characters such as < and > are converted into displayable text. This would result in the HTML code being displayed.
You would do this with the function htmlentities().
It's worth pointing out that the input may contain HTML characters without actually intending to be HTML. The & character is a HTML reserved character, but can also be found in normal text. > and < are less commonly used in normal text, but still possible. All of them may cause problems when displayed on your page, without necessarily being actual HTML code.
The solution to this is as above, to escape the string using htmlentities(). You may want to run striptags() first, but you should also run htmlentities() as well, to ensure that the string is displayed correctly.
Hope that helps.
Should I use htmlentities with strip_tags?
I am currently using strip_tags when adding to database and thinking about removing htmlentities on output; I want to avoid unnecessary processing while generating HTML on the server.
Is it safe to use only strip_tags without allowed tags?
First: Use the escaping method only as soon as you need it. I.e. if you insert something into a database, only escape it for the database, i.e. apply mysql_real_escape_string (or PDO->quote or whatever database layer you are using). But don't yet apply any escaping for the output. No strip_tags or similar yet. This is because you may want to use the data stored in the database someplace else, where HTML escaping isn't necessary, but only makes the text ugly.
Second: You should not use strip_tags. It removes the tags altogether. I.e. the user doesn't get the same output as he typed in. Instead use htmlspecialchars. It will give the user the same output, but will make it harmless.
strip_tags will remove all HTML tags:
"<b>foo</b><i>bar</i>" --> "foobar"
htmlentities will encode characters which are special characters in HTML
"a & b" --> "a & b"
"<b>foo</b>" --> "<b>foo</b>"
If you use htmlentities, then when you output the string to the browser, the user should see the text as they entered it, not as HTML
echo htmlentities("<b>foo</b>");
Visually results in: <b>foo</b>
echo strip_tags("<b>foo</b>");
Results in: foo
I wouldn't use htmlentities as this will allow you to insert the string, as is, into the database. Yhis is no good for account details or forums.
Use mysql_real_escape_string for inserting data into the database, and strip_tags for receiving data from the database and echoing out to the screen.
try this one and see the differences:
<?php
$d= isset($argv[1]) ? $argv[1] : "empty argv[1]".PHP_EOL;
echo strip_tags(htmlentities($d)) . PHP_EOL;
echo htmlentities(strip_tags($d)) . PHP_EOL;
?>
open up cmd or your terminal and type something like following;
php your_script.php "<br>foo</br>"
this should get what you want and safe !