html_entity_decode() isn't working properly? - php

EDIT: I solved it seconds after posting the question (sorry!) but can't accept an answer yet.
Hi folks,
Just a quick one. I have a PHP/CodeIgniter site and the user can edit their profile. I'm using CI's XSS Filtering and Active Record-based Models, so the data is escaped automatically.
It naturally displays fine on the profile page view, text such as "We'll see if this works" (the apostrophe in the we'll). However when the user goes to the Edit page, the input box (filled with the data in the DB) displays:
We'll see if this works
I thought I could get around it by setting the value of the input box to html_entity_decode($query->row('example_database_row')) but it still doesn't work. Am I misunderstanding something here?
Thanks!
Jack

You can use html_entity_decode($query->row('example_database_row'), ENT_QUOTES).
However, I would advise against HTML encoding before you insert it into the database. Just encode it when you output it. It's better to just store the raw data in the database.
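As an added example (not code from the question or the answer above), here is why the entity survives without ENT_QUOTES, and what the "encode on output" pattern looks like for the edit box. The stored string and the input name are constructed samples.

```php
<?php
// Constructed sample of what the question's DB column holds: the apostrophe
// was already turned into an entity before it was stored.
$stored = "We&#39;ll see if this works";

// html_entity_decode() deliberately leaves the single-quote entity alone
// unless ENT_QUOTES is set. PHP < 8.1 defaults to ENT_COMPAT; the flag is
// passed explicitly here so the result is the same on every version.
echo html_entity_decode($stored, ENT_COMPAT), "\n";   // We&#39;ll see if this works
echo html_entity_decode($stored, ENT_QUOTES), "\n";   // We'll see if this works

// The pattern the answer recommends: keep the raw text in the database and
// encode it exactly once, at output time, for the place it is inserted.
function editBoxHtml(string $rawValue): string
{
    // ENT_QUOTES matters here: the value sits inside a double-quoted attribute,
    // so an unencoded quote would end the attribute early (an injection point).
    return '<input type="text" name="example" value="'
        . htmlspecialchars($rawValue, ENT_QUOTES, 'UTF-8') . '">';
}

echo editBoxHtml("We'll see if this works"), "\n";
// <input type="text" name="example" value="We&#039;ll see if this works">
```

The browser decodes `&#039;` when it renders the attribute, so the box shows a plain apostrophe and submits one back.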

Related

Disable HTML URL encoding for GET parameter for query

I'm currently developing a table layout.
The tables are using a paginator and a filter function in PHP.
All values are transmitted as GET parameters.
For example, the paginator will use &limit=20&page=5.
The filter is built upon a table row in thead as input fields.
What I mean is that each column has its own input field.
Once the submit button is clicked, it will pass the data via GET to itself, so the next pageview will query/filter the data correctly.
For example, if I want to filter the postcode the url will be as following:
&limit=20&page=5&postcode=5
Because I'm allowing searches like %5% to show all postcodes containing a 5, the result is not limited to 5 only. It will show all data which has a 5 at any spot of the value.
However, if I want to filter the postcodes showing all results with 58, I will type in %58%. As per URL encoding, unfortunately, the URL won't be &postcode=%58% as expected. It will be &postcode=X%.
The question is whether it is somehow possible to get the correct values into the URL?
The problem lies at browser level. If I changed the URL from &postcode=X% to &postcode=%58% directly and hit enter, Chrome would translate it straight away to X%.
Maybe it's possible somehow with meta tags, http headers, or Javascript, etc.
I'm doing it via GET instead of POST because it was - apparently - simpler to integrate with the paginator.
Sorry for my bad English. Any help would be much appreciated.
Thanks a lot.
You should escape the "%" sign itself (that would be "%25"). PHP should be smart enough to decode that automatically.
So &postcode=%58% should become &postcode=%2558%25, which PHP will decode so that $_GET['postcode'] is '%58%'.
You should urlencode your values before inserting them into the params.
Overall though, if you are using MySQL I agree with billrichards.
Since you mention %% searches I assume you are using MySQL or another SQL back end to query for the data. In that case I would suggest leaving the querystring always formatted as postcode=58&page=1, and add some other parameter to indicate if it should be a %wildcard% search or exact match, and if the wildcard parameter is there, add the %% on the back end when performing the query.
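Putting both answers together, as an added example that is not code from either answerer: the first part builds the query string so a literal "%" survives, the second part keeps the wildcard decision on the server and binds the LIKE pattern as a parameter. The filter array, the `wildcard` parameter name and the column name are assumptions.

```php
<?php
// Constructed filter values, as the paginator/filter form would submit them.
$filters = ['limit' => 20, 'page' => 5, 'postcode' => '%58%'];

// http_build_query() percent-encodes every value, so "%" becomes "%25"
// and the browser no longer sees "%58" as an escape sequence.
$query = http_build_query($filters);
echo $query, "\n";   // limit=20&page=5&postcode=%2558%25

// PHP decodes the value again when it parses the request into $_GET;
// parse_str() is used here so the round trip can be seen without a web server.
parse_str($query, $parsed);
echo $parsed['postcode'], "\n";   // %58%

// billrichards' approach: the URL carries postcode=58&wildcard=1 and the
// "%" is added on the back end. The user's text is never pasted into the SQL;
// it is returned as a value to bind to the "?" placeholder.
function postcodeFilter(array $get): array
{
    $value = (string) ($get['postcode'] ?? '');
    if (!empty($get['wildcard'])) {
        // Neutralise LIKE metacharacters typed by the user ("%" and "_"),
        // using "!" as the escape character, then wrap in our own wildcards.
        $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $value);
        return ['sql' => "postcode LIKE ? ESCAPE '!'", 'param' => '%' . $escaped . '%'];
    }
    return ['sql' => 'postcode = ?', 'param' => $value];
}

print_r(postcodeFilter(['postcode' => '58', 'wildcard' => '1']));
// [sql] => postcode LIKE ? ESCAPE '!'   [param] => %58%
print_r(postcodeFilter(['postcode' => '58']));
// [sql] => postcode = ?                 [param] => 58
```

With the second form, `$stmt->execute([$filter['param']])` on a prepared statement is all the query code needs; a user typing `%` or `_` in the box gets a literal match instead of an unintended wildcard.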

Value disappears on live site after editing DB value

I have an issue with a Wordpress premium theme and MySQL database. The value in the database box looks like this:
a:1{i:0;a:4{s:4:"name";s:9:"Trailer";s:6:"select";s:6:"iframe";s:6:"idioma";s:2:"en";s:3:"url";s:82:"https://youtube.com/sample.mp4
";}}
When I edit the YouTube link value to something else, the entire data in this box disappears on the live Wordpress page, although it is visible in the database even after refresh. I have no idea why this happens and how I can keep it from happening.
EDIT:
After I tried editing other values like post_title etc. it just won't update the values at all on the live WP page. Why I'm doing this is because I need to add and edit mass amounts of data easily with scripts.
The string you are displaying is coming from PHP serialize. This is a way for PHP to stringify any value for later usage.
If you want to mass modify those values, your best bet is to create a PHP script that fetches the data, unserializes it, makes the changes directly to the PHP variable it created, and serializes it again to put back into the database.
If you want to play with the string directly, you will need to make sure you are careful.
The main reason why changing the URL of the youtube video doesn't work is because you might not be changing the string declaration too.
s:82:"https://youtube.com/sample.mp4";
This is invalid. It is split into 3 parts, using :. Type:Length:Value. So it is a string of length 82, yet you provide a 30 character string.
If you turn on NOTICE in PHP you will certainly see the errors about it.
EDIT:
After tinkering a bit on PHPFiddle.org I came up with a clean string from the one you gave, which has numerous flaws...
a:1:{i:0;a:4:{s:4:"name";s:7:"Trailer";s:6:"select";s:6:"iframe";s:6:"idioma";s:2:"en";s:3:"url";s:30:"https://youtube.com/sample.mp4";}}
Note that I changed the Length values in 2 parts, and added 2 colons (:).
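As an added example (not the answerer's PHPFiddle code), here is the script approach from the answer applied to the strings in this thread: the broken string cannot be read back at all, and the URL is changed by editing the PHP value so that serialize() recomputes the lengths. The replacement URL is a constructed placeholder.

```php
<?php
// The value as posted in the question (missing colons, wrong string lengths)
// and the repaired version from the answer.
$broken = 'a:1{i:0;a:4{s:4:"name";s:9:"Trailer";s:6:"select";s:6:"iframe";'
        . 's:6:"idioma";s:2:"en";s:3:"url";s:82:"https://youtube.com/sample.mp4";}}';
$fixed  = 'a:1:{i:0;a:4:{s:4:"name";s:7:"Trailer";s:6:"select";s:6:"iframe";'
        . 's:6:"idioma";s:2:"en";s:3:"url";s:30:"https://youtube.com/sample.mp4";}}';

// Declared lengths that do not match the data make the whole value unreadable:
// unserialize() returns false (and raises an E_NOTICE, silenced here), which is
// why the theme renders nothing even though the row is still in the table.
var_dump(@unserialize($broken));   // bool(false)

// Change the URL through the PHP array, never by editing the text by hand.
function replaceTrailerUrl(string $serialized, string $newUrl): string
{
    // allowed_classes => false: only arrays/scalars may come back, so a
    // tampered value cannot instantiate arbitrary objects on unserialize.
    $data = unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data[0]['url'])) {
        throw new RuntimeException('stored value is not valid serialized data');
    }
    $data[0]['url'] = $newUrl;
    return serialize($data);   // lengths are recomputed from the real strings
}

echo replaceTrailerUrl($fixed, 'https://youtube.com/other.mp4'), "\n";
// a:1:{i:0;a:4:{s:4:"name";s:7:"Trailer";...;s:3:"url";s:29:"https://youtube.com/other.mp4";}}
```

The same function wrapped in a loop over `SELECT meta_id, meta_value ...` plus an `UPDATE` is the mass-edit script the answer suggests.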

Submitting data via POST to sql and then printing that

I am trying to make a basic forum/board where anyone can simply post a message via a submit form. So far I've been able to send the text they've entered via POST and put it into a MySQL table. I am wondering how I then can go and print on the webpage what was just submitted?
Well if it's on the same page / script as the MySQL insertion, then you can take it from POST; however, I suggest using htmlspecialchars() to neutralise any HTML that people could embed into their data.
If it's not on the same page, as it won't always be, then use MySQL to retrieve the data with a SELECT query - See here for help: W3Schools - SELECT - and, again, use htmlspecialchars() on it and display it in your desired format.
This is a very vague question for StackOverflow, so I can't really give you much more information unless you give me something that you've already tried, something I can correct / alter.

Form add new line on enter, set up for sql

There are a lot of little pieces of information on this subject, and maybe I'm just not looking in the right spot. But I'd like to put it all together in one place. Start to finish.
I'm trying to make a form pretty much like the one I'm using right now on Stack Overflow. There is a textarea; when someone hits enter, it does not submit the form, but adds a new line. But it doesn't display \n or <br /> in the actual text box.
Then the text with all structural integrity needs to be entered into a database and retrieved to an xhtml page.
I've heard of using JavaScript. I've heard of the nl2br function. They all seem to be pieces to the puzzle, but I can't find the big picture.
Does anyone have a sample script of start to finish how they would accomplish this?
Thank you very much for your help! I hope others can use this too who are having difficulty.
You need to create a regular <textarea>, and save its raw text to the database. (making sure to use parameters to prevent SQL injection)
Then, when you want to display the text, use <pre> or nl2br() to ensure that the newlines are displayed by the browser.
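Here is the start-to-finish flow as an added example; it is not code from either thread and it also covers the "submit via POST, then print it" question above. The `messages` table and the `$pdo` connection are assumptions; `saveMessage()` is defined but not called, so the rest runs without a database.

```php
<?php
// 1. The form: a plain <textarea>. Enter inserts a newline and does not
//    submit; the browser sends the text with CRLF line endings.
$form = '<form method="post"><textarea name="body"></textarea><button>Post</button></form>';

// 2. Saving: store the text exactly as typed. The bound parameter keeps the
//    SQL and the data separate (no injection); nothing is HTML-encoded here.
function saveMessage(PDO $pdo, string $rawText): void
{
    $stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (?)');
    $stmt->execute([$rawText]);
}

// 3. Displaying: encode first, then convert newlines. The order matters;
//    nl2br() before htmlspecialchars() would encode its own <br /> tags.
function renderMessage(string $rawText): string
{
    $safe = htmlspecialchars($rawText, ENT_QUOTES, 'UTF-8');
    return '<p>' . nl2br($safe) . '</p>';
}

// 4. Refilling the textarea for editing: encode only, keep the newlines;
//    the browser shows them as line breaks and submits them back unchanged.
function renderEditBox(string $rawText): string
{
    return '<textarea name="body">' . htmlspecialchars($rawText, ENT_QUOTES, 'UTF-8') . '</textarea>';
}

// Constructed sample of a submitted body, including a tag the poster typed.
$posted = "first line\r\n<script>alert(1)</script>\r\nlast line";

echo renderMessage($posted), "\n";
// <p>first line<br />
// &lt;script&gt;alert(1)&lt;/script&gt;<br />
// last line</p>
echo renderEditBox($posted), "\n";
```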

htmlentities with ajax editable textarea

Here is an example of the workflow a user can have on my website :
Create a task, with content: I use htmlentities to encode the content and store it in my database (yes, I've decided to store the encoded content);
The user comes back later and clicks to view the task. The thing is, the preview of the content is done in a disabled textarea.
I tried to use htmlentities_decode when printing the content in the textarea (XSS problem if the user entered bad things);
I just print the encoded text and everything is fine.
The user clicks on EDIT, this will make the textarea editable
The user clicks on SAVE.
Here is my main issue, as I didn't decode the text before I printed it, it is still encoded and when the user saves it, it is re-encoded. So, the previous content is double encoded.
So, if the first time the user enters something like:
blablabla </textarea/> yeah!
Then, it's encoded and the result is:
blablabla </textarea/> yeah!
Then, when I display it, it displays as the user previously entered it but if he saves it, the result is:
blablabla &lt;/textarea/&gt; yeah!
And, so, if he displays it again, it is not well displayed (and it also takes more and more space in my database as the user keeps editing his task).
Well, I am sure this is a problem a lot of people have experienced but I can't find any good solution.
By the way, I am using htmlentities with ENT_QUOTES.
ahah, here is my main issue, as I didn't decode the text before I
printed it, it is still encoded and when the user saves it, it is
re-encoded. So, the previous content is double-encoded.
This is actually correct, you shouldn't decode the text before you print it. In fact, it must be HTML encoded when output in the HTML page. It is not still encoded when the user submits it because the browser will have already interpreted the HTML entities.
Unless... you are creating a TEXT_NODE in the DOM and assigning the encoded data to this (in the textarea)? In which case the browser will not interpret the HTML entities and you will end up resubmitting already encoded data. Assign to the innerHTML property instead, if this is the case. However, the HTML entities would be clearly visible in the form to the end user (on the first edit), before the data is submitted, which does not appear to be the case?
Hum,
I fixed my problem.
I didn't notice, but for the first entry I was using htmlentities() and when editing I was using the Zend escape() function.
Using only htmlentities() fixed the problem. I don't know how the escape() function of ZF works, but I won't use it in the future :p
Thank you for the answers :)
Anyway, so, I am wondering, the htmlentities_decode() function, in which situation should it be used? As I htmlentities() when I get the form and print it like that, I never use the htmlentities_decode(). Is that normal? So I am wondering what is this function used for?
Thanks again!
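As an added example (not from anyone in this thread), the full edit cycle with the string from the question: what the browser hands back from the textarea, why a second save keeps the stored value stable, and how re-encoding the stored value (rather than the submitted one) produces the double-encoded form. The simulated browser step is where html_entity_decode() fits in.

```php
<?php
$userInput = 'blablabla </textarea/> yeah!';

// First save: encode once, with ENT_QUOTES as the asker does, and store it.
$stored = htmlentities($userInput, ENT_QUOTES, 'UTF-8');
echo $stored, "\n";   // blablabla &lt;/textarea/&gt; yeah!

// View/edit page: $stored is printed inside <textarea>...</textarea>. The
// browser decodes entities in that content, so the user sees the original
// text and, on SAVE, submits the original text. html_entity_decode() is the
// server-side equivalent of that browser step, which is why it is not needed
// when the output goes straight to a browser.
$submitted = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
echo $submitted, "\n";   // blablabla </textarea/> yeah!

// Second save, done right: encoding the submitted text gives the same value,
// so the row does not grow with every edit.
var_dump(htmlentities($submitted, ENT_QUOTES, 'UTF-8') === $stored);   // bool(true)

// The bug reproduced: a code path that encodes the already-encoded $stored
// (for example a second escaping helper applied on output) produces this.
echo htmlentities($stored, ENT_QUOTES, 'UTF-8'), "\n";
// blablabla &amp;lt;/textarea/&amp;gt; yeah!

// Where the same string may reach htmlentities() twice, double_encode=false
// tells it to leave existing entities alone instead of re-encoding the "&".
echo htmlentities($stored, ENT_QUOTES, 'UTF-8', false), "\n";
// blablabla &lt;/textarea/&gt; yeah!
```

The only place html_entity_decode() is genuinely needed with this storage scheme is when the stored text must leave the HTML world again, for instance into a plain-text e-mail or a JSON API, where no browser will decode the entities.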
