I am hoping that there is someone that can help me with this question. I am a ASP programmer and not sure how this works in PHP
echo '</textarea>
<input type="hidden" name="g_word" id="g_word" value="$_POST[g_word]" />
<input type="hidden" name="article_no" id="article_no" value="$_POST[article_no]" />
</form>';
How do I use the $_POST[article_no] in the example above? In asp I would have used it like this "+Request.Form("article_no")+". How would I do it in PHP?
Thanks
if you use the solution posted above, please add some basic protection against xss injection - for example htmlentities($_POST['article_no'])
echo '</textarea><input type="hidden"
name="g_word" id="g_word"
value="'.$_POST[g_word].'" /> <input
type="hidden" name="article_no"
id="article_no"
value="'.$_POST[article_no].'" /></form>';
Close the single quote, and use a dot to concatonate
$value = "cool";
echo 'My String is ' . $value . '!!!!!';
In this case, the dot is the same as the plus concatenation operator.
echo '</textarea><input type="hidden"
name="g_word" id="g_word"
value="'.$_POST['g_word'].'" /> <input
type="hidden" name="article_no"
id="article_no"
value="'.$_POST['article_no'].'" /></form>';
You have to put article_no between '-s.
I think I've understood your question; feel free to let me know if not.
In PHP (and many other languages), the number of quotes around a string determines how the string is parsed. If single quotes are used, then nothing in the string is parsed (except for another single quote — it will need to be escaped with a backslash if you intend it to be a part of the string rather than the closequote). If double-quotes are used, more things are parsed, but you accordingly have to do more escaping.
There are a variety of ways of dealing with inserting variables in strings.
Using double quotes:
echo "</textarea><input type=\"hidden\"
name=\"g_word\" id=\"g_word\"
value=\"$_POST['g_word']\" /> <input
type=\"hidden\" name=\"article_no\"
id=\"article_no\"
value=\"$_POST['article_no']\" /></form>';
Using single quotes:
echo '</textarea><input type="hidden"
name="g_word" id="g_word"
value="' . $_POST['g_word'] . '" /> <input
type="hidden" name="article_no"
id="article_no"
value="' . $_POST['article_no'] . " /></form>';
Or, in my opinion the most elegant way, using (s)printf to return a formatted string:
printf('</textarea><input type="hidden"
name="g_word" id="g_word"
value="%s" /> <input
type="hidden" name="article_no"
id="article_no"
value="%d" /></form>', $_POST['g_word'], $_POST['article_no']);
Variables aren't interpreted inside of single quotes. However, they are inside double quoted strings, or heredoc. Personally, I'd switch out of PHP mode entirely, like so:
<?php
//...
?>
</textarea><input type="hidden"
name="g_word" id="g_word"
value="<?php echo htmlentities($_POST['g_word']); ?>" /> <input
type="hidden" name="article_no"
id="article_no"
value="<?php echo htmlentities($_POST['article_no']); ?>" /></form>
<?php
//...
This is even more readable if you do some formatting and use short tags -- although, it requires a non-default configuration option, and there are other disadvantages, primarily if you have XML docs parsed by the PHP interpereter, or your app is going to be installed on servers you don't control.
That'd look like this:
<form>
<textarea>
<?
//...
?>
</textarea>
<input type="hidden" name="g_word" id="g_word" value="<?= htmlentities($_POST['g_word']); ?>" />
<input type="hidden" name="article_no" id="article_no value="<?= htmlentities($_POST['article_no']); ?>"/>
</form>
<?
//...
Related
I am using a php variable in html. $userProfile['institute'] is displaying correct value whenever $userProfile['institute'] is non-empty. When $userProfile['institute'] is empty , it display '/'. What may be the issue here ?
Institute: <input type="text" name="institute" value=<?php echo $userProfile['institute']?> /><br />
You are missing a set of quotes for your value attribute
value="<?php echo $userProfile['institute']?>"
You should add double quotes around it like this (like you have wrapped value of type and institute attributes )
Institute: <input type="text" name="institute" value=" <?php echo $userProfile['institute']?>" /><br />
I have something like this (code simplified):
<?php
$var = 'Read "The Book"';
?>
<input type="text" value="<?php echo $var; ?>" />
The problem is that in the input looks like if it prints read and when you look at the source code you see it has <input type="text" value="Read "The Book"" /> and it doesn't work.
I can't simply replace value="<?php echo $var; ?>" for value='<?php echo $var; ?>' because $var could has any value and if I do it that way and its value is D'Artagnan it is going to try to print <input type="text" value='D'Artagnan' />.
=(
Any suggestion?
You should sanitize all your output by escaping characters with special meaning into their respective HTML entities. You can do that in the html context with htmlspecialchars.
<input type="text" value="<?php echo htmlspecialchars($var); ?>" />
So, with that, you can avoid XSS attack.
I need to use a php variable to echo the id into an input field:
<input type="text" id={{ strtolower($val) . "Field" }}/>
But with the code above the output is
<input type="text" id=waterField/>
I want the output to wrapped in double quotes like:
<input type="text" id="waterField" />
I am using laravel but am totally willing to accomplish it without.
Is there a simple way to accomplish this? Thank you.
That is pure php, considering you have short tags enabled.
<input type="text" id="<? echo strtolower($val) ?>Field" />
use
echo '<input type="text" id="'.strtolower(htmlspecialchars($val)). 'Field"/>';
OR idle way to use html and php is
<input type="text" id="<?php echo strtolower(htmlspecialchars($val)); ?>Field"/>
If $val can have quotes in it, then need to clear them by using htmlspecialchars.
Why not just:
<input type="text" id="{{ strtolower($val) }}Field"/>
You can simply add the double quotes into your html text. Escape the double quotes like this \" so php won't parse them and you're fine.
Data or value in $description from database is
<div>Henry</div>
My HTML Code
<input type="textbox" id="textbox" value=""/>
<input type="hidden" id="hidden" value="<?php echo $description; ?>"/>
Output :
If the code be
<input type="hidden" id="hidden" value='<?php echo $description; ?>'/>
Its working fine !..Any one please tell me the issue ?
You are trying to have HTML code inside the value of a hidden input in a form? That doesn't sound right.
If you need to keep it as it is, you should at least use htmlentities to make it a string:
<input type="hidden" id="hidden" value="<?php echo htmlentities($description); ?>"/>
An example:
<?php
$str = "A 'quote' is <b>bold</b>";
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str);
// Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str, ENT_QUOTES);
?>
Your code becomes like this...
<input type="hidden" id="hidden" value = "<div><a href="www.google.com" > Henry </a></div> "/>
You can divide this as...
<input type="hidden" id="hidden" value = "<div><a href="www.google.com" >
Henry
</a></div>
"/>
That's how you get Henry"/>
Here comes 2 issues,
First of all use htmlentities to convert all applicable characters to HTML entities.
htmlentities($description);
And Its fair to use Single quote instead of double quotes. Ref link
By default, SGML requires that all attribute values be delimited using either double quotation marks (ASCII decimal 34) or single quotation marks (ASCII decimal 39). Single quote marks can be included within the attribute value when the value is delimited by double quote marks, and vice versa
look at the different between " and ':
if your code is :
$description = <div>Henry</div>
and
<input type="hidden" id="hidden" value="<?php echo $description; ?>"/>
so it's actually means
<input type="hidden" id="hidden" value="<div>Henry</div>"/>
and the " that before the url closes the "value", so the value is actually -
value="<div><a href="
so try to use ' instead of " on the url (google) OR in the value (not both).
This is how your browser sees the code:
<input type="textbox" id="textbox" value="<div>Henry</div>
"/>
See how the double-quotes don't make sense?
If you want to keep double-quotes you need to go with htmlentities.
$description = htmlentities($description);
<input type="hidden" id="hidden" value="<?php echo $description; ?>"/>
Also, your link "www.google.com" will point to a page called www.google.com RELATIVE to your directory. Be sure to use ABSOLUTE path: http://www.google.com
A simple replace in here like this
<div><a href='www.google.com'>Henry</a></div>
or like this
<input type="textbox" id="textbox" value=""/>
<input type="hidden" id="hidden" value='<?php echo $description; ?>'/>
but not both should do the trick.
http://php.net/manual/en/function.strip-tags.php
Try this:
div><a href='www.google.com'>Henry</a></div>
<input type="textbox" id="textbox" value=""/>
<input type="hidden" id="hidden" value='<?php echo strip_tags($description); ?>'/>
I want to replace a string such as:
<input type="hidden" name="id" value="12345" />
but the problem I have is that the values value (12345) is different everytime so how can I do what I'm trying to do? ..I'm guessing regex' but havent a clue
preg_replace('/\<input type="hidden" name="id" value="[0-9]+" \/\>/is', '', $source)