When doing this job in PHP,one may meet this kind of issue:
<span title="<?php echo $variable;?>">...
The problem is that if $variable contains double quotes,should change it to \"
And that's not the whole story yet:
<span title='<?php echo $variable;?>'>...
In this case,we need to change single quotes to \',but leave double quotes as is.
So how can we do it in a general property manner?
You always want to HTML-encode things inside HTML attributes, which you can do with htmlspecialchars:
<span title="<?php echo htmlspecialchars($variable); ?>">
You probably want to set the second parameter ($quote_style) to ENT_QUOTES.
The only potential risk is that $variable may already be encoded, so you may want to set the last parameter ($double_encode) to false.
Well, before you output any text into HTML you should escape it using htmlspecialchars(). So just make sure (double) quote is correctly changed.
Pay attention to the second parameter of that function.
To address your edit [Edit: that you have removed meanwhile]: When you place dynamically JavaScript onto your site, you should before know quite well, what it would look like. Else you open the door widely for XSS attacks. That doesn't mean you have to know every quotation mark, but you should know enough to decide how to embed it at the line where you finally output it in the HTML file.
Beyond that,
<a onclick="func('l')">
works exactly like
<a onclick="func('l')">
The Bat tool has a StringTool::htmlAttributes ( $arrayOfAttributes ) method that does the job too.
https://github.com/lingtalfi/Bat/blob/master/StringTool.php
Related
So I am trying to link using data I got from a function but it keeps giving me a blank value for ID. Here's my code for what I'm trying to print
<h3 style="text-align: center;">Seller: <?php $sellername =
getNameFromListingID(); $id = getIDByUsername($sellername); echo "".$sellername."";?></h3>
The functions work properly, I have tried printing both of them and it works. They're in a file called getinfo.php, which I have
Include 'getinfo.php';
At the top of my document.
The link with the name works but I always get seller.php?id=, with no value after. Any clue as to why?
You're ending the href attribute too early.
<a href=\"seller.php?id=".$id."\">
This will put the $id inside the href attribute, where it belongs.
Use single quotes in PHP, it's a good practice to get into, and it's also slightly (a teeny tiny bit) faster for PHP to process. Why? Because, when you use double quotes, you're telling PHP that your string contains variables that may need to be evaluated.
So in truth, you don't even need the quotes around variables here.
echo "$sellername";
But doing it like this would be following a best practice.
And now you don't need to escape \" double quotes that HTML uses.
echo ''.$sellername.'';
Caution: It's also a very good idea to escape special characters in anything you're outputting into HTML markup. That avoids the potential for an XSS vulnerability. See: htmlspecialchars()
echo ''.htmlspecialchars($sellername).'';
When doing this job in PHP,one may meet this kind of issue:
<span title="<?php echo $variable;?>">...
The problem is that if $variable contains double quotes,should change it to \"
And that's not the whole story yet:
<span title='<?php echo $variable;?>'>...
In this case,we need to change single quotes to \',but leave double quotes as is.
So how can we do it in a general property manner?
You always want to HTML-encode things inside HTML attributes, which you can do with htmlspecialchars:
<span title="<?php echo htmlspecialchars($variable); ?>">
You probably want to set the second parameter ($quote_style) to ENT_QUOTES.
The only potential risk is that $variable may already be encoded, so you may want to set the last parameter ($double_encode) to false.
Well, before you output any text into HTML you should escape it using htmlspecialchars(). So just make sure (double) quote is correctly changed.
Pay attention to the second parameter of that function.
To address your edit [Edit: that you have removed meanwhile]: When you place dynamically JavaScript onto your site, you should before know quite well, what it would look like. Else you open the door widely for XSS attacks. That doesn't mean you have to know every quotation mark, but you should know enough to decide how to embed it at the line where you finally output it in the HTML file.
Beyond that,
<a onclick="func('l')">
works exactly like
<a onclick="func('l')">
The Bat tool has a StringTool::htmlAttributes ( $arrayOfAttributes ) method that does the job too.
https://github.com/lingtalfi/Bat/blob/master/StringTool.php
Inside "the loop" echo get_permalink() or the_permalink() work fine and produce something like http://www.example.com/path-to-post, until I put these calls inside of quotes in the HTML like so.
<p>
This is normal HTML!
"<?php the_permalink()?>"
</p>
At which point it magically becomes a site relative url, like just "/path-to-post".
I just figured out that I can avoid this problem by putting a space between the quote mark and the php, which works fine for links and stuff, but what's going on here? Since when is PHP able to read the content outside of php blocks and react to it? And why would this happen anyway?
Q: Since when is PHP able to read the content outside of php blocks and react to it?
A: For a very long time (think PHP 4) it's been able to capture the outputted text into a buffer and then read that buffer like a string. See ob_start(). Technically a function could just check if the last character on the buffer is a " and behave differently in that situation.
Q: Why would this happen anyway?
A: Are you sure this is happening with the the_permalink() function? There could be a plugin which is attempting to make sure that absolute urls don't get used in <a href="<?php the_permalink() ?>"> context. Which plugins do you have installed? Maybe that's even default behaviour and I'm just not seeing it on my quick scan of the_permalink() in wp-includes/link-template.php.
You could try a few other ways to get around it. The first thing I would try is using " instead of a literal ".
Well, I'm a fool. There was a plugin, called "Absolute Relative Links" no less, which was reformatting the page. Still, strange the way it operates. It seems to look for a quotation mark immediately followed by anything resembling a URL and reformats it. But even a single space is enough to stop it. And I didn't realize PHP could read stuff on the page outside of itself. Lesson learned.
Just noticed that when using single quotes to echo a basic link in php, the url repeats itself.
<?php
echo 'Link URL - Single Quotes<br />';
?>
The above code outputs the link as:
http://example.com/"http://example.com/"
Can anyone shed some light on the reason for this?
You shouldn't \-escape your " when you're using ' to surround the string as a whole. This couldn't create that output itself, but it might confuse a parser somewhere down the line, producing the problem. Try this instead:
echo 'Example.com<br />';
Use PHP to output dynamic data and leave the HTML out of it. This will save you hours of quotation frustration
?>
Example.com<br />
<?php
// carry on with the PHP
echo 'Example.com<br />';
outputs
Example.com<br />
The backslashes are included in the final output and most likely trip up the HTML parser.
You're escaping the double quotes. It isn't necessary when using single quotes and vice-versa.
<?php
echo 'Example.com<br />';
?>
The above code outputs the link as:
http://example.com/"http://example.com/"
No, it doesn't produce that output.
This is what you see in the browser when you put the cursor over the link and when you click on the link. It's part of the browser's job to resolve the relative and incomplete links, but what it shows to the user is, most of the times, not what it is written in the HTML code.
Use the browser's "View Source" functionality to see the HTML generated by your code.
The (invalid) HTML produced by your code is:
Link URL - Single Quotes<br />
The browser interprets \"http://example.com\" as the value of the href attribute. The HTTML attribute values can be either enclosed in quotes (") or apostrophes (') or unquoted at all and the quoting character must be the first non-space character after the equal sign (=). Because it finds a backslash (\) after the equal sign, it concludes the attribute value is not quoted and read everything until the first whitespace or until the tag ends (>) as the attribute's value.
The value \"http://example.com\" is not a valid URL and the browser handles it as an incomplete URL. An incomplete URL needs to be resolved to a complete URL in order to be used. It doesn't look like a relative URL (doesn't start with ..), it doesn't look like an absolute path without a host name either (doesn't start with /). The only way to resolve it is to treat it as a file name located in the same directory as the page that is currently loaded. Chances are that your offending code runs in a page located in the root of your website (http://example.com/index.php, for example).
I won't provide a fix for your problem here. The question already have plenty of answers that provide you various ways to avoid this happen.
However, take a look at the strings documentation page in the PHP manual. All you need to know is explained there.
Just wondering, what is the correct way to add HTML <strong> tags or anything else for that matter to this?
echo $row->title
I did this
echo '<strong>'.$row->title.'</strong>';
The way you are doing it is perfectly fine. However, don't forget that you might need to escape html characters unless HTML should be allowed (which is unlikely in a "title").
echo '<strong>'.htmlspecialchars($row->title).'</strong>';
This would escape <> and some other special characters.
There is no wrong or correct way to do it. Do it like it is best readable for you (and this is a subjective question). But try to develop a standard and don't do it in a different way everytime.
you can also do this
echo "<strong>{$row->title}</strong>";