double quotes makes text disappear, why? - php

Whenever the text's value has double quotes, everything behind and including the double quotes disappears.
Ex: Nice bmw m3 with 19" wheels BECOMES Nice bmw m3 with 19 (the part after the double quotes is skipped).
Is there any way around this?
About the code below: this is for a form on a PHP page, so when the form is submitted to itself the value of the input remains unchanged and the user doesn't have to fill in everything again whenever the form is submitted to self.
<input style="width:300px;" type="text" name="annonsera_headline" id="annonsera_headline" value="<?php echo @$_POST['annonsera_headline'];?>">
Thanks

Because " ends the value of the HTML attribute.
Use htmlentities or htmlspecialchars:
value="<?php echo htmlentities(@$_POST['annonsera_headline']);?>">
It is not advisable to write values from $_POST or $_GET without using at least one of the above functions, as otherwise it allows people to construct a URL that alters the HTML on your page.
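An added example illustrating the answer above (it is not code from the original post): the same input rendered raw and rendered through htmlspecialchars(), using constructed stand-ins for $_POST so the script runs from the command line. The helper names (attr, renderUnsafe, renderSafe, postedHeadline) and the sample inputs, including the attribute-breakout string, are mine.

```php
<?php
// Added example (not from the original post). Shows why an unescaped $_POST value
// breaks a double-quoted HTML attribute and how htmlspecialchars() fixes it.
// $_POST is simulated with a constructed array so the script runs from the CLI.

declare(strict_types=1);

/** Constructed sample submissions standing in for $_POST['annonsera_headline']. */
const SAMPLE_HEADLINES = [
    'Nice bmw m3 with 19" wheels',
    // Constructed attacker input: closes the attribute and adds an event handler.
    'x" autofocus onfocus="alert(document.cookie)',
];

/** Vulnerable: raw interpolation into a double-quoted attribute. */
function renderUnsafe(string $headline): string
{
    return '<input type="text" name="annonsera_headline" value="' . $headline . '">';
}

/**
 * Safe: encode for the HTML attribute context. ENT_QUOTES also encodes the single
 * quote, so the same helper is safe inside value='...'; the explicit charset avoids
 * mis-decoding on older PHP versions whose default was ISO-8859-1.
 */
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(string $headline): string
{
    return '<input type="text" name="annonsera_headline" value="' . attr($headline) . '">';
}

/** Reads the submitted value without the @-suppression used in the original snippet. */
function postedHeadline(array $post): string
{
    return isset($post['annonsera_headline']) && is_string($post['annonsera_headline'])
        ? $post['annonsera_headline']
        : '';
}

foreach (SAMPLE_HEADLINES as $headline) {
    $post = ['annonsera_headline' => $headline];   // stands in for $_POST
    echo 'unsafe: ', renderUnsafe(postedHeadline($post)), PHP_EOL;
    echo 'safe:   ', renderSafe(postedHeadline($post)), PHP_EOL, PHP_EOL;
}
```

In the unsafe output the first " in the data closes the attribute, so the browser sees the rest as new attributes (for the second sample, an onfocus handler). In the safe output every " is emitted as &quot; and the browser decodes it back when it fills the field and when it submits the form, so the value survives the round trip unchanged.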

You forgot to sanitize the value with htmlentities().

... value="<?= htmlentities($_POST['annonsera_headline']) ?>"

Related

PHP to output single and double quotes as a value for an input element

I have a value ($title) that is stored in MySQL and is being called, using PHP, to be inserted into the value of an input element. The problem is when a single or double quote is used, the value of the input field terminates at that point.
The behavior that should occur is the input field should be populated EXACTLY with the data in the $title variable, so that when the form is updated, the quotes remain intact.
Here is the PHP:
<?php
echo '<input type=text size=91 name=title value="'.stripslashes($title).'">';
?>
Now, here is a typical problem: if the value of $title
this is a test " of what occurs with a quote
and I echo the variable, it echos correctly to
this is a test " of what occurs with a quote
However, when used in an input field, it renders as:
<input value="this is a test " of what occurs with a quote">
The first " terminates the value of the field, causing the new value to be:
this is a test
I'm confused as to how to get the proper value to display and be submitted with the form, when that variable is displayed and updated.
Try using htmlspecialchars. This will escape the " in your title.
value="'.htmlspecialchars($title).'">
Put a \ before the quote.
echo "This is a \" test";
Change this line.
<input type=text size=91 name=title value="'.stripslashes($title).'">
To
<input type=text size=91 name=title value=\''.stripslashes($title).'\'>
Why are you running stripslashes()? Running addslashes() (the opposite function) would fix this particular issue, but a better approach would be to use htmlentities($title, ENT_COMPAT, 'utf-8') everywhere you output the title (or, if your structure allows, when the data is stored).
After you perform stripslashes you should use htmlspecialchars to escape the special characters. This avoids the mess the characters like ",', etc might otherwise create.
<input type=text size=91 name=title value="'.htmlspecialchars(stripslashes($title)).'">
The above snippet will only fix it for display purpose. But when the submit happens you must use either mysql_real_escape_string() or $pdo->quote() to escape the special characters before you run the SQL query.
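As an added example for this thread (not the code of any answer above), here is the title making the full round trip the question asks about: stored, read back, rendered into the input, resubmitted by the browser, and stored again, without losing either kind of quote. It uses an in-memory SQLite database through PDO, so it assumes the pdo_sqlite extension is available; parameter binding is used for storage in place of manual escaping, and the helper names (h, saveTitle, loadTitle, renderTitleInput, browserResubmit, roundTripPreserves) and the sample title are mine.

```php
<?php
// Added example (not from the original answers): store, render, resubmit and
// re-store a title containing quotes. Assumes the pdo_sqlite extension.

declare(strict_types=1);

/** Escape for an HTML attribute or text node: " ' < > & all become entities. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Store the raw title. Bound parameters keep SQL and data apart; no addslashes(). */
function saveTitle(PDO $db, int $id, string $title): void
{
    $stmt = $db->prepare('INSERT OR REPLACE INTO posts (id, title) VALUES (:id, :title)');
    $stmt->execute([':id' => $id, ':title' => $title]);
}

function loadTitle(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? '' : (string) $title;
}

/** Render the edit field. The raw title is escaped exactly once, at output time. */
function renderTitleInput(string $title): string
{
    return '<input type="text" size="91" name="title" value="' . h($title) . '">';
}

/**
 * Simulates what a browser submits when the user presses "update" without editing:
 * it reads the attribute and decodes the entities back to the original characters.
 */
function browserResubmit(string $inputHtml): string
{
    if (!preg_match('/value="([^"]*)"/', $inputHtml, $m)) {
        return '';
    }
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Full cycle: save, render, resubmit, save again, compare with the original. */
function roundTripPreserves(PDO $db, string $original): bool
{
    saveTitle($db, 1, $original);
    $html = renderTitleInput(loadTitle($db, 1));
    echo $html, PHP_EOL;
    saveTitle($db, 1, browserResubmit($html));   // second save, as after an edit
    return loadTitle($db, 1) === $original;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Constructed sample title with both quote styles and an ampersand.
$original = 'this is a test " of what occurs with a \'quote\' & more';
var_dump(roundTripPreserves($db, $original));
```

The point of the two separate mechanisms is that each context gets its own encoding: the database never sees HTML entities, and the HTML never sees SQL escaping. If a stripslashes() call is needed to make stored data readable, the data was escaped on the way in (magic quotes or a stray addslashes()), and that is the thing to remove rather than to compensate for at output.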

stripslash acting weird or is that normal?

I have a database var that contains
5/8\" Cabinet Grade Plywood
the \ being added by either WP or SQL to escape the ".
When retrieving this var I use stripslashes() both in the value of the field used to edit that table (so that the next time someone wants to edit that field he/she will see what's in that input already) and on the actual website where it is supposed to appear.
The weird thing is ..
in the field it cuts from 5/8\" Cabinet Grade Plywood to just 5/8
and on the website where it is supposed to appear it shows normally, without slashes or anything unusual.
this is how I stripslash the field:
$somevar = '<input value="'.stripslashes($currentselected['something']).'" class="niceclass" name="something" type="text" />';
and this is how I use it when it appears on page:
<td><span style="font-size: larger;"><?php echo stripslashes($goods['verygood']); ?></span></td>
it simply collides with HTML markup
<input value="'.stripslashes($currentselected['something']).'"/>
will result in
<input value="5/8" Cabinet Grade Plywood" />
take a look at those ", it's broken right there, you need to escape those "
to fix this use urlencode function in php
<input value="'.urlencode(stripslashes($currentselected['something'])).'"/>
or htmlspecialchars function, it should replace quotes with
&quot;
You could use some htmlspecialchars on the output. The " has special meaning in HTML, and in this case would actually be seen as the closing of the value attribute of the input. Thus, you should escape it (htmlspecialchars will translate " to &quot;).

Echo new lines and unescaped values in textarea during Post Redirect Get routine

Trying to keep new lines and unescaped values intact in a textarea being repopulated with data during a PRG cycle. At what point do you assign the variable correctly so that new lines are recognized?
I've tried double quotes, nl2br, htmlentities, stripslashes, but I can't seem to get it. Some attempts:
Assigning during the initial prg $_SESSION array:
$_SESSION['prg']['textarea'] = "$textarea";
When passing from prg array to var:
$textarea = htmlentities($_SESSION['prg']['textarea']);
When echoing into the textarea:
<textarea name="textarea"><?php if(isset($textarea)) echo nl2br($textarea); ?></textarea>
And various combinations of the above, including the initial $_POST, directly after sanitizing.
Also, in case anyone asks: the escaping works as intended, db insert results are fine. It's just the form repopulating that's throwing things off.
I'm sure this is just a symptom of amateur hour... Looking for php/html solution only. Thanks in advance.
I don't think you want to be calling nl2br when you populate the text area if you want to keep the newlines showing up properly in the textarea. The htmlentities part is good though.
while storing the data use addslashes($_POST['textarea']) and while displaying use stripslashes($textarea)
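An added example for the textarea case (not code from the question or either answer): the POST handler stashes the raw text, the GET handler renders it through htmlspecialchars() once, and a second renderer shows what nl2br() does on top of that. The session is a constructed array and the helper names (h, stashForRedirect, renderTextarea, renderTextareaWithNl2br) are mine.

```php
<?php
// Added example (not from the original thread): repopulating a <textarea> after a
// POST/redirect/GET cycle. The session is simulated with a constructed array.

declare(strict_types=1);

/** Escape for text content and attributes; newlines pass through untouched. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Step 1 (POST handler): stash the raw submitted text before redirecting. */
function stashForRedirect(array &$session, string $submitted): void
{
    $session['prg']['textarea'] = $submitted;   // raw: no addslashes/htmlentities here
}

/** Step 2 (GET handler): render the form from the stashed value, escaping once. */
function renderTextarea(array $session): string
{
    $text = $session['prg']['textarea'] ?? '';
    return '<textarea name="textarea">' . h($text) . '</textarea>';
}

/** What the question tried: nl2br() on top of the escaped text. */
function renderTextareaWithNl2br(array $session): string
{
    $text = $session['prg']['textarea'] ?? '';
    return '<textarea name="textarea">' . nl2br(h($text)) . '</textarea>';
}

// Constructed submission: two lines, a quote, a literal tag and an ampersand.
$session = [];
stashForRedirect($session, "Line one with a \" quote\nLine two <b>not bold</b> & done");

echo renderTextarea($session), PHP_EOL, PHP_EOL;
echo renderTextareaWithNl2br($session), PHP_EOL;
```

A textarea's content is text, not markup, so the newline itself is what the browser needs; the only characters that have to be encoded are the ones htmlspecialchars() handles (notably < and &, which would otherwise start a tag or an entity). The nl2br() variant inserts a literal <br /> that the browser then displays as text inside the box, which is the wrong output the question describes.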

Certain Characters Deleted When Submitted Through POST

I have two issues
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon />
So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &amp;). so as an example, if someone enters Me & you then it will be displayed as Me you.
So I'm asking: How can I fix the above issues, seeming to have to do with special characters, despite already having them escaped (and I even tried applying the escape function again)? If there is any sample code I should supply, please let me know, but I've explained what I am doing to each input.
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon /> So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
This has nothing to do with submitting the data. You are trying to use ' in an attribute value that is delimited with ' characters.
Use htmlspecialchars($data, ENT_QUOTES)
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &amp;). so as an example, if someone enters Me & you then it will be displayed as Me you.
In data encoded as application/x-www-form-urlencoded & means "Start of new key=value pair" and + means "A space". You need to urlencode($data).
First, it helps to properly contain HTML attributes, like so:
<input type="text" value="Hello there I'm Jon" />
I'm using double quotes, notice the trailing quote on the value, which your original didn't have. If you then wrap the value in htmlentities() you'll be able to properly display/save " or any other value in your form.
While double quotes aren't strictly necessary in HTML5 (' will work just fine in most cases), they are at least encouraged. If you're using some variant of XHTML, they are required.
A lazy but fast way to do things here is use urlencode() on the contents of the fields before they are posted, and the urldecode() on the other side.
It's not the proper way, or the nice way ... but it works if you don't want to write some specific code to handle the cases.
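An added example for this thread (not code from the question or the answers) showing the two encodings the question runs together: the same value placed in an HTML attribute with htmlspecialchars(), and placed in an application/x-www-form-urlencoded query string with http_build_query(). The submitted bodies are constructed inline and decoded with parse_str() to show what the receiving side gets; the helper name h() and the sample value are mine.

```php
<?php
// Added example (not from the original thread): one value, two contexts.
// HTML attribute -> htmlspecialchars(); form body / query string -> http_build_query().

declare(strict_types=1);

function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample containing the three characters the question loses.
$value = "Me & you + I'm John";

// HTML context: both attribute quoting styles survive because ' " & are entities.
echo '<input type="text" name="msg" value="' . h($value) . '">', PHP_EOL;
echo "<input type='text' name='msg' value='" . h($value) . "'>", PHP_EOL;

// Form/URL context, done naively: & starts a new pair and + is decoded as a space,
// so the receiver only gets the text up to the ampersand.
$naive = 'msg=' . $value;
parse_str($naive, $decodedNaive);
echo 'naive query:   ', $naive, PHP_EOL;
echo 'naive decoded: ', var_export($decodedNaive['msg'] ?? null, true), PHP_EOL;

// Form/URL context, done properly: & + ' and the space are percent-encoded.
$proper = http_build_query(['id' => 7, 'msg' => $value]);
parse_str($proper, $decodedProper);
echo 'proper query:   ', $proper, PHP_EOL;
echo 'proper decoded: ', var_export($decodedProper['msg'] === $value, true), PHP_EOL;

// A link carrying the value needs both layers: URL-encode the data first, then
// HTML-encode the whole query string (its & separators become &amp;) for the attribute.
echo '<a href="edit.php?' . h($proper) . '">edit</a>', PHP_EOL;
```

htmlspecialchars() and urlencode()/http_build_query() are not interchangeable: the first protects the HTML parser, the second protects the form-data parser, and a value that travels through both (a query string inside an href) needs both, applied in that order.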

trouble using hidden input value with quotes

I searched the site and didn't find a solution. My problem is that I've got a hidden input that I want to send via the post method that has quotes in it. I've tried using addslashes() and I get the same problem. It looks something like this right now:
<?php $value = 'I\'ve got \"some\" random text with quotes'; ?>
<input name="example" value="<?=$value?>">
And I get most of the the text showing in my form because the quotes aren't being ignored AARGH! ;) So how to I get text with quote into a hidden input?
Thanks in advance!
<?php $value = "I've got \"some\" random text with quotes"; ?>
when you output this will result in the following?
<input name="example" value="I've got \"some\" random text with quotes">
I would convert them so they validate and avoid confusion:
<?php $value = 'I&#39;ve got &quot;some&quot; random text with quotes'; ?>
<input name="example" value="<?=$value?>">
Try to avoid using double quotes with PHP strings, as PHP will search the entire string for a variable to parse, regardless of whether the string contains one. They are slower than single quotes. Not so much anymore these days, but it is still good practice to use single quotes for strings.