FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » Writing double-prime to file?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: Writing double-prime to file? [message #184790 is a reply to message #184789] Sat, 01 February 2014 19:07 Go to previous messageGo to previous message
Christoph Michael Bec is currently offline  Christoph Michael Bec
Messages: 207
Registered: June 2013
Karma:
Senior Member
Adrian Tuddenham wrote:

> Christoph Michael Becker <cmbecker69(at)arcor(dot)de> wrote:
>
>> Adrian Tuddenham wrote:
>>
>>> ~~~~~~~~ Sending code within an HTML page ~~~~~~~
>>>
>>> <!--NOEDIT--><?php
>>>
>>> Print "<P><FONT SIZE=\"+1\" COLOR=\"#CCFFFF\"><B>Sent = \"$Sent\"
>>> </B></FONT><FONT SIZE=\"+1\" COLOR=\"#CCFFFF\"><B>Paid =
>>> \"</B></FONT><FONT SIZE=\"+2\"
>>> COLOR=\"#FF0000\"><B>$Paid</B></FONT><FONT SIZE=\"+1\"
>>> COLOR=\"#CCFFFF\"><B>\" Reminder = \"$Reminder\"</B></FONT>";
>>>
>>> print"<P><FORM
>>> ACTION=\"http://www.poppyrecords.co.uk/php/PayFileGen2.php\"
>>> METHOD=POST><CENTER><INPUT TYPE=hidden NAME=txt VALUE=\"$txt\"><INPUT
>> ^^^^^^^^^^^^^^
>>> TYPE=submit NAME=Submit VALUE=\"O.K.\"></B></FONT></CENTER></FORM>";
>>> print $txt;
>>> ?><!--/NOEDIT-->
>>> ~~~~~ end of sending code ~~~~~~~
>>
>> Consider the code that will be generated for the part "highlighted"
>> above, when there are double-quotes contained in $txt.
>>
>> You should never ever output variables which may contain special
>> characters to your HTML unescaped; use htmlspecialchars()[1].
>>
>> [1] <http://www.php.net/manual/en/function.htmlspecialchars.php>
>
> I did not think I was outputting the variable to HTML, the handler for
> that code is written in PHP (although it does generate some HTML, but
> the problem occurs before that bit).

Consider the following simplified example:

<?php
$txt = "foo\"bar";
print "<input type=hidden name=txt value=\"$txt\">";

Thil os wilutput the following HTML:

<input type=hidden name=txt value="foo"bar>

Obviously, the value of the value attribute is terminated by the second
double-quote, so it is foo. The browser is most likely going to ignore
the bar, because it is an unknown attribute name.

What you want is the following:

<input type=hidden name=txt value="foo&quot;bar">

To have it, you can use the following PHP code:

<?php
$txt = "foo\"bar";
print "<input type=hidden name=txt value=\"" .
htmlspecialchars($txt) . "\">";

However, note that it is necessary to set the correct character encoding
as third parameter of htmlspecialchars() (otherwise it may not work
correctly). The default value depends on the PHP version. If you're
using a current version (i.e. PHP 5.4 or newer), it is UTF-8. If you're
using UTF-8 encoding (what's usually recommendable), you can omit the
parameter. Otherwise you have to use something like:

htmlspecialchars($txt, ENT_COMPAT, 'ISO-8859-1');

Note, that there are caveats regarding the second parameter, too; see
the manual[1].

> Would it make more sense to re-write the program above so that it is a
> PHP program and generates the necessary HTML, rather than being an HTML
> page with PHP code embedded in it?

That doesn't make a difference wrt. to escaping the characters.

[1] <http://php.net/manual/en/function.htmlspecialchars.php>

--
Christoph M. Becker
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Phonegap upload issue with PHP server
Next Topic: RE: Seeeking Windows PHP IDE for USB Stick
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sun Nov 24 20:21:49 GMT 2024

Total time taken to generate the page: 0.04774 seconds