Re: Writing double-prime to file? [message #184789 is a reply to message #184787]
Sat, 01 February 2014 18:00
adrian (Messages: 27, Registered: December 2012)
Christoph Michael Becker <cmbecker69(at)arcor(dot)de> wrote:
> Adrian Tuddenham wrote:
>
>> ~~~~~~~~ Sending code within an HTML page ~~~~~~~
>>
>> <!--NOEDIT--><?php
>>
>> Print "<P><FONT SIZE=\"+1\" COLOR=\"#CCFFFF\"><B>Sent = \"$Sent\"
>> </B></FONT><FONT SIZE=\"+1\" COLOR=\"#CCFFFF\"><B>Paid =
>> \"</B></FONT><FONT SIZE=\"+2\"
>> COLOR=\"#FF0000\"><B>$Paid</B></FONT><FONT SIZE=\"+1\"
>> COLOR=\"#CCFFFF\"><B>\" Reminder = \"$Reminder\"</B></FONT>";
>>
>> print"<P><FORM
>> ACTION=\"http://www.poppyrecords.co.uk/php/PayFileGen2.php\"
>> METHOD=POST><CENTER><INPUT TYPE=hidden NAME=txt VALUE=\"$txt\"><INPUT
> ^^^^^^^^^^^^^^
>> TYPE=submit NAME=Submit VALUE=\"O.K.\"></B></FONT></CENTER></FORM>";
>> print $txt;
>> ?><!--/NOEDIT-->
>> ~~~~~ end of sending code ~~~~~~~
>
> Consider the code that will be generated for the part "highlighted"
> above, when there are double-quotes contained in $txt.
>
> You should never ever output variables which may contain special
> characters to your HTML unescaped; use htmlspecialchars()[1].
>
> [1] <http://www.php.net/manual/en/function.htmlspecialchars.php>
I did not think I was outputting the variable to HTML; the handler for
that code is written in PHP (although it does generate some HTML, but
the problem occurs before that bit).
Would it make more sense to re-write the program above so that it is a
PHP program and generates the necessary HTML, rather than being an HTML
page with PHP code embedded in it?
--
~ Adrian Tuddenham ~
(Remove the ".invalid"s and add ".co.uk" to reply)
www.poppyrecords.co.uk
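The following is an added example for the point Christoph makes about the highlighted line; it is not code from Adrian's post or from Christoph's reply. It emits the hidden field the way the posted code does, parses the result with PHP's DOMDocument as a stand-in for the browser's HTML parser, and reads back the value attribute, which is what PayFileGen2.php would receive in $_POST['txt']. The hardened version uses htmlspecialchars() as Christoph suggests. The sample strings, the hostile tail, and the function names (hiddenFieldUnescaped, hiddenFieldEscaped, submittedValue) are constructed for this example.

```php
<?php
// Added example, not code from the original post or reply.
// Shows what  <INPUT TYPE=hidden NAME=txt VALUE=\"$txt\">  emits when
// $txt contains double quotes, what a browser then submits, and the
// htmlspecialchars() fix. All inputs below are constructed test data.

// Constructed $txt: record text that legitimately contains double quotes
// (the "double-prime" of the thread title), and a second string shaped
// like attacker input that closes the attribute and injects markup.
$plain   = 'Sent = "yes" Paid = "no" Reminder = "1"';
$hostile = 'x"><script>document.location="http://evil.example/"</script><b x="';

// The original line: $value is spliced into the attribute unescaped.
function hiddenFieldUnescaped(string $value): string
{
    return "<INPUT TYPE=hidden NAME=txt VALUE=\"$value\">";
}

// The fix: encode &, <, >, " and ' so the data cannot terminate the
// attribute. ENT_QUOTES also covers single quotes (needed if VALUE is ever
// written with '...'); the charset is stated instead of relying on the
// default.
function hiddenFieldEscaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_HTML401, 'UTF-8');
    return "<INPUT TYPE=hidden NAME=txt VALUE=\"$safe\">";
}

// Parse the emitted markup as a browser would and return the value
// attribute of the first <input>. DOMDocument decodes entities, so this
// is the string the form would post to the handler.
function submittedValue(string $html): string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true); // unescaped case is malformed
    $ok   = $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return '';
    }
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

foreach (['plain' => $plain, 'hostile' => $hostile] as $label => $value) {
    $raw  = hiddenFieldUnescaped($value);
    $safe = hiddenFieldEscaped($value);
    echo "== $label ==\n";
    echo "emitted (unescaped): $raw\n";
    echo "received:            ", var_export(submittedValue($raw), true), "\n";
    echo "emitted (escaped):   $safe\n";
    echo "received:            ", var_export(submittedValue($safe), true), "\n";
    echo "round-trip intact:   ", var_export(submittedValue($safe) === $value, true), "\n\n";
}
```

In the unescaped case the attribute ends at the first embedded double quote, so the handler receives a truncated record (the data-loss problem the thread is about), and anything after that quote is parsed as new attributes or new elements (the injection problem Christoph is pointing at). With htmlspecialchars() the browser decodes the entities before submitting, so $_POST['txt'] equals the original string, quotes included. The same encoding applies to the `print $txt;` line at the end of the posted block, where the value lands in element content rather than in an attribute: `<` and `&` there are enough to break or inject markup.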