Re: Writing double-prime to file? [message #184790 is a reply to message #184789]
Sat, 01 February 2014 19:07 |
Christoph Michael Becker
Messages: 207 Registered: June 2013
Adrian Tuddenham wrote:
> Christoph Michael Becker <cmbecker69(at)arcor(dot)de> wrote:
>
>> Adrian Tuddenham wrote:
>>
>>> ~~~~~~~~ Sending code within an HTML page ~~~~~~~
>>>
>>> <!--NOEDIT--><?php
>>>
>>> Print "<P><FONT SIZE=\"+1\" COLOR=\"#CCFFFF\"><B>Sent = \"$Sent\"
>>> </B></FONT><FONT SIZE=\"+1\" COLOR=\"#CCFFFF\"><B>Paid =
>>> \"</B></FONT><FONT SIZE=\"+2\"
>>> COLOR=\"#FF0000\"><B>$Paid</B></FONT><FONT SIZE=\"+1\"
>>> COLOR=\"#CCFFFF\"><B>\" Reminder = \"$Reminder\"</B></FONT>";
>>>
>>> print"<P><FORM
>>> ACTION=\"http://www.poppyrecords.co.uk/php/PayFileGen2.php\"
>>> METHOD=POST><CENTER><INPUT TYPE=hidden NAME=txt VALUE=\"$txt\"><INPUT
>> ^^^^^^^^^^^^^^
>>> TYPE=submit NAME=Submit VALUE=\"O.K.\"></B></FONT></CENTER></FORM>";
>>> print $txt;
>>> ?><!--/NOEDIT-->
>>> ~~~~~ end of sending code ~~~~~~~
>>
>> Consider the code that will be generated for the part "highlighted"
>> above, when there are double-quotes contained in $txt.
>>
>> You should never ever output variables which may contain special
>> characters to your HTML unescaped; use htmlspecialchars()[1].
>>
>> [1] <http://www.php.net/manual/en/function.htmlspecialchars.php>
>
> I did not think I was outputting the variable to HTML, the handler for
> that code is written in PHP (although it does generate some HTML, but
> the problem occurs before that bit).
Consider the following simplified example:
<?php
$txt = "foo\"bar";
print "<input type=hidden name=txt value=\"$txt\">";
This will output the following HTML:
<input type=hidden name=txt value="foo"bar>
Obviously, the value of the value attribute is terminated by the second
double-quote, so it is foo. The browser is most likely going to ignore
the bar, because it is an unknown attribute name.
What you want is the following:
<input type=hidden name=txt value="foo&quot;bar">
To have it, you can use the following PHP code:
<?php
$txt = "foo\"bar";
print "<input type=hidden name=txt value=\"" .
htmlspecialchars($txt) . "\">";
However, note that it is necessary to set the correct character encoding
as third parameter of htmlspecialchars() (otherwise it may not work
correctly). The default value depends on the PHP version. If you're
using a current version (i.e. PHP 5.4 or newer), it is UTF-8. If you're
using UTF-8 encoding (what's usually recommendable), you can omit the
parameter. Otherwise you have to use something like:
htmlspecialchars($txt, ENT_COMPAT, 'ISO-8859-1');
Note, that there are caveats regarding the second parameter, too; see
the manual[1].
> Would it make more sense to re-write the program above so that it is a
> PHP program and generates the necessary HTML, rather than being an HTML
> page with PHP code embedded in it?
That doesn't make a difference with regard to escaping the characters.
[1] <http://php.net/manual/en/function.htmlspecialchars.php>
--
Christoph M. Becker
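As an added example (not code from the thread), here is the unescaped print from the post beside an escaped version, using a small assumed helper attr() and constructed sample values; it also shows why the charset argument and the quote flags matter:

```php
<?php
// Added example, not code from the thread. It contrasts the unescaped
// print pattern from the post with an escaped version and shows why the
// charset argument matters. All sample values are constructed.

// Helper assumed here (not part of the original post): escape a value for
// use inside a double- or single-quoted HTML attribute. ENT_QUOTES also
// escapes the single quote; ENT_SUBSTITUTE replaces invalid byte sequences
// instead of returning an empty string (both available since PHP 5.4).
function attr($value, $charset = 'UTF-8')
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

$txt = "He said \"hi\" & it's done";   // constructed sample input

// 1. The pattern from the post: the value breaks out of the attribute.
$unsafe = "<input type=hidden name=txt value=\"$txt\">";
echo $unsafe, "\n";
// <input type=hidden name=txt value="He said "hi" & it's done">

// 2. Escaped: the quotes become &quot; and stay inside the attribute.
$safe = "<input type=hidden name=txt value=\"" . attr($txt) . "\">";
echo $safe, "\n";
// <input type=hidden name=txt value="He said &quot;hi&quot; &amp; it&#039;s done">

// 3. The browser decodes the entities, so the original value round-trips
//    into the form field unchanged.
$roundTrip = html_entity_decode(attr($txt), ENT_QUOTES, 'UTF-8');
var_dump($roundTrip === $txt);   // bool(true)

// 4. ENT_COMPAT (the second parameter used in the post) leaves the single
//    quote alone, which is only fine while the attribute is delimited by
//    double quotes; ENT_QUOTES covers both delimiters.
var_dump(htmlspecialchars("it's", ENT_COMPAT, 'UTF-8'));   // string(4) "it's"
var_dump(attr("it's"));                                    // string(9) "it&#039;s"

// 5. Why the charset argument matters: 0xE9 is a valid ISO-8859-1 byte but
//    not a valid UTF-8 sequence. Declared as UTF-8, htmlspecialchars()
//    returns "" (PHP >= 5.4) unless ENT_SUBSTITUTE replaces the bad byte.
$latin1 = "caf\xE9";
var_dump(htmlspecialchars($latin1, ENT_COMPAT, 'UTF-8'));       // string(0) ""
var_dump(htmlspecialchars($latin1, ENT_COMPAT, 'ISO-8859-1'));  // string(4), bytes unchanged
var_dump(attr($latin1) !== '');                                 // bool(true)
```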