Re: Writing double-prime to file? [message #184787 is a reply to message #184784]
Sat, 01 February 2014 17:07 |
Christoph Michael Bec
Messages: 207 Registered: June 2013
Adrian Tuddenham wrote:
> ~~~~~~~~ Sending code within an HTML page ~~~~~~~
>
> <!--NOEDIT--><?php
>
> Print "<P><FONT SIZE=\"+1\" COLOR=\"#CCFFFF\"><B>Sent = \"$Sent\"
> </B></FONT><FONT SIZE=\"+1\" COLOR=\"#CCFFFF\"><B>Paid =
> \"</B></FONT><FONT SIZE=\"+2\"
> COLOR=\"#FF0000\"><B>$Paid</B></FONT><FONT SIZE=\"+1\"
> COLOR=\"#CCFFFF\"><B>\" Reminder = \"$Reminder\"</B></FONT>";
>
> print"<P><FORM
> ACTION=\"http://www.poppyrecords.co.uk/php/PayFileGen2.php\"
> METHOD=POST><CENTER><INPUT TYPE=hidden NAME=txt VALUE=\"$txt\"><INPUT
^^^^^^^^^^^^^^
> TYPE=submit NAME=Submit VALUE=\"O.K.\"></B></FONT></CENTER></FORM>";
> print $txt;
> ?><!--/NOEDIT-->
> ~~~~~ end of sending code ~~~~~~~
Consider the code that will be generated for the part "highlighted"
above, when there are double-quotes contained in $txt.
You should never ever output variables which may contain special
characters to your HTML unescaped; use htmlspecialchars()[1].
[1] <http://www.php.net/manual/en/function.htmlspecialchars.php>
--
Christoph M. Becker
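As an added illustration of the point above (this is example code, not part of the original thread or of Adrian's script), the block below renders the highlighted hidden-input line both unescaped and with htmlspecialchars(), first with a value that contains a double quote and then with a value that contains markup, to show what each version emits. The function names renderUnsafe(), renderSafe() and renderBodySafe() and the sample values in $samples are constructed for the example.

```php
<?php
// Added example: how the highlighted line behaves with and without
// htmlspecialchars(). Sample inputs below are constructed, not real data.

// The original line: $txt is interpolated straight into a quoted attribute.
function renderUnsafe(string $txt): string
{
    return "<INPUT TYPE=hidden NAME=txt VALUE=\"$txt\">";
}

// Attribute context: ENT_QUOTES escapes both " and ', so the value cannot
// terminate the attribute whichever quoting style the markup uses.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function renderSafe(string $txt): string
{
    $escaped = htmlspecialchars($txt, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<INPUT TYPE=hidden NAME=txt VALUE=\"$escaped\">";
}

// Body context, for the trailing `print $txt;` in the original: the same
// call also neutralises < and >, so injected tags are shown as text.
function renderBodySafe(string $txt): string
{
    return htmlspecialchars($txt, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values (hypothetical, for demonstration only).
$samples = [
    'plain value',
    'Sent 3" onfocus="alert(1)',   // double quote closes VALUE early
    "it's 5' long",                // single quotes, harmless in "" attribute
    '<script>alert(1)</script>',   // markup aimed at the print $txt; line
];

foreach ($samples as $txt) {
    echo "input : ", $txt, "\n";
    echo "unsafe: ", renderUnsafe($txt), "\n";
    echo "safe  : ", renderSafe($txt), "\n";
    echo "body  : ", renderBodySafe($txt), "\n\n";
}
```

Two details worth noting when applying this to older code such as the quoted script: before PHP 8.1 the default flags were ENT_COMPAT, which leaves single quotes alone, so pass ENT_QUOTES explicitly rather than relying on the default; and state the charset ('UTF-8' above) so the escaping agrees with the page's declared encoding. The browser decodes the entities back to the original characters when it submits the form, so the escaped hidden field round-trips the value unchanged.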