Solved

How can I get these HTML characters to be displayed correctly?

Posted on 2012-03-10
4
264 Views
Last Modified: 2012-03-30
Here's the code that inserts my text, which includes HTML characters:

$quote_question = str_replace('"', '"', trim($_POST['question']));
$links_question = htmlspecialchars("$quote_question", ENT_QUOTES);
$the_question = mysqli_real_escape_string($cxn, $links_question);

...then I do an insert script and this is working great!

When I go to display what I've inputted, I just do an "echo $_POST['text']" and the link and the text look great.

My problem is when I go to display the question. Although it looks as the though the HTML characters have been inputted correctly, the link will show up as http://localhost/NHBC/fidelis/adm/%22http://www.brucegust.com%22. In other words, the link is being displayed with my localhost URL prior to it.

What am I doing wrong? The info is being inputted in correctly, but I can't make it render accurately when I go to display it.

Thoughts?
0
Comment
Question by:brucegust
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 15

Expert Comment

by:StingRaY
ID: 37704905
Seems like your link surrounded with quotes before htmlspecialchars() to it. Make sure that $_POST['question'] is http://www.brucegust.com (unquoted) not "http://www.brucegust.com" (quoted).
0
 
LVL 13

Expert Comment

by:Hugh McCurdy
ID: 37705077
In case StingRay's solution doesn't work, I suggest you print the variables as you process them to find out what is happening.

echo "POST: "; var_dump ( $_POST ); echo "<br />" . PHP_EOL;
$quote_question = str_replace('"', '&quot;', trim($_POST['question']));
echo "quote_question: $quote_question<br />" . PHP_EOL;
$links_question = htmlspecialchars("$quote_question", ENT_QUOTES);
echo "links_question: $links_question<br />" . PHP_EOL;
$the_question = mysqli_real_escape_string($cxn, $links_question);
echo "the_question: $the_question<br />" . PHP_EOL;
0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 37705183
Let me suggest a philosophy that may help you with this.  In doing so, I am understanding the issue to be, "People put information into my web site, I store this information in my data base and I regurgitate this information to other clients.  I am definitely interested in security and I want to be sure that I do not receive a toxic script or other dangerous information and then accidentally poison someone's web browser.  Also, I want to be able to store quote marks correctly."

The correct way to store the received information is to take the entire string of data from the external client and escape it with mysql_real_escape_string() or your favorite equivalent escape function.  Then put it into the data base table.

The correct way to regurgitate the data is to read it from the data base table and pass it through htmlentities() before sending it to the client browser output stream.

In the off-chance that you find unwanted escape characters in your data base, you might want to read this article.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

HTH, ~Ray
0
 
LVL 13

Accepted Solution

by:
darren-w- earned 250 total points
ID: 37705300
Use prepared statements, this will handle all the escaping for you,

http://php.net/manual/en/pdo.prepare.php
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

729 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question