?
Solved

How can I get these HTML characters to be displayed correctly?

Posted on 2012-03-10
4
Medium Priority
?
268 Views
Last Modified: 2012-03-30
Here's the code that inserts my text, which includes HTML characters:

$quote_question = str_replace('"', '"', trim($_POST['question']));
$links_question = htmlspecialchars("$quote_question", ENT_QUOTES);
$the_question = mysqli_real_escape_string($cxn, $links_question);

...then I do an insert script and this is working great!

When I go to display what I've inputted, I just do an "echo $_POST['text']" and the link and the text look great.

My problem is when I go to display the question. Although it looks as the though the HTML characters have been inputted correctly, the link will show up as http://localhost/NHBC/fidelis/adm/%22http://www.brucegust.com%22. In other words, the link is being displayed with my localhost URL prior to it.

What am I doing wrong? The info is being inputted in correctly, but I can't make it render accurately when I go to display it.

Thoughts?
0
Comment
Question by:brucegust
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
4 Comments
 
LVL 15

Expert Comment

by:StingRaY
ID: 37704905
Seems like your link surrounded with quotes before htmlspecialchars() to it. Make sure that $_POST['question'] is http://www.brucegust.com (unquoted) not "http://www.brucegust.com" (quoted).
0
 
LVL 13

Expert Comment

by:Hugh McCurdy
ID: 37705077
In case StingRay's solution doesn't work, I suggest you print the variables as you process them to find out what is happening.

echo "POST: "; var_dump ( $_POST ); echo "<br />" . PHP_EOL;
$quote_question = str_replace('"', '&quot;', trim($_POST['question']));
echo "quote_question: $quote_question<br />" . PHP_EOL;
$links_question = htmlspecialchars("$quote_question", ENT_QUOTES);
echo "links_question: $links_question<br />" . PHP_EOL;
$the_question = mysqli_real_escape_string($cxn, $links_question);
echo "the_question: $the_question<br />" . PHP_EOL;
0
 
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 1000 total points
ID: 37705183
Let me suggest a philosophy that may help you with this.  In doing so, I am understanding the issue to be, "People put information into my web site, I store this information in my data base and I regurgitate this information to other clients.  I am definitely interested in security and I want to be sure that I do not receive a toxic script or other dangerous information and then accidentally poison someone's web browser.  Also, I want to be able to store quote marks correctly."

The correct way to store the received information is to take the entire string of data from the external client and escape it with mysql_real_escape_string() or your favorite equivalent escape function.  Then put it into the data base table.

The correct way to regurgitate the data is to read it from the data base table and pass it through htmlentities() before sending it to the client browser output stream.

In the off-chance that you find unwanted escape characters in your data base, you might want to read this article.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

HTH, ~Ray
0
 
LVL 13

Accepted Solution

by:
darren-w- earned 1000 total points
ID: 37705300
Use prepared statements, this will handle all the escaping for you,

http://php.net/manual/en/pdo.prepare.php
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to count occurrences of each item in an array.
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question