Solved

How can I get these HTML characters to be displayed correctly?

Posted on 2012-03-10
261 Views
Last Modified: 2012-03-30
Here's the code that inserts my text, which includes HTML characters:

$quote_question = str_replace('"', '&quot;', trim($_POST['question']));
$links_question = htmlspecialchars("$quote_question", ENT_QUOTES);
$the_question = mysqli_real_escape_string($cxn, $links_question);

...then I do an insert script and this is working great!

When I go to display what I've inputted, I just do an "echo $_POST['text']" and the link and the text look great.

My problem is when I go to display the question. Although it looks as the though the HTML characters have been inputted correctly, the link will show up as http://localhost/NHBC/fidelis/adm/%22http://www.brucegust.com%22. In other words, the link is being displayed with my localhost URL prior to it.

What am I doing wrong? The info is being inputted in correctly, but I can't make it render accurately when I go to display it.

Thoughts?
Question by:brucegust
4 Comments
 
LVL 15

Expert Comment

by:StingRaY
ID: 37704905
Seems like your link is surrounded with quotes before htmlspecialchars() is applied to it. Make sure that $_POST['question'] is http://www.brucegust.com (unquoted), not "http://www.brucegust.com" (quoted).
 
LVL 13

Expert Comment

by:Hugh McCurdy
ID: 37705077
In case StingRay's solution doesn't work, I suggest you print the variables as you process them to find out what is happening.

echo "POST: "; var_dump ( $_POST ); echo "<br />" . PHP_EOL;
$quote_question = str_replace('"', '&quot;', trim($_POST['question']));
echo "quote_question: $quote_question<br />" . PHP_EOL;
$links_question = htmlspecialchars("$quote_question", ENT_QUOTES);
echo "links_question: $links_question<br />" . PHP_EOL;
$the_question = mysqli_real_escape_string($cxn, $links_question);
echo "the_question: $the_question<br />" . PHP_EOL;
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 37705183
Let me suggest a philosophy that may help you with this.  In doing so, I am understanding the issue to be, "People put information into my web site, I store this information in my data base and I regurgitate this information to other clients.  I am definitely interested in security and I want to be sure that I do not receive a toxic script or other dangerous information and then accidentally poison someone's web browser.  Also, I want to be able to store quote marks correctly."

The correct way to store the received information is to take the entire string of data from the external client and escape it with mysql_real_escape_string() or your favorite equivalent escape function.  Then put it into the data base table.

The correct way to regurgitate the data is to read it from the data base table and pass it through htmlentities() before sending it to the client browser output stream.

In the off-chance that you find unwanted escape characters in your data base, you might want to read this article.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

HTH, ~Ray
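To make the encoding layers concrete, here is an added example (not code from the thread or from any of the answerers) that traces what the asker's store path does to a quoted submission and why a stored value that still carries its quotes ends up as a localhost-relative link. The sample input is constructed, the function names are hypothetical, and only string functions are used so it runs without a database or a live $_POST.

```php
<?php
// Added example (not from the thread): trace what each encoding layer in the
// asker's code does to the submitted value, and why a quoted value turns into
// a localhost-relative link. Only string functions are used, so it runs
// without a database or a live $_POST.

declare(strict_types=1);

// Constructed sample of a quoted submission, the case StingRaY suspects.
$submitted = '"http://www.brucegust.com"';

// The asker's store path: a manual &quot; replacement, then htmlspecialchars()
// on the result. htmlspecialchars() encodes the '&' it now finds, so the value
// that reaches the database is double-encoded.
function askersStorePath(string $input): string
{
    $quoted = str_replace('"', '&quot;', trim($input));
    return htmlspecialchars($quoted, ENT_QUOTES, 'UTF-8');
}

// Ray's approach: store the text as received and encode it once, for HTML,
// when it is sent to the browser. (SQL escaping or parameter binding belongs
// to the storage layer and is omitted here.)
function encodeOnce(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// Build the anchor the display page would emit from the stored value.
// If the stored value still carries the user's surrounding quotes, the href
// begins with a quote character, which is not an absolute URL, so the browser
// resolves it relative to the current page (.../adm/%22http://...%22).
function anchorFromStored(string $stored): string
{
    $href = encodeOnce($stored);
    return '<a href="' . $href . '">' . $href . '</a>';
}

// Dropping the wrapping quotes before building the anchor fixes the href.
function anchorFromUnquoted(string $stored): string
{
    return anchorFromStored(trim($stored, '"'));
}

echo "Asker's stored value : " . askersStorePath($submitted) . "\n";
echo "Encoded once         : " . encodeOnce($submitted) . "\n";
echo "Anchor, quoted value : " . anchorFromStored($submitted) . "\n";
echo "Anchor, unquoted     : " . anchorFromUnquoted($submitted) . "\n";
```

Run it with the PHP CLI. The first line prints &amp;quot;http://www.brucegust.com&amp;quot;, which a browser displays as the literal text &quot;http://www.brucegust.com&quot; rather than as quotes; the second line shows the same input encoded a single time, which renders as "http://www.brucegust.com"; the last anchor's href is the bare absolute URL, so the browser no longer prefixes the current page's path.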
 
LVL 13

Accepted Solution

by:darren-w-
darren-w- earned 250 total points
ID: 37705300
Use prepared statements; this will handle all the escaping for you:

http://php.net/manual/en/pdo.prepare.php
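As an added example (not darren-w-'s code and not from the thread), this is the full store-then-display round trip with a PDO prepared statement, combined with a single HTML encoding step on output as Ray describes. It uses an in-memory SQLite database so it runs offline (it needs the pdo_sqlite extension); the table name, column names, function names and the three sample inputs are all constructed for the example.

```php
<?php
// Added example (not from the thread): store submitted text with a PDO
// prepared statement, read it back, and encode it once for HTML on output.
// An in-memory SQLite database stands in for the asker's MySQL table; the
// table and column names are assumptions.

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, question TEXT NOT NULL)');

// Store the text exactly as received. The bound parameter keeps the value out
// of the SQL text, so quotes, backslashes and markup cannot alter the
// statement; no str_replace() or mysqli_real_escape_string() is needed.
function storeQuestion(PDO $pdo, string $question): int
{
    $stmt = $pdo->prepare('INSERT INTO questions (question) VALUES (:question)');
    $stmt->execute([':question' => trim($question)]);
    return (int) $pdo->lastInsertId();
}

// Read the raw text back and encode it once, at output time, for HTML.
function fetchQuestionHtml(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT question FROM questions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $raw = $stmt->fetchColumn();
    if ($raw === false) {
        throw new RuntimeException("No question with id $id");
    }
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs standing in for $_POST['question']: a plain URL, text
// with double and single quotes, and markup that must render as text.
$samples = [
    'http://www.brucegust.com',
    'He said "hello" and it\'s fine',
    '<script>alert(1)</script>',
];

foreach ($samples as $text) {
    $id = storeQuestion($pdo, $text);
    echo "stored #$id : $text\n";
    echo "rendered   : " . fetchQuestionHtml($pdo, $id) . "\n\n";
}
```

The database holds the text as typed; the only transformation happens in fetchQuestionHtml(), so quotes display as quotes, the URL stays a usable absolute URL, and the script tag arrives in the browser as inert text. Swapping the DSN for a mysql: one gives the same behaviour against the asker's MySQL table.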
