?
Solved

How can I get these HTML characters to be displayed correctly?

Posted on 2012-03-10
4
Medium Priority
?
276 Views
Last Modified: 2012-03-30
Here's the code that inserts my text, which includes HTML characters:

$quote_question = str_replace('"', '"', trim($_POST['question']));
$links_question = htmlspecialchars("$quote_question", ENT_QUOTES);
$the_question = mysqli_real_escape_string($cxn, $links_question);

...then I do an insert script and this is working great!

When I go to display what I've inputted, I just do an "echo $_POST['text']" and the link and the text look great.

My problem is when I go to display the question. Although it looks as the though the HTML characters have been inputted correctly, the link will show up as http://localhost/NHBC/fidelis/adm/%22http://www.brucegust.com%22. In other words, the link is being displayed with my localhost URL prior to it.

What am I doing wrong? The info is being inputted in correctly, but I can't make it render accurately when I go to display it.

Thoughts?
0
Comment
Question by:brucegust
4 Comments
 
LVL 15

Expert Comment

by:StingRaY
ID: 37704905
Seems like your link surrounded with quotes before htmlspecialchars() to it. Make sure that $_POST['question'] is http://www.brucegust.com (unquoted) not "http://www.brucegust.com" (quoted).
0
 
LVL 13

Expert Comment

by:Hugh McCurdy
ID: 37705077
In case StingRay's solution doesn't work, I suggest you print the variables as you process them to find out what is happening.

echo "POST: "; var_dump ( $_POST ); echo "<br />" . PHP_EOL;
$quote_question = str_replace('"', '&quot;', trim($_POST['question']));
echo "quote_question: $quote_question<br />" . PHP_EOL;
$links_question = htmlspecialchars("$quote_question", ENT_QUOTES);
echo "links_question: $links_question<br />" . PHP_EOL;
$the_question = mysqli_real_escape_string($cxn, $links_question);
echo "the_question: $the_question<br />" . PHP_EOL;
0
 
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 1000 total points
ID: 37705183
Let me suggest a philosophy that may help you with this.  In doing so, I am understanding the issue to be, "People put information into my web site, I store this information in my data base and I regurgitate this information to other clients.  I am definitely interested in security and I want to be sure that I do not receive a toxic script or other dangerous information and then accidentally poison someone's web browser.  Also, I want to be able to store quote marks correctly."

The correct way to store the received information is to take the entire string of data from the external client and escape it with mysql_real_escape_string() or your favorite equivalent escape function.  Then put it into the data base table.

The correct way to regurgitate the data is to read it from the data base table and pass it through htmlentities() before sending it to the client browser output stream.

In the off-chance that you find unwanted escape characters in your data base, you might want to read this article.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

HTH, ~Ray
0
 
LVL 13

Accepted Solution

by:
darren-w- earned 1000 total points
ID: 37705300
Use prepared statements, this will handle all the escaping for you,

http://php.net/manual/en/pdo.prepare.php
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Originally, this post was published on Monitis Blog, you can check it here . In business circles, we sometimes hear that today is the “age of the customer.” And so it is. Thanks to the enormous advances over the past few years in consumer techno…
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses
Course of the Month17 days, 6 hours left to enroll

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question