Jump to content

How to validate my links....


rajeevthomas

Recommended Posts

Hi Everyone..

 

I am not sure if I should post this question here. I would like to fix this problem using PHP rather than HTML. I am new to PHP. This code is part of an old PHP gallery file. I am trying to validate my site but the site's links have some characters that makes the link throw errors in W3C Validator. So I tried to replace the characters with HTML characters for example ? are now replaced by ?

 

so my original link before using valid HTML characters looked like

www.awebsite.com/viewgallery.php?cname=Colorado-Fall&pcaption=Lost-In-The-art

And now it looks like this ...

www.awebsite.com/viewgallery.php?cname=Colorado-Fall&pcaption=Lost-In-The-art

But now W3C Validator shows an error like this

  1. error.png Line 32, Column 240: an attribute value must be a literal unless it contains only name characters
    …n class='next'><a href=viewgallery.php?cname=Colorado-Journeys&pca…

    You have used a character that is not considered a "name character" in an attribute value. Which characters are considered "name characters" varies between the different document types, but a good rule of thumb is that unless the value contains only lower or upper case letters in the range a-z you must put quotation marks around the value. In fact, unless you have extreme file size requirements it is a very very good idea to always put quote marks around your attribute values. It is never wrong to do so, and very often it is absolutely necessary.

     

     

The ? for replacing ? seems to be the problem.The & is highlighted in red.

What am I doing wrong? How can I validate this link? I tried to use single or double quotes around HTML characters but that breaks my links and they won't work after that. Any tips will be appreciated...




			
		
Link to comment
Share on other sites

You have to quote the entire attribute. Like this:

<a href="https://yoursite.com/foo">some link</a>

Using unquoted attributes is generally a very bad idea. Apart from the syntax errors, you'll also run into security issues as soon as you start using dynamic parameters. 

 

So always quote your attributes.

 

What the W3C validator actually complained about were the ampersand (&) characters. Since the ampersand is also used to start an HTML entity like ", the parser does not always know if you mean a literal ampersand or an ampersand as part of an HTML entity. The general recommendation is encode all literal ampersands with the & entity:

<a href="https://yoursite.com/foo?x=1&y=2">some link</a>
Link to comment
Share on other sites

You don't need to replace the question mark

 

 

 

You have to quote the entire attribute. Like this:

<a href="https://yoursite.com/foo">some link</a>

Using unquoted attributes is generally a very bad idea. Apart from the syntax errors, you'll also run into security issues as soon as you start using dynamic parameters. 

 

So always quote your attributes.

 

What the W3C validator actually complained about were the ampersand (&) characters. Since the ampersand is also used to start an HTML entity like ", the parser does not always know if you mean a literal ampersand or an ampersand as part of an HTML entity. The general recommendation is encode all literal ampersands with the & entity:

<a href="https://yoursite.com/foo?x=1&y=2">some link</a>

Thank you guys. Looking at your answers I realize that I did not ask my question right. I am sorry about that. My case is a bit different I think. I think it is because I am trying to create the link from inside PHP. My code is

$result_final .= "<a href=viewgallery.php?cname=$cname&pcaption=" . $caption_array[$next] . "><img src='/photos/assets/left.png' alt='left navigation'></a>";

So based on your answers ... I changed the links like this

$result_final .= "<a href=\"viewgallery.php?cname=$cname&pcaption=" . $caption_array[$next] . "\"><img src='/photos/assets/left.png' alt='left navigation'></a>";

It really works. Thank you for the suggestions. No more errors.... ( for now ) :)

Just out of curiosity, is this a bad way of creating links? Is this a hideous code?

Thank you for helping me,....

Link to comment
Share on other sites

Yes, this is hideous code, because your dynamic parameters are neither URL-encoded nor HTML-escaped (what if they contain special characters?), and the parts you did escape are escaped by hand instead of using the appropriate PHP function.

 

Every dynamic value that goes into your HTML markup must be HTML-escaped. If you don't do that, then you're begging for syntax errors and cross-site scripting attacks. Depending on the context, you may need additional preparation. For example, URL parameters must be URL-encoded.

 

It's very important to understand this: You can't just dump a PHP string into an arbitrary context. Many PHP developers struggle with this simple truth, but it's crucial for writing correct and secure applications.

 

In your case, you would encode the parameters with urlencode() and then escape the entire URL with htmlspecialchars(). You can also let PHP do the URL-encoding if you use http_build_query():

$parameters = array(
	'cname' => $cname,
	'pcaption' => $caption_array[$next],
);
$result_final .= '<a href="' . html_escape('viewgallery.php?' . http_build_query($parameters), 'UTF-8') . '"><img src="/photos/assets/left.png" alt="left navigation"></a>';

Mixing small snippets of HTML markup into your PHP code (aka spaghetti code) also isn't the best idea, but that's another story.

Link to comment
Share on other sites

Yes, this is hideous code, because your dynamic parameters are neither URL-encoded nor HTML-escaped (what if they contain special characters?), and the parts you did escape are escaped by hand instead of using the appropriate PHP function.

 

Every dynamic value that goes into your HTML markup must be HTML-escaped. If you don't do that, then you're begging for syntax errors and cross-site scripting attacks. Depending on the context, you may need additional preparation. For example, URL parameters must be URL-encoded.

 

It's very important to understand this: You can't just dump a PHP string into an arbitrary context. Many PHP developers struggle with this simple truth, but it's crucial for writing correct and secure applications.

 

In your case, you would encode the parameters with urlencode() and then escape the entire URL with htmlspecialchars(). You can also let PHP do the URL-encoding if you use http_build_query():

$parameters = array(
	'cname' => $cname,
	'pcaption' => $caption_array[$next],
);
$result_final .= '<a href="' . html_escape('viewgallery.php?' . http_build_query($parameters), 'UTF-8') . '"><img src="/photos/assets/left.png" alt="left navigation"></a>';

Mixing small snippets of HTML markup into your PHP code (aka spaghetti code) also isn't the best idea, but that's another story.

Jaques, thank you!. Sorry about my late reply. And thank you for your code. Now I have somewhere to start from. The array idea is cool. is 'html_escape' a PHP function? I couldn't find out much about it.

Link to comment
Share on other sites

  • 2 weeks later...
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.