Adeus Posted May 8, 2008

I have the following textarea in a form:

<textarea name="special" cols="32" rows="3" id="special"></textarea>

Upon submitting the form, it is stored in $_POST['special'] and passed again through the following hidden input field:

<input type=\"hidden\" name=\"special\" value=\"".$_POST['special']."\" />

Finally, it is presented in step 3 of the process:

if (isset($_POST['special']) && $_POST['special'] != "") {
    $special_prompt = "<p><span class=\"red\">Special Requests:</span> ".stripslashes(stripslashes(nl2br($_POST['special'])))."</p>";
} else {
    $special_prompt = "";
}

Here is an example of what it is doing:

//$_POST['special'] = Here's a single quote.
echo $special_prompt;
//returns: Here's some copy.

//$_POST['special'] = Here's some "double quotes."
echo $special_prompt;
//returns: Here's some

As you can see, it is cutting the string off where the double quotes begin. Any ideas?
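The truncation comes from the hidden field in step 2, not from step 3: the value is dropped into value="..." untouched, so the first double quote in the user's text closes the attribute and everything after it is parsed as markup (or as further attributes). The doubled stripslashes() in step 3 is compensating for magic_quotes_gpc, which was on by default in PHP 5 of that era and escapes quotes in $_POST with backslashes. The following is an added example, not code from the original post; the helper names (raw_post, hidden_field_vulnerable, hidden_field_safe, special_prompt) and the sample inputs are constructed for the demonstration. It shows the thread's pattern next to a hardened version that escapes every value on output with htmlspecialchars(..., ENT_QUOTES) and undoes magic quotes once, only when they are actually on.

```php
<?php
// Added example (not from the original thread). Demonstrates why an unescaped
// double quote truncates the hidden field and how output escaping fixes it.
// Helper names and the sample inputs below are constructed for this demo.

/**
 * Read a POST field and undo magic_quotes_gpc exactly once, only when it is on.
 * (get_magic_quotes_gpc() is gone in PHP 8; the function_exists guard keeps
 * this runnable there.) Unconditional or doubled stripslashes() would also eat
 * backslashes the user typed on purpose.
 */
function raw_post(string $name): string
{
    $value = $_POST[$name] ?? '';
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

/** The thread's step-2 pattern: the value is interpolated into the attribute as-is. */
function hidden_field_vulnerable(string $name, string $value): string
{
    return "<input type=\"hidden\" name=\"$name\" value=\"$value\" />";
}

/** Hardened: escape on output; ENT_QUOTES covers both ' and " so either attribute quoting style is safe. */
function hidden_field_safe(string $name, string $value): string
{
    $name  = htmlspecialchars($name,  ENT_QUOTES, 'UTF-8');
    $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "<input type=\"hidden\" name=\"$name\" value=\"$value\" />";
}

/** Step-3 display: escape first, then nl2br(), so the inserted <br /> tags survive. */
function special_prompt(string $value): string
{
    if ($value === '') {
        return '';
    }
    $safe = nl2br(htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    return "<p><span class=\"red\">Special Requests:</span> $safe</p>";
}

// Constructed inputs: the thread's own case, a multi-line request, and a value
// that shows what a closed attribute lets through (attribute injection).
$inputs = [
    'Here\'s some "double quotes."',
    "Line one\nLine two",
    'x" autofocus onfocus="alert(1)',
];

foreach ($inputs as $in) {
    echo "input:      $in\n";
    echo "vulnerable: " . hidden_field_vulnerable('special', $in) . "\n";
    echo "safe:       " . hidden_field_safe('special', $in) . "\n";
    echo "display:    " . special_prompt($in) . "\n\n";
}
```

Run it from the command line to compare the two renderings: in the vulnerable line the browser's attribute ends at the first `"`, which is exactly the cut-off the post describes, and in the third input the remainder becomes live attributes on the element. The same escaped value round-trips through the hidden field unchanged because the browser decodes the entities before resubmitting it.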
discomatt Posted May 8, 2008

htmlentities()
BlueSkyIS Posted May 8, 2008

i use htmlspecialchars() with ENT_QUOTES, but I single-quote all field values, e.g.,

$the_string = "Hello! Don't mess up with this single quote.";
$output = "<INPUT TYPE='text' NAME='somefield' VALUE='".htmlspecialchars($the_string, ENT_QUOTES)."'>";
benphp Posted May 8, 2008

<?php
if (isset($_POST['special']) && $_POST['special'] != "") {
    $special = nl2br($_POST['special']);
    $special = str_replace('"', "&#34;", $special);
    $special = stripslashes($special);
    $special_prompt = "<p><span class=\"red\">Special Requests:</span> $special </p>";
} else {
    $special_prompt = "";
}
?>

Shit - the js on this site is fing up my code. The line should be:

$special = str_replace('"', "[ampersand][pound][thirty four][semicolon]", $special);
BlueSkyIS Posted May 8, 2008

don't forget the myriad other characters that can screw up HTML. for instance, greater than, less than, exclamation point, and many others. use htmlspecialchars() to avoid having to str_replace() for every single possibility.
benphp Posted May 8, 2008

I use a function that allows me greater control over what is replaced and when. Note that the code below will be screwed due to this site's JS:

<?php
function fnTick($string) {
    $string = str_replace("'", "&#39;", $string);
    $string = str_replace('/', "&#47;", $string);
    $string = str_replace('<?', "<&#63;", $string);
    $string = str_replace('=', "&#61;", $string);
    $string = str_replace('?>', "&#63;>", $string);
    $string = str_replace('?', "&#63;", $string);
    $string = str_replace("\r", " <br /> ", $string);
    $string = str_replace("\r", "", $string);
    $string = str_replace("\n", "", $string);
    $string = str_replace('"', "&#34;", $string);
    $string = str_replace('!', "&#33;", $string);
    $string = str_replace('$', "&#36;", $string);
    $string = str_replace('%', "&#37;", $string);
    $string = str_replace('(', "&#40;", $string);
    $string = str_replace(')', "&#41;", $string);
    $string = str_replace('*', "&#42;", $string);
    $string = stripslashes($string);
    return $string;
}
?>
BlueSkyIS Posted May 8, 2008

hm, that doesn't work for me for form inputs:

<?php
function fnTick($string) {
    $string = str_replace("'", "&#39;", $string);
    $string = str_replace('/', "&#47;", $string);
    $string = str_replace('<?', "<&#63;", $string);
    $string = str_replace('=', "&#61;", $string);
    $string = str_replace('?>', "&#63;>", $string);
    $string = str_replace('?', "&#63;", $string);
    $string = str_replace("\r", " <br /> ", $string);
    $string = str_replace("\r", "", $string);
    $string = str_replace("\n", "", $string);
    $string = str_replace('"', "&#34;", $string);
    $string = str_replace('!', "&#33;", $string);
    $string = str_replace('$', "&#36;", $string);
    $string = str_replace('%', "&#37;", $string);
    $string = str_replace('(', "&#40;", $string);
    $string = str_replace(')', "&#41;", $string);
    $string = str_replace('*', "&#42;", $string);
    $string = stripslashes($string);
    return $string;
}

$content = "What><!-- Happen't to this?>";
?>
<HTML>
<BODY>
<FORM>
<INPUT TYPE='TEXT' NAME='testtext' VALUE='<?=fnTick($content);?>'>
</FORM>
</BODY>
</HTML>

output: a text field with the following in it:

What><!-- Happen't to this?>

I don't want that code visible nor in the input.
benphp Posted May 8, 2008

The javascript on this site screws up the code:

$string = str_replace("'", "&#38;#39;", $string);

is all wrong. It should be

$string = str_replace("'", "[ampersand]#39;", $string);

I'll try it outside of the code tags:

function fnTick($string) {
    $string = str_replace("'", "&#39;", $string);
    $string = str_replace('/', "&#47;", $string);
    $string = str_replace('<?', "<&#63;", $string);
    $string = str_replace('=', "&#61;", $string);
    $string = str_replace('?>', "&#63;>", $string);
    $string = str_replace('?', "&#63;", $string);
    $string = str_replace("\r", " <br /> ", $string);
    $string = str_replace("\r", "", $string);
    $string = str_replace("\n", "", $string);
    $string = str_replace('"', "&#34;", $string);
    $string = str_replace('!', "&#33;", $string);
    $string = str_replace('$', "&#36;", $string);
    $string = str_replace('%', "&#37;", $string);
    $string = str_replace('(', "&#40;", $string);
    $string = str_replace(')', "&#41;", $string);
    $string = str_replace('*', "&#42;", $string);
    $string = stripslashes($string);
    return $string;
}
Adeus Posted May 8, 2008 (Author)

Hrm, I've tried all these ideas and I still can't get it to work right. My latest attempt:

//$_POST['special'] is from a <textarea> with value = "Here are some "quotes.""
if (isset($_POST['special']) && $_POST['special'] != "") {
    $special_prompt = "<p><span class='red'>Special Requests:</span> ".stripslashes(stripslashes(nl2br(htmlentities($_POST['special'], ENT_QUOTES))))."</p>";
} else {
    $special_prompt = "";
}
echo $special_prompt;
//returns: Here are some

I'm starting to think it may not be carrying over from the textarea correctly... going to do some more testing.
BlueSkyIS Posted May 8, 2008

you don't want to use htmlentities.
Adeus Posted May 8, 2008 (Author)

I changed it to htmlspecialchars, everything works (', ?>, >, <, etc...) except double quotes. When I echo $_POST['special'], it returns everything before the double quotes followed by 2 slashes (\\) and nothing after that.
BlueSkyIS Posted May 8, 2008

i use htmlspecialchars() with ENT_QUOTES, but I single-quote all field values, e.g.,

$the_string = "Hello! Don't mess up with this single quote.";
$output = "<INPUT TYPE='text' NAME='somefield' VALUE='".htmlspecialchars($the_string, ENT_QUOTES)."'>";

if you're using double-quoted field values, you'll need to use ENT_NOQUOTES

$output = '<INPUT TYPE="text" NAME="somefield" VALUE="'.htmlspecialchars($the_string, ENT_NOQUOTES).'">';

i prefer single-quoted form values for several reasons.
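The three quote flags decide which quote characters htmlspecialchars() converts, and that in turn decides which attribute-quoting style the result is safe inside. The following is an added example, not code from the thread; the helper names (escape_variants, breaks_attribute) and the sample string are constructed. The sample reuses the earlier test input and adds `"`, `&` and `<b>` so it also shows the point made above about coverage: htmlspecialchars() handles exactly `&`, `<`, `>`, `"` and (with ENT_QUOTES) `'`, whereas a hand-written list of single-character replacements that never touches a bare `<` or `>` lets tags through.

```php
<?php
// Added example (not from the original thread). Shows what each
// htmlspecialchars() quote flag converts and whether the escaped string can
// still terminate a single- or double-quoted attribute. Sample is constructed.

/** Escape $s under each quote flag; keys are the flag names for display. */
function escape_variants(string $s): array
{
    $flags = [
        'ENT_COMPAT'   => ENT_COMPAT,   // converts " only (the default before PHP 8.1)
        'ENT_QUOTES'   => ENT_QUOTES,   // converts both " and '
        'ENT_NOQUOTES' => ENT_NOQUOTES, // converts neither quote character
    ];
    $out = [];
    foreach ($flags as $name => $flag) {
        $out[$name] = htmlspecialchars($s, $flag, 'UTF-8');
    }
    return $out;
}

/**
 * True if $escaped still contains the character that delimits the attribute,
 * i.e. dropping it into VALUE=<$delimiter>...<$delimiter> would close the
 * attribute early.
 */
function breaks_attribute(string $escaped, string $delimiter): bool
{
    return strpos($escaped, $delimiter) !== false;
}

// Constructed sample: the earlier test string plus ", & and a tag.
$sample = 'What><!-- Happen\'t to "this"? & <b>';

foreach (escape_variants($sample) as $flag => $escaped) {
    printf("%-13s %s\n", $flag, $escaped);
    printf("%-13s single-quoted attr: %s, double-quoted attr: %s\n\n", '',
        breaks_attribute($escaped, "'") ? 'BREAKS' : 'ok',
        breaks_attribute($escaped, '"') ? 'BREAKS' : 'ok');
}
```

Run it once and the table speaks for itself: ENT_COMPAT is safe only inside double-quoted attributes, ENT_QUOTES is safe inside either, and ENT_NOQUOTES leaves both quote characters in place, so it breaks both. In every variant `<`, `>` and `&` come out as `&lt;`, `&gt;` and `&amp;`, which is why the `<!--` and `<b>` in the sample can no longer start markup.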