Seaholme, posted July 12, 2010

Heya, I have a little issue, which is that whenever people update their display names using " and ', it interferes with the update field by effectively cutting off anything that goes after it. I tried this:

    $displaynamex = htmlspecialchars($displayname, ENT_QUOTES);

However, I don't want it to take away ALL the characters, just ' and ". I'd really like it if HTML tags like > and < stayed put. And although I thought that this would technically work, I've had no luck with it; it still cuts out...

    $displaynamex = str_replace('"', '\"', $displayname);

Can anybody suggest any solutions for somehow making " and ' safe to enter in? Thanks!

Thread: https://forums.phpfreaks.com/topic/207543-replacing-and-somehow/
PFMaBiSmAd, posted July 12, 2010

"by effectively cutting off anything that goes after it."

Does that mean when you display them on a web page? If so, it is likely that the HTML you are putting them into on the page is invalid. Could you post a specific example and code that demonstrates the problem?
Seaholme (author), posted July 12, 2010

It's not quite when they're displayed; they display okay. It's just when it comes to the form which updates them. I'll give you an example, it's really hard to explain! xD

The error occurs in this HTML here:

    <table width="700" border="1" cellspacing="1" cellpadding="0">
      <tr>
        <form name="form1" method="post" action="update_ac.php">
          <td>
            <table width="100%" border="0" cellspacing="1" cellpadding="0">
              <tr>
                <td> </td>
                <td colspan="4">Update your user information: </td>
              </tr>
              <tr>
                <td align="center">Username</td>
                <td align="center">Camp Name</td>
                <td align="center">Password</td>
                <td align="center">Email</td>
                <td align="center"> </td>
              </tr>
              <tr>
                <!-- the values below are echoed unescaped, which is what breaks the attribute -->
                <td><input name="displayname" type="text" id="displayname" value="<?php echo $rows['displayname']; ?>"></td>
                <td><input name="campname" type="text" id="campname" value="<?php echo $rows['campname']; ?>"></td>
                <td><input name="password" type="password" id="password" value=""></td>
                <td><input name="email" type="text" id="email" value="<?php echo $rows['email']; ?>"></td>
              </tr>
              <tr>
                <td><input name="id" type="hidden" id="id" value="<?php echo $rows['id']; ?>"></td>
                <td align="center"><input type="submit" name="Submit" value="Submit"></td>
              </tr>
            </table>
          </td>
        </form>
      </tr>
    </table>

(Sorry it's kinda not formatted that beautifully.)

Basically, if somebody enters a display name that contains " or ', then the part of the form which is meant to echo the display name shows up as a text field with anything after the " or ' showing up outside the field. To demonstrate this a bit more clearly, if you imagine that [ and ] define the beginning and end of the text field, a name originally entered like this:

    [<b>Name</b">]

ends up like this:

    [<b>Name</b ] ">

Does that help explain it a bit better?
PFMaBiSmAd, posted July 12, 2010

    "<?php echo $rows['displayname']; ?>"

should be:

    "<?php echo htmlspecialchars($rows['displayname'], ENT_QUOTES); ?>"

One of the points of using htmlspecialchars(), or better yet htmlentities(), is so that any special HTML characters in the data do not break the HTML syntax of your web page.

Edit: the other is to prevent XSS through the injection of javascript and HTML that gets output to the visitors on your site.
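The breakout and the fix side by side, as an added example that is not code from the original thread or from either poster. It reuses the thread's displayname field; the render_* functions and the sample names are constructed here for illustration, and the output is plain text so the result can be inspected with `php example.php` rather than in a browser.

```php
<?php
// Added example for the thread above, not original thread code.
// render_* helpers and $samples are constructed for illustration.

// The original form: the name is dropped straight into a double-quoted
// attribute, so a " inside the data terminates the attribute early.
function render_name_field_raw(string $displayname): string
{
    return '<input name="displayname" type="text" id="displayname" value="'
        . $displayname . '">';
}

// The fix from the reply: escape for HTML output, including both quote
// styles. ENT_HTML5 and the explicit charset are added for clarity; the
// thread's htmlspecialchars($x, ENT_QUOTES) behaves the same for these inputs.
function render_name_field(string $displayname): string
{
    $safe = htmlspecialchars($displayname, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="displayname" type="text" id="displayname" value="'
        . $safe . '">';
}

// Why ENT_QUOTES matters: with a single-quoted attribute, ENT_COMPAT
// (the old default) leaves ' alone and the attribute still breaks.
function render_name_field_single_quoted(string $displayname, int $flags): string
{
    $safe = htmlspecialchars($displayname, $flags, 'UTF-8');
    return "<input name='displayname' type='text' value='" . $safe . "'>";
}

// Constructed sample names (not taken from the thread's data).
$samples = [
    'plain name',
    '<b>Name</b">',                           // the thread's own broken case
    "O'Brien",                                // only a problem for single-quoted attributes
    'x" onfocus="alert(document.cookie)',     // closes value="..." and adds an event handler
];

foreach ($samples as $name) {
    echo "--- input: $name\n";
    echo "raw (broken):        " . render_name_field_raw($name) . "\n";
    echo "escaped (fixed):     " . render_name_field($name) . "\n";
    echo "single, ENT_COMPAT:  " . render_name_field_single_quoted($name, ENT_COMPAT) . "\n";
    echo "single, ENT_QUOTES:  " . render_name_field_single_quoted($name, ENT_QUOTES) . "\n";
}
```

Two things worth checking in the output. The escaped version of `<b>Name</b">` becomes `&lt;b&gt;Name&lt;/b&gt;&quot;` inside the attribute; the browser decodes those entities when it populates the text box, so the user still sees `<b>Name</b">` exactly as typed, which is what the original poster wanted, without the tags or quotes ever reaching the HTML parser as markup. Second, the fourth sample shows why the fix is also a security fix: unescaped, it closes the `value` attribute and injects an event handler, which is the attribute-context form of the XSS the reply mentions. Escaping is an output-side fix; it does not replace parameterised queries on the database write side.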
Seaholme (author), posted July 12, 2010

Wow, thanks so much! All sorted.

Also, you don't have to answer this as technically my problem is solved, but can you be a little more detailed as to what XSS injection might be? I've been paying zero attention to security with my site, really. Is it people inputting PHP onto the page somehow? And if so, do you suggest that something along the lines of that function should accompany every user input? I'm quite new to the world of coding, so sorry if these are pretty basic things!
PFMaBiSmAd, posted July 12, 2010

XSS refers to Cross Site Scripting. It means getting some of my javascript and HTML to be output to the visitors on your site. That javascript and HTML typically does things like read your visitor's cookies (including the session id cookie) and send them to me by requesting an image from my server, providing the information that was obtained on the end of the URL when the request is made to my server.

So, I could sign up on your site, and for any of the data that you accept from me and then output to any other visitor on your site, you would need to prevent XSS by passing that data through htmlentities() when it is displayed.