RebeccaD Posted April 3, 2013 Share Posted April 3, 2013 Hi. I have written a routine for a person even less able than me ( ), so that they can enter a full URL and a decription about it, then have a ready made HTML href attribute constructed so that they can paste this into a text widget in their WordPress website ( See routine at http://interpretationmatters.com/links). Works perfectly, but if for instance the description entered of the URL contains a single quote e.g. The cat's mother, the resulting attribute has a backslash in it before the single quote e.g. <a href="http://www.my_website.com">The cat\'s mother.</a> What can I use to ensure that any special character's that may appear in the description field ($des) are not preceded (escaped) by a backslash - except a backslash of course which is unlikely to be used? These could include !""£$%^&*()_-{}[]:;'?/>< etc. Code which displays results from the form is: <? $id = $_POST["form_id"]; if($id == 0) { echo ""; } else { $url = $_POST["element_1"]; // Data entered for full URL $des = $_POST["element_2"]; // Data entered for description of URL $linka = "<b><a href=\"". $url. "\">". $des. "</a></b>"; // Add $url and $des to give href attribute which will open in same window/tab $linkb = "<b><a href=\"". $url. "\" target=\"_blank\">". $des. "</a></b>"; // // Add $url and $des to give href attribute which will open in new window/tab echo "<div id=\"form_container\">"; echo "<h1><a>Link Coding</a></h1>"; echo "<form id=\"10\" class=\"app\" method=\"post\" action=\"\">"; echo "<div class=\"form_description\">"; echo "<h2>Results</h2>"; echo "</div>"; echo "<ul >"; echo "<p>Using the cursor highlight either code snippet. Copy (Ctrl+C)) then paste (Ctrl+V) either snippet into the Wordpress Widget</p>"; echo "<p>If link is to appear in the <b>same</b> tab:<br>"; echo "<h3>". $linka. "</h3>"; echo "<p>If link is to appear in a <b>new</b> tab:<br>"; echo "<h3>". $linkb. "</h3>"; echo "<p><input type=\"button\" value=\"New Entry\" onclick=\"window.location.href='redirect.html'; return false;\" /></p>"; } ?> Quote Link to comment Share on other sites More sharing options...
requinix Posted April 3, 2013 Share Posted April 3, 2013 Turn off the magic_quotes php.ini setting. Then do a pass over any other code you might have to make sure you are being safe with SQL queries and the like (which addslashes() doesn't count towards). Quote Link to comment Share on other sites More sharing options...
Christian F. Posted April 4, 2013 Share Posted April 4, 2013 You will also want to use htmlspecialchars on the site link address and text, to prevent HTML injection attacks (XSS and similar). Plus adding some validation of the inputs, at least for the URL itself. To ensure that what you're getting is actually a valid URL. PS: It is recommended to use the full PHP tags (<?php), as the short-tags (<?) does not work on all servers. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.