Htmlspecialchars/real Escape
I'm creating a BBCode parser, and everything's working but one thing; I need code tags, but I will need to real_escape/htmlspecialchars the post to make sure it isn't malicious. The only problem is if I real_escape with code tags that contain php, the php will be removed. If I specialchars the post with php, I can't have syntax highlighting (or, not easily). How do I get round this?
View Complete Forum Thread with Replies
Related Forum Messages:
Mysql Real Escape
Upon entry into the database, I first clean form input data with html special characters, strip tags, and mysql real escape string. When I retrieve this data from the db, single quotes aren't coming out right on the pages. Some browsers display a question mark, others a blank space, and another (FireFox) totally screws up the text formatting.
View Replies !
Real Escape String
How can i add a escape string to this php mysql query. mysql_query('insert into times (code, date, time, duration) values ("'.$course_code.'","'.$date_inSQL.'","'.$time_inSQL.'","'.$duration.'" )');
View Replies !
Mysql Real Escape String() In Conditional Statements
I created the following bit of code that allows me to pass a MySQL conditional statement to a function. I am trying to figure out where and how would I go about incorporating the mysql_real_escape_string() function? Is there a way to call the mysql_real_escape_string() in the function itself? Code:
View Replies !
How To Search Strings Escaped By Mysql Real Escape String()?
I am currently developing an article script and there are Titles and Contents. To prevent sql injection, people say we must use mysql_real_escape_string(). So let's say if there is a Title that says "My Friend's best friend", if I look into the MySQL table record, the text will be saved as "My Friend's best friend", where the apostrophe is escaped. Code:
View Replies !
A Real Challenge For Real PHP Programmers
<?php /* A challenge to every PHP programmer.The one who's gonna solve this problem would be deemed as PSP(PHP Supreme Programmer).The problem is this : You have to write a script that displays a list of categories and subcategorieslike this one: <select name="category"> <option value="1">Main</option> <option value="2">Main > Computers</option> <option value="4">Main > Computers > Hardware </option> <option value="8">Main > Computers > Hardware > PC</option> <option value="7">Main > Computers > Hardware > Mac</option> <option value="9">Main > Computers > Hardware > Atari</option> <option value="11">Main > Computers > Hardware > PC > History of Pc</option> <option value="">etc...</option> </select> The categories and subcategories details are stored in these two tables in a MySQL database. -categories : the categories names and ids. -cat_relations : the relations between categories.It shows which subcategory belongs to which category. The belongings between categories can go very deep and the number of categories is unlimited. This script will create the two tables and fill them with sample data. All you need to do is to change the four variables below. You can send the script back to this email : yasbergy@yahoo.com. */ //Here starts the script. Please change the values of these variables to fit your settings $user = "prospective_PSP"; $database = "db"; $server = "localhost" ; $pwd = "" ; //Connection to the database that you created mysql_connect($server,$user,$pwd) ; mysql_select_db($database); //Creation of the two tables : categories and cat_relations $categories = " CREATE TABLE `categories` (`id` INT not null AUTO_INCREMENT, `name` VARCHAR(100) not null , PRIMARY KEY (`id`), INDEX (`id`), UNIQUE (`id`)) comment = 'The categories details' "; mysql_query($categories) ; $cat_relations = "CREATE TABLE `cat_relations` (`id` INT not null AUTO_INCREMENT, `daughter_id` INT not null, `mother_id` INT not null , PRIMARY KEY (`id`), INDEX (`id`), UNIQUE (`id`)) comment = 'Which category is the daughter of which category'"; mysql_query($cat_relations) ; //Filling the two tables with sample data $cats = array('Main','Computers','Countries','Hardware','S oftware','Programming languages','Mac','PC','Atari','Winamp','History of the PC','IBM','Components','High level','USA','NYC','LA','Manhattan','India','Winzi p'); for ($i=0;$i<count($cats);$i++){ $sql = mysql_query("insert into categories (name) values('".$cats[$i]."')"); } mysql_query("insert into cat_relations (daughter_id,mother_id) values (2,1),(3,1),(4,2),(5,2),(6,2),(7,4),(8,4),(9,4),(1 1,8),(12,8),(13,8),(10,5),(20,5),(14,6),(15,3),(16 ,15),(17,15),(18,16),(19,3)"); //Now you can have a look on them through phpMyAdmin ?>
View Replies !
Htmlspecialchars?
I am storing some common html tags like the bold tag and a href tag in a database. I am having no problems there. However I am using this code to extract the first 150 characters out of the Database. $txtNewsDetails = preg_replace('/(?<=^.{150}).+$/s', '...', $txtNewsDetails); And that works great as well. However, say the last character of the 150 characters is text in between the href tag. The href tag does not get closed off and the script does not work properly. I'm seeking suggestions on how to display 150 characters of long text stored in a database as well as make sure the all html characters get closed off at the same time as the extraction.
View Replies !
Htmlspecialchars
I'm using WAMP, XAMPP is set up (localhost). Say we use this example: <?php $new = htmlspecialchars("<a href='test'>Test</a>"); echo $new; ?> for some reason, the code outputs: <a href='test'>Test</a> I looked on php.net, and tried their example; still didn't work. Has anyone had this problem? Anyone any ideas?
View Replies !
Htmlspecialchars()
I'm trying to execute this code it's straight out of the PHP manual: $new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES); echo $new; This outputs: <a href='test'>Test</a>
View Replies !
Htmlspecialchars Like Magic_quotes?
I've got magic_quotes turned on in my php configuration so that I don't have to addslashes or anything like that to my form inputs. I still have to use htmlspecialchars() to get rid of any html tags tho - anyone know if there is a setting in php.ini that would do this automatically like magic_quotes? Magic_html - that would truly be magic.
View Replies !
Htmlspecialchars() Problem
Running php 4.3.6 on winxp machine I have following code: ----------------------------------------------------------------------- Restaurants <select size=Ƈ' name='restaurants'> <? while ( $row = mysql_fetch_array($restaurant)){ $opt = "<option value = '" . $row["title"] . "'>" . $row["title"] . "</option>"; $opt = htmlspecialchars($opt, ENT_QUOTES); echo "$opt"; } echo"</select>"; echo "$opt"; ------------------------------------------------------------------
View Replies !
And MySql - Use Htmlspecialchars()
I have a bit of a problem with MySQL and PHP working together. More specifically when i use htmlspecialchars() to encode my text then load it into the database, it is interpreting the special characters and decoding them. Is there any way that I can perserve this coding and make sure it says in my database? Example: Here is what is entered -- t%20t Here is what is showing in the database now -- t t here is what I would like to see -- t%20t
View Replies !
Slipslashes Or Htmlspecialchars??
I wrote a script to update my news article. However, when I go to edit the title and news, if a ' exist, then the update fails. I know from previous work, that either slipslashes or htmlspecialchars should do the trick, I am just not sure which one, or where to put them. Would anyone be able to point me in the right direction of where I should include these statements... or if you have an alternative fix, please post. Keep in mind that I can update articles once the article Title or News body doesn't contain a ' inside of the content. Once a ' exist, then it crashes the script and nothing updates. Code:
View Replies !
Html_entity_decode() And Htmlspecialchars() For XML
Using the conversion to char sets described for these functions, is it possible to get a whole string into some charset? I'm trying to figure out a way to take invalid character sets from idiot users, and translate the string so that in the end I have a string that won't cause my XML to test invalid. Code:
View Replies !
Htmlspecialchars() Or Htmlentities()
I have been wanting to display my PHP sources for stuff I make to help people but using htmlspecialchars() and htmlentities() it only does so much convertion to HTML. The variables still echo the result or nothing, when infact I obviously want it to simple echo $variable_name Lol. Please help. The code I am trying ton convert is the simple random token generation code. <?php for($length=9,$ra='strlen($ra)<$length;$ra.=chr(!mt_rand(0,2)?mt_rand(48,57):(!mt_rand(0,1)?mt_rand(65,90):mt_rand(97,122)))); echo $ra; ?>
View Replies !
Reverse The Htmlspecialchars
Now before any of you get ahead of yourselfs... I do not have PHP 5 thus this has to be a PHP 4 answer. I encode a chunk of html using htmlspecialchars then split it and break it apart. After that I get out put (in browser) like: .....
View Replies !
Htmlspecialchars() And Htmlentities()
I have another question - I have a lot of information in a mysql database which I want to display allowing HTML coding for basic formating. htmlspecialchars() and htmlentities() both make the HTML tags appear instead of formatting the text. Is there a function that will keep the taglines intact but replace pound symbols (£) etc. with the appropriate HTML equivalent?
View Replies !
Htmlspecialchars - Character Set
$new = htmlspecialchars("<a href=", ENT_QUOTES, 'ISO-8859-15'); echo $new; displays: <a href Instead of : < a href I added the character set since this is a computer in Europe. The PHP is the Win32 5.1.2.
View Replies !
Htmlspecialchars And Htmlspecialchars_decode
If I use htmlspecialchars on a user text input before storing into a database, then when showing the data in an output use htmlspecialchars_decode before displaying, would that allow potentially harmful code to be run? (ie is it only a good way to store the data not display it?)
View Replies !
Using Htmlspecialchars() On The Variable
When I try to send the contents of a textarea from a form to my database I get errors if the textarea contained certain characters - for example, ' or ". The errors appear in my SQL syntax only when those characters are entered, so I need to escape them somehow. How should I format the variable containing the text so that this error doesn't occur? By the way, I am already using htmlspecialchars() on the variable in question. Am I going to have to use regular expressions
View Replies !
Reverse Htmlspecialchars
I am pulling information from a database whose input had htmlspecialchars used on it. Is there a way to convert the specialchars into their actual signs so that <b> actually becomes <b> and therefore displayed the text as bold.
View Replies !
How To Use Htmlspecialchars In The Form
how to use the htmlspecialchars function in the form below: <form action="formtest1.php?c=1" method=POST> <b>Find Results with: These words: <input type="text" length=40 name="keywords"> input type="submit" value="Search"> </form>
View Replies !
Htmlspecialchars - Mailing System
i have a mailing system with a textarea where people can typ there message and then send the email. Everything works well,except for when you typ for example : you're great because then the mail will sent this : you're great ! could anybody help me?
View Replies !
How To Use Htmlspecialchars With Foreign Language?
I am building a website which uses other charset, not the standard ASCII code. (A foreign language website). It allows users to fill up a form. Normally we would use htmlspecialchars to prevent potential harmful codes. But doing so will make my website not displaying the text correctly. Anyone has a solution to this?
View Replies !
Htmlspecialchars Makes Stuff Safe?
Do you think using the htmlspecialchars function makes user input safe for the mysql database? If not, what other exploits are there? Do I really need to add more to make my user input secure?
View Replies !
HTML Entities / Htmlspecialchars With Dollar
I am trying to preform a regex to make sure that valid input is entered, but htmlentities and htmlspcialchars don't seem to translate the dollar sign ($) into it's corresponding HTML code (&# 36; ) (spaces added due to board translation of HTML code) $_POST['webCurrency'] = "& #36;"; // posted from form with value & # 36; without spaces $currency = htmlspecialchars(trim($_POST['webCurrency'])); echo 'CURRENCY -> '.$currency; //outputs $ $currency = htmlentities(trim($_POST['webCurrency'])); echo 'CURRENCY -> '.$currency; //outputs $
View Replies !
Htmlspecialchars And Me. Question About Safety And Flexibility.
I have a site where I let users input text into my mysql database. I run their inputs through mysql_real_escape_string before I enter it into the DB and on the output I run it through htmlspecialchars. My question is: How can I add the ability for users to add things such as hyperlinks or images when all the <> brackets and such are converted to their entity counterpart? I don't want them to actually be able to input HTML, or scripts, but I would like to give them the freedom to insert hyperlinks and images, that will parse correctly on the viewing page.
View Replies !
Stripslashes(htmlspecialchars($myrow[1])) To Display A Record
I am using stripslashes(htmlspecialchars($myrow[1])) to display a record from the database. When I enter data in the form in the backend, I want to put <b>text</b> but this actually turns out as <b>text</b> on the webpage instead of bolding the word text. How do I make it so I can enter HTML in the backend textarea form fields?
View Replies !
Loop Through A Result Array And Apply => Htmlspecialchars
I think that this could be easy, but my brain cramps up part way and I can't seem to get it right (I'm in the middle of a marathon coding/programming session). I have a result set: $query = "SELECT * FROM mytable WHERE code = 'topsecret!'"; $result = mysql_query($query); Now I want to loop thru the resulting $row's and apply the htmlspecialchars() function. My brain cramps right about at the point where I start to build the foreach. Can someone walk me through this? while ($row = mysql_fetch_array($result)) { foreach ($row as $key => $val) { CRAMP! }
View Replies !
Testing Htmlspecialchars() PHP Function - Converting HTML Characters
Testing htmlspecialchars() PHP Function - Converting HTML Characters When data needs to be presented in Web pages, HTML special characters must be well protected Otherwise, data well not be presented properly, or the Web will become corrupted. This page allows you to learn and test the htmlspecialchars() function to protect embedded data in Web pages.
View Replies !
Getting The REAL Directory?
Is there any way to get the directory/path of the file running the script, not the directory you're inside (Via dir())? I'm allowing the user to navigate through directories, and that part works great - but whenever I attempt to used getcwd(), it returns the directory the user is in - not the directory of the php file - is there any way to get the directory of the .php file the user is using?
View Replies !
Real Estate MLS/IDX
I am trying to program an MLS/IDX search feature to be integrated into a real estate website. This progrom will allow MLS/IDX searching/browsing (searching by MLS #, house variables, etc) and browsing by property location, etc. I have come accross RETS and have tried to go about it, but wow, maybe MLS/IDX is just some mythical database that doesn't exist? If anyone can help me out here. show some code, point me to a resource, tutorial, something that would be some assistance, I would bow down to them, and mail them one, yes, one ice cold root beer.
View Replies !
Resolve Real IP
I can get the apparent IP from $_SERVER['REMOTE_ADDR']; . However, how can I find the real IP if the user is behind a proxy? I know it must be possible as some "whatismyip" sites do it.
View Replies !
Mysql Real
I found this which I think calls for an indepth brain storming. A very good reading [edited by: eelixduppy at 1:06 pm (utc) on Sep. 12, 2007] [edit reason] fixed typo as per request [/edit]
View Replies !
Escape
<?php echo ("Vladimir's brother said, "Ain't that a hoot?""); ?> Vladimir's brother said, "Ain't that a hoot?" Vladimir's brother said, "Ain't that a hoot?"
View Replies !
Escape <
I'm adding 3 strings and need to escape possible <? and <<< when they occur. I can't figure out a way to do it. This is the code joining the strings. If it comes across a <? in the results it does not add additional strings in the loop. $Result = $Result . chr(intval($k/16)+48) . chr(intval(fmod($k, 16))+48); for($m=0; $m<=$i-1; $m++) { $k=ord(substr($mpass,$m,1)); $k=$k+$LASTK+(27*$j); settype($k, float); $k= fmod($k, 256); $LASTK=$k; $Result = $Result . chr(intval($k/16)+48) . chr(intval(fmod($k, 16))+48) $j++; }
View Replies !
Real-time Output?
I'm a relative PHP newbie, so I apologize if this is a simple question. Anyway, here's my problem. I'm using a PHP script to pre-render a bunchload of insert files for an HTML page. Right now there's about 1,600, but that number could get much, much higher when the site goes live. I'll only need to re-render the whole batch once or twice a year (if that) but it's still something I'd like to be able to do in case I have to move the site to a different server, or there's a hard drive crash or etc. Basically what the script does is grab a whole bunch of information from a database and write the insert file. It does this for every single one. The problem of course, is that PHP by default does all this server-side, and then sends it to the browser. Because this process takes like ten or twenty minutes to do, the browser times out long before it's finished. Is there a way to get progressive output with PHP? Or do I need to re-do this in another language like Perl?
View Replies !
Real Length Of Arrays
Sometimes, I want to know how many elements are really in an array (php3). The count() and sizeof() functions apparently return the number of non-empty array elements, and if you do a while loop checking for empty will stop on the first empty element. I have been using the following function: function truecount($theArray) { if (is_array($theArray)) { end($theArray); return key($theArray); } } but if the key is non-numeric, won't that trip me up? Anyone have a better solution?
View Replies !
Md5 / Sha1 - Any Real Difference?
I use md5 hash with some of my cookies and occassionally a hidden form field - I know the physical data on my network is insecure (unless being served via https) but I was wondering if there are any advantages to using md5 over sha1 or versa vicea... I know md5 gives me a unique 32bit hash while sha1 I've read is 'secure' (?) and gives a 40bit hash... Since The technical webpage on sha1 is lengthy and for the most part over my head... and other than today, I've never heard of it before... I was wondering if anyone could offer any comments on it...
View Replies !
Real Time Chat
There's anyone out there that can give me a light on real time chat using sockets. I've seen some using push technics but they all hang up after an elapsed amount of time.
View Replies !
Real IP Address From Behind Proxy Or NAT
How to get the real IP address of a user, not that of their proxy server or the external NAT address. I was quite sure that this wasn't possible without some kind of process getting the address on the client machine. I have suggested that these sites could be using Java to get the real IP address, however, I could be wrong and for me the script that I found always returns 127.0.0.1 . This suggests to me that any script attempting to obtain the hosts real IP address infarct rely s on the HTTP-X-FORWARDED-FOR header sent by the proxy server...
View Replies !
Real-time Clock
Where should I start to write a Real-time Clock? I want it be dynamic, not static. I know how to get the time and display it but how do I keep changing it ?
View Replies !
My Real Estate Scripts
I have been writing a real estate agency program and its coming on well but taking longer than I thought. Also I think I am just re-inventing the wheel as I guess like BB scripts there are probably good free ones already writen in php and using mysql ? Can anyone recommend one.? can then continue learning while adapting it to my purposes.
View Replies !
REAL E-mail Validation
if there is a way to actually send an e-mail to the server and see if it bounces or not? What I'm trying to do is require users to enter a valid e-mail address on the front page before entering the site. I don't want to do simple character validation (check for @ and no special chars, etc, etc) but actually see if the e-mail account truly exists before letting them into the site.
View Replies !
Real-time Chat
I wrote a PHP chat system similar to gChat which simply uses constant ajax calls to update the chat. This system is fine for a few users, but with potentially thousands of users, it is much too hard on the server. I've been considering taking the 'Comet' route, but have heard that PHP can't handle Comet very well. What would be the best language/API to perform real-time chat for a large user-base?
View Replies !
Real Time Sql Query
I am making a web-based chat but to get the msg from the database i need to refresh the page and that will make load and extra bandwidth on the server so i want to make the query in real time ( only the new msg to be received without refresh the whole page ), Any one in here knows how to get data from sql database without having to refresh page.
View Replies !
|
TRACKER
