#1 SitePoint Zealot (joined Feb 2008, 165 posts)

    Quotes stop browser from reading data

    Here's the thing: I'm using the old stripslashes trick on the data being sent to the DB because magic quotes are on. Works fine (ex. This is not in quotes, but "this is"), the database receives and returns exactly that.

    The problem is seen in two places, and that is when I try to add that string to the URL with $_GET and when I add that string to pre-populate a text input field.

    SAMPLE CODE:

    PHP Code:
        // $var is dropped straight into the query string and the href attribute, unencoded
        $var = 'This has no quotes, but "this does"';
        echo '<a href="nextpage.php?var=' . $var . '">link</a>';
    URL OUTPUT:
    nextpage.php?var=This has no quotes, but

    The rest of the string is missing...

    I have the same issue when grabbing data from the DB and inserting the returned data as the value of a text input field.

    SAMPLE CODE:
    PHP Code:
        // $var is dropped straight into the value attribute, unencoded
        $var = 'This has no quotes, but "this does"';
        echo '<input type="text" value="' . $var . '" />';
    SOURCE OUTPUT:
    <input type="text" value="This has no quotes, but " />

    Any ideas???

#2 cranial-bore, SitePoint Wizard (joined Jan 2002, Australia, 2,634 posts)
    The first set of double quotes in $var closes the ones that open the value attribute in your HTML. Then the rest of $var becomes junk that invalidates your HTML and breaks the page.
    Run $var through htmlspecialchars or htmlentities to make it safe to output this way.

    Also, if any of the content is user submitted (such as a username, or comment) and you don't escape it properly your site will be vulnerable to XSS attacks.

#3 Non-Member (joined Oct 2009, 1,852 posts)
    Quote: Any ideas???
    Pay more attention to what you are doing.
    Try your second code and then check the resulting HTML source. It is not like the one you posted below. Then count the double quotes.
    And then use the htmlspecialchars() function to encode HTML special characters in your text.

    For the first one, urlencode() should be used instead, because it is a URL where you're going to pass your text.
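Putting the two answers together: the same $var needs a different encoder for each context it is emitted into, and the fix for each of the original poster's two snippets is one function call at the point of output. The following is an added example, not code from the thread or from any of its participants. It encodes the query-string value with urlencode() (via http_build_query(), which applies urlencode() to every key and value and so generalises the single-parameter case in the thread), encodes the finished URL and the input value with htmlspecialchars(), and then checks that nextpage.php would receive the original string unchanged. The helper names attr(), link_to(), text_input() and query_round_trips(), and both sample strings, are constructed for this example.

```php
<?php
// Added example (not from the thread): encode a value for each context it
// is emitted into. Helper names and sample strings are constructed here.
declare(strict_types=1);

// HTML context: safe inside a double- or single-quoted attribute or a text node.
// ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning '' (which would silently blank the whole field).
function attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL context first, then HTML context. http_build_query() runs urlencode()
// over every key and value, so it covers the single urlencode($var) from the
// thread and any number of extra parameters. The finished URL is then
// HTML-encoded because it sits inside an href="..." attribute (this also turns
// a bare & between parameters into &amp;).
function link_to(string $page, array $params, string $label): string
{
    $url = $page . '?' . http_build_query($params);
    return '<a href="' . attr($url) . '">' . attr($label) . '</a>';
}

// The pre-populated text input from the thread, with both attributes encoded.
function text_input(string $name, string $value): string
{
    return '<input type="text" name="' . attr($name) . '" value="' . attr($value) . '" />';
}

// Simulates what nextpage.php receives: PHP decodes the query string into
// $_GET, which parse_str() reproduces here for a self-contained check.
function query_round_trips(string $href, string $key, string $expected): bool
{
    parse_str((string) parse_url($href, PHP_URL_QUERY), $decoded);
    return isset($decoded[$key]) && $decoded[$key] === $expected;
}

$samples = [
    'This has no quotes, but "this does"',             // the value from the thread
    '" onfocus="alert(document.cookie)" autofocus="',  // constructed attribute-breakout XSS attempt
];

foreach ($samples as $var) {
    $link  = link_to('nextpage.php', ['var' => $var], 'link');
    $input = text_input('var', $var);
    echo $link, "\n", $input, "\n";

    // Every " inside the value is now &quot;, so the only raw double quotes
    // left are the six attribute delimiters written by text_input() itself.
    assert(substr_count($input, '"') === 6);

    // Pull the href back out and confirm nextpage.php would see $var unchanged.
    preg_match('/href="([^"]*)"/', $link, $m);
    $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    assert(query_round_trips($href, 'var', $var));
}
```

Run it with `php example.php`; the second sample shows why post #2's XSS warning matters, since without attr() that string would close the value attribute and add its own event handler. Two caveats the thread does not spell out: stripslashes() and magic quotes are about what goes into the database, not about output, and magic_quotes_gpc was removed entirely in PHP 5.4, so database escaping belongs in prepared statements while output encoding is chosen per context (URL, attribute, text node) as shown here.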

#4 SitePoint Zealot (joined Feb 2008, 165 posts)
    Thank you, cranial-bore, for the security suggestion. All data is being escaped properly. You were right, the HTML was broken, too many double quotes.

    Thank you schrapnal N5 for your suggestions, both issues are now resolved. You were correct about the source code for the text input value. htmlspecialchars() solved this problem. And once I added urlencode() to the link tag, it worked great.
