When I have a value like this in the database ("foo"),

how can I echo it without any conflict with the HTML code?

Notice:

<input type="text" value="<? echo '"foo"'; ?>" />

The result will be like this:

<input type="text" value=""foo"" />

How can I fix it?

A: 
<?php

echo "<input type='text' value='{$foo}' />" ;

?>
Chris J
Just using ' instead of " would bring the same problem if the database would contain a '.
ZeissS
this will just move from " to ', and it still allows for XSS.
knittl
+2  A: 

You can use htmlentities to overcome this problem like so:

<input type="text" value="<? echo htmlentities('"foo"'); ?>" />

This will return:

<input type="text" value="&quot;foo&quot;" />

avoiding any conflict with HTML.

GeekTantra
This function generates unprintable characters when I use it with languages other than English.
Waseem Abu Senjer
Yes, you need to pass in the charset when it's UTF-8 (or anything other than ISO-8859-1): `htmlentities($var, ENT_QUOTES, 'utf-8')`. However it is generally easier just to use `htmlspecialchars` instead; there is no need to entity-encode the other characters.
bobince
+2  A: 

Use urlencode or htmlspecialchars:

<a href="<?php echo urlencode($dburl)?>" title="<?php echo htmlspecialchars($dbvalue)?>">link</a>
knittl
+1  A: 

htmlspecialchars(), basically. For example:

<input type="text" value="<? echo htmlspecialchars($value, ENT_QUOTES); ?>" />

The ENT_QUOTES is optional and also encodes the single quote '.

I used $value since I'm not sure what exactly you have in the database (with or without quotes?), but it will sit in some kind of variable if you want to use it anyway, so I called that $value.

Since the above is a bit unwieldy I made a wrapper for it:

// htmlents($string)
function htmlents($string) {
  return htmlspecialchars($string, ENT_QUOTES);
}

So you can:

<input type="text" value="<? echo htmlents($value); ?>" />

Not to be confused with the existing htmlentities(), which encodes all non-standard characters. htmlspecialchars() only encodes &, <, >, " and ', which is more appropriate for UTF8 pages (all your webpages are UTF8, right? ;-).

MSpreij
Yes, my pages are UTF8.
Waseem Abu Senjer
I shorten the shortcut even further, by defining `function h($s) { echo htmlspecialchars($s, ENT_QUOTES); }`. Then you can write just `<?php h($value); ?>`.
bobince
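Putting this answer and bobince's comments together, here is an added example (not code from any poster on this page) that escapes a database value for an attribute with the charset and flags made explicit, and checks the cases the thread raises: quotes, non-English text, and invalid UTF-8. It assumes PHP 5.4 or newer (for ENT_SUBSTITUTE); all sample values are constructed.

```php
<?php
// Escape a value for use inside a double- or single-quoted HTML attribute.
function h($s) {
    // ENT_QUOTES     -> also encode ' so single-quoted attributes are safe
    // ENT_SUBSTITUTE -> replace invalid UTF-8 with U+FFFD instead of returning ""
    // 'UTF-8'        -> never rely on the default charset (ISO-8859-1 before PHP 5.4)
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The <input> from the question, rendered with an escaped value.
function input_tag($value) {
    return '<input type="text" value="' . h($value) . '" />';
}

// Self-check covering the cases raised in the thread. Returns a list of
// failure messages (empty when everything behaves as expected).
function self_check() {
    $failures = array();
    $cases = array(
        // constructed input          => expected attribute text
        '"foo"'                        => '&quot;foo&quot;',
        '"foo" & <b>bar</b> \'baz\''   => '&quot;foo&quot; &amp; &lt;b&gt;bar&lt;/b&gt; &#039;baz&#039;',
        'café'                         => 'café',                    // non-ASCII passes through
        "bad byte: \xC3\x28"           => "bad byte: \xEF\xBF\xBD(",  // invalid byte -> U+FFFD
    );
    foreach ($cases as $in => $want) {
        if (h($in) !== $want) {
            $failures[] = 'h(' . var_export($in, true) . ') gave ' . h($in);
        }
    }
    // htmlentities() goes further and encodes every character that has a named
    // entity, which is why it looked wrong once non-English text was involved.
    if (htmlentities('café', ENT_QUOTES, 'UTF-8') !== 'caf&eacute;') {
        $failures[] = 'htmlentities did not produce caf&eacute;';
    }
    // Without ENT_SUBSTITUTE, invalid UTF-8 makes htmlspecialchars() return "",
    // so the value silently vanishes from the page instead of being escaped.
    if (htmlspecialchars("bad byte: \xC3\x28", ENT_QUOTES, 'UTF-8') !== '') {
        $failures[] = 'expected empty string for invalid UTF-8 without ENT_SUBSTITUTE';
    }
    return $failures;
}

echo input_tag('"foo"'), "\n";
$failures = self_check();
echo $failures ? implode("\n", $failures) . "\n" : "all checks passed\n";
```

The empty-string case is the one worth watching for in practice: a value that disappears from a form field is often a charset mismatch between the database connection and the page, not a missing row.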
A: 
symcbean
fails to HTML-escape, causing XSS vulnerabilities. And personally I consider the `print` version much *less* readable. You lose proper consistent HTML and PHP indentation when you do it like that.
bobince