Using PHP I am able to query MySQL database and see the results echo using:

echo $row['Text'];

I would like the information to load into TextField myAnswer instead. Can anyone help?

Thanks

A: 

Going on assumption from your question, you might try something like:

<input type="text" value="<?php echo $row['Text']; ?>" />

If you're thinking about a textarea control it'd be like this:

<textarea><?php echo $row['Text']; ?></textarea>
Joel Etherton
Hello Mr XSS Vulnerability. You forgot `htmlspecialchars`.
David Dorward
@David Dorward - I didn't forget anything. I am answering a question based on a code snippet without any real knowledge of his application or specifications. For all I know, `$row['Text']` can come from a database, could be a special association, OP could pull it from anywhere. He didn't ask how to sanitize it, he just asked how to get it into the field.
Joel Etherton
@David Dorward - Oh, and since you're into being specific, the proper method would be to use `htmlentities()` to account for non-English XSS.
Joel Etherton
According to http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes "Properly quoted attributes can only be escaped with the corresponding quote". These are property quoted, so what is the problem? Do you have a reference describing how non-English characters can cause an XSS problem in this circumstance?
David Dorward
@David Dorward - Here is a link indicating `htmlentities()` as the preferred method since not all users have English-specific browsers: http://phpsec.org/projects/guide/2.html. Also, your link indicates "Untrusted data". In the OP's question, there is nothing to indicate that $row['Text'] would not be trusted.
Joel Etherton
That article just recommends `htmlentities`, it doesn't compare it to `htmlspecialchars` or mention anything about non-English characters. That fact the data comes from a database indicates that it would not be trusted (or at least expected to be text rather than an HTML fragment), not guaranteed, but highly likely.
David Dorward
@David Dorward - Even going on the assumption that the variable name "row" indicates a database, nothing in the OP's question indicates the nature of the database and whether it is trusted or not. I would have nothing against any answer you would provide that included either `htmlspecialchars` or `htmlentities`, but to assume that I 'forgot' it or otherwise excluded it erroneously is presumptuous.
Joel Etherton
The question explicitly states it comes from a database.
David Dorward
@David Dorward - My mistake, it does indicate it comes from a MySQL database.
Joel Etherton
A: 
<input type="text" name="myAnswer" value="<?php echo $row['Text']; ?>" />
mkoistinen
Hello Mr XSS Vulnerability. You forgot `htmlspecialchars`.
David Dorward
Only if 'Text' is tainted, Mr I-Make-Assumptions.
mkoistinen
+1  A: 

Like this

<input type="text" name="myAnswer" value="<?php echo htmlspecialchars($row['Text']) ?>" />

or

<textarea name="myAnswer" rows="6" cols="40"><?php echo htmlspecialchars($row['Text']) ?></textarea>
grossvogel
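The comment thread above (quoted attributes, `htmlspecialchars` versus `htmlentities`) and this answer both come down to escaping for the context the value lands in. The following is an added example, not code from any of the answers; `$row` is a constructed sample row standing in for a fetched MySQL result, and the helper `e()` is a name chosen here, not a PHP built-in.

```php
<?php
// Added example: rendering a database value into a text input and a textarea
// with context-appropriate escaping. $row is a constructed sample, not a real
// query result; its value contains the characters that would otherwise break
// out of a double-quoted attribute or close the textarea early.
$row = ['Text' => 'Tom "The Cat" O\'Malley <b>bold</b> </textarea><script>alert(1)</script> café'];

/**
 * Escape a value for a double-quoted HTML attribute or an element body.
 * ENT_QUOTES also escapes the single quote, so the same helper is safe inside
 * single-quoted attributes. The charset argument must match the page's declared
 * encoding; a mismatch is the real multi-byte risk, not the choice between
 * htmlspecialchars() and htmlentities(). (Hypothetical helper name.)
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
?>
<!DOCTYPE html>
<meta charset="utf-8">
<form method="post">
    <!-- Attribute context: the value sits inside "...", so every " in the data
         is emitted as &quot; and cannot terminate the attribute. -->
    <input type="text" name="myAnswer" value="<?= e($row['Text']) ?>">

    <!-- Element body context: < is emitted as &lt;, so a literal </textarea>
         in the data cannot end the element; the browser shows it as text. -->
    <textarea name="myAnswer" rows="6" cols="40"><?= e($row['Text']) ?></textarea>
</form>
```

With the sample row, the input's `value` attribute contains `Tom &quot;The Cat&quot; O&#039;Malley &lt;b&gt;bold&lt;/b&gt; ...`, and the textarea shows the same escaped string, which the browser decodes back to the original text for the user. `htmlentities()` would additionally turn `é` into `&eacute;`; that is harmless but unnecessary once the page declares UTF-8, and it does not change anything for the five characters that matter in these two contexts.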
A: 
<?php if ($row['Text']) {?> 
<textarea><?php echo htmlspecialchars($row['Text']); ?></textarea>
<?php } ?>

if you are displaying on the same page; otherwise you can just leave out the if check.

Sujoy
A: 

None of this seems to work for me. Upon looking further, I found the following:

http://www.daniweb.com/forums/thread252486.html -- You can not manipulate text fields like java or C# or as3 but you can echo or print out html tags and text. if you echo your text you will need to space or manipulate using css and html.

So I guess I can't get the results back from the query in a textbox using PHP and MySQL.

Thanks anyways

BrownBear