当前位置: 动力学知识库 > 问答 > 编程问答 >

Escaping PHP in functions printing HTML pages

问题描述:

Currently can't figure out how to properly escape a php function in my printing functions that output my HTML pages.

For example, I have a page called removeClient, where I want to remove a client according to it's ID. A drop down box should supply the user with the current client ID's available and they should have the ability to click on one.

I have a main page where functions get called according to the view supplied by the URL.

Now, I want the page to print the drop down menu with the IDs supplied by a Postgres Database, then some forms to fill in the new user data.

Function that gets called is as following;

 function removeClient() {

include 'dbconnect.php';

if ((isset($_POST['add']))) {

if (isset($_POST['ID']) && (isset($_POST['FirstName'])) && (isset($_POST['LastName'])) && (isset($_POST['IP'])) && (isset($_POST['Status']))) {

$clientid = $_POST['ID'];

$FirstName = $_POST['FirstName'];

$LastName = $_POST['LastName'];

$ip = $_POST['IP'];

$status = $_POST['Status'];

$result = pg_query($dbconnection, "somequery");

if (@pg_affected_rows($result) === 1) {

echo "<p> Client removed!</p>";

} else {

echo "<p> Something went horribly wrong. Contact a system adminstrator </p>";

}

}

}

echo

"<form name=\"addClient\" method=\"post\" action=\"?view=addClient\"/><br/>" .

"<select name=\"clientID\" id=\"clientID\"> " .

"<td>ID</td> <tr><input type=\"text\" maxlength=\"32\" name=\"ID\" /></tr><br/>" .

"<td>First Name</td> <tr><input type=\"text\" maxlength=\"32\" name=\"FirstName\" /></tr><br/>" .

"<td>Last Name</td> <tr><input type=\"text\" maxlength=\"32\" name=\"LastName\" /></tr><br/>" .

"<td>IP Addr.</td> <tr><input type=\"text\" maxlength=\"32\" name=\"IP\" /></tr><br/>" .

"<td>Status</td> <tr><input type=\"text\" maxlength=\"32\" name=\"Status\" /></tr><br/>" .

"<input type=\"submit\" name=\"add\" value=\"Send\" /></form><br/>";

}

Now, what I want to do is to change the line

" " .

to a line where Postgres loads her database values in through PHP.

For the PHP part, I got this;

 <option>Select userID</option>

<?php

$db = pg_connect("connection details") or die('Could not connect: ' . pg_last_error());

$sql = pg_query("SELECT title FROM books WHERE ownedby='$user_id'";

while ($row = pg_fetch_assoc($sql)) {

echo '<option value="'.htmlspecialchars($row['title']).'"></option>';}

pg_close($db);

?>

</select>

<input type="hidden" name="userid" id="userid" value="<?php echo htmlspecialchars($user_id); ?>">

Now, I'm not sure how to implement this in echo calls printing HTML pages. I've tried to do a lot of escaping but it is not helping yet. How can I efficiently add this piece of code to my form structure, echo'd in php?

网友答案:
echo <<<_HTML

<html code> _HTML;

using this way to write html code in echo or print.

网友答案:

maybe the param ENT_QUOTES is missing in htmlspecialchars ?

htmlspecialchars($row['title'], ENT_QUOTES)

Also, check the htmlspecialchars (and / or htmlentities) documentation to see the others params (the 3rd is about charset )

EDIT: I m not sure the <option value="something"></option> can display the value, so maybe you should also try this:

echo '<option>'.htmlspecialchars($row['title'], ENT_QUOTES).'</option>';}
网友答案:

As TiMESPLiNTER pointed out - you need to change this:

echo '<option value="'.htmlspecialchars($row['title']).'"></option>';}

to

echo '<option>'.htmlspecialchars($row['title']).'</option>';}
分享给朋友:
您可能感兴趣的文章:
随机阅读: