Escaping quotes in HTML?
Posted: Thu Mar 30, 2006 7:25 pm
by evilmonkey
Hello. I have a string that comes from PHP that I want to include as a hidden value of a form. The problem is, that string might have quotes, and I may well end up with something like this:
Code:
<input type="hidden" name="somename" value="My nickname is "evilmonkey" on the devnetwork forums">
Obviously that will screw things up big time. Is there any way I can avoid that?
Thanks!

Posted: Thu Mar 30, 2006 7:36 pm
by Buddha443556
Posted: Thu Mar 30, 2006 7:37 pm
by infolock
In that case you would want to use &quot; around whatever there is that will have those in it...
Example:
<input type="text" name="bob" value="HI &quot;Bob&quot;">
That will display HI "Bob" in your input box.
Something you should do is maybe something like this too...
Code:
// htmlspecialchars() turns " into &quot; so it cannot end the attribute value
$myvar = htmlspecialchars($some_string_with_quotes);
echo "<input type=\"text\" name=\"bob\" value=\"$myvar\">";
edit: guess Buddha443556 got it first. oh well
Posted: Thu Mar 30, 2006 7:56 pm
by evilmonkey

Not very good. I need to pass some html code too that should go into the database and get processed as html code.

Both of those commands would convert that too. Looks like I'm stuck making my own function to replace just the single quotes. Any better ideas?
Posted: Thu Mar 30, 2006 8:04 pm
by Benjamin
Code:
<input type.... blah blah value='My "name is" blah' />
Might work.
Posted: Thu Mar 30, 2006 8:27 pm
by evilmonkey
agtlewis wrote:
Code:
<input type.... blah blah value='My "name is" blah' />
Might work.
That's worse considering an apostrophe is used much more than a quote.
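
Added example, not from the original thread: one helper that escapes a value for an HTML attribute so that neither the double quote from the first post nor the apostrophe raised above can end the attribute early. It uses htmlspecialchars() with ENT_QUOTES, because before PHP 8.1 the default flags left single quotes alone, which is why switching to value='...' was not a fix on its own. attr() and hiddenField() are illustrative names, not PHP built-ins, and the sample string is constructed for the demonstration.

```php
<?php
// Added example, not from the original thread: escaping an untrusted string
// for use inside an HTML attribute value. attr() and hiddenField() are
// illustrative helper names, not PHP built-ins.

declare(strict_types=1);

// Escape a string for a quoted HTML attribute value.
function attr(string $value): string
{
    // ENT_QUOTES escapes both " and '. Before PHP 8.1 the default flags left
    // single quotes alone, so switching the attribute to value='...' would
    // not have helped on its own. ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render a hidden form field; every dynamic part goes through attr().
function hiddenField(string $name, string $value): string
{
    return '<input type="hidden" name="' . attr($name) . '" value="' . attr($value) . '">';
}

// Constructed sample input: the string from the first post, plus an
// apostrophe so both quote characters are exercised.
$nick = 'My nickname is "evilmonkey" on the devnetwork forums, and it\'s mine';

// Unescaped: the first inner " ends the attribute value early and the rest
// of the string is parsed as further attributes.
echo '<input type="hidden" name="somename" value="' . $nick . '">', "\n";

// Escaped: " becomes &quot; and ' becomes &#039;, so the attribute stays
// intact whichever quote character wraps it.
echo hiddenField('somename', $nick), "\n";

// The browser decodes the entities before submitting the form, so the script
// that receives the field gets the original string back. html_entity_decode()
// with the same flags shows that round trip.
$received = html_entity_decode(attr($nick), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
var_dump($received === $nick);
```

Run it with the PHP CLI; the second echoed line is the field the first post was after, and the final var_dump confirms that escaping for the attribute does not change what the form submits.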

Posted: Thu Mar 30, 2006 9:56 pm
by josh
Uhh, addslashes() maybe? You shouldn't trust HTML to a user though. Big security flaw there.
Posted: Thu Mar 30, 2006 10:10 pm
by evilmonkey
jshpro2 wrote: Uhh, addslashes() maybe? You shouldn't trust HTML to a user though. Big security flaw there.
HTML is my own.

It basically works something like this: It's a messaging system, and if a user is responding to a message, I want to append the previous message to it automatically. So it's something like
Code:
How's it goin?
-----------------------------
On March 30, 2006, evilmonkey wrote
Hey Dude!
The "How's it goin?" part goes through strip_tags, mysql_escape_string, and stripslashes (not in that order, of course), but the dashes and everything after them are added automatically. In order to format, I need HTML code, so using htmlentities was not a viable solution. And at the point at which I'm doing this, I no longer have access to just the message; I'd have to break the string up again. I solved it by writing a function which will get rid of quotes, apostrophes, etc.
BTW, I'm glad someone brought up the security flaw behind letting users post HTML. Can someone tell me what that flaw is? (I allow it in other places.) The worst it can do is screw up the design of the page, but the area that's HTML-able by the user is in a frame... are there any injection worries or anything of the sort, though? Please give examples. Thanks.

Posted: Thu Mar 30, 2006 10:36 pm
by feyd
addslashes doesn't do anything in this instance. htmlentities() is the correct way. Try it, you'll find out.
Posted: Thu Mar 30, 2006 11:29 pm
by josh
Well if he uses addslashes he won't break the HTML code and he can strip it out, but I agree htmlentities would be the ideal solution.
Also I think you need to pay more attention to your HTML:
Code:
<form>
<textarea>
<?php
echo '<b>test</b>';
?>
</textarea>
</form>
If your script is taking that data from that textarea and is not doing any checks on the HTML, you are allowing the user to enter anything they want, period. Even if it is a hidden field, all it takes is 2 seconds to modify the hidden field data with JavaScript, a Firefox plugin, or to do it from telnet. Security risks involved include XSS, where cookies can be stolen and any kind of script can be injected into the page. For instance, I could write up a JavaScript that changes the user's password without their knowledge (this is why feyd and others always suggest having the user type their password every time they perform an administrative function).
Posted: Thu Mar 30, 2006 11:45 pm
by feyd
Slashes don't escape anything in HTML. The code would break if it had an end delimiter mixed in.
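
Added example, not from the original thread, covering the messaging workflow described above and the addslashes() question: it escapes the untrusted previous message first and only then wraps it in the site's own formatting HTML, so the formatting survives while the user text cannot break an attribute or inject markup. It then runs one hostile value through addslashes(), strip_tags() and htmlspecialchars() to show which of them actually neutralises the quote and the tag. esc() and quotedReply() are illustrative helper names, and the sample messages are constructed.

```php
<?php
// Added example, not from the original thread: building a reply body that
// combines untrusted user text with the site's own HTML formatting, and
// comparing addslashes(), strip_tags() and htmlspecialchars() on a hostile
// value. esc() and quotedReply() are illustrative helper names.

declare(strict_types=1);

// Escape text for an HTML body or attribute context.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape the untrusted text first, then wrap it in trusted markup. Escaping
// after concatenation would also mangle the formatting, which is the
// situation the thread ran into; keeping the two steps apart avoids it.
function quotedReply(string $previous, string $author, string $date): string
{
    return '<hr>'
        . 'On ' . esc($date) . ', ' . esc($author) . ' wrote:<br>'
        . '<blockquote>' . nl2br(esc($previous)) . '</blockquote>';
}

// Constructed sample: the earlier message contains a quote, an apostrophe
// and a tag.
$previous = "How's it goin? Say \"hi\" <b>now</b>";
$body = quotedReply($previous, 'evilmonkey', 'March 30, 2006');

// If the assembled body is carried in a hidden field, the whole value is
// escaped once more for the attribute context; the browser decodes it back
// on submit, so the markup survives the round trip intact.
echo '<input type="hidden" name="body" value="' . esc($body) . '">', "\n";

// A hostile value that tries to close the attribute and inject script.
$hostile = '"><script>alert(document.cookie)</script>';

// addslashes() only prefixes backslashes, which mean nothing to an HTML
// parser: the quote still closes the attribute and the tag is still live.
$withSlashes = addslashes($hostile);

// strip_tags() removes the tags but leaves the leading "> in place, so the
// attribute is still broken out of.
$stripped = strip_tags($hostile);

// htmlspecialchars() turns " < > into entities; nothing is left that can
// close the attribute or start a tag.
$withEntities = esc($hostile);

$results = [
    'addslashes'       => $withSlashes,
    'strip_tags'       => $stripped,
    'htmlspecialchars' => $withEntities,
];
foreach ($results as $name => $out) {
    $closesAttribute = strpos($out, '"') !== false;
    $liveScript      = strpos($out, '<script>') !== false;
    printf(
        "%-16s closes attribute: %s, live <script>: %s\n",
        $name,
        $closesAttribute ? 'yes' : 'no',
        $liveScript ? 'yes' : 'no'
    );
}
```

Only the htmlspecialchars() row answers "no" to both questions; addslashes() is an escaping rule for SQL and PHP string literals, not for HTML, and strip_tags() leaves the stray quote alone. Database escaping of the stored message is a separate step and is deliberately not shown here.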
Posted: Fri Mar 31, 2006 12:35 pm
by evilmonkey
Alright, thanks guys. Rest assured, I do run some checks (i.e., I don't want PHP code inside my text areas). I'm pretty lenient though because I want HTML code to stay. It's a tough balancing act...
Posted: Fri Mar 31, 2006 5:40 pm
by Benjamin
Use a textarea and set the display type to none using css. You can put whatever you want in it and it will be like a hidden field.
Posted: Wed Apr 05, 2006 12:07 pm
by J_Iceman05
I think htmlspecialchars() or something like it would do well... I mean, if you are putting it in a database you have to be using PHP, right? So when you display the text (such as 'HI "bob"') you will be echoing the variable (which will contain &quot;, but still be displayed as a quote).
I just don't see where the problem is with using that kind of function...