All geek questions in one place

No special characters

I have a list of camera names in an html table. You can click the edit button to change the camera name if you want.

This opens up a form (plus many other options) with the camera name now editable.

var edit = function(t, to, cameratype, cameraname, ...) { var mydiv = js("#editform"); if (mydiv.find("form").length) { mydiv.show(); } else { // fields var $myform = js("<form id='EditCameraForm' name='' method='post' action='" + to + "'></form>"); var $myfieldset = js("<fieldset><legend>Edit camera settings</legend></fieldset>"); var $myinput = js("<input type='hidden' name='camera_type' value='" + cameratype + "' />"); var $mylabel = js("<label for='CameraName'>Camera name:&nbsp;</label>"); var $myinput2 = js("<input id='CameraName' name='camera_name' size='25' value='" + cameraname + "' />"); $myform.append($myinput, $mylabel, $myinput2, ...); }

My problem goes to cameraname. I allow special characters. Thus, you can call the Joe camera .

When I press the edit button, the camera name is displayed as soon as Joe .

This is due to my check function in php when the camera name is first created ... I believe:

 function check_input($data) { $data = trim($data); $data = stripslashes($data); $data = mb_convert_encoding($data, 'UTF-8', 'UTF-8'); $data = htmlentities($data, ENT_QUOTES, 'UTF-8'); return $data; }

cameraname is passed through the click button:

 <button id="editbutton" onClick='edit(this, "<?php echo htmlentities($_SERVER['REQUEST_URI']); ?>", "<?php echo $result_cameras[$i]["camera_type"]; ?>", "<?php echo $result_cameras[$i]["camera_name"]; ?>", ...)'>Edit</button>

If you look at the source of the page, it will show: Joe&#039;s camera . So I thought that I need to decode this in JS code with decodeURIComponent (cameraname), but this does not work. Thanks for any help!

+4
source share
2 answers

Instead of creating your input fields like you, try using a bit more jQuery.

 var $myinput = js('<input/>').attr('type','hidden').attr('name','camera_type').val(cameratype);

Your problem, most likely you are creating a double quote problem in the value='" + cameratype + "' section.

+1
source

I see some errors in this code, but let's start with your check_input () function, as you think this is suspicious.

You should stripslashes () if you know that magic quotes are included. Do you do mb_convert_encoding () from UTF-8 to UTF-8? Is there a reason for this? htmlentities () works, but I think you want htmlspecialchars () .

 function check_input($data) { $data = trim($data); $data = (get_magic_quotes_gpc()) ? stripslashes($data) : $data; $data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8'); return $data; }

Tom Peppernik said:

Not sure I understand. I will sanitize any user input with check_input, for example: $ camera_name = check_input ($ _ POST ['camera_name']); then use mysql_real_escape_string before it is inserted into the database. This is not true? - Tom Pepernik 2 hours ago

@TomPepernic As with many questions, it is difficult to give a final β€œright” or β€œwrong” answer without knowing the full scope of the program. From experience, I can tell you that, although it is often considered acceptable in many cases, this is rarely the optimal solution.

Assuming the program is β€œsafe” from malicious data based on unified sanitation at the beginning, this is an erroneous model. Since it is rarely possible to know every possible output of data, you cannot misinform one method in order to be effective with all of them. At the beginning of the program, you sanitize the HTML, but it does. Later in your program you must escape due to SQL because disinfection was ineffective. What if later, along the road that you decided to store in another type of database that was not SQL? You will again have to sanitize for this particular database. The best way is to assume that the data is corrupted at each level, and then sanitize as necessary right before it reaches its output.

Another reason is that you are sanitizing HTML while in the PHP part of your program. At this stage, malicious data practically does not harm your PHP. Since your PHP code and your HTML code must be separate, you are disinfecting for the wrong language. The disinfection for HTML should go into the "overview" part of your program (provided that you use the MVC approach).

The last reason I will bore you is because you change your data before processing it. As a rule, it is recommended to work with the source data and store the source data. Once you have changed the data, it is more difficult or impossible to restore it if you need it later. I learned a lot from this many years ago. I developed a small forum application that used proprietary BBcode, such as syntax, to add formatting for text, images, and links. I sanitized and processed my data before storing it, believing that I would no longer need the original. later on the line, I found that there was a problem with the syntax because it needed to be changed because it caused some messages to be displayed incorrectly. I was able to make corrections in my code, which will work correctly for all future posts. Unfortunately, all the previous messages that were affected by the problem could not be fixed because I saved them in a broken processed form. If I saved the originals, I could recycle them, and not one of the data would be lost.

+1
source

Source: https://habr.com/ru/post/1402753/

More articles:


All Articles