PHP - Simplexml And Htmlspecialchars?
Hello and thanks in advance for any help.
Overview: Im tyring to pull data from a XML api using simpleXML. I have ran into a problem with special characters and entities that simpleXML does not accept. IE " " Ive tried all the solutions i could find to no avail. SimpleXML gives me this error. parser error : Entity 'nbsp' not defined in Here is my code. Code: [Select] $feed = simplexml_load_file('URL TO API FEED'); $feed = html_entity_decode($feed); $feed = str_ireplace(array('<','>','&','\'','"'),array('<','>','&',''','"'),$feed); echo 'Game Title: ' .$feed->game. '</br>'; echo 'Ponts Earned: ' .$feed->gamerscore. '</br>'; echo 'Total Achievements: ' .$feed->totalachievements. '</br>'; foreach($feed->achievements->achievement as $ach) { $output = htmlentities($feed->title, ENT_QUOTES, "UTF-8"); echo $output; if( !empty($ach->unlockedartwork)){ echo '<img src=' .$ach->unlockedartwork. '></img></br>'; }else { echo '<img src=' .$ach->artwork. '></img></br>'; } } Here is the code im trying to retrieve. Code: [Select] <achievement id="40"> <title>Have Gun Will Travel </title> <artwork>http://</artwork> <gamerscore>20</gamerscore> <unlocked>true</unlocked> <unlockdate>7/4/2010</unlockdate> </achievement> Similar TutorialsHi, should i use htmlspecialchars() when i write in mysql or when i read from mysql, and should i use another function for safety ? I'm getting this error and not sure my fix. <b>Warning</b>: htmlspecialchars() expects parameter 1 to be string, array given in <b>/home/xtremer/public_html/efedmanager/processes/polls.php</b> on line <b>13</b><br /> $answer = explode(',', $_POST['answersList']); $answer = htmlspecialchars($answer); I need to put this inside of a p tag so I can change some properties but everything I've tried doesn't work and just shows nothing.
I've tried this:
printf('<p style="text-align: left; width: 500px;">', htmlspecialchars($fetch['shout'], ENT_QUOTES, 'UTF-8'), '</p>');This is what I need to be wrapped in p tags: htmlspecialchars($fetch['shout'], ENT_QUOTES, 'UTF-8');EDIT: I've noticed the code below works but when I style it inside of the tag the text won't show, should I include a CSS file on the PHP file? echo "<p>".htmlspecialchars($fetch['shout'])."</p>\n";EDIT: I just needed to create the CSS for the p tags in the index and it worked perfectly fine. Sorry for the pointless thread. Edited by Alanay, 18 December 2014 - 09:14 AM. What do most people prefer to use? htmlspecialchars or htmlentities which one is necessary while protecting form field Edited July 28, 2019 by mahendaDoes anyone have an example of when htmlentities() would be used over htmlspecialchars()? When sending data via $_POST for example, I've seen the data get filtered with both mysql_real_escape_string or htmlspecialchars When should you use one or the other? Hello Guys ... i am new here and i am also new in php i selfstudy html css and js and bootstrap for front-end and for back-back php & mysql & PDO & OOP and i will soon start mvc then laravel and i am trying to secure my input field and i do not want any attacks or sql injects and i see people user filter_var and htmlentities and htmlspecialchars and each one has diffrent opinion can some one help me and tell me what is the best for securing input which all values will store in database thanks <3
HI all, Please advice me 1. When to use htmlspecialchars() or mysql_real_escape_string? 2. what is the diffrent? Thank you for your help. Not sure how to debug this. I have the following error that is ONLY happening when our site has a PCI scan running : - ERRNO: 2 TEXT: htmlspecialchars() expects parameter 1 to be string, array given LOCATION: /home/bttorj45/public_html/smarty_templates_c/dbbe565f1731d4158472b66b75c85442498e81b9_0.file.top_menu_bar.tpl.php, line 42, at April 11, 2020, 5:05 pm Showing backtrace: htmlspecialchars(Array[1], "3", "UTF-8", true) # line 42, file: /home/siteaddress/public_html/smarty_templates_c/dbbe565f1731d4158472b66b75c85442498e81b9_0.file.top_menu_bar.tpl.php content_5e83087341d089_14126332(Object:Smarty_Internal_Template) # line 123, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_resource_base.php Smarty_Template_Resource_Base.getRenderedTemplateCode(Object:Smarty_Internal_Template) # line 114, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_compiled.php Smarty_Template_Compiled.render(Object:Smarty_Internal_Template) # line 216, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php Smarty_Internal_Template.render() # line 385, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php Smarty_Internal_Template._subTemplateRender("file:page_elements/top_menu_bar.tpl", null, null, "0", "120", Array[0], "0", false) # line 56, file: /home/siteaddress/public_html/smarty_templates_c/0e4c1495f7a25cef1d85553f951690964f702a5a_0.file.error404.tpl.php content_5e4ffba4a49c66_36622821(Object:Smarty_Internal_Template) # line 123, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_resource_base.php Smarty_Template_Resource_Base.getRenderedTemplateCode(Object:Smarty_Internal_Template) # line 114, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_compiled.php Smarty_Template_Compiled.render(Object:Smarty_Internal_Template) # line 216, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php Smarty_Internal_Template.render(false, "1") # line 232, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php Smarty_Internal_TemplateBase._execute(Object:Smarty_Internal_Template, null, null, null, "1") # line 134, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php Smarty_Internal_TemplateBase.display("pages/error404.tpl") # line 65, file: /home/siteaddress/public_html/errors/404.php include("/home/siteaddress/public_html/errors/404.php") # line 34, file: /home/siteaddress/public_html/smarty_plugins/function.load_product.php Product.init("api") # line 5, file: /home/siteaddress/public_html/smarty_plugins/function.load_product.php smarty_function_load_product(Array[2], Object:Smarty_Internal_Template) # line 39, file: /home/siteaddress/public_html/smarty_templates_c/53725e8a2fc4b6c7c0c42e801dab2741a0994a8e_0.file.product.tpl.php content_5e579e9761f086_59385269(Object:Smarty_Internal_Template) # line 123, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_resource_base.php Smarty_Template_Resource_Base.getRenderedTemplateCode(Object:Smarty_Internal_Template) # line 114, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_template_compiled.php Smarty_Template_Compiled.render(Object:Smarty_Internal_Template) # line 216, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_template.php Smarty_Internal_Template.render(false, "1") # line 232, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php Smarty_Internal_TemplateBase._execute(Object:Smarty_Internal_Template, null, null, null, "1") # line 134, file: /home/siteaddress/public_html/include/smarty/sysplugins/smarty_internal_templatebase.php Smarty_Internal_TemplateBase.display("pages/product.tpl") # line 85, file: /home/siteaddress/public_html/dirs.php I ***think*** the scan must be inputting something in the search box to cause this (I'm awaiting info from Security Metrics with regard to this). {load_chat assign="chat"} {if $chat->mChat} <script type="text/javascript" id="763333b0f312f025d780a8f4451bf6f3" src="https://www.siteaddress.com/online-support/script.php?id=763333b0f312f025d780a8f4451bf6f3"></script> {/if} {if !$chat->mChat && $settings->mSettings[13]} <script type="text/javascript" id="aaa07817d7cd2a7dce9e0ffac6286dbb" src="https://www.siteaddress.com/online-support/script.php?id=aaa07817d7cd2a7dce9e0ffac6286dbb"></script> {/if} <div id="menu_switch"><i class="fa fa-bars fa toggler"></i></div> <form id="product_search" method="get" action="{$smarty.const.SITE_ROOT}/searchresults/"> <input type="text" name="search" placeholder=" Product Search" style="font-family: FontAwesome, Arial; font-style: normal; font-size:18px;" {if isset($smarty.request.search) && $settings->mSettings[107]}value="{$smarty.request.search|escape:'htmlall'}"{/if} /><button type="submit" class="button"><i class="fa fa-search" aria-hidden="true"></i> <i class="fa fa-caret-right" aria-hidden="true"></i></button> </form> <form id="code_search" method="post" action="{$smarty.const.SITE_ROOT}/cart/quickadd.php"> <input type="text" name="code" maxlength="14" placeholder=" Product Code" style="font-family: FontAwesome, Arial; font-style: normal; font-size:18px;" /><button type="submit" name="submit" class="orange"><i class="fa fa-shopping-cart" aria-hidden="true"></i> Quick Add <i class="fa fa-caret-right" aria-hidden="true"></i></button> </form> {if !isset($hidecart) && isset($cartsmall) && $cartsmall->mCart.sub > 0} <p id="view_cart"><a class="button orange" href="{$smarty.const.SITE_ROOT}/cart/"><span class="hidden-xs hidden-sm"><i class="fa fa-shopping-cart" aria-hidden="true"></i> View Cart </span>£{$cartsmall->mCart.sub} <i class="fa fa-caret-right" aria-hidden="true"></i></a></p> {/if} <script> $('.toggler').click(function() { $(this).toggleClass("fa-bars fa-times"); }); </script>
function.load_search.php :-
<?php function smarty_function_load_search($params, $smarty) { $search = new Search(); $search->init(); $smarty->assign($params['assign'], $search); } class Search { // public fields public $mSearchString; public $mSearchArray; public $mProducts; public $mProductCount; // private fields private $mDoSettings; private $mDoCatalogue; function __construct() { require_once FILE_ROOT . '/data_objects/do_settings.php'; $this->mDoSettings = new DoSettings(); require_once FILE_ROOT . '/data_objects/do_catalogue.php'; $this->mDoCatalogue = new DoCatalogue(); if (isset($_REQUEST['search']) && strlen(trim($_REQUEST['search']))>0 ) { $this->mSearchString = trim(stripslashes($_REQUEST['search'])); $this->mSearchArray = explode(" ", $this->mSearchString); } else { header ("Location: /emptysearch/"); die (); } } public function init() { $this->mProducts = $this->mDoCatalogue->SearchProducts($this->mSearchArray); $this->mProductCount = count($this->mProducts); for ($i = 0; $i < count($this->mProducts); $i++) { $this->mProducts[$i]['price_inc'] = number_format($this->mProducts[$i]['price'] * (($this->mDoSettings->GetSetting(1) / 100) + 1), 2, ".", ","); } } } ?>
do_catalogue.php :-
public function SearchProducts($search) { $fields = array("code", "title", "keywords"); $query_string = "SELECT p.code, p.title, p.cattext, p.price, p.img, p.url, p.available, p.due, p.special, p.newproduct, p.discontinued, c.name, c.menulinktext FROM " . $this->mProductTable . " p " . "JOIN categories c ON p.category = c.id " . "WHERE (("; for ($f = 0; $f < count($fields); $f++) { if ($f != 0) { $query_string .= ") OR ("; } for ($s = 0; $s < count($search); $s++) { if ($s != 0) { $query_string .= " AND "; } $query_string .= "p." . $fields[$f] . " LIKE '%" . $this->mDoQuery->dbManager->DbEscape($search[$s]) . "%'"; } } $query_string .= ")) AND active=1 AND live=1 " . "ORDER BY p.rating ASC"; return $this->mDoQuery->dbManager->DbGetAll($query_string); }
Any idea's how to fix it? I can't replicate it with a specific issue as I don't know what the scan is doing to cause this! Thanks Hello dears, I've tried to use htmlspecialchars or htmlentities but both no longer work ! Example1 : Code: [Select] <?php $new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES); echo $new; ?> Output should <a href='test'>Test</a> Code: [Select] <?php $str = "A 'quote' is <b>bold</b>"; echo htmlentities($str); ?> Output should A 'quote' is <b>bold</b> But it isn't working ? what is wrong ? htmlspecialchars($str, ENT_QUOTES, 'UTF-8');Using this code with UTF-8. I need someone to help craft up some smalll xss injections with this. I heard htmlspecialchars doesn't stop all xss attacks, so I'm wondering what's the most xss attack you can craft to load a simple cookie loader. (Basically, just simple javascript injection is all I'm trying to find, because people can use cookie loaders with it, and yeah, that's not good). Looking for your code to be posted, and once it is.. I'll copy it and submit it through the code I posted above and see if there is any vulnerabilities. (On my localhost server) Thanks! $str = user input. Oh, and here is the BBCODE regex that the code passes through before this function is returned on the text. $text = preg_replace( "#\[b\](.+?)\[/b\]#is", "<span class='b'>\\1</span>", $text ); $text = preg_replace( "#\[i\](.+?)\[/i\]#is", "<i>\\1</i>", $text ); $text = preg_replace( "#\[u\](.+?)\[/u\]#is", "<u>\\1</u>", $text ); $text = preg_replace( "#\[s\](.+?)\[/s\]#is", "<s>\\1</s>", $text ); //Spoiler $text = preg_replace( "#\[right\](.+?)\[/right\]#is", "<div style='text-align:right'>$1</div>", $text ); //Beautiful Colors $text = preg_replace( "%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text ); $text = preg_replace( "%\[colou?r=(rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );If anyone can craft up an XSS for this, I'd appreciate it. Because I need this to be secure. Edited by Monkuar, 10 January 2015 - 06:33 PM. htmlspecialchars($str, ENT_QUOTES, 'UTF-8');Using this code with UTF-8. I need someone to help craft up some smalll xss injections with this. I heard htmlspecialchars doesn't stop all xss attacks, so I'm wondering what's the most xss attack you can craft to load a simple cookie loader. (Basically, just simple javascript injection is all I'm trying to find, because people can use cookie loaders with it, and yeah, that's not good). Looking for your code to be posted, and once it is.. I'll copy it and submit it through the code I posted above and see if there is any vulnerabilities. (On my localhost server) Thanks! $str = user input. Oh, and here is the BBCODE regex that the code passes through before this function is returned on the text. $text = preg_replace( "#\[b\](.+?)\[/b\]#is", "<span class='b'>\\1</span>", $text ); $text = preg_replace( "#\[i\](.+?)\[/i\]#is", "<i>\\1</i>", $text ); $text = preg_replace( "#\[u\](.+?)\[/u\]#is", "<u>\\1</u>", $text ); $text = preg_replace( "#\[s\](.+?)\[/s\]#is", "<s>\\1</s>", $text ); //Spoiler $text = preg_replace( "#\[right\](.+?)\[/right\]#is", "<div style='text-align:right'>$1</div>", $text ); //Beautiful Colors $text = preg_replace( "%\[colou?r=([a-zA-Z]{3,20}|\#[0-9a-fA-F]{6}|\#[0-9a-fA-F]{3})](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text ); $text = preg_replace( "%\[colou?r=(rgb\(\d{1,3}, ?\d{1,3}, ?\d{1,3}\))](.+?)\[/colou?r\]%msi", '<span style="color: \\1">\\2</span>', $text );If anyone can craft up an XSS for this, I'd appreciate it. Because I need this to be secure. Edited by Monkuar, 10 January 2015 - 06:33 PM. Hello, I'm learning PHP, so a completely noob, right now. First to the question itself, I want to know how to retrieve the data(variables & it's values) from the url, which was made or generated(or whatever right word is) by using http_build_query() in php. I created a querystring($string) with certain variables & dynamic values that I'm passing to a url Hi, I'm new to php and coding in general. I'm trying to parse xml from a remote device and access specific value data. Here is the xml: <?xml version="1.0" encoding="ISO-8859-1" ?> - <Device id="S10011" hb="1935"> <Group id="1" /> <Group id="2" /> <Group id="3" /> <Group id="4" /> <Group id="5" /> <Group id="6" /> <Group id="7" /> <Group id="8" /> - <Group id="9"> - <Probe id="99"> <Value>1.0</Value> </Probe> - <Probe id="1"> <Value>86.4</Value> </Probe> - <Probe id="2"> <Value>45.7</Value> </Probe> - <Probe id="3"> <Value>2.9</Value> </Probe> - <Probe id="4"> <Value>1.0</Value> </Probe> </Group> </Device> ----------------------- Here is my php code to read in the xml: <?php // Establish a port 80 connection $http = fsockopen("192.168.2.106",80); // Send a request to the server $req = "GET /xmldata HTTP/1.0\r\n"; $req .= "Host: 192.168.2.106\r\n"; $req .= "Connection: Close\r\n\r\n"; fputs($http, $req); // Output the request results while(!feof($http)) { $data .= fgets($http, 1024); } // Close the connection fclose($http); $xml = simplexml_load_string($data); print_r ($xml); ?> This yields the following data: SimpleXMLElement Object ( [@attributes] => Array ( [id] => S10011 [hb] => 117546 ) [Group] => Array ( => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 1 ) => ) [1] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 2 ) => ) [2] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 3 ) => ) [3] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 4 ) => ) [4] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 5 ) => ) [5] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 6 ) => ) [6] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 7 ) => ) [7] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 8 ) => ) [8] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 9 ) [Probe] => Array ( => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 99 ) [Value] => 1.0 ) [1] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 1 ) [Value] => 84.2 ) [2] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 2 ) [Value] => 44.1 ) [3] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 3 ) [Value] => 4.8 ) [4] => SimpleXMLElement Object ( [@attributes] => Array ( [id] => 4 ) [Value] => 1.0 ) ) ) ) ) I would like to display group 9 probe 1 value for example and I cannot get it to work. Any tips? so the code is <?php $xml1 = " <outer> <xml> <more_info> <user> <id>200</id> <name>CLUEL3SS</name> </user> <user> <id>201</id> <name>CLUEL3SS2</name> </user> </more_info> </xml> </outer> "; $cwb = simplexml_load_string($xml1); foreach($cwb->xml->more_info->user as $stats) { echo $stats->id."\n";} ?> output is Code: [Select] 200 201 Now, how can I echo the name under <id>201</id> since there is more than one? echo $stats->id."\n"; That echos both of the "ID" values, now how can I get it to only echo the second id 201 and the second name? Thanks Ok so I have a url that is an XML doc, it says at the top "This XML file does not appear to have any style information associated with it. The document tree is shown below." and it has info like this Code: [Select] <outer> <xml> <viewer> <user> <id>1245789</id> <name>CLueless</user> <business>none</business> </user> </viewer> </xml> </outer> How would I load the link and then assign everything to a variable like id, name and business I usually use something like this but Im trying to get learn simple xml $info = file_get_contents('url'); $id = explode('<id>', $info); $id = explode('</', $id[1]); $name = explode('<name>', $info); $name = explode('</', $name[1]); $biz = explode('<business>', $info); $biz = explode('</', $biz); I am trying to retrieve an attribute from a node and I keep getting the error: Warning: main() [function.main]: Node no longer exists in /Users/dmonsewicz/Projects/noosemonsewicz/api_stuff/index.php on line 70 PHP Code Code: [Select] $xml = new SimpleXMLElement($result); $arr = $xml->tickets->attributes(); echo $arr['count']; XML Code: [Select] <tickets count="0" type="array"></tickets> Any ideas on what I may be doing wrong? |