
ENT_COMPAT in PHP's htmlspecialchars


carbonize

OK, I am trying to add a search function to Lazarus. All is working fine except where single quotes are concerned. At present it accepts both POST and GET data, with POST coming last. Anyway, if you submit a ' via POST all is fine. I then pass the search string to urlencode before adding it to the end of pagination links. That works fine, with ' becoming %27. I decode when I turn the GET into a standard variable and that's fine as it becomes \'. I strip slashes if needed, then pass to htmlspecialchars. It keeps converting the ' into &#039; even with ENT_COMPAT set, which according to php.net:

The default mode, ENT_COMPAT, is the backwards compatible mode which only translates the double-quote character and leaves the single-quote untranslated.

Apart from that my search function is fine, so any ideas, or am I going to have to use a hack fix and convert ' to &#039; myself in the code?

 

BTW this damn forum is stupid. It converts &#039; into ' but leaves & alone.


Based on my testing, using htmlspecialchars() with any of the quote style constants (or none of them) works as described in the PHP documentation. I wrote the following script and tested it on my server:

<?php
header('Content-Type: text/plain');
echo 'ENT_COMPAT = ' . ENT_COMPAT . "\n";
echo 'ENT_QUOTES = ' . ENT_QUOTES . "\n";
echo 'ENT_NOQUOTES = ' . ENT_NOQUOTES . "\n";
echo "\n";
$text = 'one \' two " three &';
echo "Encoding special characters in string [$text]:\n";
echo 'DEFAULT: ' . htmlspecialchars($text) . "\n";
echo 'ENT_COMPAT: ' . htmlspecialchars($text, ENT_COMPAT) . "\n";
echo 'ENT_QUOTES: ' . htmlspecialchars($text, ENT_QUOTES) . "\n";
echo 'ENT_NOQUOTES: ' . htmlspecialchars($text, ENT_NOQUOTES) . "\n";
?>

The script displays the following results:

ENT_COMPAT = 2
ENT_QUOTES = 3
ENT_NOQUOTES = 0

Encoding special characters in string [one ' two " three &]:
DEFAULT: one ' two &quot; three &amp;
ENT_COMPAT: one ' two &quot; three &amp;
ENT_QUOTES: one &#039; two &quot; three &amp;
ENT_NOQUOTES: one ' two &quot; three &amp;

Each of the quote style constants is being properly evaluated by PHP, and when used in htmlspecialchars(), each quote style constant is encoding the correct characters.

 

It's hard to say what's going on without seeing the code and/or a concrete example, but it doesn't look like it's due to htmlspecialchars() not handling ENT_COMPAT correctly.

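The test script above settles what the flags do; the part a practitioner also needs is why the choice matters. The following is an added example, not code from this thread or from Lazarus: it shows that a value encoded with ENT_COMPAT still contains a raw single quote, so it can terminate a single-quoted HTML attribute and let an attacker-controlled search string add its own attributes. The payload, the helper names and the hidden-field markup are all constructed for the demonstration.

```php
<?php
// Added example, not code from the thread or from Lazarus. It shows why the
// choice between ENT_COMPAT and ENT_QUOTES is a security decision: with
// ENT_COMPAT a single quote survives, so a value dropped into a single-quoted
// attribute can terminate that attribute. The payload is a constructed input.
declare(strict_types=1);

// Returns true when the encoded value cannot close a single-quoted attribute.
// ENT_SUBSTITUTE (PHP 5.4+) replaces invalid UTF-8 instead of returning ''.
function safe_in_single_quoted_attr(string $value, int $flags): bool
{
    $encoded = htmlspecialchars($value, $flags | ENT_SUBSTITUTE, 'UTF-8');
    return strpos($encoded, "'") === false;
}

// Hypothetical hidden field, shaped like the one the post builds for
// searchtext, but with the attribute single-quoted to expose the failure mode.
function hidden_field(string $value, int $flags): string
{
    $encoded = htmlspecialchars($value, $flags | ENT_SUBSTITUTE, 'UTF-8');
    return "<input type='hidden' name='searchtext' value='$encoded'>";
}

// Constructed attacker-controlled search text.
$searchtext = "x' autofocus onfocus='alert(1)";

foreach (['ENT_COMPAT' => ENT_COMPAT, 'ENT_QUOTES' => ENT_QUOTES] as $name => $flags) {
    printf("%-11s contained=%s  %s\n",
        $name,
        safe_in_single_quoted_attr($searchtext, $flags) ? 'yes' : 'no',
        hidden_field($searchtext, $flags));
}
```

With ENT_COMPAT the printed input element ends up with a second `onfocus` attribute supplied by the search text; with ENT_QUOTES the quote becomes `&#039;` and the value stays inside the attribute. The practical rules: encode with ENT_QUOTES whenever the output can land inside an attribute, quote attributes with double quotes anyway, and remember that htmlspecialchars() only covers HTML text and attribute contexts, not JavaScript strings or URLs. PHP 8.1 changed the default flags of htmlspecialchars() to ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, so the DEFAULT line of the test script above prints `&#039;` on current PHP.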

No, after some more testing the bug is, errr, bizarre. I now have both POST and GET to work exactly the same. Slashes are stripped, it's passed to htmlspecialchars etc. But for some reason the ' from a GET request is converted but not from a POST request. Here are the code snippets. The first one is getting the variables from the requests.

$gb->searchfield = (isset($_GET['searchfield'])) ? $_GET['searchfield'] : '';
$gb->searchtext = (isset($_GET['searchtext'])) ? urldecode($_GET['searchtext']) : '';
$gb->searchfield = (isset($_POST['searchfield'])) ? $_POST['searchfield'] : $gb->searchfield;
$gb->searchtext = (isset($_POST['searchtext'])) ? urldecode($_POST['searchtext']) : $gb->searchtext;

 

Here is where I handle it.

if (get_magic_quotes_gpc())
{
    $this->searchtext = stripslashes($this->searchtext);
}
$this->searchtext = htmlspecialchars($this->searchtext, ENT_COMPAT);
$this->searchquery = ' AND '.$this->searchfield.' LIKE \'%'.$this->searchtext.'%\'';
$this->searchquery2 = ' AND x.'.$this->searchfield.' LIKE \'%'.$this->searchtext.'%\'';
$this->searchtext = urlencode($this->db->undo_htmlspecialchars($this->searchtext));
$this->postsearch = '<input type="hidden" name="searchfield" value="'.$this->searchfield.'">
<input type="hidden" name="searchtext" value="'.$this->searchtext.'">';
$this->getsearch = '&searchfield='.$this->searchfield.'&searchtext='.$this->searchtext;

 

I did some testing by having it echo the searchtext at various points and it's definitely after

$this->searchtext = htmlspecialchars($this->searchtext, ENT_COMPAT)

that the ' is getting converted.

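Whatever is converting the quote in the code above, the snippet has a more serious property: htmlspecialchars() is being used as the only protection before `searchfield` and `searchtext` are concatenated into a SQL `LIKE` clause, and `searchfield` is not checked at all. HTML encoding is not SQL escaping, and an unvalidated column name cannot be escaped by any function. The following is an added example, not Lazarus code and not the poster's: the same search feature rebuilt so that the SQL side uses a whitelisted column and a bound parameter, and the HTML side is encoded once, at output time, with ENT_QUOTES. It also drops the urldecode() calls, because PHP has already URL-decoded $_GET and $_POST, so decoding again changes a literal `%27` typed into the form into `'`. It runs stand-alone against an in-memory SQLite table of constructed rows; the table name, column names and function names are assumptions, and it assumes PHP 7.4 or later (magic_quotes_gpc no longer exists, so there is nothing to strip).

```php
<?php
// Added example, not Lazarus code. Search feature with SQL and HTML escaping
// kept separate. Runs stand-alone on PDO + in-memory SQLite with constructed
// rows; names of the table, columns and helpers are assumptions. PHP 7.4+.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)');
$ins = $db->prepare('INSERT INTO entries (name, comment) VALUES (?, ?)');
foreach ([['alice', "it's fine"], ['bob', '100% done'], ["o'brien", 'hello']] as $row) {
    $ins->execute($row);   // constructed sample rows
}

// The only columns a user may search. The request value is never placed in
// SQL; it is only compared against this list.
const SEARCHABLE = ['name', 'comment'];

// $_GET and $_POST are already URL-decoded by PHP, so no urldecode() here.
// POST wins over GET, as in the original snippet.
function read_search(array $get, array $post): array
{
    $field = $post['searchfield'] ?? $get['searchfield'] ?? '';
    $text  = $post['searchtext']  ?? $get['searchtext']  ?? '';
    if (!in_array($field, SEARCHABLE, true)) {
        $field = '';
    }
    return [$field, $text];
}

// Escape LIKE wildcards so searching for "100%" does not match every row.
// Backslash is replaced first so the escapes added afterwards stay intact.
function like_pattern(string $text): string
{
    return '%' . str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $text) . '%';
}

function search(PDO $db, string $field, string $text): array
{
    if ($field === '') {
        return [];
    }
    // $field is whitelisted above; $text is bound, so a quote in it is data.
    $stmt = $db->prepare("SELECT name, comment FROM entries WHERE $field LIKE ? ESCAPE '\\'");
    $stmt->execute([like_pattern($text)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output-side encoding, done once at the point of output, with ENT_QUOTES so
// the value is safe inside either kind of quoted attribute.
function hidden_inputs(string $field, string $text): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="searchfield" value="' . $h($field) . '">' . "\n"
         . '<input type="hidden" name="searchtext" value="' . $h($text) . '">';
}

// Link-side encoding: build the query string, then HTML-encode the whole URL
// when it is placed in an href.
function pagination_query(string $field, string $text): string
{
    return http_build_query(['searchfield' => $field, 'searchtext' => $text]);
}

// Constructed request: a user searches comments for an apostrophe.
[$field, $text] = read_search([], ['searchfield' => 'comment', 'searchtext' => "it's"]);
print_r(search($db, $field, $text));
echo hidden_inputs($field, $text), "\n";
echo htmlspecialchars('?' . pagination_query($field, $text), ENT_QUOTES, 'UTF-8'), "\n";
```

The search string travels through three contexts (SQL, HTML attribute, URL) and each gets its own encoding at the boundary where it is used, instead of one htmlspecialchars() call early on that is later undone. That also removes the undo_htmlspecialchars() round trip from the original snippet, which is where an encoded value is easiest to lose track of.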
