htmlspecialchars fout
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<?php
if(isset($_GET['id']) && is_numeric($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials WHERE id='".$_GET['id']."'";
$ress = mysql_query($queryscripts);
$html = mysql_fetch_assoc($ress);
$fet= htmlspecialchars("$html", ENT_QUOTES);
echo "<div><h1>".$fet['titel']."</h1>";
echo '
<table width="500">
<tr>
<td><span class="style1">Titel: </span>'.$fet['titel'].' - '.$fet['datum'].'</td>
</tr>
<tr>
<td><span class="style1">Tutorial:<br /></span>'.nl2br($fet['bericht']).'</td>
</tr>
</table></div>
';
}elseif(!isset($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials";
$ress = mysql_query($queryscripts);
while($fet = mysql_fetch_assoc($ress)){
echo '<a href="index.php?p=tutorials&id='.$fet['id'].'">'.$fet['titel'].'</a><br />'.$fet['descriptie'].'<br /><br />';
}
}
?>
if(isset($_GET['id']) && is_numeric($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials WHERE id='".$_GET['id']."'";
$ress = mysql_query($queryscripts);
$html = mysql_fetch_assoc($ress);
$fet= htmlspecialchars("$html", ENT_QUOTES);
echo "<div><h1>".$fet['titel']."</h1>";
echo '
<table width="500">
<tr>
<td><span class="style1">Titel: </span>'.$fet['titel'].' - '.$fet['datum'].'</td>
</tr>
<tr>
<td><span class="style1">Tutorial:<br /></span>'.nl2br($fet['bericht']).'</td>
</tr>
</table></div>
';
}elseif(!isset($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials";
$ress = mysql_query($queryscripts);
while($fet = mysql_fetch_assoc($ress)){
echo '<a href="index.php?p=tutorials&id='.$fet['id'].'">'.$fet['titel'].'</a><br />'.$fet['descriptie'].'<br /><br />';
}
}
?>
maar nu toont hij alltijd de letter A hoe kan je dit oplossen alvast bedankt
$fet= htmlspecialchars("$html", ENT_QUOTES);
$html is een array... vandaar de A
htmlspecialchars("$html['titel']", ENT_QUOTES);
dat kan dan weer wel...
kan het op een andere manier om het zelfde effect te krijgen?
Dus
htmlspecialchars($html['titel'], ENT_QUOTES);
Als je hem als array doet, doe dan niet
$html = mysql_fetch_assoc($ress);
...maar...
$html = mysql_fetch_array($ress);
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
<?php
if(isset($_GET['id']) && is_numeric($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials WHERE id='".$_GET['id']."'";
$ress = mysql_query($queryscripts);
$html = mysql_fetch_array($ress);
$fet= htmlspecialchars($html, ENT_QUOTES);
echo "<div><h1>".$fet['titel']."</h1>";
echo '
<table width="500">
<tr>
<td><span class="style1">Titel: </span>'.$fet['titel'].' - '.$fet['datum'].'</td>
</tr>
<tr>
<td><span class="style1">Tutorial:<br /></span>'.nl2br($fet['bericht']).'</td>
</tr>
</table></div>
';
}elseif(!isset($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials";
$ress = mysql_query($queryscripts);
while($fet = mysql_fetch_assoc($ress)){
echo '<a href="index.php?p=tutorials&id='.$fet['id'].'">'.$fet['titel'].'</a><br />'.$fet['descriptie'].'<br /><br />';
}
}
?>
if(isset($_GET['id']) && is_numeric($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials WHERE id='".$_GET['id']."'";
$ress = mysql_query($queryscripts);
$html = mysql_fetch_array($ress);
$fet= htmlspecialchars($html, ENT_QUOTES);
echo "<div><h1>".$fet['titel']."</h1>";
echo '
<table width="500">
<tr>
<td><span class="style1">Titel: </span>'.$fet['titel'].' - '.$fet['datum'].'</td>
</tr>
<tr>
<td><span class="style1">Tutorial:<br /></span>'.nl2br($fet['bericht']).'</td>
</tr>
</table></div>
';
}elseif(!isset($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials";
$ress = mysql_query($queryscripts);
while($fet = mysql_fetch_assoc($ress)){
echo '<a href="index.php?p=tutorials&id='.$fet['id'].'">'.$fet['titel'].'</a><br />'.$fet['descriptie'].'<br /><br />';
}
}
?>
maar nu krijg ik deze foutmelding:
Warning: htmlspecialchars() expects parameter 1 to be string, array given in /usr/export/www/hosting/p4e/tutorial.php on line 6
Het is niet...
$fet= htmlspecialchars($html, ENT_QUOTES);
...maar...
$titel = htmlspecialchars($html['titel'], ENT_QUOTES);
of
$bericht = htmlspecialchars($html['bericht'], ENT_QUOTES);
Hij wil een string, GEEN ARRAY
echo "<div><h1>".$titel."</h1>";
...dus NIET...
echo "<div><h1>".$fet['titel']."</h1>";
Ja dat is goed. Ik neem aan dat $html['title'] een string symboliseert :)
dit is mijn script nu voor de mensen die geintrseerd zijn :
Code (php)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
<?php
if(isset($_GET['id']) && is_numeric($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials WHERE id='".$_GET['id']."'";
$ress = mysql_query($queryscripts);
$html = mysql_fetch_array($ress);
$titel = $html['titel'];
$title = htmlspecialchars($titel, ENT_QUOTES);
$datum = $html['datum'];
$date = htmlspecialchars($datum, ENT_QUOTES);
$bericht = $html['bericht'];
$ber = htmlspecialchars($bericht, ENT_QUOTES);
echo "<div><h1>".$fet['titel']."</h1>";
echo '
<table width="500">
<tr>
<td><span class="style1">Titel: </span>'.$title.' - '.$date.'</td>
</tr>
<tr>
<td><span class="style1">Tutorial:<br /></span>'.nl2br($ber).'</td>
</tr>
</table></div>
';
}elseif(!isset($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials";
$ress = mysql_query($queryscripts);
while($fet = mysql_fetch_assoc($ress)){
echo '<a href="index.php?p=tutorials&id='.$fet['id'].'">'.$fet['titel'].'</a><br />'.$fet['descriptie'].'<br /><br />';
}
}
?>
if(isset($_GET['id']) && is_numeric($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials WHERE id='".$_GET['id']."'";
$ress = mysql_query($queryscripts);
$html = mysql_fetch_array($ress);
$titel = $html['titel'];
$title = htmlspecialchars($titel, ENT_QUOTES);
$datum = $html['datum'];
$date = htmlspecialchars($datum, ENT_QUOTES);
$bericht = $html['bericht'];
$ber = htmlspecialchars($bericht, ENT_QUOTES);
echo "<div><h1>".$fet['titel']."</h1>";
echo '
<table width="500">
<tr>
<td><span class="style1">Titel: </span>'.$title.' - '.$date.'</td>
</tr>
<tr>
<td><span class="style1">Tutorial:<br /></span>'.nl2br($ber).'</td>
</tr>
</table></div>
';
}elseif(!isset($_GET['id'])){
$queryscripts = "SELECT * FROM tutorials";
$ress = mysql_query($queryscripts);
while($fet = mysql_fetch_assoc($ress)){
echo '<a href="index.php?p=tutorials&id='.$fet['id'].'">'.$fet['titel'].'</a><br />'.$fet['descriptie'].'<br /><br />';
}
}
?>
Code (php)
1
2
3
4
5
6
7
8
2
3
4
5
6
7
8
<?php
$titel = $html['titel'];
$title = htmlspecialchars($titel, ENT_QUOTES);
$datum = $html['datum'];
$date = htmlspecialchars($datum, ENT_QUOTES);
$bericht = $html['bericht'];
$ber = htmlspecialchars($bericht, ENT_QUOTES);
?>
$titel = $html['titel'];
$title = htmlspecialchars($titel, ENT_QUOTES);
$datum = $html['datum'];
$date = htmlspecialchars($datum, ENT_QUOTES);
$bericht = $html['bericht'];
$ber = htmlspecialchars($bericht, ENT_QUOTES);
?>
Dit kan je beter in een foreach loop doen.
dus
Code (php)
1
2
3
4
5
6
7
2
3
4
5
6
7
<?php
foreach($html AS $key => $value){
if (is_string($value)){
$html2[$key] = htmlspecialchars($value, ENT_QUOTES);
}
}
?>
foreach($html AS $key => $value){
if (is_string($value)){
$html2[$key] = htmlspecialchars($value, ENT_QUOTES);
}
}
?>
Dan is $html2['titel'] de beveiligde titel, enz.
Als je nu een kolom toevoegd, dan gaat hij deze AUTOMATISCH na. Je hoeft er dan dus niet meer naar om te kijken.