PHP echo-ing a PHP code inside an echo

Question

I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.

So here's a sample code:

 <?php
 $test = "<b>blah</b>"; //User input from SQL
 echo "$test";
 ?>

What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.

The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...

Is there any way I can do that?

[`strip_tags()`](http://php.net/manual/en/function.strip-tags.php) — Michael Berkowski, Dec 28 '12 at 15:27
To remove the HTML from the string, check out `strip_tags()`. — newfurniturey, Dec 28 '12 at 15:27
FYI:single quotes will display things almost completely as is. http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.single — Kasun, Dec 28 '12 at 15:30
PHP code.. not PHP codes, they're not the nuclear launch secrets. — Mattt, Dec 28 '12 at 15:30
@cristi_b: always _prepare_ your sql-statments when dealing with user input to prevent injection... anyway: this is not the issue at hand here. If you really insist on sending raw html to the client, without encoding the html entities first, you'll have to change the header to plain text... there's no alternative AFAIK — Elias Van Ootegem, Dec 28 '12 at 15:33

Jeff Lambert · Answer 1 · 2012-12-28T15:35:28.553

2

I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()

$test = '<b>blah</b>';
echo htmlentities($test);

This will output:

&lt;b&gt;blah&lt;/b&gt;

Which will render in the page as

<b>blah</b>

edited Dec 28 '12 at 15:35

answered Dec 28 '12 at 15:28

Jeff Lambert

24,395
4
69
96

Now what's the difference between `htmlspecialchars()`? – Praveen Kumar Purushothaman Dec 28 '12 at 15:37
Hey, I guess that worked. Using this function, I can use str_replace to allow only certain codes to be executable. Thanks! – Fouzy Fostdecile Dec 28 '12 at 15:39
Still I don't get. So, `htmlentities()` replaces lesser characters compared to `htmlspecialchars()` right? – Praveen Kumar Purushothaman Dec 28 '12 at 15:40
The difference lies in how they handle character sets and whether or not you are outputting to XML or HTML. In fact, `htmlentities` will replace more characters than `htmlspecialchars`. – Jeff Lambert Dec 28 '12 at 15:56
`htmlspecialchars` suffices for the HTML special characters; no need to use `htmlentities` unless you can’t use certain characters due to a limited output character set. – Gumbo Dec 28 '12 at 16:41

score 2 · Answer 2 · answered Dec 28 '12 at 15:40

2

Echo don't execute PHP code from string. This is impossible and this is not security hole in your code.

answered Dec 28 '12 at 15:40

newman

2,689
15
23

You know, if you read from a database based on a user input, that $test inside the echo can be mess with right? For example, the user types test"; exit; or something like that in the variable, the user can mess up the page right? I hope you understand what I meant. – Fouzy Fostdecile Dec 29 '12 at 05:18
There is any way for run PHP code what you load from database - this special function - eval(). All others functions not executed code from string. If user entered exit() in string then echo will print this string as is: "exit();" and not execute it - just print. – newman Dec 29 '12 at 06:00

Florian Mithieux · Answer 3 · 2012-12-28T15:48:07.060

1

You can use a template engine like Twig for exemple.

edited Dec 28 '12 at 15:48

answered Dec 28 '12 at 15:41

Florian Mithieux

503
1
6
15

score 0 · Answer 4 · answered Dec 28 '12 at 15:35

0

If htmlspecialchars(); is not the one you are looking for, try the header() option.

header('Content-type: text/plain');

When you are gonna give <b>Hi</b> to a browser, it will be displayed in Bold and not the text be returned. But you can try this way, outputting it inside a <textarea></textarea>.

Or the other way is to use htmlentities():

<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>

answered Dec 28 '12 at 15:35

Praveen Kumar Purushothaman

164,888
24
203
252

1

Thanks, that would be the best answer. I can use str_replace for this to allow only certain codes to be displayed, correct? – Fouzy Fostdecile Dec 28 '12 at 15:40

PHP echo-ing a PHP code inside an echo

4 Answers4