This is my source code:
<html>
<body>
<?php
$query = $_REQUEST["search"];
Print "<iframe src="http://www.en.wikipedia.org/wiki/$query"></iframe>';
?>
</body>
</html>
I want to have it where, when the user types in a term, then it automatically brings them to the Wikipedia page of their query. I definitely know I’m doing something wrong here, but I can’t figure out what. Thanks for helping!
Same way you output any variable into HTML text content or attribute values, using htmlspecialchars(). If you don’t do this every time you drop user data into HTML, you’ve got an HTML-injection vulnerability leading to cross-site-scripting (XSS) exploits.
In your case you are inserting a variable into a URL component, so before you HTML-encode, you need to URL-encode, using rawurlencode().
OK… so if you’re doing URL-encoding, you can actually skip the HTML-encoding if you want, because all characters that are special to HTML are also turned into safe % sequences by URL-encoding.
PHP is a templating language. Use it, don’t fight it. Any time you echo or print an interpolated string from inside a PHP block, you’re probably making life unnecessarily hard for yourself. Include literal content verbatim and don’t worry about backslash-escaping quote characters in string literals:
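The page rewritten the way the answer describes, as an added example (this is not the asker's code or the answerer's): the search term is URL-encoded with rawurlencode() so it becomes one safe path segment, then HTML-encoded with htmlspecialchars() before it lands in the src attribute, and the markup is written as a verbatim template rather than an interpolated print string. It assumes the request parameter is still called search and keeps the Wikipedia URL exactly as the question wrote it; the wiki_src() helper name and the fallback form are additions for illustration.

```php
<?php
// Added example, not the original page's code. Assumes a GET/POST parameter
// named "search", as in the question. Host kept as written in the question.
const WIKI_BASE = 'http://www.en.wikipedia.org/wiki/';

// Build the iframe src for a user-supplied term.
// Context 1 (URL path): rawurlencode() rewrites every byte outside the
// unreserved set (quotes, <, >, /, ?, #, spaces, ...) as %XX, so the term
// cannot escape the path segment or smuggle in a query/fragment.
// Context 2 (HTML attribute): htmlspecialchars() with ENT_QUOTES makes the
// value safe inside a double-quoted attribute. After rawurlencode() nothing
// HTML-special is left, so this step is redundant here, but encoding for
// every output context you write into is the habit that prevents XSS.
function wiki_src(string $query): string
{
    $segment = rawurlencode($query);
    return htmlspecialchars(WIKI_BASE . $segment, ENT_QUOTES, 'UTF-8');
}

// Read the parameter defensively: absent parameter -> empty string,
// array-valued parameter (search[]=...) -> treated as empty rather than a notice.
$raw   = $_REQUEST['search'] ?? '';
$query = is_string($raw) ? $raw : '';
?>
<html>
<body>
<?php if ($query !== ''): ?>
<!-- Template output: the markup is literal, only the value is interpolated, already encoded. -->
<iframe src="<?= wiki_src($query) ?>"></iframe>
<?php else: ?>
<form method="get">
<input type="text" name="search">
<input type="submit" value="Search Wikipedia">
</form>
<?php endif; ?>
</body>
</html>
```

Compare this with the original line: there the quotes were mismatched, and even once the quoting was repaired, $query would have gone into the attribute raw, so a term containing a double quote or a fragment like ?foo would have rewritten the attribute or the URL. Encoding for the URL context first and the HTML context second, as the answer says, closes both gaps.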