CodingForums.com > Server side development > PHP
#1 | 09-26-2012, 02:19 PM | addcode (New Coder)
Problems displaying a variable containing JavaScript

I have 2 particular issues with a script I have, basically when javascript is involved I'm encountering these issues.

I have a simple form inside an admin panel, where I set a message via a textarea, that's later displayed on a page when a button is clicked.

In the textarea, when displaying the form, it's prepopulated with the existing message, looks like this,

Code:
<td><textarea name="message" id="message" class="messagetext"><?php echo $message?></textarea></td>
Now, if I add a bunch of HTML to this message area (the example I was trying was a web form from Aweber, the HTML format option), sometimes when I reload the form to update the message, the web form will actually load outside the form code. It's weird. For example, I pasted the code from the Aweber web form here ("HTML format option"), and when I reload the form in the admin panel, the opt-in form actually loads outside the form on the page, which needless to say I don't want to happen.

However, the other thing is, if I input the 'javascript snippet' version of the form code in the message field, when I reload the form in the control panel it displays correctly inside the textarea just as I put it in, BUT it doesn't display ANYTHING on the user side when loaded after the button is clicked.

Basically I have a div that dynamically outputs the $message variable when the button is clicked, just via another
Code:
<?php echo $message?>

Is there a solution to this? It's bizarre; everything else seems to work, HTML inputs and outputs just fine, I just seem to have issues when using JavaScript in the message form.

#2 | 09-26-2012, 02:55 PM | Fou-Lu (God Emperor)
You haven't escaped your data. Simply surround $message with htmlspecialchars: echo htmlspecialchars($message); and it will replace the < and > with their respective &gt; and &lt; markers so it will show properly in the textarea. The same is true for any HTML element.
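As an added illustration (this is not code from the thread), the admin textarea from the first post rendered once as it stands and once with htmlspecialchars(). The message value is constructed; it contains a closing </textarea> tag, which is what a pasted block of form HTML can easily carry. The browser closes the textarea at that tag and renders the remainder of the message as page markup, which is the "loads outside the form" symptom. The ENT_QUOTES flag and the explicit charset are additions beyond the one-argument call in the reply.

```php
<?php
// Added example (not from the thread): the admin textarea rendered without
// and with htmlspecialchars(). Runs on PHP 5.4 or later from the command line.
//
// $message is a constructed sample standing in for a saved message that
// contains raw HTML. Pasted sign-up forms are not the only way to get a
// closing tag into a message; any "</textarea>" in the value will do.
$message = "<p>Subscribe!</p></textarea><script>alert('outside the form now')</script>";

// Escape a value for output as HTML text, inside an attribute, or inside a
// textarea. ENT_QUOTES also converts ' and ", and the explicit charset avoids
// depending on the per-version default (ISO-8859-1 before 5.4, UTF-8 since).
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The original markup: $message is echoed raw. The browser ends the textarea
// at the first "</textarea>" it sees, which here is the one inside $message,
// and treats everything after it as page markup. That is the "loads outside
// the form" symptom; a <script> in that tail runs in the admin's browser.
function textarea_raw($message)
{
    return '<td><textarea name="message" id="message" class="messagetext">'
        . $message . '</textarea></td>';
}

// Fixed markup: every <, >, &, ' and " in $message becomes an entity, so the
// browser shows the whole value as text inside the control, and the form
// submits it back exactly as it was stored (the browser decodes the entities
// in textarea content before submission).
function textarea_escaped($message)
{
    return '<td><textarea name="message" id="message" class="messagetext">'
        . h($message) . '</textarea></td>';
}

echo "Raw (broken):\n", textarea_raw($message), "\n\n";
echo "Escaped (correct):\n", textarea_escaped($message), "\n";
```

Two practical caveats. First, the user-side div echoes the same value unescaped on purpose, so that the pasted form renders; that is a decision to let whoever can write the admin field run script in every visitor's browser, and it is only safe while the admin form is restricted to trusted, authenticated users. Second, if the div is filled on the button click from JavaScript via innerHTML, browsers do not execute <script> elements inserted that way, which would account for the "javascript snippet" version showing nothing while the plain HTML version works.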
#3 | 09-26-2012, 11:59 PM | addcode (New Coder)
Quote (Originally Posted by Fou-Lu):
You haven't escaped your data. Simply surround $message with htmlspecialchars: echo htmlspecialchars($message); and it will replace the < and > with their respective &gt; and &lt; markers so it will show properly in the textarea. The same is true for any HTML element.
That still isn't solving the problem of the message displaying correctly in the textarea; if I input Aweber's HTML version of a web form's code, it still displays the actual web form above the form on the admin side. However, it does display properly on the user side when the button is clicked. And JavaScript still won't output on the user side either. When, say, for example, JavaScript is input in the textarea of the form and saved, the JavaScript should output on the user side when the button is clicked on a webpage, not as code, but as executed JavaScript.

I.e., if I put Aweber's JavaScript snippet in the textarea on the admin side and save, when the user clicks the button on the webpage, the web form should be displayed, as it's part of the $message variable?

#4 | 09-28-2012, 08:15 PM | addcode (New Coder)
Should I be using some kind of htmlspecialchars on save, on display on the admin side, AND on the user side?

This is getting tricky; I can't figure it out.

Basically it's working like, 1 - enter message in admin backend form. 2 - when admin backend form is loaded again, the current message is pre-populated in the form. 3 - on the user-side, user clicks the button and sees the particular message.
#5 | 09-28-2012, 08:56 PM | Fou-Lu (God Emperor)
Anytime you need to show the textual representation, then you need to use htmlspecialchars or htmlentities. If it never needs to be parsed as HTML, it can be escaped before inserting it into storage.
#6 | 09-29-2012, 04:32 PM | addcode (New Coder)
So where should I be using htmlspecialchars? When saving the data from the form, when displaying the data on the website (user side) when the button is clicked, or when displaying the data in the form field to change or update the message via the form?

I'm unclear as to how to save the data properly, and then display it parsed and functioning on the user side when it needs to be displayed when the button is clicked.

I mean, if there are single quotes ' and double quotes " and < and > within the custom message set on the admin side, how should I properly save it then display it using htmlspecialchars?

#7 | 09-29-2012, 06:45 PM | Fou-Lu (God Emperor)
Like I said, it depends on whether you ever need to render it as HTML code. If you do, then store it as full HTML code. If it never needs rendering and will always be text, call htmlspecialchars or htmlentities before storing it; then you do not require an htmlspecialchars call during display.
Personally, regardless of the usage, I'd store it in its original format and display it as text with htmlspecialchars.
Storing it is a simple matter of:
  1. If magic_quotes_gpc is enabled, issue a stripslashes() on the data (never skip this step; as of 5.4.0 this directive is now gone).
  2. Optional: escape the special characters by issuing htmlspecialchars or htmlentities. This would indicate it never needs rendering.
  3. Escape the data using mysql[i]_real_escape_string OR by using PDO/MySQLi prepared statements. Don't use both together. If the storage engine is not a database, you have many options depending on the format (CDATA blocks in XML, encoded with something like base64 or base2 cast to binary, delimited, serialized, etc.).

Conversely, the display of the data as text requires the opposite of what was done in the optional step. If you did convert it to the text representation, then you do not need to do so during display. If you did not, then you need to escape it during display. And the reverse is true if you need to render it. You can choose which makes more sense: if you display as text more often than you render as HTML code, then you should probably store it as escaped characters.
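As an added example (not code from the thread), the save / reload / display pipeline described in the reply above, written end to end so it can be run offline against an in-memory SQLite database through PDO. It follows the reply's stated preference: store the original text unchanged, escape only where the value is displayed as text. The table and column names, the pdo_sqlite requirement and the admin's input are all assumptions made for the example.

```php
<?php
// Added example (not from the thread): the store / reload / display pipeline
// from the reply above, against an in-memory SQLite database so it runs
// offline (needs the pdo_sqlite extension; PHP 5.4 or later). The table and
// column names are assumptions, and the admin's input is a constructed sample.

// Step 1: undo magic_quotes_gpc, which only exists before PHP 5.4. On later
// versions get_magic_quotes_gpc() returns false, and PHP 8 removed the
// function entirely, hence the function_exists() guard.
function from_request($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Step 3: a prepared statement. The driver quotes the value, so it is stored
// byte-for-byte as entered. No *_real_escape_string() call on top of it, or
// the stored text would carry extra backslashes.
function save_message(PDO $db, $message)
{
    $stmt = $db->prepare('INSERT INTO settings (name, value) VALUES (:name, :value)');
    $stmt->execute(array(':name' => 'message', ':value' => $message));
}

function load_message(PDO $db)
{
    $stmt = $db->prepare('SELECT value FROM settings WHERE name = :name');
    $stmt->execute(array(':name' => 'message'));
    return $stmt->fetchColumn();
}

// Display as text (the admin textarea): escape on the way out. This is the
// only place escaping happens, so the stored value stays usable as HTML.
function show_as_text($message)
{
    return htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
}

// Display as live HTML (the user-side div): no escaping. That is only
// acceptable because the value comes from a trusted admin; whoever can write
// this row can run script in every visitor's browser.
function show_as_html($message)
{
    return $message;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT)');

// Constructed admin input with the characters the question asks about:
// single quotes, double quotes, < and >, plus a script element.
$posted = "<p>It's \"free\"</p><script>document.write('<b>hi</b>');</script>";

save_message($db, from_request($posted));
$stored = load_message($db);

if ($stored !== $posted) {
    throw new RuntimeException('message was altered on the way into storage');
}

echo "Admin side:\n<textarea name=\"message\">", show_as_text($stored), "</textarea>\n\n";
echo "User side:\n<div id=\"message\">", show_as_html($stored), "</div>\n";
```

The strict comparison after the round trip is the check worth keeping in a real deployment: if it fails, something between the form and the database (magic quotes, a stray escaping call, a charset conversion) is rewriting the message, and escaping on display will then encode the wrong text. The optional step 2 from the reply is the alternative design: apply show_as_text() once in save_message() instead, and drop it from the admin display, which is only correct if the value is never rendered as HTML.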
Tags: echo, javascript, php, variables