
PHP

Escaping Output

The PHP file below includes another PHP file that retrieves information from an external source for a directory listing. The page is supposed to display two input fields and a textarea, but it contains some malicious code. Modify the PHP code below to escape the output and display the correct HTML elements on the screen.

<html>
<body>
<?php
// Read the submitted values (if any). trim() only strips surrounding whitespace;
// it does not make the values safe for HTML, so each one is escaped where it is printed.
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $link = trim($_POST["link"]);
    $name = trim($_POST["name"]);
    $description = trim($_POST["description"]);
}
?>
    <form method="post">
        <table>
            <tr>
                <th>
                    <label for="name">Name</label>
                </th>
                <td>
                    <input id="name" name="name" value="<?php if (isset($name)) { echo htmlspecialchars($name); } ?>">
                </td>
            </tr>
            <tr>
                <th>
                    <label for="link">Link</label>
                </th>
                <td>
                    <input id="link" name="link" value="<?php if (isset($link)) { echo htmlspecialchars($link); } ?>">
                </td>
            </tr>
            <tr>
                <th>
                    <label for="description">Description</label>
                </th>
                <td>
                    <textarea id="description" name="description"><?php if (isset($description)) { echo htmlspecialchars($description); } ?></textarea>
                </td>
            </tr>
        </table>
        <input type="submit" value="Save">
    </form>

</body>
</html>

2 Answers

Randy Hoyt (STAFF, Treehouse Guest Teacher)

I apologize for the confusion. By "name variable," I meant "the variable with the name in it." That variable is called $listing_name, and you see it in this line:

<input id="name" name="name" value="<?php echo $listing_name; ?>">

You are supposed to change that line to this:

<input id="name" name="name" value="<?php echo htmlspecialchars($listing_name); ?>">

There are two other similar lines that need to be escaped in the same way.

You didn't need to change the code at the top to look at $_POST variables or anything like that. You were just supposed to change the three lines with input tags to escape the output.

Does that help?

"You want to escape the name variable before displaying it to the screen." I can't understand this sentence. Comments are appreciated.
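The three lines Randy describes, carried through end to end as an added example (this is not code from the challenge, from Treehouse, or from either poster). The challenge's included file is replaced by three constructed variables, $listing_name, $listing_link and $listing_description, each holding an attacker-style payload so the difference between the raw and the escaped lines is visible in the output. The helper e() is an assumed name for a wrapper around htmlspecialchars():

```php
<?php
// Added example. The included listing file would normally set these; here they are
// constructed inline with hostile content so the effect of escaping can be seen.
$listing_name        = 'Treehouse"><script>alert("name")</script>';
$listing_link        = 'https://example.com/?q=1&x="><svg onload=alert(1)>';
$listing_description = '</textarea><img src=x onerror="alert(1)">';

/**
 * Escape a value for use as HTML text or inside a quoted attribute.
 * ENT_QUOTES also converts single quotes (needed if an attribute is written with ').
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The original three lines: whatever is in the variables lands in the markup as-is.
function renderUnsafe(string $name, string $link, string $description): string
{
    return '<input id="name" name="name" value="' . $name . '">' . "\n"
         . '<input id="link" name="link" value="' . $link . '">' . "\n"
         . '<textarea id="description" name="description">' . $description . '</textarea>' . "\n";
}

// The fixed three lines: every interpolated value goes through e() first.
function renderEscaped(string $name, string $link, string $description): string
{
    return '<input id="name" name="name" value="' . e($name) . '">' . "\n"
         . '<input id="link" name="link" value="' . e($link) . '">' . "\n"
         . '<textarea id="description" name="description">' . e($description) . '</textarea>' . "\n";
}

echo "--- unescaped: the payloads become live markup ---\n";
echo renderUnsafe($listing_name, $listing_link, $listing_description);

echo "\n--- escaped: the payloads are displayed as text ---\n";
$out = renderEscaped($listing_name, $listing_link, $listing_description);
echo $out;

// Self-check: no tag from the payloads survives escaping.
if (strpos($out, '<script') !== false || strpos($out, '<svg') !== false || strpos($out, '<img') !== false) {
    throw new RuntimeException('escaping failed');
}
```

In the escaped output the quote in $listing_name becomes `&quot;`, the `<` and `>` become `&lt;` and `&gt;`, and the `&` in the link becomes `&amp;`, so the browser renders the payloads as literal text inside the field values instead of closing the attribute or the textarea. The ENT_QUOTES and 'UTF-8' arguments are not required for the challenge (its attributes are double-quoted), but they are the safe default whenever the same helper is reused in single-quoted attributes or on non-ASCII input.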

James Barnett (39,199 Points)

Two questions: do you know what the name variable is, and what it means to escape something in PHP?

To escape something in PHP means to ensure that all the inputs within the fields will get treated as strings, so that the users cannot change something in your code (to avoid a cross-site scripting attack)? Sorry, not good at explaining stuff. And I'm not really sure what the name variable is; maybe ($name)?

James Barnett (39,199 Points)

To escape something in PHP means to ensure that all the inputs within the fields will get treated as strings, so that the users cannot change something in your code (to avoid a cross-site scripting attack)?

That's a pretty good explanation of why you need to escape/sanitize your data.

I'm not really sure what the name variable is; maybe ($name)?

Yep, the instructions were referring to the variable called name, which is represented in code as $name.

So I suppose it will be something like htmlspecialchars($name) to escape $name; however, I still can't figure out how to add it inside the code. What should I do with $listing_name, $listing_link and $listing_description? I tried to concatenate them with $name and escape it, but it doesn't work. Any tips? :)