Welcome to the Treehouse Community

Want to collaborate on code errors? Have bugs you need feedback on? Looking for an extra set of eyes on your latest project? Get support with fellow developers, designers, and programmers of all backgrounds and skill levels here with the Treehouse Community! While you're at it, check out some resources Treehouse students have shared here.

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and join thousands of Treehouse students and alumni in the community today.

Start your free trial

PHP

Posted by Tony McCabe
Tony McCabe
8,445 Points

Escaping Output

<?php require_once("controllers_listing.php"); ?><html>
<body>

    <h1>Edit Listing</h1>

    <form method="post">
        <table>
            <tr>
                <th>
                    <label for="name">Name</label>
                </th>
                <td>
                    <input id="name" name="name" value="<?php if (isset($name)) { echo htmlspecialchars($name); } $listing_name; ?>">
                </td>
            </tr>
            <tr>
                <th>
                    <label for="Link">Link</label>
                </th>
                <td>
                    <input id="link" name="link" value="<?php if (isset($link)) { echo htmlspecialchars($link); } $listing_link; ?>">
                </td>
            </tr>
            <tr>
                <th>
                    <label for="Description">Description</label>
                </th>
                <td>
                    <textarea id="description" name="description"><?php if (isset($description)) { echo htmlspecialchars($description); } $listing_description; ?></textarea>
                </td>
            </tr>    
        </table>
        <input type="submit" value="Save">
    </form>

</body>
</html>

Whats wrong with this. It say's there ias still malicious code??????

Colin Marshall
Colin Marshall
32,861 Points

You need to also show us the code for controllers_listing.php, as it is included in the first line so all that code is run too.

<?php require_once("controllers_listing.php"); ?>
Colin Marshall
Colin Marshall
32,861 Points

Nevermind that last message, I didn't realize this was from a code challenge. There's a couple things wrong here.

The first is that your variable names are wrong. $name, $description, and $link are not valid variables. It gives you the variable names you need to use.

The second thing wrong is that you are calling the variables outside of the if statement and when you're doing that the malicious code will not be escaped because it's not run through the htmlspecialchars() function.

Here's what it should look like for name. You should be able to take it from here.

<?php if (isset($listing_name)) { echo htmlspecialchars($listing_name); } ?>

1 Answer

Tony McCabe
Tony McCabe
8,445 Points
Tony McCabe
Tony McCabe
8,445 Points

Hey!! Awesome it worked Boyaah!