ExpressionEngine CMS

EE 1.x to 2.x - replacement for {html_strip}? EE variable '{var}' is "injecting" bad chars into php code

February 23, 2012 1:29pm

  • #1 / Feb 23, 2012 1:29pm

    Trend Hunter

    81 posts

    Hey everyone,

    Ran into an annoying error in converting some EE1.7 code to EE2.3. Since the {exp:html_strip} feature is no longer valid, we have an issue where an ExpressionEngine variable that contains different types of quotes and brackets is causing PHP errors, since these things are being “injected” into the PHP code without any sort of escaping etc.

    Here is an example:
    =======================================
    Query:

    {exp:query sql="Select body from mytable where id=1"}

    In PHP:

    $body = '{body}';

    Where the “body” being returned from the database is something like… " ( ' hey '' "" () test ' ' " " )

    ======================================

    So we’re getting PHP errors caused by the havoc that the new quotes and whatnot introduce (i.e. unexpected T_STRING).

    Any help would be awesome!

  • #2 / Feb 24, 2012 12:29pm

    Kevin Smith

    4784 posts

    Hi Trend Hunter,

    Since you’re using custom PHP on this, why not use htmlentities() or addslashes() to escape the quotes?

  • #3 / Feb 24, 2012 12:59pm

    Trend Hunter

    81 posts

    Hey Kevin,

    Thanks for the response.

    htmlentities or addslashes don’t work here, because the ExpressionEngine variable’s value is being “inserted” into the template and thus embedded within the PHP before PHP runs.

    So a possible result would be something like:

    htmlentities('"this is 'a' test"');

    Which will flag a syntax error in php prior to ever running.

    -TH

  • #4 / Feb 25, 2012 5:42pm

    Sean C. Smith

    3818 posts

    Hi Trend Hunter,

    I did a search on Devot:ee and found a few add-ons for EE2 that should accomplish what you want to do. Please check out: Strip HTML, HTML Plugin and CE String

    Does that help?

    Sean

  • #5 / Feb 27, 2012 9:35am

    Trend Hunter

    81 posts

    Hey Sean,

    Thanks for the search/help.

    Can it really be true that safely encoding a string is not a native function in EE? More specifically there is no function/EE tag {exp:clean_str}{body}{/exp:clean_str} or something that will encode characters dangerous to php to make them syntax-safe to inject into php variables?

    I feel like this is something that would be built in, although I’ve had no luck finding it. It looks like the plugin CE String has some good functionality for this, I’m just surprised EE itself doesn’t.

  • #6 / Feb 27, 2012 7:04pm

    Kevin Smith

    4784 posts

    If you pull the content from a Channel Entries tag, you’ll notice that EE actually does properly escape any characters that need it. The difference here is that you’re pulling results from the Query module, and the Query module is just a very light skin over top some PHP allowing you to run queries in templates. It’s available to do some simple queries, and PHP in templates is similarly available to accomplish those little odd things that just don’t have a native or third-party solution.

    All in all, you’re probably pushing the limits of what can be reasonably done with these two tools, and in the process, you’re overcomplicating things for yourself. Instead of going half-way by trying to develop in a template, I’d recommend just pulling back and writing your own add-on to accomplish it. The brilliant thing about an add-on is that it’s fully PHP. So anything you know you can do in PHP, you can do in an add-on, and it’s all backed with the foundation of CodeIgniter as a PHP framework.

    In terms of best practices, that’s really going to be the way to go here.
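    As an added illustration of the point made in #3 and #6 (this is not code from the thread, from ExpressionEngine or from CE String): the value is substituted into the template text before PHP ever parses it, so any escaping written inside the PHP block runs too late; an escape has to be applied at the template stage and must emit a complete PHP string literal. The helpers render_template(), php_literal() and parses() are hypothetical stand-ins for the template engine and a plugin; PHP 7 or later is assumed for token_get_all() with TOKEN_PARSE.

    ```php
    <?php
    // Constructed sample of the "body" column, using the quotes from the thread.
    $body = "\" ( ' hey '' \"\" () test ' ' \" \" )";

    // Stage 1 (stand-in for the template engine): {name} is replaced with the
    // raw value in the template text before PHP runs, so quotes in the value
    // land directly in PHP source.
    function render_template(string $template, array $vars): string {
        foreach ($vars as $name => $value) {
            $template = str_replace('{' . $name . '}', $value, $template);
        }
        return $template;
    }

    // The thread's pattern: drop the variable inside a single-quoted literal.
    // Result: $body = '" ( ' hey '' "" () test ' ' " " )';  -> parse error
    $naive = render_template("\$body = '{body}';", ['body' => $body]);

    // Template-stage escape (what a plugin/add-on would supply): emit a
    // complete, valid PHP string literal. var_export() returns a
    // single-quoted literal with backslash and single quote escaped, so the
    // substituted text can never terminate the literal early.
    function php_literal(string $value): string {
        return var_export($value, true);
    }

    // Note: no surrounding quotes in the template, the literal brings its own.
    $safe = render_template("\$body = {body};", ['body' => php_literal($body)]);

    // Check without executing anything: token_get_all() with TOKEN_PARSE
    // throws ParseError on invalid PHP source.
    function parses(string $source): bool {
        try {
            token_get_all('<?php ' . $source, TOKEN_PARSE);
            return true;
        } catch (ParseError $e) {
            return false;
        }
    }

    var_dump(parses($naive)); // bool(false)
    var_dump(parses($safe));  // bool(true)
    ```

    The same check (generate the source, then confirm it parses) is a cheap test to keep around for any template that builds PHP from stored content.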

  • #7 / Mar 01, 2012 9:38am

    Trend Hunter

    81 posts

    Hey anyone who follows us and has this same issue,

    We ended up spending the $10 and getting the CE String plugin. It worked quickly and like a charm.

    Thanks to all for the advice.

  • #8 / Mar 02, 2012 12:54pm

    Shane Eckert

    7174 posts

    Hello Trend Hunter,

    I am glad to hear this! That’s awesome. I really appreciate you sharing your findings as well.

    If you need anything else, you know where to find us!

    Cheers,

