Chapter 5 Exercises
Exercise 4: HTML and PHP
As you should understand by now, PHP is a server-side technology that is frequently used to send data to the web browser. This data can be in the form of plain text, HTML code, or both.
In the forum posting exercises you are completing for this chapter, data is entered in an HTML form and then printed back to the web browser with PHP. A potential problem is that the user can enter HTML characters in the form, which will throw off the resulting page’s formatting (Figures 5-7 and 5-8)—or, worse, cause security issues.
Figure 5-7: If the user enters HTML code in the posting...
Figure 5-8: ...it is rendered by the browser.
Because of the relationship between HTML and PHP, you can use many PHP functions to manipulate HTML tags within PHP string variables:
- htmlspecialchars() turns the characters that have special meaning in HTML (&, <, >, and quotes) into their entity versions, so any tag the user typed is displayed as text rather than rendered.
- htmlentities() turns every character that has an HTML entity equivalent (the special characters above plus accented letters, symbols, and so on) into its entity version.
- nl2br() converts newlines (created when the user presses the Enter key) into HTML <br> tags.
- strip_tags() removes all HTML and PHP tags.
The first two functions turn an HTML tag (for example, <strong>) into an entity version like &lt;strong&gt;. The entity version appears in the output as literal text but is not rendered as a tag. The fourth function, strip_tags(), removes HTML and PHP tags entirely.
In this exercise you will rewrite handle_post.php to demonstrate how these functions work.
To work with HTML and PHP:
Script 5-3: The stripslashes() function combats the effect of magic quotes.
- To begin, using Synapse to connect to the server, open handle_post.php (from Exercise 3) in Brackets.
- After you add the stripslashes() function before the print() statement, add the following lines (Script 5-3):
To clarify the difference between how these two functions work, you apply them both to the posting, creating two new variables in the process.
Script 5-4: This version of the PHP script addresses HTML tags in two different ways.
- Alter the print statement to read as follows:
To highlight the different results, print out the three different versions of the posting. First is the original posting as it was entered, followed by the htmlentities() version of the posting. It will show the HTML tags without rendering them. Finally, the strip_tags() version will be printed, and it will not include any HTML (or PHP) tags (Figures 5-9 and 5-10).
- Save the script, again as handle_post.php. Since you have opened this page straight from the production server using Synapse, your changes will be applied right on the production server by simply pressing Ctrl-S (Cmd-S on a Mac). This means that you don’t need to use FTP.
- Switch over to your browser, and test the file there (Figures 5-9 and 5-10). Ensure that it is saved in the same location as posting.html, and ensure you are looking at the production server version of the file, having refreshed to see the latest iteration.
Figure 5-9: The HTML characters you enter as part of a posting are addressed by PHP.
Figure 5-10: The resulting PHP page shows the original post as it would look if printed without modification, the effect of htmlentities(), and the effect of strip_tags().
- If your file needs editing, you can continue editing and saving your changes in Brackets, then just switch to your browser and refresh the page. Since you have opened this file straight from the production server using Synapse, your changes will be applied right on the production server. This means that you don’t need to use FTP.
- The html_entity_decode() function does just the opposite of htmlentities(), turning HTML entities into their respective HTML code.
- Another useful function for outputting strings in the browser is wordwrap(). This function wraps a string to a certain number of characters.
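The three versions of the posting that Script 5-4 prints, as an added example (not the exercise's own handle_post.php) that escapes a constructed sample posting with htmlspecialchars(), htmlentities(), and strip_tags(). It also shows the order that matters when nl2br() is combined with escaping, and that strip_tags() alone is not an output-escaping function.

```php
<?php
// Added example, not the course's handle_post.php. The $posting value is a
// constructed sample of what a user might type into posting.html.
$posting = "Hello <strong>world</strong>\n<script>alert('xss')</script> & goodbye";

// stripslashes() is only needed on legacy PHP with magic quotes enabled;
// PHP 5.4 and later never add the slashes, so guard the call.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $posting = stripslashes($posting);
}

// 1. htmlspecialchars(): &, <, >, " and ' become entities, so <script> is
//    displayed as text instead of executed. Escape FIRST, then call nl2br(),
//    otherwise the <br /> tags that nl2br() inserts would themselves be escaped.
$special = nl2br(htmlspecialchars($posting, ENT_QUOTES | ENT_HTML5, 'UTF-8'));

// 2. htmlentities(): same as above, plus every other character that has a
//    named entity (for example é becomes &eacute;).
$entities = nl2br(htmlentities($posting, ENT_QUOTES | ENT_HTML5, 'UTF-8'));

// 3. strip_tags(): removes the tags but keeps the text between them, so the
//    literal text alert('xss') and the bare & survive. A bare & or < is still
//    not safe to print as HTML, so the stripped text is escaped before output.
$stripped = htmlspecialchars(strip_tags($posting), ENT_QUOTES | ENT_HTML5, 'UTF-8');

// Never print the raw $posting: that is the unescaped output Figures 5-7 and 5-8 warn about.
print "<h3>htmlspecialchars() + nl2br()</h3><p>$special</p>";
print "<h3>htmlentities() + nl2br()</h3><p>$entities</p>";
print "<h3>strip_tags(), then escaped</h3><p>$stripped</p>";
```

Run it with `php` from the command line or place it on the server next to posting.html; the first two outputs show the tags as text, the third shows only the words the user typed.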