Two things: HTML entities and Undefined variables
#1

[eluser]edjon2000[/eluser]
Hello all,

Sorry to pick your brains yet again :)

1. HTML Entities:
What is the best way to deal with HTML entities? I am currently designing all my views using the XHTML Strict doctype as follows:
Code:
<?php echo '<?xml version="1.0" encoding="UTF-8"?>'; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html >
as well as
Code:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
This is in my header file, consequently, I have the entities issues to deal with.

First of all I have tried adding htmlspecialchars to my form validation rules which works great, up to a point, however if I then update an existing entry, I run into the double encoding problem, e.g.
Code:
Finance &amp; Accounting
and then on update
Code:
Finance &amp;&amp; Accounting
Ok, this is a bit annoying to say the least, so perhaps I should not use htmlspecialchars in the validation rules, I have since enabled global xss filtering and removed all my |htmlspecialchars|xss_clean| options from my validation rules, unfortunately the problem still exists but not as badly, now I don't actually get double encoding but I still have to view this in my edit whatever page.

I tried using htmlspecialchars_decode(PHP 5.x.x) and that removes the appearance of
Code:
&amp;
from the view but, of course kicks up a validation warning.

At the moment, in my database I have data stored with HTML entities, so, should I store the records without encoding? and perhaps encode them on import to the view, and then decode them on update.

Any advice on this would be greatly appreciated as I am sure you have come across this in the past (I did a search prior to posting this but found nothing directly relevant) and what partly related solutions I did find seemed to produce more errors, which brings me to my second question.

2. Undefined Variables
Now this is a weird one, I have found a lot of interesting stuff on these forums but nothing that actually answered my question, which is:-
If I am passing a variable from my controller to my associated view how can I do that in such a way as to prevent an undefined variable problem.

To display my views I use a sort of pseudo_template idea as follows:-
I have a common header and footer and a typical load from my controller is like this
Code:
<?php

/**
* Description of home
*
* @author Jon
*/
class Home extends Controller {

    function __construct()
    {
        parent::Controller();
    }

    function index()
    {
        $data = array();

        $data['page_title'] = 'Home';
        $data['extra_head_content'] = '[removed][removed]';
        $data['featured'] = 'site_views/featured_area_view';
        $data['main_content_1'] = 'site_views/home_view';
        $data['main_content_2'] = 'site_views/forms_view';

        $data['vac_name'] = $this->vacancy_model->generate_vacancy_list();
        $data['sec_name'] = $this->vacancy_model->generate_sector_list();
        $data['vacancies'] = $this->vacancy_model->get_vacancies(array('vacancy_featured' => 'Yes', 'vacancy_active' =>'Yes' ));

        $this->load->view('includes/template', $data);
    }
}

/* End of file home.php */
/* Location: ./application/controllers/site/home.php */

Now that all seems fine, but when it comes to building the view I get loads of undefined variable warnings in my IDE and I am one of those people that prefers to sort out the problem rather than cover it up, so any PHP notice error I have to correct.

To use the above example, here is the associated view, I will have to post this in my next post
#2

[eluser]edjon2000[/eluser]
Sorry about this here is the view.
Header:
Code:
<?php
$timezone = "Europe/London"; // My time zone
date_default_timezone_set($timezone); // set local time
?>
<?php echo '<?xml version="1.0" encoding="UTF-8"?>'; ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html >
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title><?php echo $page_title; ?></title>
        <link href="<?php echo base_url(); ?>_assets/css/sj-style.css" rel="stylesheet" type="text/css" media="screen, projection" />
        [removed][removed]
        [removed][removed]
        [removed][removed]
        <!-- the scriptaculous javascript library is available at http://script.aculo.us/ -->
        <?php if (isset($extra_head_content))
            echo $extra_head_content; ?>
    </head>

    <body>
        <div id="container">
            <!-- #masthead -->
            <div id="masthead">
                <h1><?php echo anchor('', 'Savannah James'); ?></h1>
                <ul>
                    <li class="home"><?php echo anchor('home', 'Home'); ?></li>
                    <li class="vacancies"><?php echo anchor('vacancies', 'Vacancies'); ?></li>
                    <li class="candidates"><?php echo anchor('candidates', 'Candidates'); ?></li>
                    <li class="contact-us"><?php echo anchor('contact', 'Contact Us'); ?></li>
                    <li class="tips"><?php echo anchor('tips', 'Tips'); ?></li>
                </ul>
            </div><!-- end of div #masthead -->
            <div id="topbar">
            <?php
            $link_name = '';
            $admin_link = '';
            if($this->session->userdata('admin_name') != NULL)
            {
                $admin_link = $this->session->userdata('admin_name');
                $link_name = ('Hello ' .
                '<strong> ' .
                $admin_link .
                '!</strong> - ' .
                anchor('admin', 'Site Admin') .
                '&nbsp;-&nbsp;' .
                anchor('logout', 'Log Out'));
            }
            else
            {
                $link_name = anchor('login', 'Log In to Site Admin');
            }
            ?>
                <div id="tb-1"><?php echo $link_name; ?></div>
                <div id="tb-2">
                    <div id="tb-2-facebook">
                        <?php echo anchor('http://www.facebook.com', 'facebook'); ?>
                    </div>
                    <div id="tb-2-linkedin">
                        <?php echo anchor('http://www.linkedin.com', 'linked in'); ?>
                    </div>
                    <div id="tb-2-twitter">
                        <?php echo anchor('http://www.twitter.com', 'twitter'); ?>
                    </div>
                </div>
                <div id="tb-3">
                    <?php echo "<p>" . date("D d M Y g:i a") . "</p>"; ?>
                </div>
            </div>
for this page the main content is as follows
Code:
<div id="left-column">
      <h2 id="about-us">About Us</h2>
      <!-- insert about us content -->
      <p>Here at Savannah James we make every effort to build solid relationships with both Clients and Candidates by using honesty, integrity and effective detailed communication supported by our commitment and determination to create career enhancing introductions.</p>
      <p>Our approach is as rigorous and intensive as it's open minded, highly successful Candidates can often come from unexpected sources.</p>
      <p>It is our aim to provide the perfect introduction, by gaining a comprehensive understanding of our Candidates' achievements to date, along with their key objectives this will enable us to identify their preferred new role and company they are actively seeking.</p>
      <p>We are skilled in ensuring that our Clients' working environment, benefits package, vision and future plans give complete synergy to our Candidates' requirements.</p>
      <p>Through our intensive research and networking ability we are being approached by national, multi-site organisations, along with niche recruitment businesses, gaining preferred supply/status to assist in their recruitment needs across all areas of the UK.</p>
      <p>Our Service is delivered with Passion Professionalism and Speed to ensure all parties achieve the required outcome.</p>
    </div><!-- end of div #left-column -->
and the footer is
Code:
</div>
<!-- end of div #container -->
<!-- #footer -->
<div id="footer">
    <div id="ft-wrapper">
        <div id="ft-1">
            <p>
                <?php echo anchor('home', 'Home |'); ?>
                <?php echo anchor('vacancies', 'Vacancies |'); ?>
                <?php echo anchor('candidates', 'Candidates |'); ?>
                <?php echo anchor('contact', 'Contact Us |'); ?>
                <?php echo anchor('tips', 'Tips'); ?>
            </p>
        </div>
        <div id="ft-2"></div>
        <div id="ft-3">
            <p>&copy; 2010 Savannah-James.com</p>
        </div>
    </div>
</div><!-- end of div #footer -->
<div class="benchmark"><?php echo 'Page loaded in ' . $this->benchmark->elapsed_time() . ' seconds'; ?></div>
</body>
</html>
#3

[eluser]Fabdrol[/eluser]
I'm not sure if I get your problem, but if I understand correctly it's the following:

1. User creates an entry with a title, body, maybe more
2. To be compliant entities must be encoded when viewed in the browser

Data in form entries doesn't need to be encoded to be compliant with your doctype. So, what I would do is save the data 'raw' in the database (e.g., without encoding the entities). That way, you can always be sure that the entry is the way the author intended it.
Then, when somebody views the data, you encode it in the view (or in route to the view). Example:
Code:
<h1><?= htmlspecialchars($title) ?></h1>
<p>
  <?= htmlspecialchars($body) ?>
</p>

When a user edits data, you don't encode it, but put it in the edit form in its "raw" format. That way, your data remains true and the encoding should be no problem.
#4

[eluser]edjon2000[/eluser]
Now, when it comes to variables on the view page things like
Code:
$data['vac_name']
which resolves to
Code:
$vac_name
appears as undefined.

I have read that all variables should be initialized but, how can you do that with a dynamic variable that is derived from the controller, if I define
Code:
$vac_name = '';
in the view, it effectively removes any data passed from the controller

Any advice on this would also be greatly appreciated.

Jon
#5

[eluser]edjon2000[/eluser]
Sorry Fabdrol I was still composing the post which ended up as several posts, please could you reply again after looking at the additional information but thanks anyway I will certainly have a look at that (raw data in database and do the encoding on import)
which would suggest decoding on export.

Hmm sounds like a plan :)

Jon
#6

[eluser]Fabdrol[/eluser]
Well, if the data is not encoded in the DB, you don't need to decode it on export. You'll only encode it when viewing it in a view. In any other case, you don't do anything with the encoding..

I'll take a look at the rest of your post in a moment. Maybe you could summarize your specific problems, it's a bit confusing decoding it between all the code samples ;-)

Fabian
#7

[eluser]edjon2000[/eluser]
Actually, thinking about the double encoding problem since PHP 5.2.3 they added the double_encode parameter which is as follows:-
Quote:When double_encode is turned off PHP will not encode existing html entities, the default is to convert everything.
Perhaps that may solve the problem, it is difficult, my development setup uses PHP 5.3.3 running on ZendServerCE but my WebHost uses PHP 5.2.14, hmm this could be a problem.

Jon
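
The storage advice in posts #3 and #6 and the double_encode idea in post #7, compared side by side in an added example that is not code from either poster. The helper names and sample strings are constructed, and it assumes the edit form escapes the stored value before writing it into the field.

```php
<?php
// Added example: constructed inputs, hypothetical helper names.

// Output encoding, applied only when a value is written into HTML.
function e($value, $double_encode = true) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8', $double_encode);
}

// What the browser does with an encoded value="..." attribute:
// it decodes the entities once, and that decoded text is what gets resubmitted.
function browser_field_text($attribute_value) {
    return html_entity_decode($attribute_value, ENT_QUOTES, 'UTF-8');
}

// One edit: render the stored value into the form, resubmit it unchanged, save.
// $encode_on_save = true models htmlspecialchars used as a validation rule.
function edit_cycle($stored, $encode_on_save) {
    $submitted = browser_field_text(e($stored));
    return $encode_on_save ? e($submitted) : $submitted;
}

$typed = 'Finance & Accounting';

// Pattern 1: encode on save, so entities end up in the database.
// Every edit adds another layer of "amp;" to the stored row.
$row = e($typed);
for ($i = 0; $i < 2; $i++) {
    $row = edit_cycle($row, true);
}
echo "encode on save, 2 edits: $row\n";

// Pattern 2: store raw, encode only in the view.
// The stored row stays exactly what was typed, however often it is edited.
$row = $typed;
for ($i = 0; $i < 2; $i++) {
    $row = edit_cycle($row, false);
}
echo "raw in DB, 2 edits:      $row\n";
echo "raw in DB, as HTML:      " . e($row) . "\n";

// double_encode = false hides pattern 1, but it cannot tell stored entities
// from text a user really typed, such as a tip that mentions an entity.
// With it off, the typed entity is passed through and the browser renders
// a bare ampersand; with it on, the reader sees the text as it was typed.
$tip = 'Type &amp; to show an ampersand';
echo "double_encode off:       " . e($tip, false) . "\n";
echo "double_encode on:        " . e($tip) . "\n";
```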
#8

[eluser]edjon2000[/eluser]
Hi Fabian, thanks for sticking with me.
Quote:I’ll take a look at the rest of your post in a moment. Maybe you could summarize your specific problems, it’s a bit confusing decoding it between all the code samples
In essence, at the moment, information is stored in the database in encoded format i.e.
Code:
& is stored as &amp;
and so on
Now as this project is brand new, and I have built it from the ground up, I have the freedom to play about with the database and change it for best practices although I am running out of time, my client would like to launch this soon, preferably in the next week or so, but he would prefer that it be "right" so to speak.

Jon
#9

[eluser]edjon2000[/eluser]
Fabian thanks,

I do have a dev version of the site available at the following location please feel free to have a look at it.



