#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    2
    Rep Power
    0

    Question Remove space from item in array


    I am a beginner at PHP and have been puzzling over this for a while. It is a custom Wordpress function but the issue is a PHP syntax one I just can't figure out.


    $author=>display_name outputs "John Smith" and I need it to output "JohnSmith".

    The SQL query is correct. However, $authorImg outputs nothing. I am very new to ob_start() and just can't figure out how to use it with an array. Can someone help me with the correct way to apply str_replace to display_name?

    Code:
    $authors = $wpdb->get_results("SELECT ID, display_name FROM wp_users INNER JOIN wp_usermeta ON wp_users.ID  = wp_usermeta.user_id WHERE wp_usermeta.meta_key = 'wp_capabilities' AND (wp_usermeta.meta_value LIKE '%author%' ) ORDER BY display_name");	
    
    ob_start();
    $authorImg = ($author->display_name);
    ob_end_clean();
    
    $authorImg = str_replace(' ', '', $authorImg);
    	
    	foreach($authors as $author) {
    		echo '<img src="/wp-content/uploads/' . $authorImg . '.jpg" />';
    		
    	}
    }
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Hi,

    I'm not sure what you're trying to do with this "ob_" stuff. It seems completely useless in this case. The "ob_" functions can be used to buffer the PHP output, but a single assignment ($authorImg = ...) obviously has no output.

    This code generally looks a bit twisted. Shouldn't the $authorImg stuff be in the "foreach" loop?
    PHP Code:
    <?php

    $authors = $wpdb->get_results("SELECT ID, display_name FROM wp_users INNER JOIN wp_usermeta ON wp_users.ID  = wp_usermeta.user_id WHERE wp_usermeta.meta_key = 'wp_capabilities' AND (wp_usermeta.meta_value LIKE '%author%' ) ORDER BY display_name");

    // loop through the authors
    foreach ($authors as $author) {
        // change display_name of author
        $authorImg = str_replace(' ', '', $author->display_name);
        echo '<img src="/wp-content/uploads/' . urlencode($authorImg) . '.jpg" />';
    }
    Note the urlencode(). You need to make sure the author name from the database doesn't break your HTML. This could even be used to attack your website, see cross-site scripting.
  4. #3
  5. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    2
    Rep Power
    0

    Thumbs up


    Thank you for this! There is actually a lot more to the function, but that was the part I was having trouble with so it's all I included.
    Your solution worked.
    To answer your question about the ob_, I was using it in another place on the site with a function and thought it might work for this. I don't know enough about it yet, as I said I am still a beginner. If you wouldn't mind answering some questions about this I would really appreciate it and it would help me to understand why this worked.

    I honestly wasn't sure if it should be in the foreach loop or outside of it. I was keeping it outside just to keep the rest of the function easy to read, but really there was no other reason. Does it really make a difference where you set the variable?

    Can you tell me why the urlencode is necessary? After the str_replace runs, there will no longer be a space in the filename and from what I can tell I wouldn't need it..? Can you elaborate on what part of this function is insecure and vulnerable to cross-side scripting?

    How could using the author name from the database break my html? The reason I needed to pull out that space was so it *did* work in the html.

    Thanks again for all your help!! ^ ^
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    Originally Posted by jamieb7210
    I honestly wasn't sure if it should be in the foreach loop or outside of it. I was keeping it outside just to keep the rest of the function easy to read, but really there was no other reason. Does it really make a difference where you set the variable?
    In this case the variable assignment doesn't even make sense outside of the loop, because it depends on the loop variable $author. Before the loop, there simply is no $author.

    The code inside a loop is executed for every loop iteration. So when you have a variable assignment there, it can use the values of that specific iteration. And the assignment is repeated for each iteration.

    A more obvious example:
    PHP Code:
    for ($i = 1; $i <= 10; $i++) {
        // the assignment runs once per iteration, with the current $i
        $double = $i * 2;
        echo $double . '<br />';
    }

    The loop counts from 1 to 10 and assigns each number to the loop variable $i. Inside the loop you have another variable $double, which takes the current value of $i and doubles it. This assignment $double = $i * 2; obviously wouldn't make sense outside of the loop. First of all, there is no $i before the loop. And secondly, it would be a single assignment of a single value, not a repeated operation.



    Originally Posted by jamieb7210
    Can you tell me why the urlencode is necessary? After the str_replace runs, there will no longer be a space in the filename and from what I can tell I wouldn't need it..? Can you elaborate on what part of this function is insecure and vulnerable to cross-side scripting?
    You should never insert raw values into your HTML, because this can be used to manipulate the page and inject JavaScript.

    Let's say you have this:
    PHP Code:
    <h1><?php echo $_GET['title'] ?></h1>
    What PHP will do is take the GET parameter "title" and simply dump the content between the h1 tags. This is no problem if "title" is actually a title like "My products" or something. But what if it contains HTML? That would be inserted into the page as well. So an attacker could use the URL to inject JavaScript code into your page and for example steal the cookies from anybody who opens this URL.

    Your case might be a little different. If you validate the names to only contain alphabetic characters, the actual risk of cross-site scripting is rather low. But don't rely on it! The best approach is to escape any value that goes into the page, no matter if it's actually dangerous at this point of time. Escaping means devaluating any character that has a special meaning in this context and turning it into a literal character.

    Since your value will be used in a URL, you have to apply urlencode() to it, which is the URL-specific encoding function. This makes sure that $authorImg cannot be used to manipulate the URL or the HTML.



    Originally Posted by jamieb7210
    The reason I needed to pull out that space was so it *did* work in the html.
    No, that's not necessary. A URL can contain any ASCII character, but some of them (like the space) have to be encoded first.

    So the urlencode() I was talking about also fixes this problem. You no longer need to remove the whitespace -- which is yet another reason why to escape any value.
  8. #5
  9. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,316
    Rep Power
    7171
    Also note along those lines, if you are escaping data for display in HTML rather than in a URL, then use htmlentities instead of urlencode. That's not relevant to what you're doing right now, but probably will be in the future.
    Last edited by E-Oreo; December 24th, 2012 at 12:08 AM.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
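
The two escaping steps discussed in posts #4 and #5, combined for the author image tag, as an added example that is not code from any poster in the thread. The display names are constructed sample values and `author_img_tag()` is a hypothetical helper; it uses `rawurlencode()` rather than the thread's `urlencode()` because the value sits in the URL path, and `htmlspecialchars()` as the HTML-context escape.

```php
<?php
// Constructed sample display names (not data from the thread).
$names = [
    'John Smith',            // ordinary name with a space
    'Ann & Bob?x=1',         // characters with special meaning in a URL
    'Jo" title="injected',   // a quote that would close the src attribute if echoed raw
];

/**
 * Build the <img> tag for one author (hypothetical helper).
 *
 * Step 1: rawurlencode() turns the name into one URL path segment.
 *         A space becomes %20; urlencode() would emit "+", which is
 *         only read back as a space in query strings, not in paths.
 * Step 2: htmlspecialchars() escapes the finished URL for use inside
 *         a double-quoted HTML attribute.
 */
function author_img_tag(string $displayName): string
{
    $url = '/wp-content/uploads/' . rawurlencode($displayName) . '.jpg';
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" />';
}

foreach ($names as $name) {
    // Unescaped version, shown only for comparison with the escaped one.
    echo 'raw:     <img src="/wp-content/uploads/' . $name . '.jpg" />' . "\n";
    echo 'escaped: ' . author_img_tag($name) . "\n\n";
}
```

With this in place the space no longer has to be stripped, provided the uploaded file is named with the space as well. Inside WordPress, `esc_url()` and `esc_attr()` are the built-in functions for these output contexts.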
