[Resolved] textarea containing PHP/HTML tags?

Havin_it2

Hi,

I hope someone can help with this. Is there a way of reading the contents of a PHP page into a textarea, so the PHP and HTML tags are nullified (so they don't affect the active document) but are displayed as-is in the textarea?

Thanks in advance

swr

The PHP tags won't be interpreted if you're just echoing it. The HTML tags will be interpreted by the browser though.

Use [man]htmlentities[/man] or [man]htmlspecialchars[/man] to fix it. They will turn <html> into <html> so that it will not be interpreted as HTML by the browser.

Havin_it2

Not so! That's exactly what I've been doing, and the output is still not escaped. Are there config options I should be checking?

swr

How are you doing it?

This has no effect because it discards the value:
htmlentities($foo);

This works fine:
$foo = htmlentities($foo);

Havin_it2

<DOH!> Thank you kind developer, for highlighting my stupidity.

This seems to be a bit of a grey area in manual terms. Some functions automatically update their arguments, some don't. Am I missing something in the terminology?

swr

The term you are looking for is "return value". Most functions return a new value without modifying the arguments. It's usually best to assume that is the case, unless the manual says otherwise.

The [man]htmlentities[/man] page doesn't really say, though the examples show it using the return value.

Most of the time it is only array-related functions that modify their arguments. If an array is large, creating a whole new one to return would be inefficient, so the change is done in-place.

Havin_it2

'ANG ABOUT! Now that I've tried your method, it still doesn't work! Exactly the same behaviour as before, over a variety of pages. I cleared my browser cache just to be sure, but it's still the same.

WHAT THE FIRETRUCK IS GOING ON?

Havin_it2

Okay, after a very negative-emotional day I've sussed it.

I was reading from the file thus:

$src = file_get_contents('http://localhost/foo.php');

So, however I tried to escape the contents of $src, it was too late because the PHP had already been parsed.

And if it had been possible, that would be a pretty sizeable security hole I guess. Wish I could think like a sysop...