php htmlspecialchars_decode() issue


I have a slight issue. I need to get htmlspecialchars_decode to run immediately before the $CmdExe = 'nircmd runs, as it is interfering and it won't execute properly. So basically I need $PlayMovie to already have a decoded value before proceeding. How can I make this work? I use php desktop, and nircmd executes functions on the PC as needed. It works great until a name has a special char in the database such as '. All special chars were put into the database using htmlspecialchars. nircmd is still seeing the value undecoded, so I need these decoded before it hits this line. Or is it decoded already? I ask because when I test the $PlayMovie variable without encoded values it works fine. Unusual question, I know; however, my PHP skills are still at the beginner stage. Much appreciated in advance.

$results = $db->query("SELECT * FROM Movies WHERE id = '$RecID'");

while($row = $results->fetchArray()) {
    $MovieFile = $row["FileName"];

    $PlayMovie = htmlspecialchars_decode($MovieFile);

    //NEEDS TO BE DECODED BEFORE THIS LINE
    $CmdExe = 'nircmd.exe shexec "open" "'. $MovieHostDrive . $PlayMovie .'"';

    exec($CmdExe);
}

Upon further testing when I do a str_replace it works. So is htmlspecialchars_decode not working?

 //This Works
 $PlayMovie = str_replace("'", "'", $MovieFile);

//This doesn't
$PlayMovie = htmlspecialchars_decode($MovieFile);

Solution

  • In the process that you are using, with inserting the database output into a PHP declaration, you need to escape the quote until it reaches. It would be strange that the substitute string will work in the declaration, since the other parts after the single quote would go into the PHP zone and cause some sort of syntax error. But if you need to do that code above, you would escape it with a backslash character \ as the single quote is converted.

    so change this:

          $PlayMovie = str_replace("'", "'", $MovieFile)
    

    to this:

           $PlayMovie = str_replace("'", "\'", $MovieFile);
    

    then this line will work, because the single quote is escaped in PHP, but the modifier will be removed when PHP executes the variable, just like HTML code.

         $CmdExe = 'nircmd.exe shexec "open" "'. $MovieHostDrive . $PlayMovie .'"';
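
An added example, not part of the original question or answer: it decodes the stored name with explicit flags (before PHP 8.1 the default flag set of htmlspecialchars_decode was ENT_COMPAT, which leaves the single-quote entity undecoded) and passes the path to the shell as one quoted argument. The function names, the drive and the file name are hypothetical, and the stored entity is assumed to be what htmlspecialchars() with ENT_QUOTES produces.

```php
<?php
// Added example, not the poster's code. All sample values are constructed.

// Decode a value that was stored with htmlspecialchars(..., ENT_QUOTES).
// Flags are passed explicitly so the result does not depend on the PHP
// version's default flag set.
function decode_stored_name(string $stored): string
{
    return htmlspecialchars_decode($stored, ENT_QUOTES | ENT_HTML401);
}

// Build the nircmd command line. escapeshellarg() quotes the path as a
// single argument, so a quote or other shell metacharacter in a file name
// cannot terminate the argument and append further commands.
function build_play_command(string $hostDrive, string $storedName): string
{
    $path = $hostDrive . decode_stored_name($storedName);
    return 'nircmd.exe shexec "open" ' . escapeshellarg($path);
}

// Constructed database value: a file name with an apostrophe, encoded the
// way the question says names were written to the database.
$stored = htmlspecialchars("Ocean's Eleven.mp4", ENT_QUOTES | ENT_HTML401);

// ENT_COMPAT (the pre-8.1 default) decodes double quotes only, so the
// single-quote entity survives this call.
var_dump(htmlspecialchars_decode($stored, ENT_COMPAT | ENT_HTML401));

// ENT_QUOTES decodes both quote styles.
var_dump(decode_stored_name($stored));

// Hypothetical drive prefix standing in for $MovieHostDrive.
$cmd = build_play_command('D:\\Movies\\', $stored);
echo $cmd, PHP_EOL;

// exec($cmd);  // left commented so the example runs without nircmd installed
```

On Windows, escapeshellarg() wraps the value in double quotes and replaces `"`, `%` and `!` inside it with spaces, so a file name containing those characters will not match the file on disk.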