We Keep Coding

How to output an HTML page based on user input

I want to make an HTML (or php maybe?) page that constructs a new HTML page based on input parameters the user gives to a drop-down box. I just don't know how you handle the input.
Here's my HTML:
<html>
<body>
<input type="number" min="1">
</body>
</html>
Yes I know it's not the full HTML page, but I just want to focus on the <input> tag. I know you probably have to set it equal to a PHP variable maybe?
I want it to generate a different HTML page that looks like this:
<html>
<body>
<p>You have chosen: $input </p>
</body>
</html>
I might be asking this all wrong, but I hope it makes sense what I'm looking for. I need to know how to handle the user input. I couldn't find a thread that discusses this. Do I need to generate a new HTML file? Or just override the current one and maybe have a reset button? I'm so confused.

In the simple case, you'll have two pages: your form and your result page. You can send data from the form page to the results page with one of two methods: GET or POST.
GET means that the data you're sending gets put in the page URL. This is useful because then you can link to a specific version of the results page, but potentially dangerous because you don't want to put sensitive data in the URL bar.
POST means that the data is sent with the HTTP request in the background. This is preferable for something like a password.
The GET and POST data can be read by nearly any server-side language and used to generate HTML on-the-fly. The example below uses PHP.
The form page doesn't necessarily need any server-side code, just basic HTML. Here's a simple example:
<!DOCTYPE html>
<html>
<form method="GET" action="my_result.php">
<input type="text" name="my_value">
<input type="submit">
</form>
</html>
Your second page (the results page) should bear the name that you specified in the form's action attribute. This is the page which will need server-side code. So here is an example my_result.php:
<!DOCTYPE html>
<html>
<p><?php echo $_GET['my_value']; ?></p>
</html>
Obviously, my_value can and should be replaced by whatever you want to call your data, as long as the name attribute of the input element matches the key in the PHP.
This example uses the GET method. You can use POST by changing the method attribute of the form and using $_POST instead of $_GET (if you are using PHP).
If you use $_REQUEST rather than $_GET or $_POST, it finds a value that was passed via either GET or POST. This is usually less safe than explicitly stating how your value was passed.
Addendum: Some servers are configured to disallow you from directly using the values of php superglobals such as $_GET, $_POST, and $_REQUEST for security purposes. That is because you really should always sanitize user input before using it in an application. The type of sanitization required depends on the type of input and how it is being used, and is well outside of the scope of this question. For this purpose, php provides the filter_input function.
The sanitization filter is an optional parameter for the filter_input function, so if you really want to use the data unfiltered, you can simply omit it (but know that this is dangerous). In this case, you can replace all instances of $_GET['my_value'] in the above code with filter_input(INPUT_GET, 'my_value').

This is not a tutorial, but I guide you to some important points:
You can get user input with html by using form element. read more about form and methods of form (GET and POST).
Then, how can you print user input when submitted by user? php supports both (GET and POST) using $_GET and $_POST with input name as key.
Dealing with user-input needs extra care because of security. user might submit malicious content that later attacks you or another user.

Try like below
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
</head>
<body>
<?php
if ($_POST) {
echo "<h3>You have selected ".$_POST['number']."</h3>";
} else {
echo '
<form method="post" action="">
<select name="number" id="number">
<option value="1" >1</option>
<option value="2" >2</option>
<option value="3" >3</option>
</select>
<input type="submit" value="submit">
</form>
';
}
?>
</body>
</html>

To handle a user input you have to use forms
<form action="action_page.php">
<input type="number" min="1 name="my-number">
<input type="submit" value="Submit">
</form>
After user set number and press submit button, you will get the value in action_page.php in $_REQUEST['my-number']

Printing the current page to pdf using wkhtmltopdf

Recently installed wkhtmltopdf. Was trying to capture the entire page in its current state, however, the below method seems to navigate to the initial state of that page without all the input fields that the user has entered.
PHP
shell_exec('wkhtmltopdf http://localhost/www/bolt/invoice.php invoice.pdf');
I was wondering if someone knew of an implementation of wkhtmltopdf that captures the current state of the page including any text entered in the text fields??
I appreciate any suggestions.
Many thanks in advance!

wkhtmltopdf hits the page independently of your current browsing session. If you hit it like that, you're going to get what anyone would see when they first go to your page. Probably what you want to do is save the current page using an output buffer, and then run wkhtmltopdf on the saved page. Here's some sample code:
sub.php
<?php
$documentTemplate = file_get_contents ("template.html");
foreach ($_POST as $key => $postVar)
{
$documentTemplate =
preg_replace ("/name=\"$key\"/", "value=\"$postVar\"", $documentTemplate);
}
file_put_contents ("out.html", $documentTemplate);
shell_exec ("wkhtmltopdf out.html test.pdf");
?>
template.php
<!DOCTYPE html>
<html>
<head>
<title></title>
<meta charset="utf-8" />
</head>
<body>
<h1>This is a page</h1>
<form action="sub.php" method="post" accept-charset="utf-8">
My Test Field:
<input type="text" name="test_field" value="">
<input type="submit" value = "submit">
</form>
</body>
</html>
Probably in the long run you should have some kind of base template that both pages would use, and one have some markers like value='%valueOfThisVariable%' in your input fields that you can replace with blanks when you present the fields to the user, and fill with the user data when you create the page that you want to write to pdf. Right now it's just going through and replacing all the name='this_name' with value='this_name->value'.

Echo back from PHP include file not working in IE

I have a simple form that posts signup info to a mailchimp account. The form and messages back from the include file work perfectly in Firefox, but nothing is happening in IE. If no email address is entered, it should come back with an error just like it does in Firefox. I have no idea how to trouble shoot this type of issue. If there is an error, it should echo back the error into a div on the form which again works perfectly in Firefox and nothing happens in IE. It makes no sense to me. I need to have this working by today. I have tried moving the files to the same location as the index.php, changed permissions, etc. with no luck. I need some major help! I can't even get this piece of code to come back in IE: if(!$_GET['email']){ return "No email address provided"; }
You can try the form at: www.terrybryan.com/index.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1" />
<title>Ajax Mailing List Sign Up System</title>
<link type="text/css" rel="stylesheet" href="css/default.css" />
</head>
<body>
<form id="signup" action="<?=$_SERVER['PHP_SELF']; ?>" method="get" style="width:250px;">
<fieldset>
<label for="email" id="email-label">Email Address</label>
<input type="text" name="email" id="email" />
<label for="zipcode" id="zipcode-label">Zip Code</label>
<input type="text" name="zipcode" id="zip" />
<label for="events" id="events-label">Receive future info from us?</label>
Yes<input type="radio" name="events" value="Yes" checked="checked" />
No<input type="radio" name="events" value="No" />
<label for="hearabout" id="hearabout-label">How did you hear about us?</label>
<select name="hearabout" id="hearabout">
<option value="Ice">Ice</option>
<option value="Radio">Radio</option>
<option value="Friend">Friend</option>
<option value="Door Hanger">Door Hanger</option>
</select>
<br /><br />
<input type="image" src="i/join.jpg" name="submit" value="Join" class="btn" alt="Join" />
<br /><br />
<div id="response">
<? require_once 'store-address.php'; if($_GET['submit']){ echo storeAddress(); } ?>
</div>
</fieldset>
</form>
<!-- Some fancy Ajax stuff to store the sign up info. If you don't want to use it, just delete it and the form will still work -->
</body>
</html>
and here is the include file that the message comes back from:
<?php
/*///////////////////////////////////////////////////////////////////////
Part of the code from the book
Building Findable Websites: Web Standards, SEO, and Beyond
by Aarron Walter (aarron#buildingfindablewebsites.com)
http://buildingfindablewebsites.com
Distrbuted under Creative Commons license
http://creativecommons.org/licenses/by-sa/3.0/us/
///////////////////////////////////////////////////////////////////////*/
require_once('MCAPI.class.php');
function storeAddress(){
// Validation
if(!$_GET['email']){ return "No email address provided"; }
if(!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*#[a-z0-9-]+(\.[a-z0-9-]+)*$/i", $_GET['email'])) {
return "Email address is invalid";
}
// grab an API Key from http://admin.mailchimp.com/account/api/
$api = new MCAPI('********');
// grab your List's Unique Id by going to http://admin.mailchimp.com/lists/
// Click the "settings" link for the list - the Unique Id is at the bottom of that page.
$list_id = "********";
// Merge variables are the names of all of the fields your mailing list accepts
// Ex: first name is by default FNAME
// You can define the names of each merge variable in Lists > click the desired list > list settings > Merge tags for personalization
// Pass merge values to the API in an array as follows
$mergeVars = array('ZIPCODE'=>$_GET['zipcode'],
'EVENTS'=>$_GET['events'],
'HEARABOUT'=>$_GET['hearabout']);
if($api->listSubscribe($list_id, $_GET['email'], $mergeVars) === true) {
// It worked!
return 'Success! Check your email to confirm sign up.';
}else{
// An error ocurred, return error message
return 'Error: ' . $api->errorMessage;
}
}
// If being called via ajax, autorun the function
//if($_GET['ajax']){ echo storeAddress(); }
?>
Does anyone have any idea why this simple form would not work in IE like it does in Firefox and other browsers?
Thanks,
T Bryan

Here's why: When using an image button in IE, when you click it, instead of sending $_POST['nameofbutton'], it sends $_POST['nameofbutton_x'] and $_POST['nameofbutton_y']. Now, Firefox sends both $_POST['nameofbutton_x'] and $_POST['nameofbutton_y'] as well as $_POST['nameofbutton']. The _x and _y values store the x and y coordinates of where you clicked on the image button, so you can do different things depending on where the user clicked for doing something like an image map.
So, when you test for if($_GET['submit']){ echo storeAddress(); } ?> you don't get it on IE because IE doesn't have $_GET['submit'] it has $_GET['submit_x'] and $_GET['submit_y'], so you must test for $_GET['submit_x'] or y.
Least I think the format was _x and _y, might be slightly different. Easy way to tell is to print_r($_GET);
Oh, also, by the way, be careful using Get for forms, particularly if they have to transfer a lot of potentially long information, IE has like a 255 character limit in the address bar and anything after that will get cut off and left out of $_GET or malformed. Best to use Post for forms. Get is only really good for things like structuring links for a CMS controller or registration email verification links and all that.

I suggest editing your html code for submit:
From:
<input type="image" src="i/join.jpg" name="submit" value="Join" class="btn" alt="Join" />
To:
<input type="submit" name="submit" value="Join" class="btn" alt="Join" />
type submit is generally reliable, other types (including, sadly, , image submits, etc) are often implemented differently in different browsers. Another thing not to rely on is the contents of submit, since ie in some cases submits html instead of the value (generally with things other than the standard submit value), or submit multiple forms on the page, annoying things like that.
So in general, it is best to go with a simple <input type='submit' ...etc, and go with a simple check for the -presence- of the submit and don't be too specific about what the submit contains.

I would suggest a very simple approach, style your button using CSS, or do <img src="path/to/your/image" alt="my image button" />

Since PHP runs on the server, it should (generally) provide the same response to the browser for the same input. Since the form uses the "get" method, the input is entirely specified by the URL (plus headers, including cookies, though those don't appear to factor in here).
In any case, when you submit the form from Firefox, you should see that the URL of the form submission appears in the Firefox address bar. If the PHP script issues a redirect as a response, then the URL may only appear very briefly. Either way, it should be available in your browser history.
If you can copy that URL into the address bar of IE and submit the same request from IE (again, assuming cookies aren't involved), then you should get pretty much the same response from the server. If you're not seeing the same thing in the browser window of IE as you do in Firefox, there may be several reasons.
View the source. (View -> View Source). If it's completely blank, the script probably failed to execute properly.
If you have access to the server error logs, check for an error message related to your request. A sane PHP implementation (in cooperation with a sane server) will provide error logging. Sometimes this is really the only way to know what's going on with your script. If you have access to the web server through an FTP account, you will probably find the logs at or near the top level.
If you don't have access to the server, you can still get a low-level view of what's happening with your request through the use of Firebug Lite or Fiddler2.

Escaping output safely for both html and input fields

In my web app, users can input text data. This data can be shown to other users, and the original author can also go back and edit their data. I'm looking for the correct way to safely escape this data.
I'm only sql sanitizing on the way in, so everything is stored as it reads. Let's say I have "déjà vu" in the database. Or, to be more extreme, a <script> tag. It is possible that this may be valid, and not even maliciously intended, input.
I'm using htmlentities() on the way out to make sure everything is escaped. The problem is that html and input fields treat things differently. I want to make sure it's safe in HTML, but that the author when editing the text, sees exactly what they typed in the input fields. I'm also using jQuery to fill form fields with the data dynamically.
If I do this:
<p><?=htmlentities("déjà vu");?></p>
<input type=text value="<?=htmlentities("déjà vu");?>">
The page source puts déjà vu in both places (I had to backtick that or you would see "déjà vu"!) The problem is that the output in the <p> is correct, but the input just shows the escaped text. If the user resubmits their form, they double escape and ruin their input.
I know I still have to sanitize text that goes into the field, otherwise you can end the value quote and do bad things. The only solution I found is this. Again, I'm using jQuery.
var temp = $("<div></div>").html("<?=htmlentities("déjà vu");?>");
$("input").val(temp.html());
This works, as it causes the div to read the escaped text as encoded characters, and then the jquery copies those encoded characters to the input tag, properly preserved.
So my question: is this still safe, or is there a security hole somewhere? And more importantly, is this the only / correct way to do this? Am I missing something about how html and character encoding works that make this a trivial issue to solve?
EDIT
This is actually wrong, I oversimplified my example to the point of it not working. The problem is actually because I'm using jQuery's val() to insert the text into the field.
<input>
<script>$("input").val("<?=htmlentities("déjà vu");?>");</script>
The reason for this is that the form is dynamic - the user can add or remove fields at will and so they are generated after page load.
So it seems that jQuery is escaping the data to go into the input, but it's not quite good enough - if I don't do anything myself, a user can still put in a </script> tag, killing my code and inserting malicious code. But there's another argument to be made here. Since only the original author can see the text in an input box anyway, should I even bother? Basically the only people they could execute an XSS attack against is themselves.

I'm sorry but I cannot reproduce the behaviour you describe. I've always used htmlspecialchars() (which does essentially the same task as htmlentities()) and it's never lead to any sort of double-encoding. The page source shows déjà vu in both places (of course! that's the point!) but the rendered page shows the appropriate values and that's what sent back to the server.
Can you post a full self-contained code snippet that exhibits such behaviour?
Update: some testing code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<?php
$default_value = 'déjà vu <script> ¿foo?';
if( !isset($_GET['foo']) ){
$_GET['foo'] = $default_value;
}
?>
<form action="" method="get">
<p><?php echo htmlentities($_GET['foo']); ?></p>
<input type="text" name="foo" value="<?php echo htmlentities($_GET['foo']); ?>">
<input type="submit" value="Submit">
</form>
</body>
</html>
Answer to updated question
The htmlentities() function, as its name suggests, is used when generating HTML output. That's why it's of little use in your second example: JavaScript is not HTML. It's a language of its own with its own syntax.
Now, the problem you want to fix is how to generate output that follows these two rules:
It's a valid string in JavaScript.
It can be embedded safely in an HTML document.
The closest PHP function for #1 I'm aware of is json_encode(). Since JSON syntax is a subset of JavaScript, if you feed it with a PHP string it will output a JavaScript string.
As about #2, once the browser enters a JavaScript block it expects a </script> tag to leave it. The json_encode() function takes care of this and escapes it properly (<\/script>).
My revised test code:
<?php
$default_value = 'déjà vu </script> ¿foo?';
if( !isset($_GET['foo']) ){
$_GET['foo'] = $default_value;
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head><title></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script>
<script type="text/javascript"><!--
$(function(){
$("input[type=text]").val(<?php echo json_encode(utf8_encode($_GET['foo'])); ?>);
});
//--></script>
</head>
<body>
<form action="" method="get">
<p><?php echo htmlentities($_GET['foo']); ?></p>
<input type="text" name="foo" value="(to be replaced)">
<input type="submit" value="Submit">
</form>
</body>
</html>
Note: utf8_encode() converts from ISO-8859-1 to UTF-8 and it isn't required if your data is already in UTF-8 (recommended).

If you just need to reverse the encode then you can use html_entity_decode - http://www.php.net/manual/en/function.html-entity-decode.php.
Another possibility to is only run htmlentities at the time the content will be displayed as part of a web page. Otherwise, keep the unencoded text, as submitted or loaded from your datastore.

I believe it is a problem with the way you are applying the value towards the input. It is being displayed as encoded, which makes sense because it is Javascript, not HTML. So, what I would propose is to write your encoded text as part of the markup so that it gets parsed naturally (as opposed to being injected with client script). Since your textboxes are not readily available when the server is responding, you can use a temporary hidden field...
<input type="hidden" id="hidEncoded" value="<?=htmlentities("déjà vu");?>" />
Then it will get parsed as good old HTML, and when you try to access the value with Javascript it should be decoded...
// Give your textbox an ID!
$("#txtInput").val($("#hidEncoded").val());

Firefox Upload Form Issue

I've created an upload script in php that takes a file, resizes it, and creates a cropped square thumbnail. The script itself seems to work fine.
However, when I tried to upload an image through Firefox, on clicking the submit button the browser shows the loading animation, but it never calls the script, it just stays on the current page. If don’t upload an image, then the script can be found and is run.
I tried in safari, and I don’t get the same problem, I can upload an image from the form, it will process it and take me the correct page.
I’ve tired just calling a basic script from the form, it just prints out the $_POST and $_FILES, and I get the same result, if an image is present, it won’t get to the script, if no image is present, it runs fine.
I’m just wondering if anyone has any idea what’s going on?
=Update=
Okay, so I’ve still got this problem, I seem to think I’ve found out what’s causing it then, but then I find something that contradicts it completely.
At the moment, I’ve noticed that I can successfully upload after I clear my Firefox cache, but I can only upload one image, then when I try to upload another, I can’t, it just resets the connection after "Loading..." for a bit.
Also, I’ve noticed that I can Ctrl+F5 a few times and get another upload through.
Although there are ways around this, I don’t want to have a form that requires users to clear cookies or refresh every time they need to upload. And as I’ve mentioned before, this error does not occur in IE/Opera/Safari/Chrome.
It seems like Firefox is storing something, I’m not sure what.
Any help would be gratefully appreciated.
If it helps here is the code I’m using.
The HTML Form
<form enctype="multipart/form-data" action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="POST">
<label for="file">Choose a file to upload</label>
<input id="file" name="file" type="file" /><br />
<input type="submit" value="Upload File" name="submit" />
And the PHP:
if (isset($_POST['submit'])) {
echo "Processing...<br/>";
if (isset($_FILES['file']['name'])) {
$file_array = $_FILES['file'];
echo "Uploading...";
upload File($file_array);
echo "...Done";
}
}
The echos are for me to see what’s going on. If none of them are actually being output. So for some reason the form is not being submitted. Which is why it’s not getting to the script. I’ve no idea why though. I’ve got no CSS, or JavaScript errors.
== Update ==
Okay I’ve being trying some more things and still no luck, the HTML, CSS and JavaScript is all valid. I’ve done an IIS Reset, I’ve recreated my Firefox profile. And still now luck.
I was testing it again, and this time I stopped it in the middle of loading (before the connection was reset) and then tried to go to a different page of the website, and the freezing continued, it would still say "Loading..." and "Waiting for localhost...". Not really sure what to make of that, is it some settings that I have? But then why doesn’t it affect other browsers?
== Update ==
As I mentioned below, it seems that AVG Linkscanner/Active surf shield seems to causing this issue, and there are many reports of others having similar problems with it. I updated from AVG Free v9.0.733 to v9.0.790 and I STILL have the same problem. I’m going to browse the AVG support forums and maybe post something over there since it seems to be an AVG issue.
If anyone does have any more insight, please post below. It’s much appreciated :)

Okay, im getting somewhere with this, you may think this is just a stupid mistake but read on.
If i dont have the < html >< body >..etc tags and just have..
<form enctype="multipart/form-data" action="up.php" method="POST">
<label for="file">Choose a file to upload</label>
<input id="file" name="file" type="file" /><br />
<input type="submit" value="Upload File" name="submit" />
</form>
Then i get this issue, where firefox will hang, on form submission.
If i have the correct tags like..
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title></title>
<link href="style.css" rel="stylesheet" type="text/css" />
</head>
<body >
<form enctype="multipart/form-data" action="up.php" method="POST">
<label for="file">Choose a file to upload</label>
<input id="file" name="file" type="file" /><br />
<input type="submit" value="Upload File" name="submit" />
</form>
</body>
</html>
Then it seems that this works. Now this looks simple, but i build my pages up dynamically so i just have one file that contains just the form code that gets included in the page.
Thats as far as ive got, althought having the form code in a separate file should make no difference since its all put together server side.

Sometimes, relative paths are perceived differently by different browsers, not that sure actually but try to specify current directory by prefixing path with ./, eg:
$target_path = "./public/photos/";
Rest of the code looks fine to me.

Just in case you are using the latest FF 3.6 I'm experiencing exactly the same problem, Any form loading a big file (1MB it's enought) seem to block FF upload.
On IE7/Safari/Opera it works.

Then when you right click in FF and view source, it should look exactly like it does in your code above (below "If i have the correct tags like..").

From the xhtml 1.0 specification
HTML 4 defined the name attribute for
the elements a, applet, form, frame,
iframe, img, and map. HTML 4 also
introduced the id attribute. Both of
these attributes are designed to be
used as fragment identifiers.
In XML, fragment identifiers are of
type ID, and there can only be a
single attribute of type ID per
element. Therefore, in XHTML 1.0 the
id attribute is defined to be of type
ID. In order to ensure that XHTML 1.0
documents are well-structured XML
documents, XHTML 1.0 documents MUST
use the id attribute when defining
fragment identifiers on the elements
listed above.
Maybe adding an id to the form could fix your problem.

Maybe shomething wrong with if (isset($_POST['submit'])) { and the variable $_POST['submit'] is not included by FireFox?
<pre>
<?PHP
print_r($_POST);
?>
</pre>

This isn't going to help you much but I am having EXACTLY the same problem. I have even re-installed FF, cleared cache, stripped the code right down (to a very simple form without validation and with all PHP stripped out - both on load and on post back). I have the problem in FF 3.6.13 and have tested against current versions of Safari(win), Chrome, Opera and IE where the code all works perfectly. My code validates as strict XHTML and all the suggestions above are already in there... what's more I am using my local (on the same computer) web site.
MANY thanks for pointing me towards AVG Link scanner... disabling it does fix the problem but that still leaves me thinking FF has a bug as "all" other browsers play nicely with the AVG Link scanner on.