I have a simple HTML form where I am capturing three variables from the user: the first is the registration number, the second is the date of joining and the last one is the password. When I use
$regdno = $_POST["regdno"];
$doj = $_POST["doj"];
$password = $_POST["password"];
echo $regdno;
echo $doj;
echo $password;
I am getting results printed like
113128321985/12/06myownpass
when I am using Internet Explorer, Firefox and Opera, which is correct. But when I am using Google Chrome it is showing like this
11312832 1985/12/06myownpass
which shows an extra blank space. Friends, why is there this difference and how do I rectify it?
Try using trim() on each variable.
Each browser parses and validates HTML differently. Generally speaking, if you are noticing different results in form data between browsers, it is probably caused by an invalid HTML issue, where the browser interpreted how to fix the HTML differently from the others.
Try validating your HTML code on W3: https://validator.w3.org/
It could also be caused by autocomplete data including a white-space in a previously saved value.
Lastly you should always sanitize and validate any user supplied data, no matter how trivial the information supplied is.
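Putting the two suggestions together (trim, then validate), here is an added example that is not code from the question or its answers. The rules it enforces (an 8-digit registration number, a YYYY/MM/DD joining date) are assumptions chosen to fit the sample values.

```php
<?php
// Added example: trim and validate the three form fields before using them.

function cleanField(array $input, string $key): string
{
    // A missing key yields ''. trim() removes the stray space Chrome added,
    // plus \r\n and tabs; a non-breaking space (U+00A0) is mapped to a plain
    // space first because trim() does not strip it.
    $value = (string)($input[$key] ?? '');
    return trim(str_replace("\xC2\xA0", ' ', $value));
}

function validRegistration(string $regdno): bool
{
    // Assumed format: exactly eight digits, as in the sample value.
    return preg_match('/^\d{8}$/', $regdno) === 1;
}

function validDateOfJoining(string $doj): bool
{
    $d = DateTime::createFromFormat('!Y/m/d', $doj);
    // createFromFormat rolls 1985/13/40 over into a "valid" later date, so
    // re-render and compare to reject out-of-range months and days.
    return $d !== false && $d->format('Y/m/d') === $doj;
}

// Constructed sample used when run from the CLI: the question's values, with
// the extra space that Chrome sent.
$input = $_POST ?: ['regdno' => '11312832 ', 'doj' => '1985/12/06', 'password' => 'myownpass'];

$regdno   = cleanField($input, 'regdno');
$doj      = cleanField($input, 'doj');
$password = (string)($input['password'] ?? '');   // not trimmed: spaces may be part of it

if (!validRegistration($regdno) || !validDateOfJoining($doj) || $password === '') {
    http_response_code(400);
    exit("Invalid form data\n");
}

// Escape before echoing so a value cannot inject markup, and never echo the password.
echo htmlspecialchars($regdno, ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars($doj, ENT_QUOTES, 'UTF-8'), "\n";
```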
Note: I am using Laravel 5.1. I cannot tell at the moment whether this is related to Laravel or not; it works fine on my local machine with the exact same code as is on the server. So it may be server related. I've given as much information as I can think of.
I have a textarea that a user can fill in, much like the textarea on this forum. When I try to repopulate that textarea from the database for editing, multiple new lines are lost.
The database shows this:
[b]some text[/b]\r\n
A: More text\r\n
\r\n
[b]other text[/b]\r\n
A: More other text\r\n
When I put it back in a textarea input it still has new lines, but double new lines are lost:
[b]some text[/b]
A: More text
[b]other text[/b]
A: More other text
I have tried this without using the blade escape syntax (just a plain echo) with the same result.
In fact I can't tell when it is losing the whitespace at all. Here are some examples of when I can see the string having multiple whitespace and when I can't.
dd($model);
// This shows with whitespace (\r\n) in both the attributes and originals array
dd($model->column);
// This shows the multiple new lines \r\n
var_dump($model->column);
// This shows no new lines
return $model->column;
// simple return from the controller removes multiple white lines
return Response::make($model->column);
// again just outputting the plain string multiple white lines are removed
<textarea>{!! $model->column !!}</textarea>
// of course the actual problem in a blade file, no extra spaces between lines are displayed in the textarea
What's more confusing is that in Vagrant the white lines are retained just fine; only on my CentOS server are they lost. The code is identical, which made me think it might be a MySQL/PHP/server setting, but then dd() on the model shows the correct whitespace, so it's obviously coming out of the database just fine; something is happening to the string when it's echo'd or var_dump'd (I'm not sure what dd() uses; I assumed it was var_dump, perhaps not).
It does seem to be related to the database in some way though, because a form with a validation error repopulates the textarea just fine with the multiple new lines. It's only when repopulating the textarea from the database that a problem occurs.
Every result I've found trying to Google this error references using nl2br, which obviously isn't helpful in this instance. I'm not trying to display the text in HTML; I'm trying to let a user submit a form using the textarea and then refill that textarea to let them edit the data they've submitted later on. So to be very clear, nl2br is not a solution in this instance.
A year later and this was causing a problem again, finally figured it out, it was Cloudflare's minify html setting that was causing it.
I am creating a rather small web application in PHP, where a (trusted) administrator can, amongst other things, store hundreds of objects in a database. The user can enter a number of details about these objects in the form of text fields (an input element with the type attribute set to "text").
The objects with their details are echoed in the form of a table, escaped by the htmlspecialchars function. This function, however, does not prevent against the malicious use of html tags, for example, the <script> tag.
The question is whether all user entered data (every cell in the table) should be purified by something like HTMLPurifier, which is already used elsewhere in the application. And if so, what would be the best way to do it, as using HTMLPurifier thousands of times (there are many details) may cause some serious performance issues.
The objects with their details are echoed in the form of a table, escaped by the htmlspecialchars function. This function, however, does not prevent against the malicious use of html tags, for example, the <script> tag.
Yes it does. They get harmlessly and correctly output as <script>.
The question is whether all user entered data (every cell in the table) should be purified by something like HTMLPurifier
Nope. You should only use HTMLPurifier on fields where you are deliberately intending to allow the user to enter markup for direct rendering to the page, for example a comment system where the user can type <i> for italics.
For other input that you are treating as plain text, htmlspecialchars remains the right thing to do when outputting to HTML.
Everything should be checked and cleaned before you save it into the database. The principle is that you DO NOT TRUST anything coming from the user.
ALWAYS escape everything.
Or just use tools which will do that for you - like frameworks.
I'm trying to sort out an issue with foreign characters and matching those to a database value.
I've managed to get a match out of the database query as I wanted but now I've run into a different problem and simply don't know why what's happening is happening.
On all pages throughout the site there is a header include which has a input field to search the site.
<form action="/search.php" method="get"><input name="q" type="text" />etc...
My problem query string was this: grønhøj. When I enter this string into the input form on the homepage I get taken to the search page with the URL like so: search.php?q=gr%F8nh%F8j which doesn't work at the moment.
However, if I then re-enter that same search query into the header input when I'm on the search page, the page reloads except the URL now looks like this: search.php?q=grønhøj which does work.
If the resulting URL remained the same all the time, then I'd not have a problem, but because it's inconsistent I don't know how to provide solutions to both possible versions of the query string.
So I guess I have 2 questions.
1) Why does the URL not stay the same when it's using the exact same form to submit the string?
2) How can I manipulate both versions of the URL (or stop the different pages resulting in different URLs) so that the resulting string is consistent regardless of which version of the URL I get?
UPDATE: I found a function to detect UTF-8 encoding Here which allowed me to switch how I handle the URL string depending on which version of the URL I get, so now my main issue is fixed.
I would still, however, like to understand why I get the 2 different URL variables from the different pages even though the form is a consistent include across the site. Any ideas?
One way you can solve this issue is to always decode the query string using urldecode() and then forcefully use urlencode() on it again. This way, whether the initial query string was URL encoded or decoded, it will go through the decoding and encoding process again, which will result in the same final query string.
Manual - urlencode
Manual - urldecode
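The two URLs in the question differ in byte encoding, not only in percent-encoding: an ISO-8859-1 page submits ø as the single byte %F8, a UTF-8 page as %C3%B8. The following is an added example, not the poster's code, that brings both forms to the same UTF-8 bytes before querying and then emits one canonical link; treating any non-UTF-8 input as ISO-8859-1 is an assumption about this site's pages.

```php
<?php
// Added example: normalise the "q" parameter whichever encoding the form sent.

function normaliseQuery(string $q): string
{
    // PHP has already percent-decoded $_GET, so only the byte encoding differs.
    // 0xF8 can never start a valid UTF-8 sequence, so the Latin-1 form fails this
    // check. Caveat: some Latin-1 strings happen to be valid UTF-8 as well, so
    // the real fix is to serve every page as UTF-8 (accept-charset / meta charset).
    if (!mb_check_encoding($q, 'UTF-8')) {
        $q = mb_convert_encoding($q, 'UTF-8', 'ISO-8859-1');   // assumption: Latin-1 otherwise
    }
    return trim($q);
}

// Constructed samples: the two raw query strings from the question.
foreach (['q=gr%F8nh%F8j', 'q=gr%C3%B8nh%C3%B8j'] as $queryString) {
    parse_str($queryString, $params);        // does the percent-decoding, like $_GET
    $q = normaliseQuery($params['q']);

    // Both inputs now yield identical bytes, so one prepared statement serves both.
    echo bin2hex($q), ' ', $q, "\n";                          // 6772c3b86e68c3b86a grønhøj

    // Rebuild the link once from the normalised value (no second urldecode() on
    // $_GET, which would corrupt a literal "%" or "+" typed by the user).
    echo '/search.php?', http_build_query(['q' => $q]), "\n"; // /search.php?q=gr%C3%B8nh%C3%B8j
}
```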
Here is an example of the workflow a user can have on my website :
Create a task, with content: I use htmlentities to encode the content and store it in my database (yes, I've decided to store the encoded content);
The user comes back later and clicks to view the task. The thing is, the preview of the content is done in a disabled textarea.
I tried to use htmlentities_decode when printing the content in the textarea (XSS problem if the user entered bad things);
I just print the encoded text and everything is fine.
The user clicks on EDIT, this will make the textarea editable
The user clicks on SAVE.
Here is my main issue, as I didn't decode the text before I printed it, it is still encoded and when the user saves it, it is re-encoded. So, the previous content is double encoded.
So, if the first time the user enters something like:
blablabla </textarea/> yeah!
Then, it's encoded and the result is:
blablabla </textarea/> yeah!
Then, when I display it, it displays as the user previously entered it but if he saves it, the result is:
blablabla </textarea/> yeah!
And, so, if he displays it again, it is not well displayed (and it also takes more and more space in my database as the user keeps editing his task).
Well, I am sure this is a problem a lot of people have experienced but I can't find any good solution.
By the way, I am using htmlentities with ENT_QUOTES.
ahah, here is my main issue, as I didn't decode the text before I printed it, it is still encoded and when the user save it, it is reencoded. So, the previous content is double-encoded.
This is actually correct, you shouldn't decode the text before you print it. In fact, it must be HTML encoded when output in the HTML page. It is not still encoded when the user submits it because the browser will have already interpreted the HTML entities.
Unless... you are creating a TEXT_NODE in the DOM and assigning the encoded data to this (in the textarea)? In which case the browser will not interpret the HTML entities and you will end up resubmitting already encoded data. Assign to the innerHTML property instead, if this is the case. However, the HTML entities would be clearly visible in the form to the end user (on the first edit), before the data is submitted, which does not appear to be the case?
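An added example, not code from either thread, that covers both the table-escaping question above (htmlspecialchars renders a `<script>` tag harmlessly) and this one (encoding before storage is what produces double encoding). The helper name e() is hypothetical; the inputs are constructed from the examples in the two questions.

```php
<?php
// Added example: escape once, on output, and store the raw text.

function e(string $s): string
{
    // ENT_QUOTES escapes both quote styles (safe inside attributes);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: an admin-entered table cell, and the task text from the question.
$cell = '<script>alert(1)</script>';
$task = 'blablabla </textarea/> yeah!';

// Table cell: the tag is shown literally by the browser, not executed.
echo '<td>', e($cell), "</td>\n";
// <td>&lt;script&gt;alert(1)&lt;/script&gt;</td>

// Textarea: escaping the raw stored text means "</textarea>" cannot close the element.
echo '<textarea>', e($task), "</textarea>\n";
// <textarea>blablabla &lt;/textarea/&gt; yeah!</textarea>

// The failure mode from the question: the stored copy was already encoded with
// htmlentities(), then escaped again on output, so the user sees the entities.
$storedEncoded = htmlentities($task, ENT_QUOTES, 'UTF-8');
echo e($storedEncoded), "\n";
// blablabla &amp;lt;/textarea/&amp;gt; yeah!

// Simulate the browser: it decodes the entities it receives and submits plain
// text, so escaping on every render never accumulates when the raw text is stored.
function roundTrip(string $raw): bool
{
    $rendered  = e($raw);
    $submitted = html_entity_decode($rendered, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return $submitted === $raw;
}
var_dump(roundTrip($task));   // bool(true)
```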
Hum,
I fixed my problem.
I didn't notice, but for the first entry I was using htmlentities() and when editing I was using the Zend escape() function.
Using only htmlentities() fixed the problem. I don't know how the escape() function of ZF works, but I won't use it in the future :p
Thank you for your answers :)
Anyway, so, I am wondering, in which situation should the htmlentities_decode() function be used? As I apply htmlentities() when I get the form and print it like that, I never use htmlentities_decode(). Is that normal? So I am wondering what this function is used for.
Thanks again!
I'm building a small search script for my website. I need to send data by the GET method because with POST it will get really messy, as I have to show many pages of search results.
So, my question is: can I use the GET method directly? I mean, do I need to encode the URL or anything else?
I have checked it in modern browsers. It works just fine..
Thanks
Edit:
urlencode is used when putting variables in a URL.
I am submitting my search form with method='get'. Then I get the variable, perform the search query and make new page links with the variable data.
- Length/size is not a problem.
You people are suggesting I should use the urlencode function only while making new links?
You can and should use urlencode() on data that possibly contains spaces and other URL-unfriendly characters.
http://php.net/manual/en/function.urlencode.php
You need to URL Encode the parameters on the URL eg http://www.example.com/MyScript.php?MyVariable=%3FSome%20thing%3F.
Be aware that there's a limit to how much data can be sent via GET - more restrictive on older browsers. If I remember correctly, IE6 has a limit of 1024 characters in the URL so if you think you're going to go over that, consider using POST or you may exclude some users.
You should use urlencode($variable) (Link) before sending the variable (even though the browser usually takes care of this) and urldecode($variable) (Link) after receiving it; this way you can be sure special chars will be treated correctly.
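An added example, not taken from the thread, of building the paginated search links the asker describes: every value goes through http_build_query (percent-encoding per RFC 3986), and the parameters are read back from the already-decoded $_GET without a second urldecode(). Parameter names and the search term are constructed for illustration.

```php
<?php
// Added example: safe GET links for paginated search results.

function searchLink(string $q, int $page, int $perPage = 20): string
{
    // Percent-encodes "?", "&", "=", "#", "%", spaces and non-ASCII in the term,
    // so the search text can never split or truncate the query string.
    return '/search.php?' . http_build_query(
        ['q' => $q, 'page' => $page, 'per_page' => $perPage],
        '', '&', PHP_QUERY_RFC3986
    );
}

function readSearchParams(array $get): array
{
    // $_GET is already decoded by PHP: a second urldecode() would turn a literal
    // "%25" or "+" typed by the user into something else.
    $q    = trim((string)($get['q'] ?? ''));
    $page = filter_var($get['page'] ?? 1, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'default' => 1]]);
    return ['q' => $q, 'page' => $page];
}

// Constructed sample: a term containing every character that is special in a URL.
$term = 'cats & dogs? #1 100%';
$link = searchLink($term, 2);
echo $link, "\n";
// /search.php?q=cats%20%26%20dogs%3F%20%231%20100%25&page=2&per_page=20
// Interpolating $term directly would give ...?q=cats & dogs? #1 100%&page=2,
// where "&" splits the value and "#" drops everything after it.

// Round trip: parse the link as the browser sends it back and check the term survives.
parse_str(parse_url($link, PHP_URL_QUERY), $get);
$params = readSearchParams($get);
var_dump($params['q'] === $term, $params['page']);   // bool(true) int(2)

// In an href the "&" separators must also be HTML-escaped.
echo '<a href="', htmlspecialchars($link, ENT_QUOTES, 'UTF-8'), '">Next page</a>', "\n";
```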