I am currently writing some search engine, where this page is retrieving some _GET variables from a previous page. This is working as intended.
Now I am using those variables as default value in a POST form. However, for some reason, only the first word for each of them is showing up. The form code is as follows:
<form action = "insert.php" method = 'POST'>
<Place name <input type="text" name="name" size = "30" value= <?php echo $_GET['name']; ?> />
Note that when echoing $_GET['name'] anywhere else in the page, everything is fine. Multiple words show up as expected, but when I use it as a text box default value, only the first word shows up on the textbox.
At first, I thought it had something to do with the way those $_GET variables are sent in the URL so I tried this:
$fullname = array();
$fullname = explode("%20", $_GET['name']);
$aaa = implode (' ',$fullname);
...
Place name <input type="text" name="name" size = "30" value= <?php echo $aaa; ?> />
but the result is still the same. If I echo it anywhere else in the page I get the full string, but if it's inside the form only the first word shows up.
What am I missing here?
The value attribute of the input tag needs to be in quotes:
<input type="text" name="name" size = "30" value="<?php echo $_GET['name']; ?>" />"
Otherwise, if $_GET['name'] contains spaces you'll end up with something like: value=John Smith. That will be understood as value=John with an invalid Smith attribute floating around.
Also, consider sanitizing $_GET['name'] with htmlspecialchars. Consider what would happen if $_GET['name'] was "/><script>alert(0)</script><. You'd end up embedding user-controlled code on your website, resulting in a reflected XSS.
Related
Started learning PHP today so forgive me for being a noob. I have a simple HTML form where the user inputs 4 strings and then submits.
HTML form
<html>
<head>
<title>EMS</title>
</head>
<body>
<h1>EMS - Add New Employees</h1>
<form action="<?php echo $_SERVER["PHP_SELF"];?>" method="post">
<table>
<tr><td>Enter a NAME:</td><td> <input type="text" name="name"></td></tr>
<tr><td>Enter a PPSN:</td><td> <input type="text" name="ppsn"></td></tr>
<tr><td>Enter a PIN :</td><td> <input type="text" name="pin"></td></tr>
<tr><td>Enter a DOB:</td><td> <input type="text" name="dob"></td></tr>
<tr><td></td><td><input type="submit" value="Add New Employee" name="data_submitted"></td></tr>
</table>
</form>
</html>
I want to implode the 4 elements in the $_POST["data submitted"] array to a string.
PHP
<?php
if (isset($_POST['data_submitted'])){
$employee = implode(",",$_POST['data_submitted']);
echo "employee = ".$employee;
}
?>
Why is it that when I run the project, Input the 4 strings into the form and submit that there is nothing contained within the employee string when its outputed? There is however a value in the employee string when I just implode the $_POST array like so without 'data_submitted'.
$employee = implode(",",$_POST);
The output of the $employee string is now - employee = will,03044,0303,27/5/6,Add New Employee
It contains the name,pps,pin,dob and this ADD New Employee value?
How do I just get the $employee string to contain just the name,pps,pin and dob from the $POST_[data_submitted] array?
If you wish to implode the submitted data, then you need to refer to the specific items, as follows:
<?php
$clean = [];
if (isset($_POST['data_submitted'])){
// one way to deal with possibly tainted data
$clean['name'] = htmlentities($_POST['name']);
$clean['ppsn'] = htmlentities($_POST['ppsn']);
$clean['pin'] = htmlentities($_POST['pin']);
$clean['dob'] = htmlentites($_POST['dob']);
$employee = implode(",",$clean);
echo "employee = $employee";
}
Never use submitted data without first checking to make sure that it is safe to do so. You need to validate it. Since the OP doesn't specify what kind of data the named inputs "ppsn", "pin", "dob" pertain to, this example does a minimum of validation. Each input might require more or something different.
Whether you're new or familiar with PHP, it is a good idea to frequently read the online Manual.
First, you need to know that php will treat value in the format: value="value here" as string.
So, calling implode(",",$_POST['data_submitted']); will return Add New Employee as declared here: <input type="submit" value="Add New Employee" name="data_submitted">.
From your question:
How do I just get the $employee string to contain just the name, pps, pin and dob from the $_POST[data_submitted] array?
Solution
1. Unset the <code>$_POST['data_submitted']</code> index in the $_POST super global variable
2. Implode it
// Unset the $_POST['data_submitted'] index
$post_data = unset( $_POST['data_submitted'] );
// Format the post data now
$format_post_data = implode( ",", $post_data );
// Escape and display the formatted data
echo htmlentities( $format_post_data, ENT_QUOTES );
I've setup a form with a table which includes rows from a database. I've used a variable to represent the database record ID as the name for one of the rows like this:
<td><input type="text" name= "<?php echo $recordID; ?>" class="form-control" placeholder="User Notes"></td>
which is working fine and ends up appearing like this in the browser:
<td><input type="text" name= "TSL1406" class="form-control" placeholder="User Notes"></td>
I'm having trouble retrieving the value when the form is submitted. I would normally use something like this:
$input = $_POST['userNotes']
which I've updated to handle the dynamic naming of the inputs like this:
$input = $_POST['.$recordID.'];
but this is returning an empty variable and I can't work out the correct syntax to retrieve the input from the $_POST array with a dynamically named input field?
single quote " ' " means literal, it won't display your variable name just literally .$recordID.. Try using double quotation instead.
$input = $_POST[".$recordID."];
Only $input = $_POST[$recordID]; without quotes?
or you use arrays like:
<input type="text" name= "form[<?php echo $recordID; ?>]" class="form-control" placeholder="User Notes"></td>
and save everything at once
$input = $_POST['form'];
Why don't you just simply use $_POST[$recordID]? However there is a better way to get POST variable using filter_input(INPUT_POST, $recordID)
I have a website that converts the input texts to QRcode. The problem is that I can only get access to the first input text. For example I have this code:
Page1.php
<form action="getForm.php" method="post">
<input type="text" id="text1id" name="Text1"> //I have access
<input type="number" id="text2id" name="text2"> <br><br> //I dont have access
<input type="submit" value="Submit" name="submit_y">
</form>
I only have access to the first "Text1" because I dont know hot to pass two variables to qr code. This is the code of the qrcode
getForm.php
if(isset($_POST['submit_y'])) {
include('phpqrcode/qrlib.php');
$text=$_POST['Text1'];
//I tried to put here the POST of Text2
$folder="images/";
$file_name="qr.png";
$file_name=$folder.$file_name;
QRcode::png($text,$file_name);
echo"<img src='images/qr.png'>";
//To Display Code Without Storing
//QRcode::png($text);
}
Assign variables to each POST array, then use the one from both to form a third variable from the concatenated ones.
if(isset($_POST['submit_y']))
{
include('phpqrcode/qrlib.php');
$text1=$_POST['Text1'];
$text2=$_POST['text2'];
$text3 = $text1. "" . $text2; // concatenated from previous 2
$folder="images/";
$file_name="qr.png";
$file_name=$folder.$file_name;
QRcode::png($text3,$file_name); // used $text3 from the concatenated variables
echo"<img src='images/qr.png'>";
//To Display Code Without Storing
//QRcode::png($text);
}
However, it is best to also check if any of the inputs are empty.
Sidenote:
In this $text3 = $text1. "" . $text2; you can add anything inside the "" as a separator.
I.e.: using an underscore.
$text3 = $text1. "_" . $text2;
It could also be a space
$text3 = $text1. " " . $text2;
The choice is yours.
So this is my code for the first_name. I have no clue why it does not work whenever I add an entry.
First Name: <input type="text" name="first_name" value="<?php function convertString($first_name){
$first_name=htmlentities(strip_tags($first_name));
$lowercaseFName = strtolower($first_name);
$ucFName = ucwords($lowercaseFName);
return $ucFName;} ?>"/> // I changed it with echo but nothing changed.
My code doesn't change the format of the text.I tried inputting in all caps and it will show as is. Am I missing something or doing it wrong?
The inputted text if all in capital must still be shown as Camel Case format in the table, like this:
First Name: MARIA YLONA (in the form)
First Name: Maria Ylona (in the table) - this is another .php file for viewing of the data entries
Seeing you didn't post your html form or how it's used, am submitting the following as a successful piece of code and using !empty() against a POST array with form tags and an isset() for the submit input.
Btw, functions and variables assignments should be used seperately than in inputs/form elements.
Create a function, then pass it inside the input with the parameter.
<?php
function convertString($first_name){
$first_name=htmlentities(strip_tags($first_name));
$lowercaseFName = strtolower($first_name);
$ucFName = ucwords($lowercaseFName);
return $ucFName;
}
if(isset($_POST['submit'])){
if(!empty($_POST['first_name'])){
$first_name = $_POST['first_name'];
}
}
// here initialize $first_name to something meaningful
?>
<form method="post">
First Name: <input type="text" name="first_name" value="<?php echo(convertString($first_name)) ?>"/>
<input type="submit" name="submit" value="Submit">
</form>
Footnotes:
In regards to what Marc mentioned about McDonald's -> mcdonald's -> Mcdonald's and my MacDonald in comments...
Consult the following here on Stack which may prove to be useful:
Given upper case names transform to Proper Case, handling "O'Hara", "McDonald" "van der Sloot" etc
Data Cleanup, post conversion from ALLCAPS to Title Case
You mention the use of a database, but haven't posted relative code and would be beyond the scope of the question.
To clarify what aynber meant in the comments:
<?php
function convertString($first_name){
$first_name=htmlentities(strip_tags($first_name));
$lowercaseFName = strtolower($first_name);
$ucFName = ucwords($lowercaseFName);
return $ucFName;
}
// here initialize $first_name to something meaningful
?>
First Name: <input type="text" name="first_name" value="<?php echo(convertString($first_name)) ?>"/>
I want to pass a variable to another page by form data. I've looked at other tutorials and codes, i've followed them closely, but the contents of the variable doesn't output. Basically php doesn't work inside the value="". Here's the code.
page 1.
<?php
$hi = 1224;
?>
<form method = "post" action = "page2.php">
<input type = "hidden" Name = "var" Value = "<?phpecho$hi;?>"/>
<input type = "submit" Name = "enter" Value = "Submit"/>
</form>
page 2.
<?php
$test = $_REQUEST['var'];
echo $test;
?>
Nothing is outputted.
I've even tried session variables but somehow they worked but once i refreshed the page, the variables were reset. I've started sessions on all pages etc..
It should be <?php echo $hi; ?> instead of <?phpecho$hi;?>. i.e. you need give space between <?php and echo and its $hi variable as like in below.
<input type = "hidden" name = "var" value = "<?php echo $hi; ?>"/>
When something isn't working, make sure to check the source code for error, don't just look browser's rendering. In the source, you'd clearly have seen that <?phpecho$hi;?> wasn't evaluated, but instead just printed in the source.
So in conclusion, <?phpecho$hi;?> is wrong. Write <?php echo $hi;?>.
Change your line
<input type = "hidden" Name = "var" Value = "<?phpecho$hi;?>"/>
to
<input type = "hidden" name = "var" value = "<?php echo $hi; ?>" />
If possible change the name of the hidden textbox to something relevant instead of var , because var is a reserved word in javascript to avoid confusion.
Instead of
<input type = "hidden" Name = "var" Value = "<?phpecho$hi;?>"/>
Should be, you need spaces in php
<input type = "hidden" name = "var" value = "<?php echo $hi; ?>"/>
try this look to $_POST super global for value :
<?php
$test = $_POST['var'];
echo $test;
?>