I generate this in a view:
<form method="post">
<input type="hidden"
name="test"
value="<?=htmlentities('<>"&ščé', ENT_QUOTES, 'UTF-8')?>">
<input type="submit>
</form>
Now, should I do this when processing data from the form?
$decodedTest = html_entity_decode($_POST['test'], ENT_QUOTES, 'UTF-8');
I think that this should be allright:
$decodedTest = $_POST['test'];
But I have not found a reference to this.
EDIT: I had printed the posted value of test and I had seen that the value is not encoded. What I don't know is If I can rely on this behaviour and why. I am asking about theory of operation. If I look into the raw post request, I can see that the post data is urlencoded (which is I guess a different type of encoding than htmlentities does). Does that mean that client must perform some recoding before sending the request. Does (client) browser store input values in encoded form or decoded form in memory before sending? (I already know that php automatically decodes urlencoded data in requests so that part is fairly clear to me).
You don't really need a reference because printing htmlspecialchars($_POST['test']) (or just setting Content-Type: text/plain) will immediately reveal that the data inside $_POST is not entity-encoded.
You also don't need to call htmlentities to encode the data in the view -- htmlspecialchars will suffice if your aim is to generate valid markup.
Sending the form, you can do it. Better check
Related
I have input in html like this.
<input name="hoteltaxi" type="text" style="text-transform: uppercase;">
These inputs send the information throughout a post method. The PHP file that receive the information, got to save it in a mysql database.
To this point, is ok. Everything is working, but i have a little question about the form style.
If css can transform the value presentation... can also transform the value that i send to php? ¿Or is just presentation? Because, i really need to see this in uppercase, but i need to store with PHP in the original string format (can also be numbers, lowercases, and uppercases, doesn't matter) because from the original string, previously stored, will use it to make a MD5 hash.
The code is my frenemy.
The answer is No
You can see it clearly in this screenshot
If you really want the data to be transformed to uppercase do it on server side like this
$hoteltaxi = strtoupper($_POST['hoteltaxi']);
more about strtoupper
Or if you want it to be done on client-side a little bit of javascript can help you
$('input[name="hoteltaxi"]').change(function(){
var self = $(this);
self.val(self.val().toUpperCase())
})
When I use
<form method="post" enctype="text/plain" action="proc.php">
form data can not be sent to proc.php file properly. Why? What is the problem? Why I can't use text/plain encoding with post but I can use it with get method?
[Revised]
The answer is, because PHP doesn't handle it (and it is not a bug):
https://bugs.php.net/bug.php?id=33741
Valid values for enctype in <form> tag are:
application/x-www-form-urlencoded
multipart/form-data
The first is the default, the second one you need only when you upload files.
#Alohci provided explanation why PHP doesn't populate $_POST array, but store the value inside a variable $HTTP_RAW_POST_DATA.
Example of what can go wrong with text/plain enctype:
file1.php:
<form method="post" enctype="text/plain" action="file2.php">
<textarea name="input1">abc
input2=def</textarea>
<input name="input2" value="ghi" />
<input type="submit">
</form>
file2.php:
<?php
print($HTTP_RAW_POST_DATA);
?>
Result:
input1=abc
input2=def
input2=ghi
No way to distinguish what is the value of input1 and input2 variables. It can be
input1=abc\r\ninput2=def, input2=ghi, as well as
input1=abc, input2=def\r\ninput2=ghi
No such problem when using the other two encodings mentioned before.
The difference between GET and POST:
in GET, the variables are part of URL and are present in URL as query string, therefore they must be URL-encoded (and they are, even if you write enctype="text/plain" - it just gets ignored by the browser; you can test it using Wireshark to sniff the request packets),
when sending POST, the variables are not part of URL, but are sent as the last header in HTTP request (POSTDATA), and you can choose whether you want to send them as text/plain or application/x-www-form-urlencoded, but the second one is the only non-ambiguous solution.
HTML5 does define how to format form data submitted as text/plain here: https://w3c.github.io/html/sec-forms.html#plain-text-form-data.
At the bottom of that section, it says:
Payloads using the text/plain format are intended to be human
readable. They are not reliably interpretable by computer, as the
format is ambiguous (for example, there is no way to distinguish a
literal newline in a value from the newline at the end of the value).
So it not unreasonable that PHP does not attempt to interpret it and only makes it available in raw form. To me, that seems the correct approach.
When I use
<form method="post" enctype="text/plain" action="proc.php">
form data can not be sent to proc.php file properly. Why? What is the problem? Why I can't use text/plain encoding with post but I can use it with get method?
[Revised]
The answer is, because PHP doesn't handle it (and it is not a bug):
https://bugs.php.net/bug.php?id=33741
Valid values for enctype in <form> tag are:
application/x-www-form-urlencoded
multipart/form-data
The first is the default, the second one you need only when you upload files.
#Alohci provided explanation why PHP doesn't populate $_POST array, but store the value inside a variable $HTTP_RAW_POST_DATA.
Example of what can go wrong with text/plain enctype:
file1.php:
<form method="post" enctype="text/plain" action="file2.php">
<textarea name="input1">abc
input2=def</textarea>
<input name="input2" value="ghi" />
<input type="submit">
</form>
file2.php:
<?php
print($HTTP_RAW_POST_DATA);
?>
Result:
input1=abc
input2=def
input2=ghi
No way to distinguish what is the value of input1 and input2 variables. It can be
input1=abc\r\ninput2=def, input2=ghi, as well as
input1=abc, input2=def\r\ninput2=ghi
No such problem when using the other two encodings mentioned before.
The difference between GET and POST:
in GET, the variables are part of URL and are present in URL as query string, therefore they must be URL-encoded (and they are, even if you write enctype="text/plain" - it just gets ignored by the browser; you can test it using Wireshark to sniff the request packets),
when sending POST, the variables are not part of URL, but are sent as the last header in HTTP request (POSTDATA), and you can choose whether you want to send them as text/plain or application/x-www-form-urlencoded, but the second one is the only non-ambiguous solution.
HTML5 does define how to format form data submitted as text/plain here: https://w3c.github.io/html/sec-forms.html#plain-text-form-data.
At the bottom of that section, it says:
Payloads using the text/plain format are intended to be human
readable. They are not reliably interpretable by computer, as the
format is ambiguous (for example, there is no way to distinguish a
literal newline in a value from the newline at the end of the value).
So it not unreasonable that PHP does not attempt to interpret it and only makes it available in raw form. To me, that seems the correct approach.
I was building a simple web based calculator which takes equations from a HTML form, evaluates it on the server using PHP and sends the result back.
I am using Mootools to send the data via the req.send AJAX operation.
But, each time I have a '+' in an equation, it is not seen on the POST data the server gets.
Any ideas why this is happening and how I can work around it?
eg:
10 + 12 in HTML form is seen as 10 12 in the $_POST data.
The Mootools send command I am using is something like this with
<textarea name="equationTextArea">10+12</textarea>
req.send("eqn="+$('equationTextArea').value);
Upon submit, I see $_REQUEST['eqn'] as 10 12.
Try using the function encodeURIComponent over your text value. It, well.. uri encodes your text.
Set your form's encoding to multipart/form-data - this is an alternative to the default application/x-www-form-urlencoded and doesn't encode a space into a plus sign +.
Example from the w3.org reference:
<form action="http://example.com/cgi/handle"
enctype="multipart/form-data"
method="post">
Your text most likely either need to be URLEncoded.
I have an HTML form POSTing to a PHP page.
I can read in the data using the $_POST variable on the PHP.
However, all the data seems to be escaped.
So, for example
a comma (,) = %2C
a colon (:) = %3a
a slash (/) = %2
so things like a simple URL of such as http://example.com get POSTed as http%3A%2F%2Fexample.com
Any ideas as to what is happening?
Actually you want urldecode. %xx is an URL encoding, not a html encoding. The real question is why are you getting these codes. PHP usually decodes the URL for you as it parses the request into the $_GET and $_REQUEST variables. POSTed forms should not be urlencoded. Can you show us some of the code generating the form? Maybe your form is being encoded on the way out for some reason.
See the warning on this page: http://us2.php.net/manual/en/function.urldecode.php
Here is a simple PHP loop to decode all POST vars
foreach($_POST as $key=>$value) {
$_POST[$key] = urldecode($value);
}
You can then access them as per normal, but properly decoded. I, however, would use a different array to store them, as I don't like to pollute the super globals (I believe they should always have the exact data in them as by PHP).
This shouldn't be happening, and though you can fix it by manually urldecode()ing, you will probably be hiding a basic bug elsewhere that might come round to bite you later.
Although when you POST a form using the default content-type ‘application/x-www-form-encoded’, the values inside it are URL-encoded (%xx), PHP undoes that for you when it makes values available in the $_POST[] array.
If you are still getting unwanted %xx sequences afterwards, there must be another layer of manual URL-encoding going on that shouldn't be there. You need to find where that is. If it's a hidden field, maybe the page that generates it is accidentally encoding it using urlencode() instead of htmlspecialchars(), or something? Putting some example code online might help us find out.