PHP - Input hidden fields with variables that contain quotes - php

I am trying to make an editor for a job offer. It must have a preview function. There are 2 forms. The first form submits the preview; the second one appears when the preview is there and sends the variables to save them in the database. The problem is that when the second form gets submitted, all quotes disappear. I tried mysql_real_escape_string, htmlspecialchars, htmlentities, but nothing works. Do you have an idea where the problem is?
Could it be that there's a problem because I use the variable '$content' to store the site's content, instead of making a direct output with 'echo'?
Thanks!
<td><input style='float:left;' type='submit' name='jobpreview' value='preview' />
</form>";
if(isset($_GET['preview']))
{
$_POST['titel'] = htmlentities($_POST['titel']);
$_POST['elm1'] = htmlentities($_POST['elm1']);
$content .= " <td><form action='?s=intern&sub=neuerjob&preview' method='POST'>
<input type='hidden' name='titel' value='".$_POST['titel']."' />
<input type='hidden' name='elm1' value='".$_POST['elm1']."' />
<input style='float:left;' type='submit' name='jobsave' value='save' />
</form></td></tr></table>";
}

You need to use the second parameter to htmlentities() to encode the quotes.
$titel = htmlentities($_POST['titel'], ENT_QUOTES);
$elm1 = htmlentities($_POST['elm1'], ENT_QUOTES);
<input type='hidden' name='titel' value='".$titel."' />
<input type='hidden' name='elm1' value='".$elm1."' />
For this purpose, htmlentities() is overkill though, and you can use htmlspecialchars()
also with the ENT_QUOTES param.
$titel = htmlspecialchars($_POST['titel'], ENT_QUOTES);
$elm1 = htmlspecialchars($_POST['elm1'], ENT_QUOTES);
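The truncation described in this thread, reproduced as an added example (not code from the original posts): with a single-quoted `value` attribute, an unencoded apostrophe ends the value early, and `ENT_QUOTES` prevents that. The helper names and the sample title are constructed; `ENT_COMPAT` is passed explicitly because PHP 8.1 made `ENT_QUOTES` part of the default flags.

```php
<?php
// Added example: names and sample data are constructed for illustration.

// Render one hidden input with a single-quoted value attribute, as the
// question's form does. $flags selects what htmlspecialchars() encodes.
function hidden_field(string $name, string $value, int $flags): string
{
    return "<input type='hidden' name='"
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
        . "' value='" . htmlspecialchars($value, $flags, 'UTF-8') . "' />";
}

// Approximate what a browser submits: take the text between the quotes
// of value='...' and decode the entities in it.
function submitted_value(string $html): string
{
    preg_match("/value='([^']*)'/", $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$title = "Driver's mate \"urgent\" <b>f/m</b>";   // constructed sample

// ENT_COMPAT (the default before PHP 8.1) leaves ' untouched, so the
// attribute ends at the apostrophe and the rest of the title is lost.
$weak = hidden_field('titel', $title, ENT_COMPAT);
// ENT_QUOTES encodes both ' and ", so the whole title survives.
$safe = hidden_field('titel', $title, ENT_QUOTES);

var_dump(submitted_value($weak));             // what the save step receives
var_dump(submitted_value($safe) === $title);  // full round trip check
echo $safe, PHP_EOL;
```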

Related

Passing php variable as hidden input where html is contained in one echo

<?php
if(isset($_POST['btnLogin'])){
$myVariable = $_POST['fieldParameter'];
if(condition){
//do something
}else{
echo "
<form method='POST' action='submit.php'><br/>
<input type='hidden' name='myVariable' value='<?php echo $myVariable; ?>'/>
<br/>
<input type='submit' name='btnSubmit' id='submit' value='Submit'>
</form>
";
}
}
?>
Notice that the variable $myVariable is contained in the main IF block. I'm trying to send the value of $myVariable to submit.php as hidden field.
Also, I enclosed all the HTML tags using one echo statement with double quotes.
I found related questions here on SO but can't find one similar to embedding PHP within a long echo of HTML tags.
I tried to put value='<?php echo $studentNo; ?>' with no success.
I want to access it in a submit.php file like this,
submit.php
<?php
$aVariable = $_POST['myVariable'];
echo $aVariable;
?>
How can I pass the value contained in $myVariable as hidden field? Is there something wrong with the way I use double and single quotes?
If you are already echoing a string you shouldn't put <?php echo "" ?> inside it again. You should concatenate your string instead. But in your case you don't even need to do that, because you're using double quotes for echoing which means you can simply just write your variable in it.
echo "<form method='POST' action='submit.php'><br/>
<input type='hidden' name='myVariable' value='$myVariable'/>
<br/>
<input type='submit' name='btnSubmit' id='submit' value='Submit'>
</form>";
If you were using single quotes for your echo, it would look like this:
echo '<form method="POST" action="submit.php"><br/>
<input type="hidden" name="myVariable" value="' . $myVariable . '"/><br/>
<input type="submit" name="btnSubmit" id="submit" value="Submit">
</form>';
You just need to type $myVariable instead of in your string. Double quotes "" only creates a string literal. It doesn't directly output data like inline HTML. As you can see from the syntax coloring in StackOverflow, the
You can try these variants (simplified):
// code before
echo "<input type='hidden' name='myVariable' value='$myVariable'/>";
// code after
// OR //
// code before
?>
<input type='hidden' name='myVariable' value='<?= $myVariable ?>'/>
<?php
// code after
Note that the quotes you use in HTML don't affect PHP, as long as you escape them properly (use \" and \' where appropriate).

Why is my unserialize returning empty?

This could be a duplicate, but I couldn't find any that helped.
I'm trying to pass an array of all the data to another page, through the post method of a form. It looks like this:
<form method="post" action="../resource_load/export.php" target="_blank">
<input type="hidden" name="tipo" value="<?=$_GET['tipo']?>">
<input type='hidden' name='excel_array' value='<?php echo htmlentities(serialize($_SESSION['excel_array']))?>'>
<input type='submit' class='submit' id='btnExport' value='Export to Excel' />
So here I serialize the $_SESSION data, and this is what it looks like:
value="a:1:{s:12:"dpi_strategy";a:1:{s:5:"Plan1";a:1:{i:0;a:9:{i:0;s:3:"PCR";i:1;s:11:"Description";i:2;s:4:"Task";i:3;s:8:"Resource";i:4;s:13:"Baseline Plan";i:5;s:10:"Trend Date";i:6;s:4:"User";i:7;s:20:"Data Inicialização";i:8;s:6:"Status";}}}}
And here is where I unserialize:
$Excel_array = htmlentities(unserialize($_POST['excel_array']));
Yet, it returns null. Why is that?
If you do this, use htmlentities() to encode and html_entity_decode() to decode with raw values.
Secondly, I don't believe it is a good idea to output the data of serialize and unserialize user-submitted data. The reason is code injection, which is a major security issue.
Instead, use json_encode() and json_decode().
Now, because I see you have special chars in your array (Data Inicialização), you are indeed correct to convert those characters to another entity, but as long as you have everything in UTF-8 it will work.
<input type='hidden' name='excel_array' value='<?php echo json_encode($_SESSION['excel_array']) ?>'>
And:
# ../resource_load/export.php
var_dump(json_decode($_POST['excel_array']));
<?php
$temp = array();
$temp['aaa'] = "aaaaaaaaaaaaaaaaaaaaaaa";
$temp['bbb'] = "bbbbbbbbbbbbbbbbbbbbbbb";
$temp['ccc'] = "ccccccccccccccccccccccc";
$arr = array();
$arr['excel_array'] = $temp;
?>
<form method="post" action="">
<input type='hidden' name='excel_array' value='<?php echo htmlentities(serialize($arr['excel_array']))?>'>
<input type='submit' class='submit' id='btnExport' value='Export to Excel' />
</form>
<?php
if( isset($_POST['excel_array']) ) {
echo "<pre>";
$Excel_array = unserialize($_POST['excel_array']);
print_r($Excel_array);
}
?>
Remove htmlentities from unserialize, because you will unserialize an array and htmlentities uses strings.
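An added example (not code from the original answers) of the JSON approach suggested above: the array is JSON-encoded, escaped with `htmlspecialchars()` for the attribute, and decoded with `json_decode()` on receipt. It goes one step beyond the thread by attaching an HMAC so the receiving page can reject a modified field; `FIELD_KEY`, `pack_field()` and `unpack_field()` are hypothetical names and the data is constructed.

```php
<?php
// Added example: key, function names and sample data are constructed.
const FIELD_KEY = 'replace-with-a-random-server-side-secret'; // placeholder

// Pack an array for a hidden field: JSON body plus an HMAC so the receiving
// page can detect tampering; escaped for a quoted HTML attribute.
function pack_field(array $data): string
{
    $json = json_encode($data, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE);
    $mac  = hash_hmac('sha256', $json, FIELD_KEY);
    return htmlspecialchars($mac . '.' . $json, ENT_QUOTES, 'UTF-8');
}

// Unpack what the browser posted (entities already decoded by the browser).
// Returns null if the MAC does not match or the JSON is malformed.
function unpack_field(string $posted): ?array
{
    [$mac, $json] = array_pad(explode('.', $posted, 2), 2, '');
    if (!hash_equals(hash_hmac('sha256', $json, FIELD_KEY), $mac)) {
        return null;
    }
    try {
        $data = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

$rows = ['dpi_strategy' => ['Plan1' => [['PCR', 'Data Inicialização', "O'Neil"]]]];
$attr = pack_field($rows);
echo "<input type='hidden' name='excel_array' value='$attr'>", PHP_EOL;

// Simulate the browser decoding the attribute before posting it.
$posted = html_entity_decode($attr, ENT_QUOTES | ENT_HTML5, 'UTF-8');
var_dump(unpack_field($posted) === $rows);                  // intact field
var_dump(unpack_field(str_replace('PCR', 'XXX', $posted))); // modified field
```

Unlike `unserialize()`, `json_decode()` only ever produces scalars, arrays and `stdClass` objects, so a posted value cannot cause application classes to be instantiated.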

Escaping apostrophes and other characters in text area

So I have found that this form I have just falls apart and doesn't even submit the content up until the first apostrophe when someone types in an apostrophe to this text area. How do I go about escaping the contents so they make it into my MySQL table? Thanks!
<form action=\"./functions/notes.php\" method='post'>
<input type='hidden' id='ID' name='ID' value='{$row['ID']}' />
<textarea placeholder=\"Add more notes here...\" name=\"notes\"></textarea><br />
<input type='submit' name='formNotes' id='formNotes' value='Add to Notes' />
</form>
then in the notes.php file
$notesID = $_POST['ID'];
$note = $_POST['notes'];
$date= date('Y-m-d');
$result = mysql_query("UPDATE Project_Submissions SET Notes=CONCAT(Notes,'<br />".$date." ".$note."') WHERE ID ='".$notesID."'");
Apostrophes have special meaning to SQL, so to get them into the data they need to be "escaped". PHP has a quick function for this that also does some security checks to help prevent your database from getting hacked.
$note = mysql_real_escape_string($note);
Ditto on moving away from mysql and onto mysqli.
With mysqli it's similar; you just need to supply the connection variable:
$note = mysqli_real_escape_string($link, $note);
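An added example (not code from the original posts) of the same update written with bound parameters instead of string escaping, which also covers the `ID` value that the escaping above leaves untouched. It assumes PDO with an in-memory SQLite database as a stand-in so it runs offline (SQLite concatenates with `||` where MySQL uses `CONCAT`); `add_note()` and the sample rows are constructed.

```php
<?php
// Added example: an in-memory SQLite table stands in for the MySQL table so
// the script runs offline; table contents and function name are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE Project_Submissions (ID INTEGER PRIMARY KEY, Notes TEXT)");
$pdo->exec("INSERT INTO Project_Submissions (ID, Notes)
            VALUES (1, 'first note'), (2, 'other project')");

// Append a note to one row. Both user-supplied values are bound as
// parameters, so apostrophes in $note and anything in $id stay data.
function add_note(PDO $pdo, string $id, string $note): int
{
    if (!ctype_digit($id)) {
        return 0;                       // reject non-numeric IDs outright
    }
    $stmt = $pdo->prepare(
        "UPDATE Project_Submissions
            SET Notes = COALESCE(Notes, '') || '<br />' || :stamp || ' ' || :note
          WHERE ID = :id"
    );
    $stmt->execute([':stamp' => date('Y-m-d'), ':note' => $note, ':id' => $id]);
    return $stmt->rowCount();           // number of rows changed
}

// A note containing apostrophes is stored whole, in row 1 only.
var_dump(add_note($pdo, '1', "It's the client's call"));
// A malformed ID (constructed) changes nothing.
var_dump(add_note($pdo, "2'", 'x'));
print_r($pdo->query("SELECT ID, Notes FROM Project_Submissions")
            ->fetchAll(PDO::FETCH_ASSOC));
```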

PHP nl2br, help needed with double additions

I have this code
require_once("../Packages/Connection.php");
$create_object = mysql_query("SELECT * FROM `Articles` WHERE `group` = 'News' ORDER BY `id` DESC;");
while($row=mysql_fetch_array($create_object))
{
$time = $row['time'];
$date = date("H:i M jS o ",$time);
print "<form action='Update.php' method='post' float:left;>
<input hidden='hidden' name='articleId' value='$row[id]'>
<input hidden='hidden' name='method' value='update'>
<textarea name='articleText' rows='3' cols='25'>$row[text]</textarea>
<br />
<input type='submit' value=' Update '>
</form><br />
<form action='Update.php' method='post'>
<input hidden='hidden' name='articleId' value='$row[id]'>
<input hidden='hidden' name='method' value='delete'>
<input type='submit' value=' Delete ' onClick='return confirmDelete()'float:left;'>
</form>
<hr><br />";
}
And it outputs the text all right, it changes the new line to <br /> but every time I update, it adds a new one, so the first time I enter a text like:
Hi
My name is Jesper
it outputs Hi <br />
My name is Jesper to the database
and the second time, if I want to change something, like the name..
Hi <br /><br />
My name is JapSeyz
and it continues to add <br />'s.. how do I limit this to only one?
That's because you are using nl2br before storing the text to database. Go and see it there...
The right way is to escape the data (e.g., nl2br) only when viewing. The data in the database should be clear, without any modifications regarding escaping for a particular purpose.
In the <textarea> element, though, new-lines are already handled without need to insert <br> elements in there.
So do not use nl2br when storing data and use it only when printing on a page (not in the form element).
I fixed the nl2br bug with my own function:
if (!function_exists('snl2br')) {
function snl2br( $input ) {
return preg_replace('~(\r?\n\s?)+?~',"<br>",$input);
}
}
I hope it will help you.

problems with htmlspecialchars

I am generating links from the following php code. The links appear in the browser, and the generated html code seems fine, however the links are not click-able. I have tested this in IE and FF, and tried to see with FireBug to no avail.
The code to generate my form
$uploadhtml = htmlspecialchars(json_encode("<form action='up.php' method='post'
enctype='multipart/form-data'>
<label for='file'>Filename:</label>
<input type='file' name='file' id='file'/>
<br />
<input type='hidden' name='pk' value='".$pk."'>
<input type='hidden' name='username' value='".$USERNAME."'>
<input type='submit' name='submit' value='Submit' onclick=\"setTimeout(function() {
updateByPk('Layer2', '".$pk."', '".$brand."', '".$pg."'); } ),1250);\" />
</form>"), ENT_QUOTES);
The resultant html code:
<a onclick="makewindows('"<form action='up.php' method='
post'\r\nenctype='multipart\/form-data'>\r\n<label for='
file'>Filename:<\/label>\r\n<input type='file' name='file' id='file'\/> \r\n<br \/>\r\n<input type='hidden' name='pk' value='
380118179930'>\r\n<input type='hidden' name='username' value='
janmaybach'>\r\n<input type='submit' name='submit' value='
Submit' onclick=\"setTimeout(function() { updateByPk('Layer2',
'380118179930', 'Ed Hardy', '1'); } ),1250);\"
\/>\r\n<\/form>"'); return false;" href="#">Upload files</a>
I guess it's a JavaScript error, but I don't know how to pinpoint it?
edit: The html code without ENT_QUOTES:
<a href="#" onclick="makewindows('"<form action='up.php' method='post'\r
\nenctype='multipart\/form-data'>\r\n<label for='file'>Filename:<\/label>\r\n<input
type='file' name='file' id='file'\/> \r\n<br \/>\r\n<input type='hidden' name='pk'
value='380118185183'>\r\n<input type='hidden' name='username' value='janmaybach'>\r
\n<input type='submit' name='submit' value='Submit' onclick=\"setTimeout(function()
{ updateByPk('Layer2', '380118185183', 'Ed Hardy', '1'); } ),1250);\"
\/>\r\n<\/form>"'); return false;">Upload files</a>
It still is not clickable..., everything seems to be quoted correctly?
When I try without htmlspecialchars, the following html output is produced:
<input type='submit' name='submit' value='Submit' onclick=" settimeout(function()="" {="" updatebypk(="" layer2="" 380118179930="" ed="" hardy="" ,="" 1="" );="" }="" ),1250);="">
'); return false;">Upload files</a>
As said in the comment to the question, this is absolutely horrendous code, and you're suffering the consequences. The main problem is the number of code levels: server code that renders Javascript, that renders HTML - and different escapes at every level that interfere with each other.
To improve the situation, have a separate PHP page with the form and have your popup link open that page - no Javascript required. If you really want to avoid having that separate page at all costs, at least have the Javascript function that generates the form in the header of the page (non-dynamic) and have the link contain only a call to that function with your variables as parameters.
The parameter in your makewindows function is not quoted. Your quotes are escaped (%#39). Replace it with ' and you're done.
Your ENT_QUOTES flag is screwing up the output. If you look closely you'll see that there are no actual quotes in the HTML output - just escaped entities. Make a test that doesn't use htmlspecialchars(). You should escape the quotes with a backslash OR better still add the javascript functionality unobtrusively. jQuery might help you to achieve that http://jquery.com
