PHP string cut off when emailed: simple bug fix help please - php

There's a comment card feature on the website I work at: after the forms are filled out, a PHP mail call is made to email people the comments. However, one of the strings, "comments", is getting cut off. Could someone look at this code and possibly tell me why?
EDIT: Did some testing and discovered that single and double quotes cause the problem. Any advice on dealing with this would be great. Do I want to use stripslashes or some such?
Here is an example of the problem:
Location: The place
Quality: Good
Comments: The Hot Dog at the Grill was labeled with the \\
Email: someemail#email.com
Date: 05/23/11
Time: 13:34
Here is the confirmation page (help much appreciated, it's my first day on the job and I can't figure this out!):
<?php
$date=date("m/d/y");
$time=date("H:i");
$loc=$_POST['location'];
$qual=$_POST['quality'];
$comm=$_POST['comments'];
$em=$_POST['email'];
echo("<p class=\"bodytext\">You are about to send the following information:<span><br><br><span class=\"bodytextbold\">Location:</span> ".$loc."<br><br><span class=\"bodytextbold\">How was your food?:</span>".$qual."<br><br><span class=\"bodytextbold\">Comments: </span>".$comm."<br><br><span class=\"bodytextbold\">Your email address: ".$em);
echo("<form method=\"post\" action=\"comment_card_email.html\">
<input type=\"hidden\" name=\"location\" value=\"".$loc."\">
<input type=\"hidden\" name=\"quality\" value=\"".$qual."\">
<input type=\"hidden\" name=\"comments\" value=\"".$comm."\">
<input type=\"hidden\" name=\"email\" value=\"".$em."\">
<input type=\"hidden\" name=\"date\" value=\"".$date."\">
<input type=\"hidden\" name=\"time\" value=\"".$time."\">
<input type=\"submit\" class=\"bodytext\" value=\"submit comments\" name=\"submit\"></form>");
?>
And here's the html page php script that receives it:
<?php
$location = $_POST['location'];
$quality = $_POST['quality'];
$comments = $_POST['comments'];
$email = $_POST['email'];
$date = $_POST['date'];
$time = $_POST['time'];
$recipients = "someemail#email.com";
function mail_staff($recipients, $location, $quality, $comments, $email, $date, $time){
mail($recipients, "Comment Card#[".$location."]".time(), "The following comment has been submitted:
Location: $location
Quality: $quality
Comments: $comments
Email: $email
Date: $date
Time: $time
", "From:".$email);
}

Went ahead and pulled my comments together and combined them into this answer.
You might want to consider using heredoc for those long echo statements, it will make it much cleaner and easier.
echo <<<FORM
<form method="post" action="comment_card_email.html">
<input type="hidden" name="location" value="$loc">
<input type="hidden" name="quality" value="$qual">
<input type="hidden" name="comments" value="$comm">
<input type="hidden" name="email" value="$em">
<input type="hidden" name="date" value="$date">
<input type="hidden" name="time" value="$time">
<input type="submit" class="bodytext" value="submit comments" name="submit"></form>
FORM;
Your comment about the "\" makes me think that you've accidentally escaped the rest of the string. Make sure your quotes aren't causing issues. From the look of your sample comment, it looks like the user used a double quote and that escaped the rest of your string. Try using htmlspecialchars to escape those quotes instead. htmlspecialchars is a PHP function that escapes HTML-friendly entities from text, so the quotes would be in the &xxxx; format. Thus you would not need to worry about escaping quotes any longer, as that would be taken care of with entities. And it's reversible with htmlspecialchars_decode. So this should work.
$raw = $_POST['comments'];
$stripped = stripslashes($raw);
$comments = htmlspecialchars($stripped, ENT_QUOTES);
Edit: Oops, the form didn't go through for the heredoc, edited it to work.

Related

Building HTML links based on user input with PHP

I am wanting to be able to create links that show up on the links.html page based on user submissions.
The links would follow this format: <a href="URL">TITLE</a>, so quite simplistic.
Users will submit data via this form:
<form action="links.php" method="post">
<input type="text" placeholder= "URL:" name="url" required><br>
<input type="text" placeholder= "Title:" name="title" required><br>
<input type="submit">
</form>
And the PHP I'm using is
<?php
$url = $_POST["url"];
$title = $_POST["title"];
// the unescaped quotes around $url end the string early: this is the problem asked about
$text = "<a href="".$url."">".$title."</a> <br> \n";
$file = fopen("./data/links.html", "a+");
fwrite($file, $text);
fclose($file);
?>
I know that the issue lies with building the ".$url." part, as there are also speech marks. How would you get around this, given that the link requires the <a href="URL">TITLE</a> format?
Thanks in advance.
You would need to add the proper escape slashes for the quoting issue
$text = "<a href="".$url."">".$title."</a> <br> \n";
becomes
$text = "<a href=\"".$url."\">".$title."</a> <br> \n";
Or you could mix single and double quotes and not use escapes -
$text = "<a href='".$url."'>".$title."</a> <br> \n";
As long as the $text string is in double quotes, you can do this:
$text = "<a href='{$url}'>{$title}</a> <br> \n";
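One way to build the line, as an added example (not the asker's or the answerer's code): htmlspecialchars() handles the quote problem, and the URL is checked before it is written, since the stored links.html is served to other visitors. The file path is the one from the question; the sample submissions are constructed.

```php
<?php
// Added example, not from the original post: appending a submitted link to
// links.html with the quoting handled by htmlspecialchars() and the URL
// checked before it becomes an href. Sample values are constructed.

// Returns the URL when it is an absolute http(s) URL, otherwise null. The
// encoding below fixes the quote problem; this check keeps the stored page
// from linking to anything other than web addresses.
function safe_link_url(string $url): ?string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Builds the line the question wants: <a href="URL">TITLE</a> <br>
function link_line(string $url, string $title): ?string
{
    $clean = safe_link_url($url);
    if ($clean === null) {
        return null;
    }
    return sprintf(
        "<a href=\"%s\">%s</a> <br>\n",
        htmlspecialchars($clean, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($title, ENT_QUOTES, 'UTF-8')
    );
}

// Append mode plus an exclusive lock, so two submissions cannot interleave.
function append_link(string $path, string $url, string $title): bool
{
    $line = link_line($url, $title);
    if ($line === null) {
        return false;
    }
    return file_put_contents($path, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed submissions: a title with both kinds of quote, and a URL whose
// scheme is not accepted.
var_dump(link_line('https://example.com/?a=1&b=2', 'Bob\'s "best" page'));
var_dump(link_line('ftp://example.com/file', 'rejected scheme'));
```

Both quotes in the title come out as entities, so they can no longer end the attribute or the string, and append_link('./data/links.html', $url, $title) is the drop-in replacement for the fopen/fwrite block.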

Escaping apostrophes and other characters in text area

So I have found that this form I have just falls apart and doesn't even submit the content up until the first apostrophe when someone types in an apostrophe to this text area. How do I go about escaping the contents so they make it into my MySQL table? Thanks!
<form action=\"./functions/notes.php\" method='post'>
<input type='hidden' id='ID' name='ID' value='{$row['ID']}' />
<textarea placeholder=\"Add more notes here...\" name=\"notes\"></textarea><br />
<input type='submit' name='formNotes' id='formNotes' value='Add to Notes' />
</form>
then in the notes.php file
$notesID = $_POST['ID'];
$note = $_POST['notes'];
$date= date('Y-m-d');
$result = mysql_query("UPDATE Project_Submissions SET Notes=CONCAT(Notes,'<br />".$date." ".$note."') WHERE ID ='".$notesID."'");
Apostrophes have special meaning to SQL, so to get them into the data they need to be "escaped". PHP has a quick function for this that also does some security checks to help prevent your database from getting hacked.
$note = mysql_real_escape_string($note);
DITTO on moving away from mysql and onto MySQLi.
With MySQLi it's similar; you just need to supply the connection variable.
$note = mysqli_real_escape_string($link, $note);
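The same update written with a mysqli prepared statement, as an added example that is not the poster's or the answerers' code: the placeholder carries the apostrophe to the server without any escaping call. Table and column names are the ones from the question; the connection details are placeholders.

```php
<?php
// Added example, not the poster's code: the same UPDATE as a mysqli prepared
// statement, so the apostrophe never needs escaping. Table and column names
// come from the question; the connection details are placeholders.

function append_note(mysqli $db, int $id, string $note): bool
{
    $stmt = $db->prepare(
        'UPDATE Project_Submissions SET Notes = CONCAT(Notes, ?) WHERE ID = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    // The Notes column already mixes <br /> markup with user text, so the
    // note has to be HTML-encoded before it is joined to that markup; SQL
    // quoting is handled entirely by the placeholder.
    $entry = '<br />' . date('Y-m-d') . ' '
           . htmlspecialchars($note, ENT_QUOTES, 'UTF-8');
    $stmt->bind_param('si', $entry, $id);   // s = string, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$db = new mysqli('db-host-placeholder', 'user', 'password', 'database');
$db->set_charset('utf8mb4');

// Constructed input: the apostrophes that stopped the original query.
$note = "Client's reply: it's fine now";
$ok = append_note($db, (int) ($_POST['ID'] ?? 0), $note);
echo $ok ? "note appended\n" : "update failed: {$db->error}\n";
```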

how to properly handle php undefined index

I have a script where a user can input some text, view it, and change it. It looks like that:
if(isset($_POST['change']))
{
$text = $_POST['text'];
echo"
<form method='post' action='datei.php'>
<p>You wrote: $text</p>
<input name='text' type='hidden' size='21' value='$text'>
<input name='submit' type='submit' value='Change'>
</form>";
}else
{
$text = $_POST['text'];
echo"
<form method='post' action='datei.php'>
<p>Write some additional Information</p>
<input name='text' type='text' size='21' value='$text'>
<input name='change' type='submit' value='View'>
</form>";
}
When I load the page the first time, I get the following notification
Notice: Undefined index: text in ...
I found two solutions how to fix the problem:
Ignore Notifications
Use isset()
If I would use isset I would have to change two lines from above to:
if(isset($_POST['text']))$text = $_POST['text'];
and
<input name='text' type='text' size='21' value='"; if(isset($_POST['text'])) echo $text; echo"'>
Since my original form has more than 20 input fields, this would make the code less readable and more likely to cause errors when editing the code. Is there any better way to get around the notification that I currently miss?
First be sure that you define all the variables before using them, like
$text = false;
Plus, checking that a variable is set is always a good practice. Not to mention that you shouldn't be using $_POST directly.
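An added example (not from the post or the answer) of the "define everything first" advice applied to a form with many fields: one table of field defaults, read through a single function, replaces the per-field isset() calls. The extra field names are made up.

```php
<?php
// Added example, not from the original post: read every expected field with
// a default in one place, so no $_POST index is accessed unguarded and the
// form body stays free of isset() calls. The extra field names are made up.

// The fields the form may carry and the value each gets on the first load,
// when there is no POST data at all. Add the remaining fields here instead
// of guarding each one inline.
const FORM_FIELDS = [
    'text'    => '',
    'subject' => '',
    'count'   => '0',
];

// Returns an array with exactly the keys of FORM_FIELDS: unknown POST keys
// are dropped, missing ones take their default, and non-string values (a
// field posted as text[]) fall back to the default as well.
function form_values(array $post): array
{
    $values = [];
    foreach (FORM_FIELDS as $name => $default) {
        $raw = $post[$name] ?? $default;     // ?? is the isset() shorthand
        $values[$name] = is_string($raw) ? $raw : $default;
    }
    return $values;
}

// Encode once when printing, so a quote in the text cannot end the attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$f = form_values($_POST);

if (isset($_POST['change'])) {
    echo "<form method='post' action='datei.php'>\n"
       . "<p>You wrote: " . h($f['text']) . "</p>\n"
       . "<input name='text' type='hidden' size='21' value='" . h($f['text']) . "'>\n"
       . "<input name='submit' type='submit' value='Change'>\n"
       . "</form>\n";
} else {
    echo "<form method='post' action='datei.php'>\n"
       . "<p>Write some additional Information</p>\n"
       . "<input name='text' type='text' size='21' value='" . h($f['text']) . "'>\n"
       . "<input name='change' type='submit' value='View'>\n"
       . "</form>\n";
}
```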

PHP nl2br, help needed with double additions

I have this code
require_once("../Packages/Connection.php");
$create_object = mysql_query("SELECT * FROM `Articles` WHERE `group` = 'News' ORDER BY `id` DESC;");
while($row=mysql_fetch_array($create_object))
{
$time = $row['time'];
$date = date("H:i M jS o ", $time);
print "<form action='Update.php' method='post' style='float:left;'>
<input hidden='hidden' name='articleId' value='$row[id]'>
<input hidden='hidden' name='method' value='update'>
<textarea name='articleText' rows='3' cols='25'>$row[text]</textarea>
<br />
<input type='submit' value=' Update '>
</form><br />
<form action='Update.php' method='post'>
<input hidden='hidden' name='articleId' value='$row[id]'>
<input hidden='hidden' name='method' value='delete'>
<input type='submit' value=' Delete ' onClick='return confirmDelete()' style='float:left;'>
</form>
<hr><br />";
}
And it outputs the text alright; it changes the new line to <br />, but every time I update, it adds a new one, so the first time I enter a text like:
Hi
My name is Jesper
it outputs Hi <br />
My name is Jesper to the database
and the second time, if I want to change something, like the name:
Hi <br /><br />
My name is JapSeyz
and it continues to add <br />'s. How do I limit this to only one?
That's because you are using nl2br before storing the text to database. Go and see it there...
The right way is to escape the data (e.g., nl2br) only when viewing. The data in the database should be clear, without any modifications regarding escaping for a particular purpose.
In the <textarea> element, though, new-lines are already handled without need to insert <br> elements in there.
So do not use nl2br when storing data and use it only when printing on a page (not in the form element).
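An added example (not the original code or the answer's) of that split: the text is stored untouched and nl2br() runs only when the public page is rendered, while the edit form gets plain HTML encoding. Storage is simulated with a variable instead of the Articles table.

```php
<?php
// Added example, not from the post or the answers: keep the article text
// exactly as typed and apply nl2br() only when rendering, so editing the
// article any number of times never accumulates <br /> tags. The storage
// is simulated with a variable in place of the Articles table.

// What goes into the database: the raw text, real newlines, no <br />.
function text_to_store(string $posted): string
{
    return str_replace("\r\n", "\n", $posted);   // normalise line endings only
}

// For the edit form. A <textarea> shows newlines by itself, so only HTML
// encoding is needed, and it is needed: otherwise a </textarea> typed by
// the user would end the field.
function textarea_value(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
}

// For the public page. Encode first, then convert newlines: this order keeps
// the inserted <br /> tags intact while neutralising any markup in the text.
function article_html(string $stored): string
{
    return nl2br(htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'));
}

// Constructed round trip: first submission, then an edit of the name. The
// browser posts the textarea content back with entities already decoded,
// so the edited value is derived from the stored text directly.
$stored = text_to_store("Hi\r\nMy name is Jesper");
$stored = text_to_store(str_replace('Jesper', 'JapSeyz', $stored));

echo "<textarea name='articleText'>" . textarea_value($stored) . "</textarea>\n";
echo article_html($stored), "\n";
printf("stored <br> count: %d, rendered <br> count: %d\n",
    substr_count($stored, '<br'), substr_count(article_html($stored), '<br />'));
```

However many times the text is re-saved through text_to_store(), the stored copy holds no <br /> at all and the rendered page gets exactly one per newline.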
I fixed the nl2br bug with my own function:
if (!function_exists('snl2br')) {
function snl2br( $input ) {
return preg_replace('~(\r?\n\s?)+?~',"<br>",$input);
}
}
I hope it will help you.

PHP - Input hidden fields with variables that contain quotes

I'm trying to make an editor for a job offer. It must have a preview function. There are 2 forms. The first form submits the preview, the second one appears when the preview is there and sends the variables to save them in the database. The problem is that when the second form gets submitted, all quotes disappear. I tried mysql_real_escape_string, htmlspecialchars, htmlentities, but nothing works. Do you have an idea where the problem is?
Could it be that there's a problem because I use the variable '$content' to store the site's content, instead of making a direct output with 'echo'?
Thanks!
<td><input style='float:left;' type='submit' name='jobpreview' value='preview' />
</form>";
if(isset($_GET['preview']))
{
$_POST['titel'] = htmlentities($_POST['titel']);
$_POST['elm1'] = htmlentities($_POST['elm1']);
$content .= " <td><form action='?s=intern&sub=neuerjob&preview' method='POST'>
<input type='hidden' name='titel' value='".$_POST['titel']."' />
<input type='hidden' name='elm1' value='".$_POST['elm1']."' />
<input style='float:left;' type='submit' name='jobsave' value='save' />
</form></td></tr></table>";
}
You need to use the second parameter to htmlentities() to encode the quotes.
$titel = htmlentities($_POST['titel'], ENT_QUOTES);
$elm1 = htmlentities($_POST['elm1'], ENT_QUOTES);
<input type='hidden' name='titel' value='".$titel."' />
<input type='hidden' name='elm1' value='".$elm1."' />
For this purpose, htmlentities() is overkill though, and you can use htmlspecialchars(), also with the ENT_QUOTES param.
$titel = htmlspecialchars($_POST['titel'], ENT_QUOTES);
$elm1 = htmlspecialchars($_POST['elm1'], ENT_QUOTES);
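An added example (not code from any of the posts) that applies this answer and the answer to the first question on the page, the comment-card confirmation form: the hidden inputs are built with htmlspecialchars() and ENT_QUOTES, so quotes in the comment can no longer end the value attribute. Field names come from the comment-card question; the POST data is constructed, and the magic-quotes check only matters on PHP builds older than 5.4.

```php
<?php
// Added example, not from either post: building the confirmation form's
// hidden inputs so quotes and backslashes in user text survive the round
// trip. Field names come from the comment-card question; POST data is constructed.

// Read a POST field, undoing magic_quotes_gpc on PHP builds (< 5.4) that
// still add the backslash seen in the question's sample output.
function raw_post(string $name): string
{
    $value = $_POST[$name] ?? '';
    if (!is_string($value)) {
        return '';
    }
    $magic = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magic ? stripslashes($value) : $value;
}

// Encode for an HTML attribute. ENT_QUOTES covers both ' and ", so the value
// can never close the attribute early; the browser decodes the entities before
// re-posting, so the receiving script gets the original text back unchanged.
function hidden_field(string $name, string $value): string
{
    return sprintf(
        "<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
    );
}

function confirmation_form(array $fields): string
{
    $html = "<form method=\"post\" action=\"comment_card_email.html\">\n";
    foreach ($fields as $name => $value) {
        $html .= hidden_field($name, $value);
    }
    return $html . "<input type=\"submit\" value=\"submit comments\"></form>\n";
}

// Constructed input mirroring the sample in the question.
$_POST = [
    'location' => 'The place',
    'quality'  => 'Good',
    'comments' => 'The Hot Dog at the Grill was labeled with the "wrong" price',
    'email'    => 'someone@example.com',
];
$fields = [];
foreach (array_keys($_POST) as $name) {
    $fields[$name] = raw_post($name);
}
echo confirmation_form($fields);
```

The receiving script needs no htmlspecialchars_decode() because the browser already decoded the entities; it should, though, validate $email with filter_var($email, FILTER_VALIDATE_EMAIL) before placing it in the From: header, so that only a single well-formed address reaches mail().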
