I am developing a web and want to make it so that the user can create some stuff POSTing XML data. For that purpose there is a <textarea> where the user can write (copy/paste) XML and submit it. The problem is that I am losing data: characters such as <, >, and I think others too, get lost.
Maybe it is a framework problem, not sure, I am using Elgg and receiving the data with get_input().
UPDATE1: some code answering the comment:
<form method="POST" action="http://for.bar/slash" enctype="text/xml">
<input name="add" type="submit" value="Create" />
</form>
to receive the data I use elgg get_input()
$data = get_input('data');
If i where to make a wild guess I'd say that there is some kind of auto-magical xss protection being used by get_input(). You could try doing a print_r($_POST); or perhaps elgg is "sanitizing" all of $_POST as well. In this case you may have to base64 encode the data with JavaScript before submitting the request.
According to MDN, the only standard values that should be used in form's enctype attribute are following:
application/x-www-form-urlencoded
multipart/form-data
text/plain
That being said, you can run into unpredictable situations having it to have value application/xml.
Source: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/form#attr-enctype
Related
I'm trying to send a POST request with part of the webpage URL as the parameter. For instance, in this url:
http://testsite.com/confirmEmail/?token=abcdefg
I want to be able to send the input token with the value abcdefg. I want to make this responsive to different token values. Any ideas?
Thanks
This answer is assuming they will do some action on this page, otherwise you would want a redirect.
<?php
$token=$_GET['token'];
?>
<form method="POST">
<input type="hidden" name="token" value="<?php echo htmlentities($token, ENT_QUOTES);?>" />
<!--other form fields and submit button here-->
</form>
UPDATE:
This was a simple answer, to be easily understood, but of course echoing out a get variable straight from the url opens you up to xss. Someone edited my answer to strip quotes from that variable but htmlentities() is also vulnerable to xss. I believe the appropriate function nowadays is htmlspecialchars($token, ENT_QUOTES, "UTF-8"). If you go this route, you need to be careful about which encoding & characters you put in your tokens now, so they aren't stripped, which would probably break your verification process. Looks like it's numeric in the example, so you should be ok. Also remember someone could still post a modified form, so you need to sanitize this token field to prevent injections, but hopefully that's not relevant to this question.
I could see that this question was being asked a lot of times and I did extensive research on what methods could be used to transfer a couple of Javascript variables to a PHP script.
Post data in a form as hidden values
Post to URL, i.e. '/txt.php?h=' + var
Use a cookie
I'm trying write a piece of code that will let you download what you've written in Wrrrite.com - I'm the developer of this website. (I also did a client-side approach of putting the variables into the URI and setting a header to download stuff)
None of this is working. Either there's a character that's causing an error, or there are html elements.
Is there something I can code to guarantee a 1:1 transfer of the work/variables?
Datatype: HTML + various different Characters "!§!' etc.
Output: .txt File, perferably a 1:1 translation of what was being written on the form
You should maybe use a Base64 encoding of your data, before sending it. Have a look at MDN for the JavaScript part and here for the PHP decoding. This should prevent special characters from breaking your code.
Hope it helps
//PHP
if(isset($_REQUST['submit']))
{
$download=$_REQUEST['download'];
// from database get value of all the downloadable items
// and check if the input is in that array then to the suitable thing.
}
//HTML
<form method="post" action=''>
Type :<input type="text" id="txtField" name="txtField" />
<input type="hidden" name='download' />
<input type="submit" name="submit" onclick="return onSubmit() " />
</form>
//Javascript
<script type="text/javascript">
function onSubmit()
{
if(document.getElementById("txtField").value != '')
{
document.getElementById("download").value=document.getElementById("txtField").value;
return true;
}
else
{
alert("Please enter item to download");
return false;
}
}
Here's the Cookie Approach, which doesn't work http://pastebin.com/SKNtxLi5
That just slaps values together without any consideration for the data format used in cookies.
Quirks Mode has a decent guide to cookies with JS if you want to fix that.
However… the point of cookies is that the data persists. It isn't a sensible transform for one shot messages.
I have the following form in a file called "foobar.html":
<!-- other stuff -->
<form method="post" action="foo.php?cat=1">
<input type="text" name="bar" />
<input type="submit" value="foobar" name="foobar" />
</form>
<!-- other stuff -->
And I open this file in a php script with fopen, how do I fill out and submit this form without any input from the user? Thanks
Parse out the action attribute with a HTML parser, and use curl to perform a POST to the appropriate target URL.
Read the entire fire into a variable. Rather than using fopen you might want to consider file_get_contents for that, it's a bit cleaner.
You'll then want to parse that string as HTML. You could use PHP's DOMDocument for that. Get the action and method of the form by traversing the DOM tree to the form tag and reading out those attributes. Next get the names of any inputs within the form tags. Use those names to generate a query string with your key=value pairs. If the method of the form is GET, then append that query string to the form action, otherwise save it in another variable.
Finally, use CURL to "submit" the form. That is, use the form action as the URL for a CURL request. If the form method was GET, you should have already appended the data to the URL, if the method was POST, you'll want to set the data for the CURL request to the data query string you generated from the form names.
If your question extend to how to know what data to fill into what form fields, that is pretty much impossible to solve. Certainly there are some input names you could look for and guess the required data but a universal solution is an impossible problem to solve.
Are you trying to have the user submit the form on their browser, without user interaction? If that's the case, you'll need to resort to javascript, something like:
<body onLoad="document.getElementById('autoSubmit').submit();">
<form id="autoSubmit">
(insert form here)
</form>
</body>
This will automatically submit the form. Some notes: not everyone has JavaScript enabled, so you might want to change the inputs to type="hidden", as well as add a nice big submit button that says Click Here.
I'm newbie in PHP.I want to know that,I taking data by html form and a .php file.
like:
<form id="form1" name="form1" method="post" action="show.php">
<strong>Please Enter the Unique id</strong><br/><br/>
Unique id:
<!-- name of this text field is "tel" -->
<input name="id" type="text" id="id" />
<p>
<input type="submit" name="Submit" value="Submit" />
</p>
</form>
</html>
Then,I used show.php file to get the 'id'.like:
$id=$_POST['id'];
Is there any way to take input by php code???
Update:
In "C" we take ant input by this way
scanf("%d",a);
is there any way to do so in PHP.I think now all you may be clear what I'm trying to say??
Thanks
Yasir Adnan.
What you are you trying to get is wrong!
HTML:- It is the communicator between the user and the browser. It displays the contents according to the user input or html code.It gets data from user or from html code.
Php :- It is the communicator between server and the browser. It has the capability of collecting from some where else other than the code like mysql data base and then uses html to display the content!
Here you are asking php to do html work which is not correct!!
the html
<input name="sb_id" type="text" id="sb_id" />
php
$id=$_POST['sb_id'];
Well, you do take the input by your php code. Your variable $id took the value of $_POST['id'] which contains the input of the textfield.
After this step you can work with the variable like any other
$id = $_POST["sb_id"]; ?
Remember that $_POST["field_name"] where field_name must be match the name attribute of your <input /> tag.
the id attribute of input tag is not sent to server inside the $_POST array. It`s typically used in client-side.
You can get data in your PHP code through GET and POST parameters. Those parameters are part of the HTTP request.
The GET parameters are in the url :
http://mywebsite.com/id=3&name=test
Then you get them using:
$id = $_GET['id'];
$name = $_GET['name'];
So you can get input data through this way when people visit the URL, call it in AJAX, or call the URL in another application (like a webservice). But no matter how it's called, it's the same for you on the PHP side.
The POST parameters are in the HTTP request, you can't pass them through the URL. You can do that by using an HTML form, or by creating the HTTP request yourself. If you are using Javascript to call your PHP code (and pass data to it), you can use AJAX to do that for example. You, in your PHP code, can get the variables this way:
$id = $_POST['id'];
$name = $_POST['name'];
If you want console-style I/O, you should probably check JavaScript/AJAX. The second one will allow you to write your own wrapper that will help you to process the input by your server "on air".
The problem is, you still need to use $_POST for AJAX. And, which is more important, it's easier (and cheaper for the server) to validate and process input by JS (and to validate and process it further on the server-side after submit).
And if the question is "how can I get the variable from the needed format?", the answer is: try using regexps/parsing the string.
Oh, btw: there IS scanf() in php, and it's called 'sscanf' ('fscanf' for files).
Ok, so usually I would lookup the form's action attribute (ex: request.php) and would do a cURL post request to that page, but what if the form is being processed by jQuery?
Example
<form method="post" action="profile/post/USERNAME" id="postForm"
onsubmit="funct.post('USERNAME'); return false;" >
...
<input type="button" class="sendButton" id="sendBtn" value="Send"
onclick="funct.post('USERNAME')" />
I have no idea how to work with this form, I've tried submitting to the /profile/post/USERNAME page, but that doesn't work.
Am I missing something?
Actually, I was having problems because the form is using AJAX to post the form.
If looking through MASSIVE, unformatted amount of jQuery code (like in my case) is a problem and doesn't lead anywhere, then a good idea is to look at the headers that are being sent to the server.
I used HTTP Live Headers addon for Firefox to see just that, and noticed that the actual query was token=4324234324¬e=My+Note&ajax=1
Both token and note were present in the form, token as hidden and note as text input, but the ajax=1 is inserted somewhere when it's processed by jQuery.
Headers Don't Lie!