Why can't htmlspecialchars() continually encode characters after each form submission? Take a look at the following example:
<?php $_POST['txt'] = htmlspecialchars($_POST['txt']); ?>
<form method="post">
<input name="txt" value="<?=$_POST['txt'] ?>" />
<input type="submit" name="save" value="test" />
</form>
You can see it at running at http://verticalcms.com/htmlspecialchars.php.
Now do the following
1) Type & into the text field
2) Hit the test button once
3) When the page completes post back, hit the test button again
4) When the page completes post back, view the page source code
In the input box, the value is & amp;
I was expecting & amp; amp;
Why is it not & amp; amp; ???
This simply is HTML entity encoding. When using "&" in an HTML attribute, it should be encoded. And this is what you are doing.
So, the browser reads
<input value="&" />
and translates it to an "textbox widget with value '&'".
The same would be true for other special chars:
<input value=""" />
would result in a " character.
When you submit the form, the browser sends these values unencoded, therefore your PHP script receives it like "&", not "&".
The values in $_POST are already html-decoded for convenience. So when your script starts, the following is true:
$_POST['txt'] == '&';
htmlspecialchars('&') == '&'
[edit]
Looks like this needs further explanation
When a form like the one above is submitted to the server by the browser with a single ampersand as the value of 'txt', it puts the following into the body of the request:
txt=&
The value is encoded because the browser would concatenate multiple fields with an ampersand character like
txt=&&user=soulmerge&pass=whatever
PHP takes the transmitted values and decodes them for the convenience of the programmer - it makes an ampersand out of & Now I though this was the reason for the question in the first place - guess I got it wrong. The actual question was answered correctly by Ferdinand.
Related
I have a reservation form and the form action should be:
https://reservations.posthotel.com/smsworld/wc.dll?smsworld~availbox~
But it's not working. When I submit the form, everything from ? is just ignored.
As a solution, I named the first field as
name="smsworld~availbox~&RAD"
It's ALMOST working, the only problem now is that when I submit my form, the "&" is being switched by %26.
The URL that I should get is:
https://reservations.posthotel.com/smsworld/wc.dll?smsworld~availbox~&RAD=10%2F15%2F2014&RDD=10%2F21%2F2014&nights=3&RCA=2
But instead, I'm getting:
https://reservations.posthotel.com/smsworld/wc.dll?smsworld~availbox~%26RAD=10%2F15%2F2014&RDD=10%2F21%2F2014&nights=6&RCA=2
Any suggestions?
Are you using GET or POST (the method attribute on the form) ? If GET, the URL in the action cannot contain query-string parameters. Try using POST instead.
I just made a fiddle for you which has two forms. One using GET (does not work) and the other using POST (Seems to work):
<form action="https://reservations.posthotel.com/smsworld/wc.dll?smsworld~availbox~" method="get">
<input type="submit" value="Submit GET" />
</form>
<form action="https://reservations.posthotel.com/smsworld/wc.dll?smsworld~availbox~" method="post">
<input type="submit" value="Submit POST" />
</form>
http://jsfiddle.net/n80e6Lzv/
What you're observing is URL encoding. Certain characters in URL's are reserved characters, such that you cannot make parts of the URL that contain that character, or else the URL will get misinterpreted. Ampersand is one of those characters.
Consider what a URL with a query string looks like:
http://test.com?name1=value1&name2=value2
As you're probably already aware, the query string variables are separated by an ampersand. URL encoding substitutes a group of characters for a reserved character, to prevent misinterpretations of the URL.
In other words, the URL you're asking for is impossible. Your GET data would be interpreted as:
$_GET = array(
'smsworld~availbox~' => '',
'RAD' => '10/15/2014', //An additional index created by the unencoded ampersand
//etc...
);
If that extra RAD index was your actual intent, that is not possible this way. You should be making use of hidden fields to add RAD as an additional query string variable instead. One form field for each query string variable only.
thanks for all the replies, but I've found a solution for this using a few lines of javascript.
$('.submit-btn').on('click', function(e) {
var checkinDate = $('#checkAvailDate').val(),
guests = parseInt($'#checkAvailAdults').val()) + parseInt($('#checkAvailChildren').val());
var formAction = 'https://reservations.posthotel.com/smsworld/wc.dll?smsworld~availbox~&RAD=10%2F15%2F2014&nights=6&RCA=' + guests;
var win = window.open(formAction, '_blank');
win.focus();
e.preventDefault();
});
I'm not done with formatting all the fields yet, but even then, thank you very much for all the help :)
i have a wordpress plugin that sends a request using file_get_contents() to a url and in-turn receive an image and four variables which ofcoz are already processed so they are just four words. How to i break down this string (using php) so i can take turn the four words into variable again as soon as they are returned, and use them on that page, (page C. )
here is a diagram of what i want to do
http://itmastersworld.com/my_problem.jpg
I have tried placing a form to be part of the string returned but apparently there is no way of manupilating the data inside the form
<form><input id="test" name="avariable" type="hidden" value="<?php echo $xxxx; ?>" /></form>
it works but i cant find a way to use the value="" without submiting the form from the server(using stuff like
$yes = $_REQUEST['avariable']
,) the form is introduced in part B that is, and appears in part c.
Help ???? I basically need my php variable created in part B.!!
Since you already have control on the page B, you can send them with some delimiter and split them? For example lets say the output is
word1,,,word2,,,word3,,,word4
Your code can be
<?php
$vars = explode(",,,", file_get_contents('your_url');
// echo $vars[1];
// echo $vars[2];
// echo $vars[3];
// echo $vars[4];
?>
Ok guys, i've this:
<textarea class="boxCommento1" placeholder="Scrivi un commento.."></textarea>
<input style="width:100%;" type="button" value="Inserisci" onclick="functionThatObtainTextFromTextarea();"/>
When i click on the input button i get the text form the textarea, and i will insert that in my DB using PHP and AJAX, but there's a problem if i write something like this: "What did u do yesterday???" or char like this "&" when i'll get text using php, "?" and "&" won't be recognized of course, because using GET and POST "?" and "&" are used for php url variables... any advice???
PS: Sorry for my english.
Use encodeURIComponent() in the AJAX Javascript.
When you get the variable in PHP with $_GET or $_REQUEST, it'll automatically be decoded, so you don't need to do anything else.
//Javascript
var inserisciValue = encodeURIComponent(theInsertisciValue);
I generate this in a view:
<form method="post">
<input type="hidden"
name="test"
value="<?=htmlentities('<>"&ščé', ENT_QUOTES, 'UTF-8')?>">
<input type="submit>
</form>
Now, should I do this when processing data from the form?
$decodedTest = html_entity_decode($_POST['test'], ENT_QUOTES, 'UTF-8');
I think that this should be allright:
$decodedTest = $_POST['test'];
But I have not found a reference to this.
EDIT: I had printed the posted value of test and I had seen that the value is not encoded. What I don't know is If I can rely on this behaviour and why. I am asking about theory of operation. If I look into the raw post request, I can see that the post data is urlencoded (which is I guess a different type of encoding than htmlentities does). Does that mean that client must perform some recoding before sending the request. Does (client) browser store input values in encoded form or decoded form in memory before sending? (I already know that php automatically decodes urlencoded data in requests so that part is fairly clear to me).
You don't really need a reference because printing htmlspecialchars($_POST['test']) (or just setting Content-Type: text/plain) will immediately reveal that the data inside $_POST is not entity-encoded.
You also don't need to call htmlentities to encode the data in the view -- htmlspecialchars will suffice if your aim is to generate valid markup.
Sending the form, you can do it. Better check
So, I have a basic little script that takes input from an HTML form, is processes by PHP and then writes it to a text file in the form of CSS. I've already got some jerkwad trying to drop tables on the server (There is no SQL but I'd like to keep people from trying none the less) Here is the code that I have thus far, can someone help me block potentially bad input via htmlentities or something else?
The HTML Form
<html><body>
<h4>Codes Form</h4>
<form action="codes.php" method="post">
Username: <input name="Username" type="text" />
Usercode: <input name="Usercode" type="text" />
<input type="submit" value="Post It!" />
</form>
</body></html>
The PHP
<html><body>
<?php
$Friendcode = $_POST['Usercode'];
$Username = $_POST['Username'];
echo "You have recorded the following information on the server ". $Username . " " . $Usercode . ".<br />"; echo "Thanks for contributing!";
$output = ".author[href\$=\"$Username\"]:after { \n"
."content: \" ($Usercode)\" !important\n"
."}";
}
$fp = fopen('file.txt', 'a');
fwrite($fp, $output);
fwrite($fp, "\n");
fclose($fp);
?>
</body></html>
You can use htmlentities to convert html tags to their html equiv. < etc. Or you can use strp_tags to get rid of all html tags. If you are using sql use mysql_real_escape_string to make sql queries safer
Whenever you include data entered by the user in HTML code, it is always a good idea to first encode the data, by passing it into htmlspecialchars().
Think of it as a decontamination chamber. This will ensure that any of the HTML special chacters, such as "<" and ">" (deadly viruses) are properly escaped (killed) and won't show up in your page as "real" HTML tags (won't make your webpage sick).
Similarly, you must also encode user input when including it in SQL queries. The function that you use for this purpose varies depending on the database that you are using. Because of the dynamic nature of PHP, if you are a including numeric value in a SQL query, you must first check to make sure the variable contains a number by using functions such as is_numeric() and ctype_digit().
I think the best way to block HTML is to allow only the characters you think a username or a user code may have.
For example, limit the input to letters, numbers and underscores and trim the whitespaces in the beginning and the end of the string. This validation will fail whenever HTML code is provided as input.
I would suggest doing this on both client and server side, with a regex. A client-side example can be found here: jQuery remove all HTML tags EXCEPT Anchors
What happen if someone directly type the url of code.php in browser. They will get the Notice of undefined offset.
You should make at least a check if $_POST is not empty.
if(isset($_POST['submit']) && !empty($_POST))
{
//do operation
}
Validate the user name and user code for special characters and what you allow them to enter with PHP sever side
#Zer0mod: I'd use strip_tags to get rid of HTML and mysql_real_escape_string to take care of any potential SQL injections.
Use PHP to convert every symbol to HTML numbers! Head on over to htmlentities() for details about doing so.