  1. #1

    Getting raw HTML in an INPUT to appear in $_POST

    We spend a lot of time ensuring users can't put code into a form input. But I actually want to do this, and have it appear in the $_POST array after submit. I can get it to display in the Input, but the $_POST element is always blank.

    The data starts in MySQL, where (in my case) it's more convenient to save an entire HTML string:
    Code:
    <img class='logo2' src='/graphic/thistlew2010.gif' />
    than just the image name. (This is because it's relatively rare for this DB field to contain anything, and when it does both the class and the image name can vary).

    I can get the HTML string to display in a text input (with or without 'htmlspecialchars' and/or 'strval'), but no matter what I try, when I submit the form, the content of this variable is always blank. If I substitute a plain text string there's no problem, so I think it must be to do with the HTML, the single quotes or the forward slashes.

    Can anyone offer a suggestion, please?
    Tim Dawson
    Isle of Mull, Scotland

  2. #2
    Kalon
    try this

    index.php

    Code:
     
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
        <head>
            <title></title>
        </head>
        <body>
     
            <form action="formProcessor.php" method="post">
                  <input type="text" name="txtInp" value="<img src='pic.jpg' />"/>
                  <input type="submit" value="submit" />
            </form>
     
        </body>
    </html>

    formProcessor.php

    Code:
     
    <?php
     
    // Encode the submitted value so the browser displays the markup as text
    echo htmlentities($_POST['txtInp'], ENT_QUOTES);
     
    ?>

  3. #3
    Thanks, Kalon. I hadn't got around to thinking about specially DE-coding from the $_POST array (I guess because it always appeared blank).

    I've also found that by cutting out the '<img' and ' />' tags (putting them into the main script) I can get the remaining code:
    Code:
    class='logo2' src='/graphic/thistlew2010.gif'
    to survive its passage to $_POST with just the use of 'stripslashes' when I actually require to display the image.

    That still gives me the freedom to use different styles (according to the image size, colour etc.) embedded in the MySQL field. I find this cost effective because only about 5% of the records have an entry in this field, and it's easier to hard code the style than to write conditionals to select it later. It would be different if the proportion were higher.
    Tim Dawson
    Isle of Mull, Scotland

  4. #4
    Kalon
    you're welcome

    if you want to see exactly what htmlentities does, you can view the html source in your browser for your "formProcessor.php".

    basically it just converts the relevant html chars to html entities.

  5. #5
    Yes, good point.

    I did try applying 'htmlentities' at the point where I put the value in the input, along the lines of:
    Code:
    <input name="logo2"...value="<?php echo htmlentities($listing['logo2']); ?>" />
    $listing['logo2'] is the string extracted from the database.
    It put the value in looking OK, and 'View Page Source' showed me the '&lt;' etc. (Actually it's intended to be a hidden input, but I made it text for development purposes.)

    But when I submitted the form and looked at the resulting $_POST array the '$logo2' variable was always blank (I expected it to show something, even if garbled).

    The solution I've got now works satisfactorily, so I shan't try to improve it just for its own sake (only if it breaks down somewhere). Thanks for your interest.
    Tim Dawson
    Isle of Mull, Scotland
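
The round trip this thread is about, as an added example that is not any poster's code: the stored string is entity-encoded into the input, comes back raw in `$_POST`, and is checked against an allow-list before being rebuilt into an `<img>` tag. The function names, the allow-list pattern and the tampered value are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names and the allow-list
// pattern are assumptions chosen to fit the sample value quoted in post #3.

// 1. Writing the stored string into the form: encode it for the attribute.
function hidden_input(string $name, string $stored): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s" />',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($stored, ENT_QUOTES, 'UTF-8')
    );
}

// 2. What a browser submits: it decodes the entities in the attribute, so
//    $_POST receives the original raw string (simulated here for CLI use).
function as_submitted(string $inputHtml): string
{
    preg_match('/ value="([^"]*)"/', $inputHtml, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// 3. Using the posted value: accept only a class and a /graphic/ image path
//    of the expected shape, then rebuild the tag from the validated parts.
function logo_tag(string $posted): ?string
{
    $re = "~^class='([A-Za-z][\w-]*)' src='(/graphic/[\w-]+\.(?:gif|png|jpe?g))'\z~";
    if (!preg_match($re, trim($posted), $m)) {
        return null; // anything else is rejected, not repaired
    }
    return sprintf(
        '<img class="%s" src="%s" alt="" />',
        htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($m[2], ENT_QUOTES, 'UTF-8')
    );
}

$stored   = "class='logo2' src='/graphic/thistlew2010.gif'"; // from post #3
$tampered = $stored . " title='added'";                      // constructed
$posted   = as_submitted(hidden_input('logo2', $stored));

var_dump($posted === $stored);                         // round-trip comparison
echo htmlentities($posted, ENT_QUOTES, 'UTF-8'), "\n"; // encoded for display as text
echo logo_tag($posted), "\n";                          // tag rebuilt from validated parts
var_dump(logo_tag($tampered));                         // value with an extra attribute
```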

