Any ideas why HTMLENTITIES won't work?

The function htmlentities is not working in my form.

//get data from form
extract($_POST);

the above gets all the data from the form and then the following puts all the separate bits of info into variables:


$organisation = "\nOrganisation: " . $organisation;
$organisation = htmlentities($organisation);
$position = "\nPosition: " . $position;
$position = htmlentities($position);
$email = "\nEmail: " . $email;
$email = htmlentities($email);

Any ideas what is going wrong?

Thank you

Looks like the code supplied is doing what you're asking but not what you want :slight_smile:

Maybe replace htmlentities(…) with strip_tags(…);

http://th.php.net/manual/en/function.strip-tags.php

No :mad::mad::mad:
strip_tags doesn’t work either!!!

It must be my code? strip_tags is commented out …




extract($_POST);
// Set up the email
$to = "Test to me<my email address>";

// put the data into variables
// use the function 'strip_tags' to make it safer
$from_header = "From: $from";
$subject = "CLIENT CONTACT DETAILS VIA WEBSITE";
$text1 = "\nClient contact details: ";
$name = "\n\nName: " . $title . " " . $firstname . " " . $lastname;
//$name = strip_tags($name);
$organisation = "\nOrganisation: " . $organisation;
//$organisation = strip_tags($organisation);
$position = "\nPosition: " . $position;
//$position = strip_tags($position);
$address1 = strip_tags($address1);
//$address1 = strip_tags($address1);
$address2 = "\nAddressline2: " . $address2;
//$address2 = strip_tags($address2);
$city = "\nTown/City: " . $city;
//$city = strip_tags($city);
$county = "\nCounty: " . $county;
//$county = strip_tags($county);
$postcode = "\nPostcode: " . $postcode;
//$postcode = strip_tags($postcode);
$country = "\nCountry: " . $country;
//$country = strip_tags($country);
$telephone = "\nTelephone: " . $telephone;
//$telephone = strip_tags($telephone);

PLEASE HELP ME SOMEONE !!:crazy::crazy:

You need to explain the situation better.

  1. What exactly are you getting in the $_POST array, can you give us print_r results?
  2. What are you trying to do with the $_POST data? remove tags from it? convert tags to entities? remove entities?

Hi JV thanks for responding…

extract($_POST); 

is getting data from a completely separate .html file containing an html form.

I have this code at the top of my PHP file (where my code in above posts is situated)

<?php
// checking referer
$ref = $_SERVER["HTTP_REFERER"];

if ($ref != "http://www.domainname.com/FORM.html") {
    // bad referrer detected, exit script
    print ("<div align=center valign=center><b>Warning:</b> Sorry, you are not allowed to access this page<br><br> [ <a href=\"javascript:window.close()\">Close this window</a> ] </div>");
    exit;
}

The thing is, at the moment someone with bad intentions can put mischievous content into the fields of this form, and all I want to do is SANITIZE the input, basically for SECURITY reasons.

For example I have input this line of text into one of the form fields as a test:

I am going to hack your site, hahaha!
<script type='text/javascript'>
window.location = 'http://www.example.com/'
</script>';

and it sends the user who input the information off to another site, which isn’t what I want!

So basically I’m looking to strip any tags etc. that might be of bad intent.

Have I explained it enough for you? Sorry, I’m a newbie …

Many thanks

Uh oh…
Should I put the htmlentities function actually in the .html form file?

Please help?!

NO JUST TRIED THAT AND IT DOESN’T WORK EITHER

@newhere

I am unable to reproduce the problem that you provided.

I have just tried the sample text input both locally and online (Johns-Jokes.com) and it does not “send the user off to another site”?

Here is the code that I used locally for testing:



    <form action="/search_form" method="post">

      <fieldset class='max_width bgs cgs '>
        <label><i>Top Three Jokes and funny pictures</i></label>
        <label><code class='tar' style='color:#fc9; width:2em; margin-left:15em' ><?php echo $id_day;?></code></label>

        <input
            type  = "submit"
            name  = "search"
            value = 'go'
            class = "flr"
            style = 'margin-right:1.42em'
        />
        <input
            title   = "search jokes"
            type    = "text"
            name    = "filter"
            value   = ""
            size    = "28"
            class   = "flr"
        />
      </fieldset>
    </form>


// Sample Input
/*
    I am going to hack your site, hahaha!
    <script type='text/javascript'>
      window.location = 'http://www.example.com/'
    </script>';	
*/

// text received
  echo '<pre>';
    print_r($_POST);
   var_dump($_POST);
  echo '</pre>';
  die;

// output
Array
(
    [search] => go
    [filter] =>     I am going to hack your site, hahaha!     ';	
)
array(2) {
  ["search"]=>
  string(2) "go"
  ["filter"]=>
  string(144) "    I am going to hack your site, hahaha!     ';	"
}

//


Please supply another sample script that I can test.

Hi John

Not sure I understand your code here. I’ve copied it all into a file using Dreamweaver and it appears to be missing some PHP tags?

Maybe talking at cross purposes… I AM a newbie!

Did you put the whole lot:

I am going to hack your site, hahaha!
<script type='text/javascript'>
  window.location = 'http://www.example.com/'
</script>';

into an input field?

It defo runs the JavaScript and the user ends up at another site, which is what I don’t want…
I have tried the htmlspecialchars, strip_tags and htmlentities functions…

Thanks
newhere

I have not actually put the values in a form and submitted them, but this is what I did:


$test = "I am going to hack your site, hahaha!
<script type='text/javascript'>
window.location = 'http://www.example.com/'
</script>'";

echo htmlentities($test);

// gives me

I am going to hack your site, hahaha!
<script type='text/javascript'>
window.location = 'http://www.example.com/'
</script>'

htmlentities() is an Escaping mechanism designed to protect the viewer of, say, a webpage from abuse – as you have described already.

Escaping is part of the FIEO mantra (Filter Input Escape Output).

Sanitizing (to me) means taking data and removing anything harmful before passing it on.

If you are storing the data in a database you have to Escape it using different methods, say mysql_real_escape_string().

To see what is being put out on a website you have to ideally view the html source code.

This recent blog post might help, although I have not tested any of what the author said - it seems about right.
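As an added example (not code from any post in this thread), the PHP below runs the constructed test payload quoted earlier through both halves of the Filter Input / Escape Output distinction described above; the function names escapeForHtml and stripMarkup are my own.

```php
<?php
declare(strict_types=1);

// Constructed sample input: the text the original poster typed into a form field.
$input = "I am going to hack your site, hahaha!\n"
       . "<script type='text/javascript'>\n"
       . "window.location = 'http://www.example.com/'\n"
       . "</script>'";

// ESCAPE OUTPUT: keep the data intact, but make it inert in an HTML context.
// ENT_QUOTES also converts single quotes, which matters inside attribute values.
function escapeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// FILTER INPUT (sanitize): remove the markup outright before the data goes anywhere.
function stripMarkup(string $value): string
{
    return strip_tags($value);
}

// Run from the CLI, this prints exactly the bytes a browser would receive. In a
// browser the escaped version renders as visible "<script ...>" text, and only
// the page source shows the &lt; and &gt; entities.
echo "--- escaped (what the browser receives) ---\n";
echo escapeForHtml($input), "\n\n";

echo "--- stripped (markup removed, text kept) ---\n";
echo stripMarkup($input), "\n\n";

// The escaped form can sit between tags or inside a quoted attribute value,
// e.g. when re-displaying a submitted value in the form:
echo '<p>' . escapeForHtml($input) . "</p>\n";
echo '<input type="text" name="filter" value="' . escapeForHtml($input) . "\">\n";

// A plain-text e-mail body is not an HTML context: HTML-escaping it only leaves
// literal &lt;script&gt; in the message. Escape for the context you output to.
```

The HTTP_REFERER check shown earlier in the thread is not a substitute for escaping at output: that header is supplied by the client and may be absent or arbitrary, so it does not constrain what reaches the script.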

@newhere

Yes I input the whole Javascript and there was not a problem.

>>> I’ve copied it all into a file using Dreamweaver and it appears to be missing some php tags ?

Sorry about that, I rely too much on my editor to show me the errors. Here is the amended script.



    <form action="/search_form" method="post">

      <fieldset class='max_width bgs cgs '>
        <label><i>Top Three Jokes and funny pictures</i></label>
        <label><code class='tar' style='color:#fc9; width:2em; margin-left:15em' ><?php echo '$id_day';?></code></label>

        <input
            type  = "submit"
            name  = "search"
            value = 'go'
            class = "flr"
            style = 'margin-right:1.42em'
        />
        <input
            title   = "search jokes"
            type    = "text"
            name    = "filter"
            value   = ""
            size    = "28"
            class   = "flr"
        />
      </fieldset>
    </form>


<?php // ADDED THIS LINE

// Sample Input
/*
    I am going to hack your site, hahaha!
    <script type='text/javascript'>
      window.location = 'http://www.example.com/'
    </script>';
*/

// text received
  echo '<pre>';
    print_r($_POST);
   var_dump($_POST);
  echo '</pre>';
  die;

// output
Array
(
    [search] => go
    [filter] =>     I am going to hack your site, hahaha!     ';
)
array(2) {
  ["search"]=>
  string(2) "go"
  ["filter"]=>
  string(144) "    I am going to hack your site, hahaha!     ';    "
}

//