Getting raw HTML in an INPUT to appear in $_POST

ramasaig · December 9, 2010, 12:13am

We spend a lot of time ensuring users can’t put code into a form input. But I actually want to do this, and have it appear in the $_POST array after submit. I can get it to display in the Input, but the $_POST element is always blank.

The data starts in MySQL, where (in my case) it’s more convenient to save an entire HTML string:

<img class='logo2' src='/graphic/thistlew2010.gif' />

than just the image name. (This is because it’s relatively rare for this DB field to contain anything, and when it does both the class and the image name can vary).

I can get the HTML string to display in a text input (with or without ‘htmlspecialchars’ and/or ‘strval’), but no matter what I try, when I submit the form, the content of this variable is always blank. If I substitute a plain text string there’s no problem, so I think it must be to do with the HTML, the single quotes or the forward slashes.

Can anyone offer a suggestion, please ?

system · December 9, 2010, 12:32am

try this

index.php

 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title></title>
    </head>
    <body>
 
        <form action="formProcessor.php" method="post">
              <input type="text" name="txtInp" value="<img src='pic.jpg' />"/>
              <input type="submit" value="submit" />
        </form>
 
    </body>
</html>

formProcessor.php

 
<?php
 
echo htmlentities($_POST['txtInp'],ENT_QUOTES);
 
?>

ramasaig · December 9, 2010, 12:55am

Thanks, Kalon. I hadn’t got around to thinking about specially DE-coding from the $_POST array (I guess because it always appeared blank).

I’ve also found that by cutting out the ‘<img’ and ’ />’ tags (putting them into the main script) I can get the remaining code:

class='logo2' src='/graphic/thistlew2010.gif'

to survive its passage to $_POST with just the use of ‘stripslashes’ when I actually require to display the image.

That still gives me the freedom to use different styles (according to the image size, colour etc.) embeddedin the MySQL field. I find this cost effective because only about 5% of the records have an entry in this field, and it’s easier to hard code the style than to write conditionals to select it later. It would be different if the proportion were higher.

system · December 9, 2010, 1:02am

you’re welcome

if you want to see exactly what [fphp]htmlentities[/fphp] does, you can view the html source in your browser for your “formProcessor.php”.

basically it just converts the relevant html chars to html entities.

ramasaig · December 9, 2010, 8:07am

Yes, good point.

I did try applying ‘htmlentities’ at the point where I put the value in the input, along the lines of:

<input name="logo2"...value="<?php echo htmlentities($listing['logo2'])"; />

$listing[‘logo2’] is the string extracted from the database.
It put the value in looking OK, and ‘View Page Source’ showed me the ‘<’ etc. (Actually it’s intended to be a hidden input, but I made it text for development purposes.)

But when I submitted the form and looked at the resulting $_POST array the ‘$logo2’ variable was always blank (I expected it to show something, even if garbled).

The solution I’ve got now works satisfactorily, so I shan’t try to improve it just for its own sake (only if it breaks down somewhere). Thanks for your interest.