We spend a lot of time ensuring users can't put code into a form input. But I actually want to do this, and have it appear in the $_POST array after submit. I can get it to display in the input, but the $_POST element is always blank.
The data starts in MySQL, where (in my case) it's more convenient to save an entire HTML string:
<img class='logo2' src='/graphic/thistlew2010.gif' />
than just the image name. (This is because it's relatively rare for this DB field to contain anything, and when it does both the class and the image name can vary).
I can get the HTML string to display in a text input (with or without 'htmlspecialchars' and/or 'strval'), but no matter what I try, when I submit the form, the content of this variable is always blank. If I substitute a plain text string there's no problem, so I think it must be to do with the HTML, the single quotes or the forward slashes.
Can anyone offer a suggestion, please?
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<form action="formProcessor.php" method="post">
<input type="text" name="txtInp" value="<img src='pic.jpg' />"/>
<input type="submit" value="submit" />
</form>
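A worked PHP version of the round trip the question describes (HTML string from the database into an input value, back out of $_POST, then displayed), added here as an example; it is not code posted by anyone in this thread. It assumes a row $listing with the logo2 field from the question, and the helper names logoFieldForInput, logoFromPost and logoToRender are chosen for this example only. The form posts to itself so the whole thing runs from one file.

```php
<?php
// Added example, not from the thread. Assumed names: $listing['logo2'] stands in for
// the MySQL field; logoFieldForInput, logoFromPost and logoToRender are this example's own.

// Escape a raw HTML string so it survives as the literal value of an input attribute.
// ENT_QUOTES matters here: the stored string uses single quotes ('logo2', '/graphic/...').
function logoFieldForInput($html) {
    return htmlspecialchars($html, ENT_QUOTES, 'UTF-8');
}

// Read the value back. The browser decodes &lt; &gt; &#039; before submitting, so
// $_POST already holds the original string; stripslashes is only needed when the
// legacy magic_quotes_gpc setting (PHP < 5.4) added backslashes on the way in.
function logoFromPost(array $post, $key = 'logo2') {
    if (!isset($post[$key]) || !is_string($post[$key])) {
        return null;
    }
    $value = $post[$key];
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// The posted value is user-controlled even when the input is type="hidden", so echoing
// it as markup is a reflected XSS sink. Render only the exact markup already on file for
// this record; anything else is dropped.
function logoToRender($posted, $fromDb) {
    return ($posted === $fromDb) ? $fromDb : '';
}

// Constructed sample row standing in for the database fetch.
$listing = array('logo2' => "<img class='logo2' src='/graphic/thistlew2010.gif' />");

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $posted = logoFromPost($_POST);
    // Show the raw string as text (escaped), then render it only if it matches the record.
    echo "<p>Raw \$_POST value: " . htmlspecialchars((string) $posted, ENT_QUOTES, 'UTF-8') . "</p>\n";
    echo logoToRender($posted, $listing['logo2']), "\n";
} else {
    ?>
<form action="" method="post">
  <input type="hidden" name="logo2" value="<?php echo logoFieldForInput($listing['logo2']); ?>" />
  <input type="submit" value="submit" />
</form>
    <?php
}
```

View Page Source on the GET request shows the attribute as `&lt;img class=&#039;logo2&#039; src=&#039;/graphic/thistlew2010.gif&#039; /&gt;`; after submit, $_POST['logo2'] contains the original string with the angle brackets and single quotes intact. Because the hidden field can be edited by whoever submits the form, the example only uses it as a flag and renders the copy from the database; in a real application it is simpler and safer to post the record id and re-read the field.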
Thanks, Kalon. I hadn't got around to thinking about specially DE-coding from the $_POST array (I guess because it always appeared blank).
I've also found that by cutting out the '<img' and ' />' tags (putting them into the main script) I can get the remaining code:
to survive its passage to $_POST with just the use of 'stripslashes' when I actually require to display the image.
That still gives me the freedom to use different styles (according to the image size, colour etc.) embedded in the MySQL field. I find this cost effective because only about 5% of the records have an entry in this field, and it's easier to hard code the style than to write conditionals to select it later. It would be different if the proportion were higher.
If you want to see exactly what htmlentities does, you can view the HTML source in your browser for your "formProcessor.php".
Basically it just converts the relevant HTML chars to HTML entities.
Yes, good point.
I did try applying 'htmlentities' at the point where I put the value in the input, along the lines of:
<input name="logo2" ... value="<?php echo htmlentities($listing['logo2']); ?>" />
$listing['logo2'] is the string extracted from the database.
It put the value in looking OK, and 'View Page Source' showed me the '<' etc. (Actually it's intended to be a hidden input, but I made it text for development purposes.)
But when I submitted the form and looked at the resulting $_POST array the '$logo2' variable was always blank (I expected it to show something, even if garbled).
The solution I've got now works satisfactorily, so I shan't try to improve it just for its own sake (only if it breaks down somewhere). Thanks for your interest.