I seem to have found a problem with extract(). In some situations extract will display the contents of a variable to the screen; the browser renders HTML code as if it were echoed or parsed by the web server.
Searching php.net and here on phpbuilder I did not find any reference to this problem.
Here is what I discovered while working up some code to process input from a form which has a textarea element on it.
First, here is the code I started out with, condensed for brevity. This script is used to present the user with their input (display only) to approve or go back and edit.
<?PHP
// script name: validateAdduser.php
extract($_POST);
$notes = stripslashes($notes);
$notes = htmlspecialchars($notes);
echo '
<form method="post" action="/users/adduser.php" name="edit_user">
<input type="hidden" name="notes" value="'.$notes.'">
<textarea name="notes" cols="55" rows="6" READONLY>'.$notes.'</textarea>
<input type="reset" name="action" value="Cancel">
<input type="submit" name="action" value="Edit">
<input type="submit" name="action" value="Add User">
</form>';
?>
Here is part of the script that submits to the code above:
//script name: adduser.php
if ($_SESSION["editAdduser"] )
{
extract($_POST);
$notes = stripslashes($notes);
$notes = htmlspecialchars($notes);
//$notes = nl2br($notes);
}
//...
echo '<form method="post" action="validateAdduser.php" name="edit_user">
<textarea name="notes" cols="55" rows="6">'.$notes.'</textarea>
<input type="reset" name="reset" value="Clear">
<input type="submit" name="action" value="Add">
<input type="submit" name="action" value="Quit">
</form>';
Everything is fine...until a double quote ( " ) is entered in the textarea. From the point of the quote on, this information is displayed!
Further, if the textarea contains <!--, the source of the page is assigned to $notes and then displayed in the textarea (see code above) when $notes is echoed, and the page does not finish rendering.
Note that in the code above I used htmlspecialchars after extract() to prepare $notes for display.
Here is a specific example of what happens:
On the form (in adduser.php) I entered:
" <b>TEST</b><h1>TEST</h1>
When submitted, before the expected form is displayed you will see this:
TEST
TEST
">
Where the "> comes from, I couldn't tell you??
Stranger yet if I enter:
<!--
in the form and submit, the source of the page (validateAdduser.php) is assigned to $notes!
I found that the following code fixes this weirdness.
<?PHP
$_POST["notes"] = stripslashes($_POST["notes"]);
$_POST["notes"] = htmlspecialchars($_POST["notes"]);
extract($_POST);
//...
I then wondered if using output buffering would stop this and tried this:
//...
ob_start();
extract($_POST);
$notes = stripslashes($notes);
$notes = htmlspecialchars($notes);
ob_end_clean();
//...
This did not stop the output from occurring.
Oddly enough, if you select Edit and post back to the first form (adduser.php) extract() does not cause this problem.
Has anyone experienced this or know anything about it?
Is it me? Is my code at fault??
Kevin
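
The output described in the post, markup rendering followed by a stray `">`, is what a browser shows when a double quote reaches a `value="..."` attribute unescaped. The sketch below is an added example, not code from the post: it reads the one expected field instead of calling extract($_POST) and escapes at the point of output. The helper names `h()`, `read_fields()` and `render_confirm_form()` and the sample requests are constructed for illustration, and it assumes magic_quotes_gpc is off or absent (removed in PHP 5.4), so no stripslashes() is needed.

```php
<?php
// Added example: helper names and sample requests are constructed.

// Escape for element content and for quoted attribute values alike.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read only the fields the form is expected to send. Unlike extract($_POST),
// a request cannot create or overwrite other variables in scope.
function read_fields(array $post, array $allowed): array
{
    $out = [];
    foreach ($allowed as $name) {
        $value = $post[$name] ?? '';
        $out[$name] = is_string($value) ? $value : '';
    }
    return $out;
}

// Build the confirmation form; the raw value is escaped once, at output.
function render_confirm_form(array $fields): string
{
    $notes = h($fields['notes']);
    return '<form method="post" action="/users/adduser.php" name="edit_user">' . "\n"
         . '<input type="hidden" name="notes" value="' . $notes . '">' . "\n"
         . '<textarea name="notes" cols="55" rows="6" readonly>' . $notes . '</textarea>' . "\n"
         . '<input type="submit" name="action" value="Edit">' . "\n"
         . '<input type="submit" name="action" value="Add User">' . "\n"
         . '</form>' . "\n";
}

// Constructed requests: the two inputs quoted in the post, plus an extra
// key that extract() would have turned into a variable.
$samples = [
    ['notes' => '" <b>TEST</b><h1>TEST</h1>', 'action' => 'Add'],
    ['notes' => '<!--', 'is_admin' => '1'],
];

foreach ($samples as $post) {
    $fields = read_fields($post, ['notes']);
    $html   = render_confirm_form($fields);
    // Neither the tags nor the comment opener survive into the markup.
    assert(strpos($html, '<b>') === false && strpos($html, '<!--') === false);
    echo $html, "\n";
}
```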