[Resolved] Can someone confirm this...

davidjam

I just need confirmation of this. Is it true that POSTED form data that may contain html special characters are automatically decoded on the next page? I have tested this but I just want to make sure I am not seeing things, or perhaps its a browser idiosyncrocy...?

eoghain

If you display the POSTED data back to the browser (not in a textarea) the browser is going to try an parse that data and display it. If it contains HTML then the HTML will get processed and displayed.

devinemke

any HTML entities that are in the value attribute of a form field will be translated into the special characters when the form is submitted. this is not true of actual text inputs like text and textareas, if you type a HTML entities then it will not be converted.

consider this example:

<form action="" method="POST">
<input type="text" name="text">
<input type="hidden" name="hidden" value="this & a m p; that">
<input type="submit" name="submit" value="submit">
</form>

<?php print_r($_POST); ?>

the hidden field will be converted to an actual ampresand but if you typed the same thing into the text filed then you would still have the HTML entity.

*note: i have added spaces to the ampresand entity so this board won't mangle it.

davidjam

Thank you very much for your replies.

This all appears to be desired behavior. So if the user wants to enter & a m p ; then that is what gets posted and entered to the database. If they want to enter an actual ampersand: "&", then that also is what gets entered in the database. Quotation marks and other special characters also work fine. Furthermore, it appears to work very well even if validation failed and the form is reloaded.

Essentially it boils down to the use of two php functions:

$_POST[$key] = addslashes($_POST[$key]); // the very last thing done before writing to database

print "<input type='text' name='name' value='" . htmlspecialchars($_POST[$key],ENT_QUOTES) . "'>";

Any suggestions? 🙂

(I can't see when stripslashes() or html_entity_decode() would come into the picture, but then again I'm rather new)

devinemke

Originally posted by davidjam
...I can't see when stripslashes() or html_entity_decode() would come into the picture...

[man]stripslashes[/man] is quite handy if your server has magic_quotes turned on and you want to display data in the browser before you stick it in the db.

[man]html_entity_decode[/man] is essentially the opposite of [man]htmlspecialchars[/man]

davidjam

Thanks a lot. Resolved. 🙂