quotes & other characters causing problems in form

gabeanderson

With apologies in advance if there's an easy answer to this question (I know just enough PHP to make stuff work, but I'm no expert! 🙂 ), I have a form that's having several problems when 3 types of characters are used:

1) Double quotes (") along with all text following it disappear when the "click to make changes" link is used or form is submitted.

2) Ampersands ( & ) disappear when the "click to make changes" link is used (but OK if form is just submitted).

3) Percent signs (%) cause below error and disable the "click here to make changes" link (but OK if form is just submitted):

Warning: printf(): too few arguments in /var/www/html/contact/submit_case.php on line 94

You can see a mostly-filled in version of the form here (without the above characters):

http://tinyurl.com/ahfwa

Thanks in advance for any pointers or suggestions!

-Gabe

devinemke

if PHP is not doing it for you (via magic_quotes_gpc) then you need run the submitted data thru [man]stripslashes[/man] and [man]htmlspecialchars[/man] before displaying the data in the browser. remember to [man]addslashes[/man] back before inserting into a database.

gabeanderson

Thanks very much, devinemke! I've implemented the below:

        $description = htmlspecialchars($description, ENT_QUOTES);
        $description = stripslashes($description);

...before the "click here" link and it seems to be OK when submitting with quotes, but slashes still appear if using the "click here" link. Am I on the right track?

I also added this before it sends to the database:

                        <?php addslashes($description); ?>

Also, the % still causes the error and the & still disappears. Any more thoughts?

Thanks again!

-Gabe

halojoy

Originally posted by devinemke
if PHP is not doing it for you (via magic_quotes_gpc) then you need run the submitted data thru [man]stripslashes[/man] and [man]htmlspecialchars[/man] before displaying the data in the browser. remember to [man]addslashes[/man] back before inserting into a database.

This is a very important thing to know for anyone that wants to use PHP
with forms and different databases, like mySQL.

I did start a thread about this issue in another forum, and learned good things
about magic quotes and proper dealing with slashes to avoid problems.
Even if I do not use MySQL, I think this is a fact we have to consider:
MySQL has different need of slashes, than text only displayed in PHP echo.
Also we should encourage WebServers to turn Magic-Quotes OFF!

Most important for me was the following tutorial at http://www.webmasterstop.com

Magic Quotes and Add Slashes in PHP
By : Harry Fuecks

Bookmark!

🙂

Drakla

The whole addslashes / stripslashes / magic_quotes debacle along with verifying forms got so right up my back, as it seems to take up about 50% of development time when it should take none - well I created this class.

As soon as you create an instance of it then $rh->data will already have all request data stripped, and you can then slash / htmlspecialchars up the whole lot in one command, then farm the $rh->data array out to wherever you need it. It's also got in verification functions that you just pass arrays of names to... just see the example for its use.

I only wrote it about 4 months ago and with I'd had the sense to do it years ago.

Weedpacket

Could we also have a look at the offending printf() statement, and the values of its arguments?

gabeanderson

Drakla- Thanks very much for sharing your class! I'm sure that would be great, but for someone like me who can just get by with PHP, I'm not sure how I'd go about implementing this into my existing code.

Weedpacket- You can see where my troubles begin via this link:

http://tinyurl.com/c88t5
(Click the Proceed button, and then the "Click here to make changes" link to see how slashes keep getting added. Also, once the user actually submits the case, if he or she has used quotes, the slashes appear in the email that we receive.)

What else can I provide? I'm sure this is something I can address without too much effort, but I'm just not clear on what I should be doing.

Thanks for bearing with me!

-Gabe

Weedpacket

printf($format, str_replace('%', '%%', $text_that_might_have_percent_signs_in_it))

We're still missing some code. I don't know exactly what you're doing to the submitted data when you're putting it into the database, and I don't know what you're doing to it when you take it out. Without knowing exactly what you're doing it's hard to give an exact answer as to what the problem is.

gabeanderson

Below are some code snippets from the page (submit_case.php) that shows the confirmation, gives the opportunity to "Click here to make changes," then sends an email, which then logs to our database (complicated reasons for passing through email, but not relevant here).

if (
<snip>
	$description == "" ||
<snip>
	) {

<snip>

printf("<p><h1>Whoops!</h1> <p>You left one of the required fields blank or provided an invalid email address. These are  <b><font color=#990000>required fields</font></b>. Please ");
<snip>
	printf("<a href=\"index.php?confirm=yes&customer=yes&finalcheck=$finalcheck&fullname=$fullname&productKey=$productKey&email=$email&product=$product&company=$company&phone=$phone&OS=$OS&PPT=$PPT&version=$version&reason=$reason&otherTopic=$otherTopic&description=$description");
		}
	printf("\">go back</a>. <p>Your case will <b>not</b> be received until you do this.");

<snip>

<font color="#990000">Confirm the below details and submit your case.</font>
<?php

$description = htmlspecialchars($description, ENT_QUOTES);
$description = stripslashes($description);

<snip>

                    <form action="send_case.php" method="POST">

And here's what happens in send_case.php:

	$send_address = "support@articulate.com";

<snip>

    $message_body = "FROM: $name
<snip>
CASE DETAILS: $description";

    mail($send_address,$subject,$message_body,"From: ".$email);

I'm guessing I should be using addslashes in here somewhere, right?

Thanks again for the assistance! I really appreciate it.

-Gabe

Weedpacket

You're passing all that in the URL? You'll need to use [man]urlencode[/man] on all the variables you're putting in there otherwise (for example) ampersands in the description would be mistaken for the end of the description field.

Also, I don't see any textareas where you're putting the description that has the extra slashes in it, or what exactly you're putting in there, so that's still anyone's guess.