Can't control form when I put HTML in it

old_newbie

Hello,

I have a problem with a form using POST which is driving me nuts. When I put <br><br><br> in one of the fields and hit submit I seem to lose all control of the form and the root public_html page of my (shared) server appears. I can't seem to 'trap' what's going on.

The rest of the file is fine. The page reloads nicely and I can do validation, escape special characters, etc. I have error messages appearing nicely. I only get this odd problem when putting HTML in the fields.

I have put little echo "got here"; statements here and there in the code to try and determine exactly how the flow is going. However I can say with some confidence that as soon as the form is submitted the browser redirects from (for example), old_newbie.com/old_newbies_project/form.php to old_newbie.com

Is there perhaps an environment variable or some php setting which is causing this?

Most grateful for any pointers.

old_newbie

halojoy

why not show some code

the relevant parts of form.php (submit page)
and the action page xxxx.php ( <form action="xxxx.php"> )

I was going to suggest use of htmlspecialchars()
but you say you do this already

however, seems like the html tags in input < > trigger something

old_newbie

Hi thanks yes it's definately the tags < > triggering something.

My form statement:

example form field:

The submit button:

Up the the PHP section I have:

if (isset($_POST['submit'])
{
echo "GOT HERE";
.
.
.
}

But I don't get the GOT HERE if I put <br><br><br> in the form field

halojoy

what happens if you change this line

<form method="post" name="form1" action="<?php echo $_SERVER['PHP_SELF']; ?>">

<form method="post" name="form1" action="">

<form method="post" name="form1" action="form.php">

I suppose:
if (isset($_POST['submit'])
is just typo for
if (isset($_POST['submit']))

It is of course very important that you do either of these.
You can test both of them:

$user_comment = htmlspecialchars( $_POST['comment'] );

$user_comment = htmlentities( $_POST['comment'] );

old_newbie

Thank you for your help halojoy.

Yes, some cut and paste errors there.

Changing the action of the form to "form.php" or "" doesn't make a difference. As soon as I click submit a different web page is loaded.

I can't escape any user input if there is <br><br><br> in it because it bombs out before the code gets there.

TheDefender

old_newbie wrote:
Thank you for your help halojoy.

Yes, some cut and paste errors there.

Changing the action of the form to "form.php" or "" doesn't make a difference. As soon as I click submit a different web page is loaded.

I can't escape any user input if there is <br><br><br> in it because it bombs out before the code gets there.

You say a different web page is loaded when you click on the submit button... That is odd behavior. Do you have a redirect scripted in there somewhere?

As halojoy suggested earlier, it may be best if you post the entire code rather than bits and pieces at this point. The behavior you describe is similar to behavior I'd expect to see if you had another form on the page that didn't have it's </form> closed prior to reaching this form, thus inheriting it's action...

Post form.php as a whole so we can pick it all apart. I'd imagine someone could find the problem pretty quick. If nothing else, we can duplicate your code on our own setups in an effort to recreate the problems to troubleshoot.

old_newbie

OK lovely people, I've stripped this right back to highlight the problem.

Here is the code:

<?php

// If the form has been submitted, validate the entries and insert the message into the database
if (isset($_POST['submit']))
{
	// pick up the values entered in the form
	$sender_name 	= trim ($_POST['sender_name']);
	$sender_email 	= trim ($_POST['sender_email']);
	$comment 		= trim ($_POST['message_body']);


// check for blanks
$form_error_msg = "";

if 		($sender_name == "")	{ $form_error_msg = "You must enter your name";	}
elseif 	($sender_email == "")	{ $form_error_msg = "You must enter an email address"; }
elseif 	($comment == "") 		{ $form_error_msg = "You must enter a comment"; }


if ($form_error_msg == "")
{
	// there is data the form and no error message so we can insert the comment in the database 
	// write_new_message ($sender_name, $sender_email, $comment);

	// header ("Location: thanks.php");
}
else
{
	// there is a form_error_msg to display i.e. the user has has entered something wrong
	// strip any slashes added by PHP (if magic quotes is ON).

	if (get_magic_quotes_gpc () == 1)
	{
		$sender_name 	= stripslashes ($_POST['sender_name']);
		$sender_email 	= stripslashes ($_POST['sender_email']);
		$comment 		= stripslashes ($_POST['comment']);
	}
}
}

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Post a new comment</title>

</head>

<body onLoad="document.forms.form1.sender_name.focus()">
<p>Please leave a comment</p>
<p><?php echo $form_error_msg ?></p>

<form method="post" name="form1" action="newpost.php">

	<table border="0" cellpadding="0" cellspacing="0">

	<tr>
  		<td>Your name:</td>
  		<td><input name="sender_name" type="text" value="<?php echo $sender_name?>"></td>
  	</tr>

	<tr>
  		<td>Your email:</td>
		<td><input name="sender_email" type="text" value="<?php echo $sender_email?>"></td>
	</tr>

	<tr>
		<td nowrap class="formtag">Comment:</td>
		<td><textarea name="comment" cols="41" rows="10" wrap="hard" class="form_field" value="<?php echo $comment?>"></textarea></td>
	</tr>

	<tr>
		<td ></td>
		<td><input name="submit" type="submit" class="form_button" id="submit" value="Submit Comment" /></td>
	</tr>
	</table>
</form>
</body>
</html>

If I just click submit, without filling anything in, I get an error message - so I conclude the page is reloading, $_POST is being set as I expect, and so on.

If I enter <br><br><br> into the Your Name field the browser redirects to the 'home' public_html directory, for example if this file is old_newbie.com/test/newcomment.php after entering the <br>s it redirects to old_newbie.com.

I've removed all PHP and HTML, commented other lines and left in relevant comments - I hope my error is clear to someone!

NogDog

When you echo out the user input back into the form, you need to escape any special characters that might mess up the HTML:

<input name="sender_name" type="text" value="<?php 
echo html_entities($sender_name, ENT_QUOTES); ?>">

Also, it looks like you have a mismatch in variables names and form element names for the comment/message body:

$comment         = trim ($_POST['[color=red]message_body[/color]']);
...
<td><textarea name="[color=red]comment[/color]" cols="41" rows="10" 
wrap="hard" class="form_field" value="<?php echo $comment?>">

old_newbie

Thanks NogDog, I made those changes, still got the same problem ...

I am a newbie alright, but intuitively I feel it is something to do with the way PHP is configured on the server - could that be the case?

halojoy

old_newbie wrote:
Thanks NogDog, I made those changes, still got the same problem ...

I am a newbie alright, but intuitively I feel it is something to do with the way PHP is configured on the server - could that be the case?

I am out of ideas.
Can not see anything in your code, that should cause this malfunction.

This I have said several times and also NogDog now.
Anything that should be displayed, resubmitted, into the form fields should be
treated with htmlspecialchars() or htmlentities()
before echoed again into form.
Like this

<?php

$comment = htmlspecialchars( $comment );
$name = htmlspecialchars( $name );
?>
<input type="text" value="<?php echo $name ?>">
</form>

What both htmlspecialchars() and htmlentities() does is
they remove tags '<' '>' and some other executing chars, writing them in a safe way instead.
It takes the power out of HTML tags.
[man]htmlspecialchars[/man]

[man]htmlentities[/man]

I have one try you could do:
Write a new similar script, with form + submit processor.
And see if this new script does the same.
Write it from scratch. Do not copy and paste!

Another thing you can check:
If you have any .htaccess file with Rewrite

Regards 🙂

NogDog

Don't forget to add the ENT_QUOTES constant as the 2nd parameter to htmlentities() so that it escapes all quotes as well, in order to avoid messed up quoting in your HTML in addition to extraneous angle brackets.

ahundiak

If you still have problems then do a "View Source" on the form from within your browser and paste the results in here. You probably just have a simple unbalanced tag somewhere.

old_newbie

Here is the page source from the browser

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Post a new comment</title>

</head>

<body onLoad="document.forms.form1.sender_name.focus()">
<p>Please leave a comment</p>
<p></p>

<form method="post" name="form1" action="newpost.php">

	<table border="0" cellpadding="0" cellspacing="0">


	<tr>
  		<td>Your name:</td>
  		<td><input name="sender_name" type="text" value=""></td>
  	</tr>

	<tr>
  		<td>Your email:</td>
		<td><input name="sender_email" type="text" value=""></td>

	</tr>

	<tr>
		<td>Comment:</td>
		<td><textarea name="comment" cols="41" rows="10"></textarea></td>
	</tr>

	<tr>
		<td ></td>
		<td><input name="submit" type="submit" class="form_button" id="submit" value="Submit Comment"></td>

	</tr>
	</table>
</form>
</body>
</html>

ahundiak

Your input elements really should end with a /> i.e.
<input name="whatever" type="text" />

I am not seeing any of these <br> elements which you said were messing things up. Are you saying that when <br> is entered into the input file then the form does not post correctly? Thats a bit bizarre.

NogDog

ahundiak wrote:
Your input elements really should end with a /> i.e.
<input name="whatever" type="text" />
...

They most definitely should NOT end with "/>". The specified doctype is "HTML 4.01 Transitional", not a XHTML DTD.

NogDog

With a few minor fixes, the following ran fine for me in both Firefox and IE7. If it does not run correctly for you, please let me know exactly what inputs you used and exactly what unexpected behavior occurred. Also let me know what browser(s) you tested it with.

<?php

// If the form has been submitted, validate the entries and insert the message into the database
if (isset($_POST['submit']))
{
    // pick up the values entered in the form
    $sender_name     = trim ($_POST['sender_name']);
    $sender_email     = trim ($_POST['sender_email']);
    $comment         = trim ($_POST['comment']);


// check for blanks
$form_error_msg = "";

if         ($sender_name == "")    { $form_error_msg = "You must enter your name";    }
elseif     ($sender_email == "")    { $form_error_msg = "You must enter an email address"; }
elseif     ($comment == "")         { $form_error_msg = "You must enter a comment"; }


if ($form_error_msg == "")
{
    // there is data the form and no error message so we can insert the comment in the database
    // write_new_message ($sender_name, $sender_email, $comment);

    // header ("Location: thanks.php");
}
else
{
    // there is a form_error_msg to display i.e. the user has has entered something wrong
    // strip any slashes added by PHP (if magic quotes is ON).

    if (get_magic_quotes_gpc () == 1)
    {
        $sender_name     = stripslashes ($_POST['sender_name']);
        $sender_email     = stripslashes ($_POST['sender_email']);
        $comment         = stripslashes ($_POST['comment']);
    }
}
}

?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Post a new comment</title>

</head>

<body onLoad="document.forms.form1.sender_name.focus()">
<p>Please leave a comment</p>
<p><?php echo $form_error_msg ?></p>

<form method="post" name="form1" action="newpost.php">

    <table border="0" cellpadding="0" cellspacing="0">

    <tr>
          <td>Your name:</td>
          <td><input name="sender_name" type="text" value="<?php echo $sender_name?>"></td>
      </tr>

    <tr>
          <td>Your email:</td>
        <td><input name="sender_email" type="text" value="<?php echo $sender_email?>"></td>
    </tr>

    <tr>
        <td nowrap class="formtag">Comment:</td>
        <td><textarea name="comment" cols="41" rows="10" wrap="hard" class="form_field"><?php echo $comment?></textarea></td>
    </tr>

    <tr>
        <td ></td>
        <td><input name="submit" type="submit" class="form_button" id="submit" value="Submit Comment" /></td>
    </tr>
    </table>
</form>
</body>
</html>

old_newbie

Thanks folks, for all your efforst, but I still get the problem (Firefox 2.0.07 and IE6).

You can see it here http://www.kenpeel.com/test/newpost.php

I really think something is not right on the (shared) server - I'm moving to a new host on Friday.

NogDog

Hmm...that is weird. My suspicion is that it is some sort of filtering going on at the web server level, but one thing to check would be if there is a PHP auto_prepend_file in use. You could run the following in a file to find out:

<?php
echo "Prepend file: " . ini_get('auto_prepend_file');
?>

If no pathname is output, then I would guess it's something in the web server configuration. If there is a value, then it might be interesting to view the contents of that file.

halojoy

there is a setting
force cgi redirect
Could this have something to do with this?
But if all your other php pages work normal
then it should not be anything like this.