form trouble

jasondavis

<input type="hidden" name="message" value="<font size="+1">Congratulations you just received <font color="#336699" face="Arial, Helvetica, sans-serif" size="+2">$2  Dollars </font>from <a href="p=profile&userid=1" class="bluelinkboldlg">JasonDavis</a>.<BR>You can use this money in the  Store or send it to other members, <BR>You can view your Money by clicking <a href="?p=account.money" class="bluelinkboldlg">[HERE]</a></font>">

above is my form the problem is I try toi send a message body in a hidden field but you can see sometimes this will include html and fonts, how to I make it where this will not mess up my page? even though the form field says hidden it does not hide items when there are fonts and things in the body text

bradgrafelman

That's because the syntax is invalid; you need to escape double quotes since you used that as your string delimiter.

Alternatively (and much better), you could store the message in a session. Otherwise, you're allowing the users to manipulate the message however they want (and running into problems like this).

jasondavis

another example please help

$subject = $_GET['subject'];

<input type="hidden" name="subject" value="' .$subject. '">

will turn into this which creates major problems

$subject = $_GET['subject'];

<input type="hidden" name="subject" value="
CRUNK vs T"ECHNO! Lo"ve this ...!! withoutcutting it off">

What function do I run on $subject to fix this, also $subject will be inserted into mysql

zabmilenko

What you see is an example of an injection attack.

Try mysql_real_escape_string()

Weedpacket

Actually, in this case, it's just a matter of the fact that certain characters have special meaning in HTML. <, >, ", and so on; which is why [man]htmlspecialchars[/man] was invented. Use that when you go to write the string into the HTML page.

Or, as bradgrafelman recommends, keep it in a session so that there's no risk of it being accidentally damaged or deliberately manipulated in the first place.