Using forms when user enters " or '

AJArmstron

I would be grateful for some help.

I have built a form to collect details about customers which passes information using $_POST. However, I have noticed a problem when speech marks (") are used in the text.

The situation giving me a problem is when I try to allow the user to edit the information they have just entered the value shown is just what comes before the speech mark.

For example if the user typed Hello"there! When the editable form appears the text appears as just Hello

I would be grateful for a solution!

Many thanks!

dagon

htmlentities

AJArmstron

Thank you for recommending to use htmlentities.

However, I am having a problem getting this to work.

To be precise I am using a form. At the moment this is the below code being used:

From this you can see that I am trying to put the contents of the variable $_POST[address1] onto an editable form on the screen. The problem is when the user has previously input a (double) speech mark (") the characters that were input after the speech mark are removed. (So Hello"World becomes shown when using the code above as Hello.)

I am not sure how to use the htmlentities command here. Do I need to use the htmlentities as a php script? If so how do I put it in the line. For example when I try the below the program does not work.

<input type="text" name="address1" value="'.<?php htmlentities($_POST[address1]); ?>.'" style="width: 220px; height: 24px" />

Nothing else seems to work using this command either.
I would be grateful for any suggestions!

Many thanks!

Weedpacket

<?php htmlentities($_POST[address1]); ?>

If this is already inside a PHP block you don't need to start another one. If it isn't, you left out the [man]echo[/man] statement.

AJArmstron

This is my latest line. (However, the problem still remains.)

<?php echo'<input type="text" name="address1" value="'.htmlentities($_POST[address1]).'" style="width: 220px; height: 24px" />'; ?

The problem of entering (earlier in the form which is stored in $_POST[address1]): Hello"World

Using the above code it still displays just Hello

TheoGB

Maybe you need to have Magic Quotes turned on:

http://php.net/manual/en/security.magicquotes.php

You can set this inside the PHP file itself. But I don't remember ever having to turn these on.

bradgrafelman

TheoGB wrote:
Maybe you need to have Magic Quotes turned on:

?!?!?!

You linked to the PHP manual page that explains exactly why you should NEVER intentionally enable magic quotes.. in fact, you should make every effort to disable magic quotes if it is enabled.

@: Post several lines above and below that part of the code that you're working with, and don't forget to use the board's [noparse]

..

[/noparse] bbcode tags as they make your code much easier to read and analyze.

EDIT: Also...

TheoGB wrote:
You can set this inside the PHP file itself.

No, you can't - magic_quotes_gpc does its damage before the script is even executed, so changing the directive's value inside the script would have no effect.

TheoGB

Actually there's no harm in having them turned on beyond how annoying they are. I only mentioned them because it was the only thing I could think of that had affected input from forms for me in the past. It's hardly in the same league as leaving yourself wide open for a SQL-injection, which is what your response seems to imply.

I don't use them and I disable them in my PHP.INI file. I'm pretty sure I tried turning them off in a site where I couldn't set the PHP.INI. I did it by having that as the first line in the global include file on all PHP files.

bradgrafelman

TheoGB;10952513 wrote:
Actually there's no harm in having them turned on beyond how annoying they are.

Actually, there is. magic_quotes_gpc destroys the integrity of incoming data... and for what? It doesn't properly sanitize data for use in DB queries, so you can't even argue that, really.

Besides, if there was "no harm" in having them turne don, why would the PHP manual use the word DEPRECATED in big capital letters like that? Plus, look at the third bullet in the link (to the Security section of the PHP manual) you posted above: "Why not to use Magic Quotes."

TheoGB;10952513 wrote:
It's hardly in the same league as leaving yourself wide open for a SQL-injection, which is what your response seems to imply.

I never implied that you shouldn't sanitize user-supplied data when using it in a SQL query (search for "user-supplied data" posted by "bradgrafelman" - I guarantee you'll find hundreds of threads where I mentioned this over the years).

Besides, as I mentioned above, magic_quotes_gpc doesn't even properly sanitize data for SQL queries.

TheoGB;10952513 wrote:
I'm pretty sure I tried turning them off in a site where I couldn't set the PHP.INI. I did it by having that as the first line in the global include file on all PHP files.

Sorry, but I have to disagree. As the manual says ([man]ini.list[/man]), magic_quotes_gpc can only be set in a .htaccess, httpd.conf, or php.ini file - not within a script itself. This should make sense, since magic_quotes_gpc's role is to alter the GPC data before your script is executed.

Still don't believe me? Click on the link on the fourth bullet ("Disabling Magic Quotes") of the page you linked to above and you'll find this:

PHP Manual wrote:
The magic_quotes_gpc directive may only be disabled at the system level, and not at runtime. In otherwords, use of ini_set() is not an option.

AJArmstron

I still cannot find a solution to the problem of having a user enter " in a form. When they later decide to edit the text any words after the " disappear.

I am not sure that posting the several lines above and below the one provided will be of any use. Really you need the whole lot!?

This must be a common problem. I would be grateful for a solution!

bradgrafelman

AJArmstron;10952544 wrote:
I am not sure that posting the several lines above and below the one provided will be of any use. Really you need the whole lot!?

Posting a few lines above and below will help us see the context that the code is in. Do we need them? No. But then again, we don't need to try to understand your code to help you. :p

Using [man]htmlentities/man should safely convert double quotes to " so that it doesn't break your HTML. Can you show us the resulting HTML when the data gets cut off (e.g. hello"world seems to come out as hello)?

AJArmstron

I have been asked to print several lines of code before and after the line I had used before (and wrote about below using htmlentities). This is it!

<td class="style4" style="width: 179px">
<strong>Last Name:</strong></td>
<td class="style4" style="width: 179px">
<?php echo'<input type="text" name="lname" value="'.$_POST[lname].'" style="width: 180px; height: 24px" /></td>'; ?>
</tr>
<tr>
<td class="style4" style="width: 179px">&nbsp;</td>
<td class="style4" style="width: 179px">&nbsp;</td>
</tr>
<tr>
<td class="style4" style="width: 179px"><strong>Address Line 1:</strong></td>
<td class="style4" style="width: 179px">

<!-- below is the line I used! -->
<?php echo'<input type="text" name="address1" value="'.htmlentities($_POST[address1]).'" style="width: 220px; height: 24px" />'; ?
<!-- aboveis the line I used! -->

</tr>
<tr>
<td class="style4" style="width: 179px">&nbsp;</td>
<td class="style4" style="width: 179px">&nbsp;</td>
</tr>
<tr>
<td class="style4" style="width: 179px"><strong>Address Line 2:</strong></td>
<td class="style4" style="width: 179px">
<?php echo'<input type="text" name="address2" value="'.$_POST[address2].'" style="width: 220px; height: 24px" /></td>'; ?>
</tr>
<tr>

I hope this helps!

Many thanks.

bradgrafelman

Okay, so if you enter a double and/or single quote in for 'address1', what does the resulting HTML look like?

TheoGB

htmlentities works when I try it. You could try using a textarea if you really can't find whatever bug is causing you issues.

Brad, you're right about the magic quotes thing not turning off. I don't agree about the security: turning them on isn't a security risk in and of itself: that's down to the common sense of the coder.

Weedpacket

Two things:
First, [font=monospace]$POST[lname][/font] should be [font=monospace]$POST['lname'][/font] and similarly for the others.

More significantly, the [font=monospace]>[/font] that should be at the end of the problem line is missing (note how the syntax highlighting goes wonky and doesn't straighten itself out until the next [font=monospace]?>[/font]).

AJArmstron

Weedpacket - sorry the key line should have read (as earlier)

<?php echo'<input type="text" name="address1" value="'.htmlentities($_POST[address1]).'" style="width: 220px; height: 24px" />'; ?

You write -
First, $POST[lname] should be $POST['lname']

Are you sure? Won't this somehow clash with the echo ' .... ?

bradgrafelman

The quotes around the array index have nothing to do with the echo statement - they are completely separate.

The reason you need quotes there is because the index 'address1' is a string, and strings are delimited with quotes in PHP.

Weedpacket

AJArmstron wrote:
Weedpacket - sorry the key line should have read (as earlier)
<?php echo'<input type="text" name="address1" value="'.htmlentities($_POST[address1]).'" style="width: 220px; height: 24px" />'; ?

So the [font=monospace]>[/font] that should be at the end of the problem line is still missing (note how the syntax highlighting goes wonky and doesn't straighten itself out until the next [font=monospace]?>[/font]).