Problem passing html within php variable

Ness
Forum Newbie
Posts: 2
Joined: Wed Sep 14, 2005 6:04 pm

Problem passing html within php variable

Post by Ness »

I have a msg box that accepts html code, then once submitted the preview msg page grabs the msg such as $msg=$_POST['msg'].

Now, using this method somewhere in the process any html code with a " will get a \ automatically added to it, so img src="image.jpg" will become img src=\"image.jpg\". This itself isn't too much of a problem yet, as I can do this:

    <?php
    // Remove every backslash that was added to the posted text
    $trans = array("\\" => "");
    $msg = strtr($msg, $trans);

    echo $msg;
    ?>
and it will convert back to standard html form without the \.

However, if the user approves the post by pressing the submit button I want to pass $msg on to the final page, such as insert.php?post=$msg
This is where the problem arises. Here is my submit button code:

    // Build the submit form; the message is passed in the action URL
    echo "<center><form action=\"insert.php?email=$email&title=$title&post=$msg\" method=\"post\"><p><input type=\"submit\" /></p></form></center>";
Now, before I pass $msg, I need to put the \'s back in so that the "'s are treated correctly, so I do this:

    // Put a backslash back in front of every double quote
    $trans = array("\"" => "\\\"");
    $msg = strtr($msg, $trans);
    echo $msg;
Which will correctly place the \'s back in front of the "'s within the html string; however, my 'form action' line will look like this when run by the browser:

<form action="email=a@a.com&title=imagetest&post=<IMG SRC=\"http://img377.imageshack.us/img377/6724/comic14bv9ws.jpg\>" method="post">
Notice the " after .jpg has been removed, the \ is there however. Everything else in the html code is correct.

Why is the " being removed? Since it has a \ in front of it, should it not be skipped like all the other "s in the statement?

Do I need some way to designate that the variable contains html and therefore should not be evaluated, simply passed?
ryanlwh
Forum Commoner
Posts: 84
Joined: Wed Sep 14, 2005 1:29 pm

Post by ryanlwh »

First of all, I don't recommend that you allow users to submit html code directly. They could exploit this and put malicious javascripts into your pages.

For the "\": your php is set to add slashes to any special characters in the post-data automatically. I'd recommend that you use the php functions addslashes() and stripslashes() instead of strstr.
Ness
Forum Newbie
Posts: 2
Joined: Wed Sep 14, 2005 6:04 pm

Post by Ness »

ryanlwh wrote: First of all, I don't recommend that you allow users to submit html code directly. They could exploit this and put malicious javascripts into your pages.

For the "\": your php is set to add slashes to any special characters in the post-data automatically. I'd recommend that you use the php functions addslashes() and stripslashes() instead of strstr.


I really just need images and links.

So it would be a better idea to have simple tags like [img] and [url] and, before displaying, parse those into the appropriate html code?

In that case I'm not sure how to strip html from the user input.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

strip_tags() or the smarter version I linked to from the "Useful Posts" thread (link in my signature) if you want to wipe ~all HTML from the input. If you want to be able to post HTML, htmlentities()
ryanlwh
Forum Commoner
Posts: 84
Joined: Wed Sep 14, 2005 1:29 pm

Post by ryanlwh »

strip_tags($str) will strip all the html tags.
htmlentities($str) will turn html special characters into ascii code (like <javascript> becomes &lt;javascript&gt;, so it is not harmful).
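Putting the thread's advice together in one place, as an added example that is not code from any of the posters: escape the whole message first, then turn only the [img] and [url] mini-tags Ness proposed (a hypothetical markup, not a PHP feature) into HTML with a checked http/https URL, and url-encode the message before splicing it into the form's action URL, which is what actually broke at the first quote. The $_POST field names follow the question.

```php
<?php
// Added example (not from the thread). Undo magic_quotes_gpc, the source
// of the stray backslashes, only when it is really on; the function no
// longer exists in PHP 8, hence the function_exists() guard.
function raw_post(string $key): string {
    $val = $_POST[$key] ?? '';
    return (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($val) : $val;
}

// Accept only absolute http/https URLs; anything else (javascript:, data:,
// a bare "onerror=" payload) is returned as null and left as plain text.
function safe_url(string $url): ?string {
    $url = html_entity_decode($url, ENT_QUOTES, 'UTF-8'); // undo the escaping below
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    $ok = filter_var($url, FILTER_VALIDATE_URL) !== false
        && in_array($scheme, ['http', 'https'], true);
    return $ok ? htmlspecialchars($url, ENT_QUOTES, 'UTF-8') : null;
}

// Escape everything, then re-enable just the two tags we allow. Because the
// escaping happens first, a "<script>" typed by the user can never survive
// as markup; the only raw HTML in the output is the HTML we build here.
function render_message(string $msg): string {
    $safe = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    $safe = preg_replace_callback('#\[img\](.+?)\[/img\]#i', function ($m) {
        $u = safe_url($m[1]);
        return $u === null ? $m[0] : '<img src="' . $u . '" alt="">';
    }, $safe);
    return preg_replace_callback('#\[url\](.+?)\[/url\]#i', function ($m) {
        $u = safe_url($m[1]);
        return $u === null ? $m[0] : '<a href="' . $u . '" rel="nofollow">' . $u . '</a>';
    }, $safe);
}

// Never paste raw text into a URL or an attribute: urlencode() for the query
// string, htmlspecialchars() for the attribute value. Re-escaping quotes with
// backslashes, as in the question, does nothing for HTML attributes.
$msg  = raw_post('msg');
$href = 'insert.php?email=' . urlencode($_POST['email'] ?? '')
      . '&title=' . urlencode($_POST['title'] ?? '')
      . '&post=' . urlencode($msg);
echo '<div class="preview">' . render_message($msg) . '</div>';
echo '<form action="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '" method="post">'
   . '<input type="submit" value="Post"></form>';
```

If the message can be long, a hidden form field (escaped the same way) avoids URL length limits; the escaping rules are identical.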