Problem passing html within php variable

Posted: Wed Sep 14, 2005 6:27 pm
by Ness
I have a msg box that accepts html code, then once submitted the preview msg page grabs the msg such as $msg=$_POST['msg'].

Now, using this method, somewhere in the process any HTML code with a " will get a \ automatically added to it, so img src="image.jpg" will become img src=\"image.jpg\". This itself isn't too much of a problem yet, as I can do this:

Code:

<?php
$trans = array("\\" => "");
$msg = strtr($msg, $trans);

echo $msg;
?>
and it will convert back to standard HTML form without the \.

However, if the user approves the post by pressing the submit button, I want to pass $msg on to the final page, such as insert.php?post=$msg.
This is where the problem arises; here is my submit button code:

Code:

echo "<center><form action=\"insert.php?email=$email&title=$title&post=$msg\" method=\"post\"><p><input type=\"submit\" /></p></form>";
Now, before I pass $msg, I need to put the \'s back in so that the "'s are treated correctly, so I do this:

Code:

$trans = array("\"" => "\\\"");
$msg = strtr($msg, $trans);
echo $msg;
Which will correctly place the \'s back in front of the "'s within the HTML string; however, my 'form action' line will look like this when run by the browser:

Code:

<form action="email=a@a.com&title=imagetest&post=<IMG SRC=\"http://img377.imageshack.us/img377/6724/comic14bv9ws.jpg\>" method="post">
Notice the " after .jpg has been removed; the \ is there, however. Everything else in the HTML code is correct.

Why is the " being removed? Since it has a \ in front of it, should it not be skipped like all the other "'s in the statement?

Do I need some way to designate that the variable contains HTML and therefore should not be evaluated, simply passed?

Posted: Wed Sep 14, 2005 6:40 pm
by ryanlwh
First of all, I don't recommend allowing users to submit HTML code directly. They could exploit this and put malicious JavaScript into your pages.

As for the "\": your PHP is set to add slashes to any special characters in the post data automatically. I'd recommend you use the PHP functions addslashes() and stripslashes() instead of strstr.

Posted: Wed Sep 14, 2005 6:46 pm
by Ness
ryanlwh wrote: First of all, I don't recommend allowing users to submit HTML code directly. They could exploit this and put malicious JavaScript into your pages.

As for the "\": your PHP is set to add slashes to any special characters in the post data automatically. I'd recommend you use the PHP functions addslashes() and stripslashes() instead of strstr.


I really just need images and links.

So would it be a better idea to have simple tags like [img] and [url], and before displaying parse those into the appropriate HTML code?

In that case I'm not sure how to strip HTML from the user input.

Posted: Wed Sep 14, 2005 6:50 pm
by feyd
strip_tags(), or the smarter version I linked to from the "Useful Posts" thread (link in my signature), if you want to wipe ~all HTML from the input. If you want to be able to post HTML, htmlentities().

Posted: Wed Sep 14, 2005 6:50 pm
by ryanlwh
strip_tags($str) will strip all the HTML tags.
htmlentities($str) will turn HTML special characters into ASCII code (like <javascript> becomes &lt;javascript&gt;, so it is not harmful).
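The approach the replies converge on (escape everything, then translate only simple [img] and [url] tags into HTML), as an added example that is not code from any poster in this thread; it also shows urlencode() for the query-string hand-off that Ness's form does with backslashes. The function names safe_url() and render_message() and the sample message are constructed for this example.

```php
<?php
// Added example, not code from any post in this thread. Instead of accepting
// raw HTML, accept only [img]...[/img] and [url=...]...[/url], escape every
// other character, and emit only URLs that pass an http(s) whitelist check.

function safe_url(string $url): ?string
{
    $url = trim($url);
    // Only absolute http(s) URLs; this rejects javascript:, data:, etc.
    if (!preg_match('#^https?://#i', $url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return $url;
}

function render_message(string $msg): string
{
    // 1. Neutralise every HTML metacharacter the user typed.
    $out = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    // 2. [img]http://...[/img] -> <img src="...">; drop the tag if the URL fails the check.
    $out = preg_replace_callback(
        '#\[img\](.+?)\[/img\]#is',
        function (array $m): string {
            $url = safe_url(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'));
            return $url === null ? '' : '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '" alt="">';
        },
        $out
    );
    // 3. [url=http://...]label[/url] -> <a href="...">label</a>; keep the (escaped) label otherwise.
    $out = preg_replace_callback(
        '#\[url=(.+?)\](.+?)\[/url\]#is',
        function (array $m): string {
            $url = safe_url(html_entity_decode($m[1], ENT_QUOTES, 'UTF-8'));
            return $url === null ? $m[2] : '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">' . $m[2] . '</a>';
        },
        $out
    );
    return $out;
}

// Constructed sample input (magic-quote backslashes already removed with stripslashes()).
$msg = 'Look: [img]http://example.com/a.jpg[/img] and [url=javascript:alert(1)]click[/url] <b>x</b>';
echo render_message($msg), "\n";
// The preview form must URL-encode the message for the query string, not backslash-escape it.
echo '<form action="insert.php?post=' . urlencode($msg) . '" method="post">', "\n";
```

The sample renders the image, turns the javascript: link into plain text "click", and shows `<b>x</b>` literally instead of as markup.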