
Odd thing with Form and "Quotes" In a PHP Script

Nick_W

7:02 am on Apr 9, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hi all,

Anyone spot the gotcha here?

I have a function that draws a form. It might look vaguely like this:

[pre]
function draw_form() {
// value as submitted, dropped straight into the attribute
$field2show=$_POST['field'];
$output=<<<EOF
<form method="post" action="blah.php">
<input type="text" name="field" value="$field2show" />
</form>
EOF;

return $output;
}[/pre]

Trouble is that when a double quote is entered in the form field and it's submitted and drawn again the text is cut off from the first quote onward.

Example: th"is -> becomes th when the form is submitted and reprinted.

I've used stripslashes() on it and it doesn't work. I've noticed it has no trouble with single quotes...

SO, where's the idiot mistake?

Many thanks....

Nick

Nick_W

7:24 am on Apr 9, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Ok, solution found, but why?

Using single quotes around the value like this works fine:

<input type="text" name="field" value='$field2show' />

I just don't see why?

Nick

magicsoftware

7:46 am on Apr 9, 2003 (gmt 0)

10+ Year Member



I don't know a lot of PHP or Perl, but it seems that you need to encode the printed value of $field2show as HTML, in order to escape the quotes, i.e. replace " with &quot;

Otherwise the browser sees something like: <...value="th"is"...>

DrDoc

8:06 pm on Apr 9, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



magicsoftware is absolutely right.

Also, remember that this can cause security problems. For example, what happens if the user enters this:

"><?php echo "blah";?> <font size="7

Try it ;)

DrDoc

8:08 pm on Apr 9, 2003 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Oh, and replacing the double quotes with single won't solve the problem...

try

haven't
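An added example, not code posted by anyone in this thread: the draw_form() from the first post rewritten so the submitted value is encoded for an HTML attribute with htmlspecialchars() and ENT_QUOTES, which covers both the double-quote case from the first post and the single-quote case (haven't) DrDoc raises, so it does not matter which quote style the attribute uses. stripslashes() only removes backslashes; it never touches quotes, which is why it made no difference. The call site reading $_POST['field'] and the three constructed inputs are this example's own assumptions.

```php
<?php
// Added example (not from the thread): draw_form() with the value encoded
// for an HTML attribute context before it is put back into the markup.
function draw_form(string $field2show): string {
    // ENT_QUOTES converts both " and ' (plus <, > and &), so the value is
    // safe inside either kind of attribute quoting; the browser decodes the
    // entities back to the original characters when the form is submitted.
    $safe = htmlspecialchars($field2show, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return <<<EOF
<form method="post" action="blah.php">
<input type="text" name="field" value="$safe" />
</form>
EOF;
}

// In the real script this would be: draw_form($_POST['field'] ?? '');
// Constructed inputs: the two quote cases from the thread, and a value
// that tries to close the attribute and inject a tag.
$cases = ['th"is', "haven't", '"><font size="7'];

foreach ($cases as $input) {
    $html = draw_form($input);
    echo $html, "\n";

    // Pull the value attribute back out and decode it, as a browser would.
    preg_match('/value="([^"]*)"/', $html, $m);
    $roundtrip = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');

    // The value survives the round trip intact ...
    assert($roundtrip === $input);
    // ... and the encoded attribute never contains a raw quote or tag bracket,
    // so the input cannot break out of value="..." into the page.
    assert(strpos($m[1], '"') === false && strpos($m[1], '<') === false);
}
```

Run it with the PHP CLI; each form is printed and the assertions pass silently. The encoding step belongs at the point where the value is written into HTML, not where it is read from $_POST, because the same string may later be written somewhere else (a database, a log) that needs a different escaping.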