How to deal with special html characters in self-calling form

[dkindler]

I have the following form that is self-calling that needs to be able to handle special characters like ' or ".  Not sure what the right combination of htmlspecialchars or urlencode is to get this to work properly.  Any help would be greatly appreciated!

 

Thanks, David

<form action="mini_banner.php" method="get">
<table>
   <tr>
     <td colspan="5">
         <input type="text" name="text1" style="width: 185px; height:17px;" 
             value="<?php echo $_GET[text1]; ?>" /> 
       </textarea>
</td>
   </tr>
</table>
<input type="submit" value="Create banners" />

</form>

<table cellpadding="10">
<?php
if ($_GET[text1]) {

$text1=$_GET[text1];

echo "<tr><td><IMG src='mini_off.php?text1=$text1'></td></tr>";
}
?>
</table>

[haku]

What exactly is the problem?

[dkindler]

Special characters like single and double quotes are not handled properly.  Not sure how to handle these characters when passing to the other file that creates the banner image.

[haku]

Dude, you are going to have to be more specific than 'not handled properly' if you want help. The amount of help you receive is directly proportional to the amount of information you give when asking for help.

 

You should:

 

1) State what you want to happen.

2) State what is happening

3) State what you have tried that failed

4) Give code

5) Give a link to code in action

 

For each one of these that you leave out, you cut your chances of getting help significantly.

 

So far you have done number 4 only.

[dkindler]

Hi Haku, thanks for your help.  The application is a web page that creates a simple banner using the GD library.  It accepts some text, calls itself and runs the banner creating program (mini_off.php).  When the page is loaded it checks if the form variable has been submitted (text1), if so, it runs mini_off.php and the image appears and the text is also redisplayed in the input textarea, in case the user wants to make any changes.  here is the basic code for mini_on.php

<?php
header('Content-type: image/gif');

session_cache_limiter('public');

// Create the image
$imgname1 = 'mini_banner_on.gif';
$im1 = @imagecreatefromgif($imgname1);
$gel = imagecolorallocate($im1, 36, 35, 35);
imagefilledrectangle($im1, 200, 1, 209, 64, $gel);
$grey1 = imagecolorallocate($im1, 101, 118, 131);

// The text to draw
$text1 = $_GET[text1];

// Replace path by your own font path
$font1 = 'HelvNeue_reg1.ttf';

// Add the text
imagettftext($im1, 10.5, 0, 16, 23, $grey1, $font1, $text1);

imagegif($im1);
imagedestroy($im1);

?

 

This runs fine if the text inputed has no special characters.  If a single quote is entered, for example, the quote is replaced with 2 forward slashes and the input text area on the form also gets a forward slash in front of the quote since it is calling itself.  I have tried using htmlspecialchars when calling mini_on.php and using various combinations of urlencode and urldecode to get both the form text input value and the banner text to show up properly and I cannot get it to work.  I think if I were to separate the pages and have the form call another page that might work better but I want to keep it this way in case the banner text is incorrect the user can make a quick change.

I can not provide a link to the code in action because it is on an internal site behind a firewall.

thanks again for any help you can provide.

[haku]

Can you give us the HTML form as well?

 

I'm guessing the method of the form is set to get - have you tried setting it to post? By setting it to get, the text is passed in the URL, and I suspect that it is automatically URL encoded. But I'm half guessing here, it will be easier to understand if you can show us the rest of your code.

[dkindler]

Hi Haku,  All the code is already presented in separate posts.  Here is all of it:

 

Main page: mini_banner.php

<form action="mini_banner.php" method="get">
<table>
   <tr>
     <td colspan="5">
         <input type="text" name="text1" style="width: 185px; height:17px;" 
             value="<?php echo $_GET[text1]; ?>" /> 
       </textarea>
</td>
   </tr>
</table>
<input type="submit" value="Create banners" />

</form>

<table cellpadding="10">
<?php
if ($_GET[text1]) {

$text1=$_GET[text1];

echo "<tr><td><IMG src='mini_off.php?text1=$text1'></td></tr>";
}
?>
</table>

 

Graphic banner program:

 

<?php
header('Content-type: image/gif');

session_cache_limiter('public');

// Create the image
$imgname1 = 'mini_banner_on.gif';
$im1 = @imagecreatefromgif($imgname1);
$gel = imagecolorallocate($im1, 36, 35, 35);
imagefilledrectangle($im1, 200, 1, 209, 64, $gel);
$grey1 = imagecolorallocate($im1, 101, 118, 131);

// The text to draw
$text1 = $_GET[text1];

// Replace path by your own font path
$font1 = 'HelvNeue_reg1.ttf';

// Add the text
imagettftext($im1, 10.5, 0, 16, 23, $grey1, $font1, $text1);

imagegif($im1);
imagedestroy($im1);

?>

 

I tried using post instead of get.  That made it worse.  Seems like the text is not being passed at all, although I am not sure why.

 

Thanks.

[haku]

I have a couple ideas on your problem. Not 100% sure of which one it is.

 

I think that it's probably using get. The reason post didn't work is because you were using

 

$_POST[text1]

 

instead of

 

$_POST['text1']

 

(I'm making some assumptions here). If you use post, nothing is encoded, and it should work fine.

 

It may also be because you are setting the header at the top of your script.

 

 

[Sudden]

Also the function:

 

htmlspecialchars(); 

 

might help him handle the ' and ". It reads predefined php characters and turns them into HTML entities.

[BioBob]

wrong usage of htmlspecialchars

 

htmlspecialchars($var,ENT_NOQUOTES,ISO-8859-1);

 

then it wont do anything to your quotes.

 

http://us2.php.net/htmlspecialchars

 

The optional second argument, quote_style , tells the function what to do with single and double quote characters. The default mode, ENT_COMPAT, is the backwards compatible mode which only translates the double-quote character and leaves the single-quote untranslated. If ENT_QUOTES is set, both single and double quotes are translated and if ENT_NOQUOTES is set neither single nor double quotes are translated.