
Re-Submitting Form Problems


zachatk1


My site is nearly done. This is the last bug I have to work out.

 

I have a form and a user can fill out all the fields. I have the data $_POST over onto the verify page into $_SESSION variables (no reason really... it can just be a variable I suppose and no need for a session). Each variable is checked to see if it is filled out. If it is not, it re-displays that input field that wasn't filled in. The input fields that are filled in are put into a hidden input so when the user re-submits the form after filling out the forgotten field, the already filled in data is there.

 

Now here's the problem. There is a large textarea form. The problem is with quotes. I'll give an example with some code:

 

<?php
session_start();

// Bunch of variables...
$_SESSION['type'] = $_POST["type"]; // radio buttons
// etc...

// Large text form
$_SESSION['details'] = $_POST["details"]; // not escaping strings, explanation and example later

$flag = array(); // collects a 1 for every field that fails its check

// TYPE
if ( empty($_SESSION['type']) )
{
    $flag[] = 1;
?>
    <input type="radio" name="type" value="Modification" /> Modification
    <input type="radio" name="type" value="Maintenance" /> Maintenance
<?php
}
else
{
    echo $_SESSION['type'];
    // put the value back into the form as a hidden field
?>
    <input type="hidden" name="type" value="<?php print $_SESSION['type'] ?>" />
<?php
}

// DETAILS
if ( empty($_SESSION['details']) )
{
    $flag[] = 1;
    // this is a tinymce form, not sure if that makes a difference, but it could output something different.
?>
    <textarea name="details" style="width:100%">
    </textarea>
<?php
}
else
{
    echo $_SESSION['details'];
?>
    <input type="hidden" name="details" value="<?php print $_SESSION['details'] ?>" />
<?php
}

// there's a bunch of other error checking with the other variables...
?>

<input type="submit" value="Submit" name="different" class="btn" /> <!-- submit button -->

<?php
// now check if flag = 1 which means there's an error
if ( in_array ( 1, $flag ) )
{
}
else
{
    // this is where the data will be sanitized, escaped and submitted to the database...
}
?>

 

So for example if I were to type this into the details box WITHOUT mysql_real_escape_string:

 

This is a "quote".

 

It would output this the first time:

 

This is a "quote".

 

This is perfect and how it should be. But let's say the user forgot another text box. This is now sending the data again through the whole $_SESSION POST deal.

 

This is how it looks sending it through again:

 

This is a

 

That's it! No quotes and everything past the first quote is gone. What's the deal with that!?

 

Now if I were to do mysql_real_escape_string on the $_SESSION variable $_POST, it'd work the first time like this:

 

This is a \"quote\".

 

But the second time it's this:

 

This is a \\

 

Now there are multiple ways to fix this I believe... except I don't really know how to use these methods.

 

I believe I could check if the characters are entities, then convert them to entities if they aren't. So a quote would be &#34; instead of ".

 

My original plan was to have the data that was submitted go onto a session that would store it until everything was correct. Then pull it off the session and sanitize and submit. For some reason I couldn't get that to work because if I have those $_SESSION['var'] = $_POST["var"]; at the top of the page it will overwrite the existing data on the session. To fix this I'd have to check if that specific variable was $_POST'ed, but I don't exactly know how to do that (if you even can).

 

Wow, that was long... hopefully you understand, thanks!


Any content/data that you output on a web page needs to be passed through htmlentities with the second parameter set to ENT_QUOTES, so that any special characters in the content are converted to HTML entities and don't break the HTML on your page (if you do a 'view source' in your browser, you will see that the data is there but the quotes in it are causing the browser to stop rendering the output.)

 

If you already have the previously entered values saved in session variables, why go to the trouble of putting them back into hidden form fields? Since they are being passed through the form, you must re-validate them on each form submission since they can be altered by the visitor before the form gets submitted.
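The two points in this reply, as an added example that is not part of the original thread or the poster's code: a hidden field rendered with the raw value (the truncation the poster saw) next to the same field rendered through htmlentities with ENT_QUOTES, and a session carry-over that only overwrites keys actually present in the submission. The function names and the sample input are constructed for this example.

```php
<?php
// Added example, not code from the thread. Demonstrates why an unescaped value
// breaks a hidden form field and how htmlentities(..., ENT_QUOTES) fixes it,
// plus a session carry-over that only overwrites keys that were POSTed.

// What the poster typed into the textarea (constructed sample input).
$details = 'This is a "quote".';

// Broken: the raw value is dropped into an attribute. The first " closes the
// attribute, so the browser sees value="This is a " and the rest of the text
// is parsed as stray attributes. That is the "This is a" truncation above.
function hidden_field_raw(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Fixed: every HTML-special character, including both quote styles because of
// ENT_QUOTES, becomes an entity. The attribute stays intact and the browser
// submits the original text unchanged on the next POST.
function hidden_field_safe(string $name, string $value): string
{
    $escaped = htmlentities($value, ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . $name . '" value="' . $escaped . '" />';
}

// Carry submitted values into the session without clobbering values that were
// not part of this submission (the "was it POSTed?" check from the question).
// Only non-empty submitted fields replace what the session already holds.
function merge_post_into_session(array $post, array $session, array $fields): array
{
    foreach ($fields as $field) {
        if (array_key_exists($field, $post) && trim((string) $post[$field]) !== '') {
            $session[$field] = $post[$field];
        }
    }
    return $session;
}

echo hidden_field_raw('details', $details), PHP_EOL;
echo hidden_field_safe('details', $details), PHP_EOL;

// Simulated second submission (constructed): the user filled in "type" this time
// and left "details" blank, so the earlier details must survive the merge.
$session = array('details' => $details);
$post    = array('type' => 'Maintenance', 'details' => '');
$session = merge_post_into_session($post, $session, array('type', 'details'));
print_r($session);
```

Run it from the command line with php to compare the two input tags: the raw one has an attribute that ends at the first quote, the escaped one carries the quotes as &quot;. The merge keeps the earlier details because the blank resubmission never overwrites them, which removes the need for hidden fields at all; values that do travel through hidden fields are client-controlled and have to be validated again on every submission, as the reply says. mysql_real_escape_string belongs only at the point where the data goes into the query, not where it is printed into HTML.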

 

