Slash added to Session variable when submit button is pressedd

[louiscb]

I am trying to create a page for customers to enter their details. I am using a html form.

 

When the submit button is pressed the form posts the inputs to the same page, which then checks if the inputs are empty. If they are not then each post variable is allocated a session variable so this info can be accessed late on in the system.

 

If some of the inputs are empty then the value of the input forms become equal to the session variables that they were just allocated to so that the customer doesn’t have to retype their information.

 

This is where the problem occurs. When I load the page each input box has a slash inside it and when the submit button is pressed a mother slash is added. 

 

My code is below:

<?php

session_start();

if(isset($_POST['NextPage'])){

if (!empty($_POST['CName'])){

$_SESSION["CName"] = $_POST['CName'];

if (!empty($_POST['CStreet'])){

$_SESSION["CStreet"] = $_POST['CStreet'];

if (!empty($_POST['CTown'])){

$_SESSION["CTown"] = $_POST['CTown'];

if ($_POST['Counties'] != "-"){

$_SESSION["CCounty"] = $_POST['Counties'];

if (!empty($_POST['CPostcode'])){

$_SESSION["CPostcode"] = $_POST['CPostcode'];			

if (!empty($_POST['CEmail'])){

$_SESSION["CEmail"] = $_POST['CEmail'];

if (!empty($_POST['CNumb'])){

$_SESSION["CNumb"] = $_POST['CNumb'];

$NotEmpty = true;

}else{	

$ErrorMsg = "Number is empty. </br>";

}

}else{	

$ErrorMsg = "Email is empty. </br>";

}

}else{	

$ErrorMsg = "Postcode is empty. </br>";

}

}else{	

$ErrorMsg = "County is empty. </br>";

}

}else{	

$ErrorMsg = "Town is empty. </br>";

}

}else{	

$ErrorMsg = "Street is empty. </br>";

}

}else{	

$ErrorMsg = "Name is empty. </br>";

	}

}

$content = 	' <h3 id="CTitle"> Customer Details </h3>

			<p><i>'.$ErrorMsg.'</i></p>		

			<form action=" " method="POST" name="CDetails" id="CDetails">

				Name: * <input type="text" name="CName" size="30" value='.$_SESSION["CName"].'/></br>

				First line of your address: * <input type="text" name="CStreet" size="40" value='.$_SESSION["CStreet”];.’/></br>

				Town: * <input type="text" name="CTown" size="25" value='.$_SESSION["CTown"].'/></br>

				Postcode: * <input type="text" name="CPostcode" size="11" value=‘.$_SESSION["CPostcode"].'/></br>

				Email address: * <input type="text" name="CEmail" size ="35" value='.$_SESSION["CEmail”];.’/></br>

				Phone Number: * <input type="text" name="CNumb" value='.$_SESSION["CNumb"].'/></br>

				<input type="submit" name="NextPage" value="Next" id="Next”/>

			</form>

?>

[Jacques1]

There's a lot wrong with this, and the slashes are really your least problem.

 

First of all, you can't just drop user input into your HTML document. Never heard of cross-site scripting? All dynamic values need to be escaped before they can be inserted. Secondly, HTML attributes need to be quoted. If you don't quote them, then you're almost asking for trouble, because it's more or less unclear where the value will end. In your case, the slash of your HTML tag is also assigned to the form value.

 

Fix the escaping, fix the quotes, and the problem will go away.

[louiscb]

Wow I'm an idiot. I have never actually heard of that,  I only started using php very recently. What is the purpose of escaping values? Thanks

[Jacques1]

Escaping makes sure that the browser interprets the variable contents as literal text rather than HTML markup. For example, the character “<” is replaced with the HTML entity “<” which represents a literal less-than sign.

 

If you don't escape the values, than you allow anybody to manipulate the HTML document. They could insert malicious JavaScript code, redirect the form data to another website, deface your page and whatnot.