
I am trying to create a page for customers to enter their details. I am using an HTML form.

When the submit button is pressed the form posts the inputs to the same page, which then checks if the inputs are empty. If they are not then each post variable is allocated a session variable so this info can be accessed later on in the system.

If some of the inputs are empty then the value of the input forms become equal to the session variables that they were just allocated to so that the customer doesn't have to retype their information.

This is where the problem occurs. When I load the page each input box has a slash inside it and when the submit button is pressed another slash is added.

My code is below:



<?php
session_start();

// Defaults so the first (non-POST) load does not reference undefined variables
$ErrorMsg = '';
$NotEmpty = false;

if (isset($_POST['NextPage'])) {
    if (!empty($_POST['CName'])) {
        $_SESSION["CName"] = $_POST['CName'];
        if (!empty($_POST['CStreet'])) {
            $_SESSION["CStreet"] = $_POST['CStreet'];
            if (!empty($_POST['CTown'])) {
                $_SESSION["CTown"] = $_POST['CTown'];
                if ($_POST['Counties'] != "-") {
                    $_SESSION["CCounty"] = $_POST['Counties'];
                    if (!empty($_POST['CPostcode'])) {
                        $_SESSION["CPostcode"] = $_POST['CPostcode'];
                        if (!empty($_POST['CEmail'])) {
                            $_SESSION["CEmail"] = $_POST['CEmail'];
                            if (!empty($_POST['CNumb'])) {
                                $_SESSION["CNumb"] = $_POST['CNumb'];
                                $NotEmpty = true;
                            } else {
                                $ErrorMsg = "Number is empty. <br>";
                            }
                        } else {
                            $ErrorMsg = "Email is empty. <br>";
                        }
                    } else {
                        $ErrorMsg = "Postcode is empty. <br>";
                    }
                } else {
                    $ErrorMsg = "County is empty. <br>";
                }
            } else {
                $ErrorMsg = "Town is empty. <br>";
            }
        } else {
            $ErrorMsg = "Street is empty. <br>";
        }
    } else {
        $ErrorMsg = "Name is empty. <br>";
    }
}

// Form markup re-filled from the session; the value attributes are left unquoted here,
// which is what produces the stray slash described above
$content = '<h3 id="CTitle"> Customer Details </h3>
<p><i>' . $ErrorMsg . '</i></p>
<form action=" " method="POST" name="CDetails" id="CDetails">
Name: * <input type="text" name="CName" size="30" value=' . $_SESSION["CName"] . '/><br>
First line of your address: * <input type="text" name="CStreet" size="40" value=' . $_SESSION["CStreet"] . '/><br>
Town: * <input type="text" name="CTown" size="25" value=' . $_SESSION["CTown"] . '/><br>
Postcode: * <input type="text" name="CPostcode" size="11" value=' . $_SESSION["CPostcode"] . '/><br>
Email address: * <input type="text" name="CEmail" size="35" value=' . $_SESSION["CEmail"] . '/><br>
Phone Number: * <input type="text" name="CNumb" value=' . $_SESSION["CNumb"] . '/><br>
<input type="submit" name="NextPage" value="Next" id="Next"/>
</form>';
?>

There's a lot wrong with this, and the slashes are really your least problem.

First of all, you can't just drop user input into your HTML document. Never heard of cross-site scripting? All dynamic values need to be escaped before they can be inserted. Secondly, HTML attributes need to be quoted. If you don't quote them, then you're almost asking for trouble, because it's more or less unclear where the value will end. In your case, the slash of your HTML tag is also assigned to the form value.

Fix the escaping, fix the quotes, and the problem will go away.

Escaping makes sure that the browser interprets the variable contents as literal text rather than HTML markup. For example, the character “<” is replaced with the HTML entity “&lt;” which represents a literal less-than sign.

 

If you don't escape the values, then you allow anybody to manipulate the HTML document. They could insert malicious JavaScript code, redirect the form data to another website, deface your page and whatnot.
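An added example, not code from either poster, showing the two fixes side by side: the field pattern from the original post (attribute unquoted, value unescaped) next to the corrected pattern (attribute quoted, value passed through htmlspecialchars). The field names follow the thread; the helpers e(), sessionValue(), renderFieldBroken() and renderFieldFixed() and the sample values are assumptions made for this illustration.

```php
<?php
// Added example (not the original poster's code). Demonstrates why
// unquoted, unescaped attribute values break and how escaping + quoting
// fixes it. Helper names and sample values are constructed for this demo.

// Escape a dynamic value for use inside an HTML attribute or text node.
// ENT_QUOTES converts both " and ' so the value can never terminate the
// attribute it sits in; the charset must match the page's encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Read a previously stored value, or an empty string on the first page load
// (avoids an undefined-index notice when the session key does not exist yet).
function sessionValue(string $key): string
{
    return isset($_SESSION[$key]) ? (string) $_SESSION[$key] : '';
}

// The pattern from the original post: no quotes around the attribute value
// and no escaping. With an empty value this emits  value=/>  so the browser
// takes the tag's own "/" as the field value, which is the slash in the box.
function renderFieldBroken(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value=' . $value . '/>';
}

// Corrected pattern: the attribute is quoted and the value is escaped, so
// the markup ends exactly where the developer intended regardless of input.
function renderFieldFixed(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . e($value) . '">';
}

// Builds the whole form with the corrected pattern; $errorMsg is also
// escaped before being placed in the page.
function renderForm(array $values, string $errorMsg): string
{
    $html  = '<h3 id="CTitle">Customer Details</h3>' . "\n";
    $html .= '<p><i>' . e($errorMsg) . '</i></p>' . "\n";
    $html .= '<form action="" method="POST" name="CDetails" id="CDetails">' . "\n";
    foreach ($values as $name => $value) {
        $html .= $name . ': ' . renderFieldFixed($name, $value) . "<br>\n";
    }
    $html .= '<input type="submit" name="NextPage" value="Next" id="Next">' . "\n";
    $html .= '</form>';
    return $html;
}

// Constructed sample inputs: an empty value (first page load) and a value
// containing quote and angle-bracket characters that would otherwise alter
// the markup if inserted raw.
$samples = [
    'CName'   => '',
    'CStreet' => '12 "The Old Forge" <Lane>',
];

foreach ($samples as $name => $value) {
    echo "Broken: " . renderFieldBroken($name, $value) . "\n";
    echo "Fixed:  " . renderFieldFixed($name, $value) . "\n\n";
}

// Full corrected form, using session values with a safe default.
session_start();
$fields = ['CName', 'CStreet', 'CTown', 'CPostcode', 'CEmail', 'CNumb'];
$values = [];
foreach ($fields as $field) {
    $values[$field] = sessionValue($field);
}
echo renderForm($values, '');
```

Running this from the command line prints the broken and fixed markup for each sample; compare how the second sample's double quotes and angle brackets come out as entities in the fixed version while the broken version lets them become part of the tag. The same e() helper should wrap every other dynamic value placed into the page, not only the value attributes.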
