louiscb Posted December 13, 2014 Share Posted December 13, 2014 I am trying to create a page for customers to enter their details. I am using a html form. When the submit button is pressed the form posts the inputs to the same page, which then checks if the inputs are empty. If they are not then each post variable is allocated a session variable so this info can be accessed late on in the system. If some of the inputs are empty then the value of the input forms become equal to the session variables that they were just allocated to so that the customer doesn’t have to retype their information. This is where the problem occurs. When I load the page each input box has a slash inside it and when the submit button is pressed a mother slash is added. My code is below: <?php session_start(); if(isset($_POST['NextPage'])){ if (!empty($_POST['CName'])){ $_SESSION["CName"] = $_POST['CName']; if (!empty($_POST['CStreet'])){ $_SESSION["CStreet"] = $_POST['CStreet']; if (!empty($_POST['CTown'])){ $_SESSION["CTown"] = $_POST['CTown']; if ($_POST['Counties'] != "-"){ $_SESSION["CCounty"] = $_POST['Counties']; if (!empty($_POST['CPostcode'])){ $_SESSION["CPostcode"] = $_POST['CPostcode']; if (!empty($_POST['CEmail'])){ $_SESSION["CEmail"] = $_POST['CEmail']; if (!empty($_POST['CNumb'])){ $_SESSION["CNumb"] = $_POST['CNumb']; $NotEmpty = true; }else{ $ErrorMsg = "Number is empty. </br>"; } }else{ $ErrorMsg = "Email is empty. </br>"; } }else{ $ErrorMsg = "Postcode is empty. </br>"; } }else{ $ErrorMsg = "County is empty. </br>"; } }else{ $ErrorMsg = "Town is empty. </br>"; } }else{ $ErrorMsg = "Street is empty. </br>"; } }else{ $ErrorMsg = "Name is empty. </br>"; } } $content = ' <h3 id="CTitle"> Customer Details </h3> <p><i>'.$ErrorMsg.'</i></p> <form action=" " method="POST" name="CDetails" id="CDetails"> Name: * <input type="text" name="CName" size="30" value='.$_SESSION["CName"].'/></br> First line of your address: * <input type="text" name="CStreet" size="40" value='.$_SESSION["CStreet”];.’/></br> Town: * <input type="text" name="CTown" size="25" value='.$_SESSION["CTown"].'/></br> Postcode: * <input type="text" name="CPostcode" size="11" value=‘.$_SESSION["CPostcode"].'/></br> Email address: * <input type="text" name="CEmail" size ="35" value='.$_SESSION["CEmail”];.’/></br> Phone Number: * <input type="text" name="CNumb" value='.$_SESSION["CNumb"].'/></br> <input type="submit" name="NextPage" value="Next" id="Next”/> </form> ?> Quote Link to comment https://forums.phpfreaks.com/topic/293075-slash-added-to-session-variable-when-submit-button-is-pressedd/ Share on other sites More sharing options...
Jacques1 Posted December 13, 2014 Share Posted December 13, 2014 There's a lot wrong with this, and the slashes are really your least problem. First of all, you can't just drop user input into your HTML document. Never heard of cross-site scripting? All dynamic values need to be escaped before they can be inserted. Secondly, HTML attributes need to be quoted. If you don't quote them, then you're almost asking for trouble, because it's more or less unclear where the value will end. In your case, the slash of your HTML tag is also assigned to the form value. Fix the escaping, fix the quotes, and the problem will go away. Quote Link to comment https://forums.phpfreaks.com/topic/293075-slash-added-to-session-variable-when-submit-button-is-pressedd/#findComment-1499484 Share on other sites More sharing options...
louiscb Posted December 13, 2014 Author Share Posted December 13, 2014 Wow I'm an idiot. I have never actually heard of that, I only started using php very recently. What is the purpose of escaping values? Thanks Quote Link to comment https://forums.phpfreaks.com/topic/293075-slash-added-to-session-variable-when-submit-button-is-pressedd/#findComment-1499486 Share on other sites More sharing options...
Jacques1 Posted December 13, 2014 Share Posted December 13, 2014 Escaping makes sure that the browser interprets the variable contents as literal text rather than HTML markup. For example, the character “<” is replaced with the HTML entity “<” which represents a literal less-than sign. If you don't escape the values, than you allow anybody to manipulate the HTML document. They could insert malicious JavaScript code, redirect the form data to another website, deface your page and whatnot. Quote Link to comment https://forums.phpfreaks.com/topic/293075-slash-added-to-session-variable-when-submit-button-is-pressedd/#findComment-1499488 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.