Form Problem

[derbyshiresoftware]

Hello,

Having a problem when putting an xml tag in an input field. The field shows blank in $_POST. Heres some sample code

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>
    
<body>
    <?php print_r($_POST);
    ?>
<form method="post" action="" >
    <input type="text" name="data" value="some data" maxlength="200"/>
    <input type="submit" name="process"/>
</form>
</body>
</html>

 

If I put <test in the field it shows up blank in the print of POST.

I actually want to pass xml in a hidden field, and it wouldnt work. Tracked it down to this problem.

Thanks in Advance

Edited May 14, 2020 by derbyshiresoftware
error

[gw1500se]

It is consider best practice to either leave the action parameter out or if you use it to specify a filename. As an aside, I don't think I've ever seen the method in lower case, it is always POST or GET. Perhaps someone can confirm if that is case sensitive.

Also please use the code icon (<>) for your code and select HTML or PHP.

Edited May 14, 2020 by gw1500se

[derbyshiresoftware]

Hello

I changed my code to what you said and it doesnt make any difference

<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>
    
<body>
    <?php print_r($_POST);
    ?>
<form method="POST" >
    <input type="text" name="data" value="some data" maxlength="200"/>
    <input type="submit" name="process"/>
</form>
</body>
</html>

 

[gw1500se]

The first time the page is displayed I would expect it to be blank since nothing has been entered yet. Normally that print should only be executed AFTER the submit.

if (isset($_POST['process'])) {
   echo "<pre>";
   print_r($_POST);
   echo "</pre>";
}

 

Edited May 14, 2020 by gw1500se

[derbyshiresoftware]

Yes I know thats good practice but it doesn’t work when you put the <text value value in and submit it. I was just trying to keep the code short.

Edited May 14, 2020 by derbyshiresoftware

[derbyshiresoftware]

Could it be a server. Setting? I could swear this used to work?

[gw1500se]

It works for me.

Array ( [data] => test [process] => Submit Query )

[derbyshiresoftware]

If I put in. <test it doesn’t work. Makes me think it could be a server setting if it works for others. It’s the < character it doesn’t like

 

[gw1500se]

Sorry, I didn't realize you meant '<' literally. You need to use htmlspecialchars for that.

if (isset($_POST['process'])) {
   print(htmlspecialchars($_POST['data']));
}

 

[derbyshiresoftware]

Thanks. That fixed it. Think the data was being returned, but not displaying properly in debug.

[Phi11W]

20 hours ago, derbyshiresoftware said:

If I put <test in the field it shows up blank in the print of POST.

Is the value actually blank or does your web browser display it as "blank", by trying to interpret the value as HTML? 

Either escape [the characters in] the value, preventing it from being shown "as" HTML or use your browser's "Developer" tools to examine the value - that will allow you to see "raw" value. 

Accepting Html-like values in this way can be extremely risky.  It's all too easy for a [malicious] client to slip in <script> tags which, if you display them without proper "protection" will execute that script code!  

Regards, 
   Phill  W.