how to use htmlspecialchars in a form

leegold2

Technical User
Oct 10, 2004
116
Newbie question I guess. Please show me how to use htmlspecialchars in the form below, Thanks:

<form action="formtest1.php?c=1" method=POST>
<b>Find Results with:
These words: <input type="text" length=40 name="keywords">
input type="submit" value="Search">
</form>
 
I'm not entirely sure what you are looking for.
So, here are some questions for clarification:
1. What is the search subject?
2. What kind of special chars are you thinking of?

In the way above you can type in anything you want.
 
I want to apply htmlspecialchars function to the strings I am POSTING. I want to do this within the form before I POST. I assume I can with PHP.

I am getting weird results when I POST strings with ampersands - this is a possible fix. How can I do this please?
 
uhm..
You can't change something *before* you make an action.. (post).

Since PHP is Server-side, your client has to invoke some kind of action.

You can however submit to self and wrap the form in:

Code:
<?php
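// $_POST['submit'] is only set after the form has been submitted
// (a bare $submit relied on register_globals, which current PHP no longer has)
if (!isset($_POST['submit']))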
  {
    echo "<form action=\"?c=1\" method=\"post\">
  <b>Find Results with: 
  These words: <input type=\"text\" length=\"40\" name=\"keywords\" /> 
  <input type=\"submit\" value=\"Search\" name=\"submit\" />
</form>
";
  }
else
  {
   // convert to specialchars / htmlentities

  }
?>

ps... I also saw that your submit button had invalid html!
you forgot <..

Olav Alexander Mjelde
Admin & Webmaster
 
As DaButcher says, PHP is a server side technology. You can't do anything with PHP in the client.
When you POST data it is encoded by the browser and decoded by the receiving web server.
My question still remains:
What do you expect to happen with the search when you HTML encode?
If the entire searched data is itself not encoded the same way you'll be unable to find anything.
 
When I POST foo&amp;bar the search works.
When I POST foo&bar the search breaks, therefore I want to POST the first case. Therefore I want encoding before I post.

 
You would need to use client-side scripting. See Forum216 for Javascript.

--Chessbot

"See the TURTLE of enormous girth!"
-- Stephen King, The Dark Tower series
 
You still haven't answered the question what the subject of the search is. That is an extremely important question.
Here's an example why.
Let's say the content is in a table in a database and is some kind of plain text which is displayed on a page. For simplicity let's assume there are no HTML tags.
Code:
<?php
# the text to be searched is something like this (haystack)
$haystack = "Yes, I want to be able to search for foo&bar within some string like this.";
# posted or not, the encoded needle
$needle = "foo&amp;bar";
# the check fails:
if (strstr($haystack,$needle)){
   echo("Found.");
} else {
   echo("No luck.");
}

What you have to decide is some kind of normalization mechanism to put the haystack and needle in an identical format. That means the haystack needs to be encoded the same way the needle is encoded.
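
The normalization described above, as an added example that is not part of the original posts: the stored text and the posted keywords are both decoded to plain text before they are compared, and `htmlspecialchars` is applied only when text is written into the page. The sample rows, the sample inputs and the function names `normalize`, `search` and `e` are assumptions; it needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread. Assumption: stored rows may hold
// either raw text ("ND&SD") or entity-encoded text ("ND&amp;SD").

/** Bring any string to one canonical form: decoded, plain UTF-8 text. */
function normalize(string $s): string
{
    return html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Return the rows that contain the needle once both sides are normalized. */
function search(array $rows, string $needle): array
{
    $needle = normalize($needle);
    if ($needle === '') {
        return [];
    }
    return array_values(array_filter(
        $rows,
        fn(string $row): bool => stripos(normalize($row), $needle) !== false
    ));
}

/** Encode only at the point where text is written into HTML. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample data standing in for the database table.
$rows = [
    'Parts list for ND&amp;SD assemblies',    // stored encoded
    'Yes, I want to search for foo&bar here', // stored raw
    'Unrelated row',
];

// Constructed inputs standing in for $_POST['keywords'].
foreach (['ND&SD', 'ND&amp;SD', 'foo&bar', '<b>&"'] as $keywords) {
    $hits = search($rows, $keywords);
    echo '<p>' . count($hits) . ' result(s) for <q>' . e($keywords) . "</q></p>\n<ul>\n";
    foreach ($hits as $hit) {
        echo '  <li>' . e(normalize($hit)) . "</li>\n";
    }
    echo "</ul>\n";
}
```

Because encoding happens only in `e()`, the search gives the same result whether the visitor typed `ND&SD` or `ND&amp;SD`, and markup in the keywords is displayed as text instead of being interpreted by the browser.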
 
It's related to another post where I explained the issue I had with ampersand entities in my text fields. I got normal results when I searched/queried with eg. a string literally:
ND&amp;SD
but I got weirdness when I searched with the string: ND&SD, and things only worked correctly when I POSTED from the search form with NA&amp;SD ... after the fact converting & to &amp; did not work and caused strange results. So I was looking for a way to convert & to &amp; before the POST. If it sounds messed-up ... it probably is. Thanks for the help.
 
If you're still looking for a before POST function, PHP cannot do that. Try looking in forum216, the JavaScript forum, or an alternate method.

--Chessbot

"See the TURTLE of enormous girth!"
-- Stephen King, The Dark Tower series
 
I would never have my search script rely on something that is client dependent!

Then I would rather not use entities!

ps. you can (as I said in your other post) also make your own function for replacing & with &amp;, etc.
I guess it's slower than using htmlentities, but if htmlentities does not do the job for you, try to do it yourself?

You can then be a bit 1337, base it on a mysql table, where you can also define other things you want it to replace.
(kind of like a smiley script)

Olav Alexander Mjelde
Admin & Webmaster
 
This one works for me:

Code:
<?php
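// $_POST['submit'] is only set after the form has been submitted
// (a bare $submit relied on register_globals, which current PHP no longer has)
if (!isset($_POST['submit']))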
  {
    echo "<form action=\"?\" method=\"post\">
  <b>Find Results with: 
  These words: <input type=\"text\" length=\"40\" name=\"keywords\" /> 
  <input type=\"submit\" value=\"Search\" name=\"submit\" />
</form>
";
  }
else
  {
   // convert to specialchars / htmlentities
    $new = htmlentities($_POST['keywords'], ENT_QUOTES);
    echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
  }
?>

ps. it will look regular, but try to view source!

try to input: 1 < 2 > 1 && a != b

Olav Alexander Mjelde
Admin & Webmaster
 
I forgot one note:
htmlentities(stripslashes($_POST['keywords']), ENT_QUOTES);

You can add the stripslashes in there, if you don't want '\"' replacing '"' and likewise for the '. (single and double quotes.)

Olav Alexander Mjelde
Admin & Webmaster
 