PHP vars being used in hidden form fields!

Status
Not open for further replies.

Leozack

MIS
Oct 25, 2002
867
GB
Right, I've thought of just about everything, and everything I think of seems flawed. The problem is this - if you have a text area in a form to save to a file, you can stripslashes() and str_replace "\r" with "<br />" and then the browser will display it properly just by reading the text file. However, to display it again in a textarea, for editing etc, I have to replace "<br />" with "\r". But that's ok, I can write a MuliLine(textorhtml) function to turn it either to text or to html friendly versions.

The problem is, how do I include it in a form hidden input field!!! The problem lies in that any variable you've taken from a form could contain a ", and even if it is escaped, if you try putting it in an input type="hidden" value="$whatever" then you'll find it still goes wrong and ends the value at the escaped " in the variable if there is one. Anyone got any bright ideas? *mutters he wouldn't have this problem if he had access to mysql for free* =/
_________________________________
Leozack
Code:
MakeUniverse($infinity,1,42);
 
PHP provides a function nl2br() for converting newlines in text to "<br />" tags. Actually, it leaves the newlines there, and adds "<br />" after each one.

Take a look at htmlspecialchars() for dealing with the quote problem.

Want the best answers? Ask the best questions: TANSTAAFL!
 
Thanks for the replies, for some reason I just couldn't work on it anymore without motivation of someone replying!

I've already looked through the php docs on htmlentities and htmlspecialchars n stuff many times and not found them useful at all =/

But now finally I do. Basically, I pass EVERYTHING I am given through this included function:

Code:
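function StripStuff($thetext) {
	// Undo magic-quotes slashes, then escape &, <, > and " for HTML output
	$thetext = htmlspecialchars(stripslashes($thetext));
	// Write the pound sign as a numeric entity so it is valid in the XML files
	$thetext = str_replace("£","&#163;",$thetext);
	return $thetext;
}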

The reason for escaping the GBPound sign is they aren't allowed in XML files without being escaped! Grrr.

Then, whenever I have passed a value on to another page via a form's hidden input field, as is the title of this post, I have to run it through StripStuff() again.

Then, whenever I want to display content taken from a text area, ie, multiple lines, I just say:

Code:
$nameshow = nl2br($name);

Then I show the $nameshow whilst still keeping the $name for further passing around or writing to xml or whatever.

I find it far better to not striptags or anything like that, as I'd rather see if a user has tried putting in font tags or anything more malicious and have it proudly sitting there in escaped equivalents doing no harm =)

Now ... just gotta write the code so that when someone presses a 'cancel' button to go back and change their form inputs, it selects the checkboxes from the array that are already checked, and selects the right pulldown menu options (done that before) from dynamically generated (second dependent on first) pulldowns. Doh =/ Any prewritten code for that would save hours but don't worry otherwise ;)
_________________________________
Leozack
Code:
MakeUniverse($infinity,1,42);
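
An added example, not part of the original posts: it follows one multi-line value containing quotes through the three outputs discussed in this thread (hidden field, textarea, displayed HTML) and shows why the value has to be escaped again on the next page. The helper names (`h`, `hidden_field`, `textarea_field`, `display_html`, `browser_submits`) and the sample input are constructed for illustration, and `ENT_QUOTES` is used here so single quotes are covered as well.

```php
<?php
// Added example: helper names and the sample value are constructed.

// Escape for HTML text and for quoted attribute values.
function h(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Hidden field: the raw value, escaped exactly once at output time.
function hidden_field(string $name, string $raw): string {
    return '<input type="hidden" name="' . h($name) . '" value="' . h($raw) . '">';
}

// Textarea for re-editing: escape only; real newlines stay newlines.
function textarea_field(string $name, string $raw): string {
    return '<textarea name="' . h($name) . '">' . h($raw) . '</textarea>';
}

// Read-only display: escape first, then nl2br, so the <br /> tags survive.
function display_html(string $raw): string {
    return nl2br(h($raw));
}

// Stand-in for the browser, which decodes the entities in value=""
// before it submits the form to the next page.
function browser_submits(string $field_html): string {
    preg_match('/value="([^"]*)"/', $field_html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

$raw = "He said \"hi\" & left <b>\r\nsecond line";   // constructed input

$field = hidden_field('name', $raw);
echo $field, "\n";
echo textarea_field('name', $raw), "\n";
echo display_html($raw), "\n";

// What the next page receives is the raw text again, so it must be
// escaped again wherever that page prints it.
$received = browser_submits($field);
var_dump($received === $raw);

// Escaping a string that is already escaped changes it a second time,
// which is why the stored copy should stay raw.
var_dump(h(h($raw)) === h($raw));
```

Keeping the stored copy raw and escaping only at the point of output means the same value can go to a textarea, a hidden field or an XML file without undoing an earlier conversion.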