开发者

Sending special characters in HTML form

I have an input field (which is filled automatically) with the format name <myemail@host.com>. I gave the form enctype="application/x-www-form-urlencoded", but when I retrieve it in PHP, it shows only the name. Please help me retrieving the email too.

My HTML form:

<fo开发者_如何学运维rm action="{$path_site}{$index_file}" method="POST" enctype="application/x-www-form-urlencoded">
    <table>
        <tr>
            <td>Your Name</td>
            <td><input type="text" name="sender_name" size="37" /></td>
        </tr>
        <tr>
            <td>To</td>
            <td><input type="text" name="reciever_name" size="37" id="inputString" onkeyup="lookup(this.value)" onblur="fill()" /></td>
        </tr>
    </table>
</form>

And PHP code:

echo $msg_sender_name = $info[reciever_name];


Extracting the information from comments, where you say:

if the text is like "myName<myEmail@email.com>", info['reciever_name'] displays only "myName"

I would say that your problem is related to the displaying the results, and is not related to the form.

You probably display the received string as HTML, where the characters "<" and ">" are special.

Instead of

echo $info['reciever_name'];

you should use the htmlspecialchars function:

echo htmlspecialchars($info['reciever_name'], ENT_QUOTES);

This is the most common bug in PHP (and in many other languages).

You should escape all the text you are displaying, especially when it comes from untrusted sources - and every value provided by the user is untrusted.

Failing to escape the output you risk the security of your users - you may want to read about Cross-site-scripting on Wikipedia.


The following PHP code

echo $msg_sender_name = $info[reciever_name];

seems to be missing a couple of quotes. Try this instead:

echo $msg_sender_name = $info['reciever_name'];
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜