PHP :: Bug #13953 :: HTML Entities and $HTTP_POST

Bug #13953	HTML Entities and $HTTP_POST_VARS
Submitted:	2001-11-06 09:17 UTC	Modified:	2001-12-08 18:54 UTC
From:	markm at sprintout dot com	Assigned:
Status:	Not a bug	Package:	Arrays related
PHP Version:	4.0.4pl1	OS:	Free BSD 4.2
Private report:	No	CVE-ID:	None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 19 + 50 = ?
Subscribe to this entry?

[2001-11-06 09:17 UTC] markm at sprintout dot com

I'm experiencing a strange problem with HTML entities in form input using PHP v. 4.0.4pl1 on Apache v. 1.3.17.

My form consists of three fields:
  A "select" pulldown menu to enable users to select an existing record (field name: "InfoID");
  A text field in which users enter a headline (field name: "InfoTitle");
  A textarea field in which users enter text (field name: "InfoText").
  
The input from the form is saved in a MySQL database (v. 3.23.33). Everything was working fine until I started adding HTML entities (e.g., &#153;, &#149;, etc.) to represent the trademark symbol, bullets, etc. in the textarea field. I'm able to add a record to the database with HTML entities. However, when I retrieve an existing record, make modifications in the textarea field, and submit the input, the "selected" value from the pulldown menu is somehow lost.

When I say "lost", I mean that the key for the pulldown input field is actually missing when I print out $HTTP_POST_VARS (through the print_r function) at the top of the script. If there are no HTML entities in the textarea field, the value for the pulldown menu shows up and everything works fine.

I can't figure out the source of the problem. The encoding type within the <form> tag is standard: 
enctype="multipart/form-data". I'm not altering the input from the pulldown input field before submittal.

Even odder, the same form works fine with HTML entities on older versions of PHP.

Any ideas what's going on?

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-11-06 10:29 UTC] sander@php.net

Why are you using multipart/formdata? That shouldn't be necessary. Try using a simple <form> tag like <form action="script.php" method="post">. 

Does it work this way?

[2001-11-06 13:30 UTC] markm at sprintout dot com

Removing enctype="multipart/form-data" from the form tag does seem to solve the problem. However, it creates another. I was planning to add a "file" input type field to the form to enable users to upload images. To accomplish that, I'll need to include enctype="multipart/form-data". What then? Also, I was hoping to get to the bottom of the problem and figure out what's going on with HTML entities and form input. Thanks.

[2001-11-06 16:10 UTC] jeroen@php.net

Please submit the shortest reproducing script which does something strange. It's very hard to track down the problem if you don't show us exactly what you did.

[2001-11-06 16:43 UTC] markm at sprintout dot com

Below is a stripped-down version of the form that causes the problems. Note that values have been inserted into the form fields, including HTML entities in the "InfoText" field. When I click the "Modify" button, "InfoID" does not show up in $HTTP_POST_VARS.
Thanks.

<html>
<head>
<title>Administration Page</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<form action="index.html?selection=Description" method="post" enctype="multipart/form-data">
<p>
<b>Select an Existing Product Description Title</b><br>
<SELECT NAME="InfoID">
<option value="0">Click On a Product Description</option>
<option value="63">Product1</option>
<option value="67" selected>Product2</option>
<option value="69">Product3</option>
<option value="55">Product4</option>
<option value="65">Product5</option>
</select>
&nbsp;<input type="submit" name="option" value="Find">
</p>
<p>
<b>Product Description Title/Headline</b><br>
<input type="text" name="InfoTitle" size="30" maxlength="200" value="Product2">
</p>
<p>
<b>Product Description Text</b><br>
<textarea name="InfoText" cols="40" rows="10" wrap="VIRTUAL">Blah blah blah blah? Blah blah blah blah<sup>&#8482;</sup> Blah blah blah blah.
Blah blah blah blah<sup>&#8482;</sup>. Blah blah blah blah.
Blah blah blah blah<sup>?</sup>. Blah blah blah blah;</textarea>
</p>
<p>
<input type="submit" name="option" value="Modify"><br><br>
<input type="submit" name="option" value="Delete"><br><br>
<input type="submit" name="option" value="Clear">
</p>
</form>
</body>
</html>

[2001-11-06 17:16 UTC] jeroen@php.net

With 4.0.3pl1, I cannot reproduce.

Use var_dump($HTTP_POST_VARS) to check out what vars are submitted and which are not. I get:

HTTP_POST_VARS:

array(4) {
  ["InfoID"]=>
  string(2) "67"
  ["InfoTitle"]=>
  string(8) "Product2"
  ["InfoText"]=>
  string(196) "Blah blah blah blah? Blah blah blah
blah? Blah blah blah blah.
Blah blah blah blah?. Blah blah blah blah.
Blah blah blah blah?. Blah blah blah blah;"
  ["option"]=>
  string(6) "Modify"
}

HTTP_GET_VARS:

array(1) {
  ["selection"]=>
  string(11) "Description"
}

[2001-11-07 09:12 UTC] markm at sprintout dot com

I get the same output with both var_dump($HTTP_POST_VARS) and print_r($HTTP_POST_VARS): "InfoID" is missing from $HTTP_POST_VARS when I submit the form. The strange thing about this problem is that I can't reproduce it on earlier versions of PHP.

Perhaps, we should look at the broader question of how PHP deals with HTML entities.

I just placed the following text in the textarea box of the form:
  This is a &#149; test.

When the form is submitted, the script inserts the content into a "text" field in a MySQL (v. 3.23.33) database. I checked the record through phpMyAdmin and found that the field held exactly what I submitted. No surprises there.

However, when I updated the record, my line of text was changed to:
 This is a &#8226; test.

In other words, the representation of the HTML entity was changed from &#149; to &#8226;, either by PHP or MySQL.

This transformation seems to be the source of my problems. Any ideas what's going on?

P.S. -- The MySQL gurus argue that this is a PHP problem.

[2001-12-08 18:54 UTC] cardinal@php.net

I can't reproduce any part of this bug report on 4.0.6.  My $HTTP_POST_VARS matches jeroen's exactly for the product description script, and the following script does not translate html entities from their user-entered value.

<form method="post" action="<?= $PHP_SELF ?>" enctype="multipart/form-data">
<textarea name="text" wrap="virtual"><?= htmlentities($HTTP_POST_VARS['text'])?></textarea>
<br><input type="submit" value="Submit multipart">
</form>

<form method="post" action="<?= $PHP_SELF ?>">
<textarea name="text" wrap="virtual"><?= htmlentities($HTTP_POST_VARS['text'])?></textarea>
<br><input type="submit" value="Submit not multipart">
</form>

<?
  
if (count($HTTP_POST_VARS))
{
    echo '<pre>';
    print_r($HTTP_POST_VARS);
    echo '</pre>';
}
 
?>

I suggest taking this up on a support forum (php-general@lists.php.net,
#php on irc.php.net) if it's still an issue.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 03:00:01 2025 UTC