How to properly escape password field on HTML form?

Tags:

php

Input field for password usually accepts a wide range of characters compared to text inputs. The normal way of escaping an input on HTML form involves using htmlspecialchars($_POST['content']) on the input contents.

What if, in the scenario of a failed validation of a password update process, I require the new password to repopulate on the HTML form? Something like '> yeah would have caused the form to malfunction and using htmlspecialchars would produce a totally different password.

Any suggestions?

The html portion as shown:

<INPUT type=password name=password1 value=''&gt;&lt;script&gt;try' size=15 maxlength=15>

The corresponding php code:

// Returns the escaped string instead of echoing it, so h() also works inside concatenation.
// Without ENT_QUOTES (the default before PHP 8.1) single quotes pass through unescaped.
function h($str) { return htmlspecialchars($str); }
echo "<INPUT type=password name=password1 value='", h(@$_POST['password1']), "' size=15 maxlength=15>";

Blank is shown in the form input field.

UPDATE

The problem lies with my htmlspecialchars, which does not escape single quotes by default. Now adding the ENT_QUOTES parameter allows the single quote to be escaped and solves my problem. deceze and CodeCaster are right that htmlspecialchars does not change the password. Thanks all.

Question Overflow asked Sep 02 '25 13:09
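A runnable PHP sketch of the fix described in the UPDATE, added here and not part of the original post; the field name and sample value are constructed. It shows the single-quoted attribute breaking with the pre-8.1 default flags, the ENT_QUOTES rendering staying intact, and that decoding the entities (what the browser does before posting) gives the original password back.

```php
<?php
// Added example, not code from the original post. Renders the password field
// the way the question does and the way the UPDATE fixes it, then checks that
// decoding the entities (what the browser does before posting) gives the
// original password back.

// Constructed sample value, same shape as the one in the question.
$password = "'> yeah";

// Rendering from the question: ENT_COMPAT converts double quotes only
// (the default before PHP 8.1), so a single quote closes the attribute early.
function render_unescaped_quotes(string $value): string
{
    return "<INPUT type=password name=password1 value='"
        . htmlspecialchars($value, ENT_COMPAT)
        . "' size=15 maxlength=15>";
}

// Rendering after the fix: ENT_QUOTES converts both quote styles and the
// attribute is double-quoted, so the value stays inside the attribute.
function render_escaped_quotes(string $value): string
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<INPUT type="password" name="password1" value="'
        . $escaped . '" size="15" maxlength="15">';
}

// The browser decodes entities in attribute values before submitting the
// form, so the password that comes back in $_POST is the original one.
function round_trips(string $value): bool
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return html_entity_decode($escaped, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $value;
}

echo render_unescaped_quotes($password), "\n";
echo render_escaped_quotes($password), "\n";
echo round_trips($password) ? "round trip ok\n" : "round trip changed the password\n";
```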


2 Answers

No, htmlspecialchars would not produce a totally different password. It would produce value="&gt; yeah" which, when parsed by the browser, is read as > yeah. Password fields are not in any way special in the treatment of special or non-special characters.

deceze answered Sep 05 '25 16:09


Separate display logic from data logic.

Before you want to display data on an html page, use htmlspecialchars(). If you're about to store it in a database, use the appropriate sql escaping method (like mysql_real_escape_string()).

By the way, if an input element contains for example &gt;, it will be seen as > when posted.

CodeCaster answered Sep 05 '25 17:09