I am trying to submit a form with HTML data in it to my server, but it appears to be stripping it out and I can't seem to figure out why.

If I do `file_get_contents("php://input")` I can see my content in the raw form:

```
action=submit&content=%3Cp%3EAnteater+Alumni%3A+Help+current+UCI+students+reach+their+goal+of+raising+%2...registration+form%3C%2Fa%3E.%3C%2Fp%3E
```

But if I do `print_r($_POST['content']);` I see the text WITHOUT any HTML formatting. It is like PHP is stripping it out somehow.

I tried the following:

```php
$data = file_get_contents("php://input");
$output = array();
parse_str($data, $output);
```

But this just outputs an empty array.

magic_quotes_gpc is off. I have nothing else in the script modifying the content in any way.

Any ideas at all?

UPDATE: I am aware of the HTML being displayed in the browser. I am using a browser as well as curl, and dumping the content as text/plain -- the HTML formatting in the browser is not the problem.

+1  A: 

It's going to sound silly but... did you try to open the generated page with "View source"?

rmontagud
@rmontagud: That should be a comment, not an answer :)
Sarfraz
Yea, I tried that. I used WFetch and Firebug. That isn't the issue.
webdestroya
+1  A: 

Are you using a Framework? Check nothing is iterating through the array beforehand, i.e.:

```php
foreach ($_POST as $key=>$val)
{
  $_POST[$key] = strip_tags($val);
}
```

Also check you've not got any defunct mod_security rules enabled (http://www.modsecurity.org/). Of course, that depends on if you're using mod_sec!

Try doing this:

```php
echo '<pre>';
print_r($_REQUEST);
echo '</pre>';
```

and

```php
foreach ($_POST as $key=>$val)
{
  echo $key .' = '. htmlentities($val) . '<br />';
}
```

just to double check you're not missing something :)

EDIT: try this:

```php
foreach ($_REQUEST as $key=>$val)
{
  echo $key .' = '. htmlentities($val) . '<br />';
}
```
Kieran Allen
Did that. There is no framework, there is nothing else iterating the POST loop (that I can see)
webdestroya
Ok, can you run the edited code sample and tell me the output? Cheers!
Kieran Allen
@Kieran - http://pastebin.com/TAcpcvC3
webdestroya
Wow, that's very strange - you've tried just creating another independent script with just a simple form, right? Double check the form action is set to POST (as mod_security might be escaping _GET only.)
Kieran Allen
@Kieran - I have a single PHP file just to test this problem, I am using POST - not GET. So far my solution is to just use explode and a loop to parse the raw `php://input` to work around the problem.
webdestroya
@Kieran: Your code is missing concatenation operators after `$key`.
nikic
Thanks, updated.
Kieran Allen
+2  A: 

Remember that print_r()'s output will be viewed in the browser. Unless you take special steps to handle the HTML, the browser's going to see HTML and render it as such. Unless you view the source of the page, all you'll see is the text content.

To view the uploaded HTML directly, you'd have to run it through htmlentities()/htmlspecialchars() first, which'll encode any HTML metacharacters (e.g. > to &gt;).

As well, unless you have a special need for it, there's no reason to retrieve form submission data from `php://input`. That's the raw data, and most likely you'd just be parsing it anyways, which PHP has already done for you with the _GET/_POST arrays. On top of that, if the submission includes a file upload, you'll be slurping that entire file into memory, which could very well exceed your script's memory_limit and kill things right there.

There's also a note in the I/O streams PHP man page that php://input can only be read once. If your script's doing it multiple times, the second and subsequent reads will get a null.

Marc B
@Marc B - The HTML in the browser is not the problem. I have viewed the source/used `curl` and many other things. I read `php://input` just to verify that my submission wasn't being cleaned by `mod_security` or something.
webdestroya
mod_security would do its thing long before PHP ever received the data from Apache. Not much point to having mod_security standing guard at the front door if PHP's out on the front lawn with a ladder leading up to the 2nd floor.
Marc B
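
The comparison discussed in this thread (raw `php://input` against `$_POST`, using the explode-and-loop parsing mentioned in the comments), written out as an added example that is not code from any poster here. It assumes a flat `application/x-www-form-urlencoded` body; the function names `parse_raw_body` and `diff_post` and the sample body are constructed for illustration, and the stream is read once and reused.

```php
<?php
// Added example: hand-parse the raw body and report fields that differ from $_POST.
// Assumes flat field names (no a[b]=... nesting) and a urlencoded, non-multipart body.

function parse_raw_body(string $raw): array
{
    $fields = [];
    foreach (explode('&', $raw) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        // urldecode() also turns '+' into a space, as form encoding requires.
        $fields[urldecode($parts[0])] = urldecode($parts[1] ?? '');
    }
    return $fields;
}

function diff_post(array $raw, array $post): array
{
    $changed = [];
    foreach ($raw as $key => $value) {
        $seen = $post[$key] ?? null;
        if ($seen !== $value) {
            $changed[$key] = [
                'raw'  => $value,
                'post' => $seen,
                // True when the difference is exactly what strip_tags() would produce.
                'matches_strip_tags' => is_string($seen) && $seen === strip_tags($value),
            ];
        }
    }
    return $changed;
}

// Read the stream once and keep the result; skip it on the CLI.
$raw = PHP_SAPI === 'cli' ? '' : (string) file_get_contents('php://input');
$post = $_POST;
if ($raw === '') {
    // Constructed sample so the script also runs from the command line.
    $raw  = 'action=submit&content=%3Cp%3EHello+%3Cb%3Eworld%3C%2Fb%3E%3C%2Fp%3E';
    $post = ['action' => 'submit', 'content' => 'Hello world'];
}

// Plain-text response with sniffing disabled, so reflected markup is never rendered.
header('Content-Type: text/plain; charset=utf-8');
header('X-Content-Type-Options: nosniff');
var_export(diff_post(parse_raw_body($raw), $post));
```

Run at the very top of the script: an empty array means `$_POST` still matches the raw body at that point.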