February 12th, 2013, 10:06 PM
-
Need help: can you find the error in saving data the user typed in a form?
I have entered my code below. I am trying to make my form save the user's information if they forget another field, so when they are told to submit something they missed they do not lose the data they already entered (example: they fill in everything except user name, and when they click send all the other fields will still show what they have already typed). This seems to be working fine by using value="\"".$_POST['fieldname']. When I test this, though, it is not saving the comments field. Is there a different code I do not know about, or is it a placement issue? Any help would be most appreciated.
Code:
<?php function printForm($strMessage){ echo "<strong>" .$strMessage."</strong>"; echo "<form method=\"post\" action=\"" .$_SERVER['PHP_SELF']. "\" name=\"form\">\n<br>"; echo "Your Name: <input type=\"text\" Name=\"yname\" value=\"" .trim($_POST['yname'])."\"><br>"; echo "Your Email: <input type=\"text\" Name=\"yemail\" value=\"" .trim($_POST['yemail'])."\"><br>"; echo "Username: <input type=\"text\" Name=\"yusername\" value=\"" .trim($_POST['yusername'])."\"><br>"; echo "Password: <input type=\"password\" Name=\"pword\" value=\"" .trim($_POST['pword'])."\"><br>"; echo "Confirm Password: <input type=\"password\" Name=\"cpword\" value=\"" .trim($_POST['cpword'])."\"><br>"; echo "Comments: <textarea name=\"comments\" rows=\"5\" cols=\"20\" value=\"" .trim($_POST['comments'])."\"></textarea><br>"; echo "<input type=\"submit\" value=\"send\" Name=\"submit\"/>\n<br>"; echo "</form>\n"; } ?> <html> <head> <title>Self Submitting Sticky Form</title> <style>body { background-color:red; } </style> </head> <body> <?php if(isset($_POST['submit'])){ $yourname=trim($_POST['yname']); $youremail=trim($_POST['yemail']); $yourusername=trim($_POST['yusername']); $yourpassword=trim($_POST['pword']); $yourcpassword=trim($_POST['cpword']); if ($yourname==''){ $strMessage='Please enter your name.'; printForm($strMessage); } elseif ($youremail==''){ $strMessage='Please enter your email.'; printForm($strMessage); } elseif ($yourusername==''){ $strMessage='Please enter your username.'; printForm($strMessage); } elseif ($yourpassword==''){ $strMessage='Please enter your password.'; printForm($strMessage); } elseif ($yourcpassword==''){ $strMessage='Please confirm your password.'; printForm($strMessage); } elseif ($yourcpassword != $yourpassword){ $strMessage='passwords must match.'; printForm($strMessage); } elseif(strlen($yourpassword) <= 3 ){ $strMessage='passwords must be at least 4 characters.'; printForm($strMessage); } else{ $strMessage='Thank you. 
your information was sent.'; echo $strMessage; } } else{ $strMessage='Please enter all fields below:'; printForm($strMessage); } ?> </body> </html>
Also, I am sorry for my code showing up like this. I tried to wrap it in the code tags and this is how it displayed. I am also going to copy and paste it below without the code tags because I think I used them wrong.
<?php
function printForm($strMessage){
    echo "<strong>" .$strMessage."</strong>";
    echo "<form method=\"post\" action=\"" .$_SERVER['PHP_SELF']. "\" name=\"form\">\n<br>";
    echo "Your Name: <input type=\"text\" Name=\"yname\" value=\"" .trim($_POST['yname'])."\"><br>";
    echo "Your Email: <input type=\"text\" Name=\"yemail\" value=\"" .trim($_POST['yemail'])."\"><br>";
    echo "Username: <input type=\"text\" Name=\"yusername\" value=\"" .trim($_POST['yusername'])."\"><br>";
    echo "Password: <input type=\"password\" Name=\"pword\" value=\"" .trim($_POST['pword'])."\"><br>";
    echo "Confirm Password: <input type=\"password\" Name=\"cpword\" value=\"" .trim($_POST['cpword'])."\"><br>";
    echo "Comments: <textarea name=\"comments\" rows=\"5\" cols=\"20\" value=\"" .trim($_POST['comments'])."\"></textarea><br>";
    echo "<input type=\"submit\" value=\"send\" Name=\"submit\"/>\n<br>";
    echo "</form>\n";
}
?>
<html>
<head>
<title>Self Submitting Sticky Form</title>
<style>body {
    background-color:red;
}
</style>
</head>
<body>
<?php
if(isset($_POST['submit'])){
    $yourname=trim($_POST['yname']);
    $youremail=trim($_POST['yemail']);
    $yourusername=trim($_POST['yusername']);
    $yourpassword=trim($_POST['pword']);
    $yourcpassword=trim($_POST['cpword']);
    if ($yourname==''){
        $strMessage='Please enter your name.';
        printForm($strMessage);
    }
    elseif ($youremail==''){
        $strMessage='Please enter your email.';
        printForm($strMessage);
    }
    elseif ($yourusername==''){
        $strMessage='Please enter your username.';
        printForm($strMessage);
    }
    elseif ($yourpassword==''){
        $strMessage='Please enter your password.';
        printForm($strMessage);
    }
    elseif ($yourcpassword==''){
        $strMessage='Please confirm your password.';
        printForm($strMessage);
    }
    elseif ($yourcpassword != $yourpassword){
        $strMessage='passwords must match.';
        printForm($strMessage);
    }
    elseif(strlen($yourpassword) <= 3 ){
        $strMessage='passwords must be at least 4 characters.';
        printForm($strMessage);
    }
    else{
        $strMessage='Thank you. your information was sent.';
        echo $strMessage;
    }
}
else{
    $strMessage='Please enter all fields below:';
    printForm($strMessage);
}
?>
</body>
</html>
February 13th, 2013, 03:37 AM
-
Hi,
a textarea doesn't have a value attribute. Its content is what you write between the tags (that's why it's a non-empty element).
Apart from that, you seriously need to work on the security of your script:
The 6 worst sins of security.
Check 2. especially, but the other vulnerabilities might apply as well.
Also, do not use $_SERVER['PHP_SELF'], as this can often be controlled by the visitor and used to inject arbitrary content. Simply hard code the script name.
Last edited by Jacques1; February 13th, 2013 at 03:41 AM.
February 13th, 2013, 08:38 PM
-
Originally Posted by Jacques1
Hi,
a textarea doesn't have a value attribute. Its content is what you write between the tags (that's why it's a non-empty element).
Apart from that, you seriously need to work on the security of your script:
The 6 worst sins of security.
Check 2. especially, but the other vulnerabilities might apply as well.
Also, do not use $_SERVER['PHP_SELF'], as this can often be controlled by the visitor and used to inject arbitrary content. Simply hard code the script name.
Thank you very much, this does help a bit, and I will be reading into this security as I am sure it can help me greatly. Can you tell me, however, how to make my form save the person's comments if they miss a field? The way it is set right now, if they miss something on the form their comments are gone too; that's what's really confusing me. Thanks
February 13th, 2013, 08:47 PM
-
Did you read the first sentence about the "value" attribute?
February 13th, 2013, 08:50 PM
-
Originally Posted by Jacques1
Did you read the first sentence about the "value" attribute?
Yes, I know I should be taking this out.
February 13th, 2013, 08:59 PM
-
By tinkering with my code, I found that if I place the value before or after my textarea it will save the comment, but not in the comment box, so I am assuming I am getting closer to getting it right.
February 13th, 2013, 09:15 PM
-
Please post your code (the textarea should be enough).
February 13th, 2013, 09:33 PM
-
Originally Posted by Jacques1
Please post your code (the textarea should be enough).
I have been messing with it, trying so many different combinations, and I cannot seem to figure out how I had it. Like this it does work, but it is still not saving users' comments.
Code:
echo "Comments: <textarea name=\"comments\" rows=\"5\" cols=\"20\"></textarea><br>";
I am assuming this is because I am not using .trim($_POST['comments']), but I cannot figure out how to place it exactly.
February 13th, 2013, 09:38 PM
-
Originally Posted by ak4744710
I am assuming this is because I am not using .trim($_POST['comments']), but I cannot figure out how to place it exactly.
In the textarea element, between <textarea> and </textarea> (just like with "div" elements or "span" or whatever).
PHP Code:
<?php
// put this in some global script and use it whenever you output a variable
function html_escape($raw_input) {
    return htmlspecialchars($raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}
echo 'Comments: <textarea name="comments" rows="5" cols="20">' . html_escape(trim($_POST['comments'])) . '</textarea><br>';
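
The advice in this thread combined into one sticky form, as an added example that is not code from any poster: every re-displayed value is escaped, the textarea content sits between its tags, and the form action is hard-coded instead of taken from $_SERVER['PHP_SELF']. The script name form.php, the helpers posted() and render_form(), the sample submission, and leaving the password fields empty are assumptions of this example.

```php
<?php
// Added example: field names come from the form posted in the thread;
// 'form.php' is an assumed placeholder for the real script name.

function html_escape($raw_input) {
    return htmlspecialchars((string) $raw_input, ENT_QUOTES | ENT_HTML401, 'UTF-8');
}

// Hypothetical helper: trimmed POST value, or '' on the first page load
// (or when the field arrives as an array instead of a string).
function posted($name) {
    return isset($_POST[$name]) && is_string($_POST[$name]) ? trim($_POST[$name]) : '';
}

// Hypothetical helper: builds the form with all submitted text re-filled.
function render_form($message) {
    $text_fields = array(
        'yname'     => 'Your Name',
        'yemail'    => 'Your Email',
        'yusername' => 'Username',
    );
    $html  = '<strong>' . html_escape($message) . '</strong>' . "\n";
    // Hard-coded action, as recommended in the thread, not $_SERVER['PHP_SELF'].
    $html .= '<form method="post" action="form.php">' . "\n";
    foreach ($text_fields as $name => $label) {
        $html .= $label . ': <input type="text" name="' . $name . '" value="'
               . html_escape(posted($name)) . '"><br>' . "\n";
    }
    // Choice made in this example: passwords are not written back into the page.
    $html .= 'Password: <input type="password" name="pword"><br>' . "\n";
    $html .= 'Confirm Password: <input type="password" name="cpword"><br>' . "\n";
    // A textarea has no value attribute; its content goes between the tags.
    $html .= 'Comments: <textarea name="comments" rows="5" cols="20">'
           . html_escape(posted('comments')) . '</textarea><br>' . "\n";
    $html .= '<input type="submit" name="submit" value="send">' . "\n" . '</form>' . "\n";
    return $html;
}

// Constructed sample submission: the email is missing, and the comment contains
// characters that would break the markup if echoed without escaping.
$_POST = array(
    'yname'    => 'Ann',
    'yemail'   => '',
    'comments' => 'Nice form </textarea> & "thanks"',
    'submit'   => 'send',
);
echo render_form('Please enter your email.');
```

Run from the command line, the comment comes back inside the textarea as `Nice form &lt;/textarea&gt; &amp; &quot;thanks&quot;`, so the browser shows the text exactly as typed and the element is not closed early.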