stackoom
  简体   繁体   中英

Validation errors when using echo PHP variable as value of input field

 原文  2018-02-04 23:46:53       php/ w3c-validation

Question

I have a simple HTML form and I use PHP to validate user input. If there are errors in the form I redisplay the form, keeping the values that are okay so the user can modify only the fields that have errors. Everything works as expected but when I tried validating the markup I got errors on this line:

<input type="text" name="hours" value="<?php echo $hoursWorked; ?>" />

Here's the function that redisplays the form:

  function redisplayForm($hoursWorked, $hourlyWage) {
    ?> <h2 style = "text-align:center">Paycheck Form</h2>
    <form action="process_Paycheck.php" method="post">
    <p>Hours Worked: <input type="text" name="hours" value="<?php echo $hoursWorked;?>" /></p>
    <p>Hourly Wage: <input type="text" name="wage" value="<?php echo $hourlyWage;?>" /></p>
    <p><input type="reset" value="Clear Form" />&nbsp;
        &nbsp;<input type="submit" name="Submit" value="Send Form" /></p>
    </form>
    <?php }

When I uploaded the .php source file to validate the markup I got these error messages and for each of these errors the opening " after value= is highlighted in red:

Character "<" is the first character of a delimiter but occurred as data

Unescaped '<' not allowed in attributes values

Attributes construct error

How can I fix this so I don't get validation errors?

1 answers

solution1
 0  2018-02-05 06:57:00

As you have already known from the comments, the W3C Validator cannot be used to validate the PHP files. If the page can be accessed from the Internet then use its URL, otherwise use the browser's "View Source" command to view the generated HTML and copy-paste the HTML into the validator.

This is not a limitation of W3C Validator. There is no way to validate the HTML by looking at the PHP source. PHP is a dynamic language, by executing the code you can get different HTML output depending on the input.

Without using any validator, the code you posted has one strong flaw: if $hoursWorked is a string that contains " (double quotes), the generated HTML is incorrect pieces of markup are rendered as text by the browser.

Imagine what happens if $hoursWorked is '2">' . The generated HTML is:

<input type="text" name="hours" value="2">" />

and the fragment " /> becomes visible in the rendered output because it is not part of the markup any more.

This is what happens when dynamic content is rendered as HTML without being properly encoded as HTML. PHP provides the function htmlspecialcharacters() that must always be used to properly encode (as HTML) content that is used to generate HTML. Especially when the content is retrieved from an outside source (from the browser, fe). The code should be:

<input type="text" name="hours" value="<?php echo htmlspecialchars($hoursWorked); ?>" />
<input type="text" name="wage" value="<?php echo htmlspecialchars($hourlyWage); ?>" />

Other than that, the HTML generated by the posted code looks fine.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Echo PHP variable as an value of input field How to echo a PHP variable in a HTML input field? echo html in php with input value as php variable Get value of input field using php into variable Echo an input field value in a php page PHP echo variable validation echo value is different when that variable is passed in php Echo the input value in Php Shorthand check if variable isset or not and echo them to value of input field Echo PHP Variable to Button Value Then Send Button Value to Input text
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM