0

I am trying to submit a form with HTML data in it to my server, but it appears to be stripping it out and I can't seem to figure out why.

If I do file_get_contents("php://input") I can see my content in the raw form:

action=submit&content=%3Cp%3EAnteater+Alumni%3A+Help+current+UCI+students+reach+their+goal+of+raising+%2...registration+form%3C%2Fa%3E.%3C%2Fp%3E

But if I do print_r($_POST['content']); I see the text WITHOUT any HTML formatting. It is like PHP is stripping it out somehow.

I tried the following:

$data = file_get_contents("php://input");
$output = array();
parse_str($data, $output);

But this just outputs an empty array

magic_quotes_gpc is off. I have nothing else in the script modifying the content in any way.

Any ideas at all?

UPDATE: I am aware of the HTML being displayed in the browser. I am using a browser as well as curl, and dumping the content as text/plain -- the HTML formatting in the browser is not the problem.

4
  • are you using some framework? Commented Jul 11, 2010 at 21:33
  • No, no framework at all. (I just have this in a bare php file) Commented Jul 11, 2010 at 21:36
  • Use phpinfo() and look for any strange stuff. Also, what host service are you using? If it's shared hosting, it might be some funny stuff their side. Commented Jul 11, 2010 at 21:47
  • @Christian - I can't see anything in phpinfo that seems out of the ordinary. I am using my own hosting (I have a VM dedicated). I thought it could be mod_security, but then php://input would have been cleaned, but it is not - so it's not mod_security. Commented Jul 11, 2010 at 21:51

2 Answers 2

3

Remember that print_r()'s output will be viewed in the browser. Unless you take special steps to handle the HTML, the browser's going to see HTML and render it as such. Unless you view the source of the page, all you'll see is the text content.

To view the uploaded HTML directly, you'd have to run it through htmlentities()/htmlspecialchars() first, which'll encode any HTML metacharacters (e.g. > to &gt;).

As well, unless you have a special need for it, there's no reason to retrieve form submission data from php://input. That's the raw data, and most likely you'd just be parsing it anyways, which PHP has already done for you with the _GET/_POST arrays. On top of that, if the submission includes a file upload, you'll be slurping that entire file into memory, which could very well exceed your script's memory_limit and kill things right there.

There's also a note in the I/O streams PHP man page that php://input can only be read once. If your script's doing it multiple times, the second and subsequent reads will get a null.


2 Comments

The HTML in the browser is not the problem. I have viewed the source/used curl and many other things. I read php://input just to verify that my submission wasn't being cleaned by mod_security or something.
mod_security would do its thing long before PHP ever received the data from Apache. Not much point to having mod_security standing guard at the front door if PHP's out on the front lawn with a ladder leading up to the 2nd floor.
1

Are you using a Framework? Check nothing is iterating through the array beforehand ie.

foreach ($_POST as $key=>$val)
{
  $_POST[$key] = strip_tags($val);
}

also check you've not got any defunct mod_security rules enabled (http://www.modsecurity.org/) of course that depends on if you're using mod_sec!

try doing this

echo '<pre>';
print_r($_REQUEST);
echo '</pre>';

and

foreach ($_POST as $key=>$val)
{
  echo $key .' = '. htmlentities($val) . '<br />';

}

just to double check you're not missing something :)

EDIT: try this:

foreach ($_REQUEST as $key=>$val)
{
  echo $key .' = '. htmlentities($val) . '<br />';

}

5 Comments

Did that. There is no framework, there is nothing else iterating the POST loop (that I can see)
Ok, can you run the edited code sample and tell me the output cheers!
wow that's very strange - you've tried just creating another independent script with just a simple form, right? Double check the form action is set to POST (as mod_security might be escaping _GET only.)
@Kieran - I have a single PHP file just to test this problem, I am using POST - not GET. So far my solution is to just use explode and a loop to parse the raw php://input to work around the problem.
@Kieran: Your code is missing concatenation operators after $key.
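
A diagnostic along the lines discussed in this thread, as an added example that is not part of any post above: it decodes the raw body by hand (the explode-and-loop approach mentioned in the comments), compares each field with $_POST, and reports as text/plain so no markup is rendered. The function names parse_urlencoded and diff_fields are hypothetical, and it assumes a urlencoded POST with flat field names containing no dots or spaces.

```php
<?php
// Added diagnostic, not from the thread. Assumes flat (non-array) field names.

/** Decode an application/x-www-form-urlencoded body without PHP's own request parser. */
function parse_urlencoded(string $raw): array
{
    $fields = [];
    foreach (explode('&', $raw) as $pair) {
        if ($pair === '') {
            continue;
        }
        $parts = explode('=', $pair, 2);
        $fields[urldecode($parts[0])] = urldecode($parts[1] ?? '');
    }
    return $fields;
}

/** One report line per field whose value in $fromPost differs from the raw body. */
function diff_fields(array $fromRaw, array $fromPost): array
{
    $report = [];
    foreach ($fromRaw as $name => $rawValue) {
        $postValue = $fromPost[$name] ?? null;
        if ($postValue === $rawValue) {
            continue;
        }
        $report[] = sprintf(
            '%s: raw=%d bytes, parsed=%s, equals strip_tags(raw)=%s',
            $name,
            strlen($rawValue),
            is_string($postValue) ? strlen($postValue) . ' bytes' : 'missing or not a string',
            $postValue === strip_tags($rawValue) ? 'yes' : 'no'
        );
    }
    return $report;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample body; array_map('strip_tags', ...) simulates a filter.
    $fromRaw = parse_urlencoded('action=submit&content=%3Cp%3EHello+%3Cb%3Eworld%3C%2Fb%3E%3C%2Fp%3E');
    $report  = diff_fields($fromRaw, array_map('strip_tags', $fromRaw));
} else {
    // Web request: php://input is read once; plain text keeps markup from rendering.
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    $report = diff_fields(parse_urlencoded(file_get_contents('php://input')), $_POST);
}
echo $report ? implode("\n", $report) . "\n" : "raw body and parsed fields agree\n";
```

A "yes" in the last column means the parsed value is exactly what strip_tags() would produce from the raw value, which points at something filtering the request data before the script body runs.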
