I have PHP code as shown below in which, on a POST call, I am getting an encrypted value instead of the character. For example, on entering Hello World' I get this Hello World' instead of Hello World' on the console (from Line Z).

In the form_validator.php, I am using the following:

<?php
// form_validator.php: echo back whatever the form posted in "response".
$response = isset($_POST["response"]) ? $_POST["response"] : null;
print_r($response); // this is what appears in the console at Line Z

In the form.php, I have the following code:

<form id="abcdef" name="abcdef" action="#" method="post">
  <table width="100%" class="wb-tables table">
    <tr>
      <td>
        <?php echo SECRET_RESPONSE;?>:
      </td>
      <td colspan="2"><input type="text" id="response" name="response" value="" /></td>
    </tr>
  </table>
  <!-- the button the script below binds to -->
  <button type="button" id="save">Save</button>
</form>

<!-- jQuery must be loaded before the script below -->
<script src="https://code.jquery.com/jquery-3.6.0.min.js"></script>
<script>
  $("#save").click(function () {
    // serialize() produces standard URL-encoded form data
    $.post('form_validator.php', $("#abcdef").serialize(), function (data) {
      console.log(data); // Line Z
    }); // end function(data)
  });
</script>

In the config.php, I have the following:

<?php
// config.php: runs before every request and replaces the superglobals
// with sanitized copies.
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
$_REQUEST = (array) $_POST + (array) $_GET + (array) $_REQUEST;

Problem Statement:

I am wondering what changes I need to make in the PHP code above so that it takes the character itself instead of the HTML-coded apostrophe.

Comments:

  • print_r formats results, try just using echo (commented Aug 11, 2022 at 19:34)
  • You can try to set the encoding of the page containing the form to e.g. <meta charset="utf-8" />. IMHO this should tell the jQuery post function to encode properly. (commented Aug 11, 2022 at 20:08)
  • Have you looked into html_entity_decode() and htmlspecialchars_decode()? (commented Aug 11, 2022 at 20:19)
  • I cannot reproduce this at all. jQuery doesn't transform the request data and PHP doesn't encode the response, no matter if you use print_r or echo. There must be something else involved with your particular setup. (commented Aug 12, 2022 at 2:04)
  • @Phil I have included the config.php file. Let me know if that helps. (commented Aug 14, 2022 at 14:55)

3 Answers

The problem is in your config.php where you have the following line:

$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

This will HTML-encode single and double quotes in the input, as defined in the Sanitize filters chapter of the manual:

FILTER_SANITIZE_STRING

Strip tags and HTML-encode double and single quotes, optionally strip or encode special characters. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. (Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.)

If you don't want to convert any single or double quotes in their respective HTML-encoded strings, then use the flag FILTER_FLAG_NO_ENCODE_QUOTES or don't use the FILTER_SANITIZE_STRING filter (it is deprecated anyway).
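The following is an added example, not code from the question or from either answer. It shows what the config.php filter does to a quote, what FILTER_FLAG_NO_ENCODE_QUOTES changes, and the non-deprecated pattern of keeping the raw value and escaping only where it is written into HTML; the sample input and the helper name escapeForHtml are constructed for the demonstration.

```php
<?php
// Added example, not code from the question or the answers. Demonstrates the
// FILTER_SANITIZE_STRING behaviour described above and the usual alternatives.

// Constructed sample input, standing in for $_POST["response"].
$raw = "Hello World' <b>x</b> \"q\"";

// 1. What the original config.php does: strip tags and turn ' and " into
//    &#39; and &#34;. Deprecated since PHP 8.1, hence the @ to silence the
//    E_DEPRECATED notice for this demonstration.
$sanitized = @filter_var($raw, FILTER_SANITIZE_STRING);

// 2. Same filter, but quotes are left alone (the flag the accepted answer names).
$quotesKept = @filter_var($raw, FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);

// 3. Recommended replacement: keep the raw string exactly as received and
//    escape it only where it is embedded in HTML. ENT_QUOTES covers both
//    quote styles, so the value cannot break out of an attribute or element,
//    and < > & are escaped as well (which the deprecated filter only strips).
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// 4. If a value was already entity-encoded upstream (a framework's input
//    sanitizer, for instance), html_entity_decode() with matching flags
//    restores the literal characters.
$decoded = html_entity_decode($sanitized, ENT_QUOTES, 'UTF-8');

// Print as plain text so the browser (or CLI) shows the entities literally.
header('Content-Type: text/plain; charset=utf-8');
foreach ([
    'raw'                    => $raw,
    'FILTER_SANITIZE_STRING' => $sanitized,
    'NO_ENCODE_QUOTES'       => $quotesKept,
    'htmlspecialchars'       => escapeForHtml($raw),
    'html_entity_decode'     => $decoded,
] as $label => $value) {
    echo str_pad($label, 24), ': ', $value, "\n";
}
```

Run it under php-cli or as a page; the third line shows the quote preserved, the fourth shows how the same raw value is safely rendered at output time.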


@Progman's answer is how to fix your issue with configuration, and covers which argument flags you might want to use.

I wanted to ensure the why was better understood.

Your string is technically not encrypted; rather, it has been encoded: it has been transformed to an HTML "safe" equivalent using HTML character entities. You can read more about that here: https://developer.mozilla.org/en-US/docs/Glossary/Entity

But essentially, the ' has been converted to the HTML entity code &#39;. The idea is that it has become safe to embed in an HTML document without itself being interpreted as HTML, but simply as text.

It's a very similar concept to escaping strings, only specifically for HTML documents and web browsers.

All HTML entities can be represented as their literals or their entity codes. In this case ' can be written literally as ' or as &#39;.

Most scripting languages have functions to perform these conversions for you, such as PHP's html_entity_decode and htmlentities functions.

--

PHP frameworks: some frameworks will hook into your $_GLOBALS very early on, as the request is first received, and perform basic sanitization on your request data. If you are using such a framework, perhaps that would explain where the initial encoding is being performed.

The basic idea here is perhaps that, since such conversions are generally needed anyway for reuse of the request information, why not ensure it is normalized early on, and perhaps stored in any database in such a manner as to remain HTML "safe".


You seem to be serializing the input in jQuery before you send it to your PHP. You will need to decode it before you print it.

Check out https://www.php.net/manual/en/function.html-entity-decode as a place to start

1 Comment

api.jquery.com/serialize is explicitly made to create "a text string in standard URL-encoded notation", which is exactly what you want for a normal application/x-www-form-urlencoded data submission.
