Reputation: 11255
Input fields for passwords usually accept a wider range of characters than text inputs. The normal way of escaping an input on an HTML form involves using htmlspecialchars($_POST['content']) on the input contents.
What if, in the scenario of a failed validation of a password update process, I require the new password to repopulate on the HTML form? Something like '> yeah would have caused the form to malfunction, and using htmlspecialchars would produce a totally different password.
Any suggestions?
The html portion as shown:
<INPUT type=password name=password1 value=''><script>try' size=15 maxlength=15>
The corresponding php code:
function h($str) {echo htmlspecialchars($str);}
echo "<INPUT type=password name=password1 value='", h(@$_POST['password1']), "' size=15 maxlength=15>";
Blank is shown in the form input field.
UPDATE
The problem lies with my htmlspecialchars, which does not escape single quotes by default. Adding the ENT_QUOTES parameter allows the single quote to be escaped and solves my problem. deceze and CodeCaster are right that htmlspecialchars does not change the password. Thanks all.
Upvotes: 4
Views: 7133
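The failure from the question and the fix from the update, side by side, as an added example (not code from the question or the answers): the OP's single-quoted attribute is rendered with ENT_COMPAT and with ENT_QUOTES, and a round-trip check models the browser decoding the entities back into the original password. The sample password is constructed; the note that ENT_QUOTES only became the default in PHP 8.1 is an added caveat.

```php
<?php
// Added example (not code from the question or the answers): the OP's
// single-quoted <input> rendered with and without ENT_QUOTES, plus a
// round-trip check showing that escaping does not alter the password.

// Constructed sample password: the leading quote closes a single-quoted
// attribute, which is exactly the failure the question describes.
$password = "'><script>try";

// Builds the OP's markup, escaping the value with the given flags.
function password_field(string $value, int $flags): string
{
    return "<INPUT type=password name=password1 value='"
        . htmlspecialchars($value, $flags, 'UTF-8')
        . "' size=15 maxlength=15>";
}

// ENT_COMPAT (the default before PHP 8.1) escapes < > & and the double
// quote but leaves the single quote alone, so the attribute ends at the
// first character of the password and the field renders empty.
echo password_field($password, ENT_COMPAT), "\n";

// ENT_QUOTES escapes the single quote as well, so the attribute holds the
// whole value; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output.
echo password_field($password, ENT_QUOTES | ENT_SUBSTITUTE), "\n";

// The browser decodes the entities inside the attribute before it displays
// or submits the value, which is why escaping does not yield a "different
// password". html_entity_decode() models that browser step.
function survives_round_trip(string $value): bool
{
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return html_entity_decode($escaped, ENT_QUOTES, 'UTF-8') === $value;
}

echo survives_round_trip($password)
    ? "round trip ok: the submitted value equals the original password\n"
    : "round trip changed the value\n";
```

The single quote only matters because the attribute is single-quoted; with a double-quoted attribute the ENT_COMPAT default already escapes the terminating character, but passing ENT_QUOTES everywhere removes the dependency on how each template quotes its attributes.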
Reputation: 151604
Separate display logic from data logic.
Before you want to display data on an HTML page, use htmlspecialchars(). If you're about to store it in a database, use the appropriate SQL escaping method (like mysql_real_escape_string()).
By the way, if an input element contains for example &gt;, it will be seen as > when posted.
Upvotes: 3
Reputation: 157889
The normal way of escaping an input on HTML form involves using htmlspecialchars($_POST['content']) on the input contents.
That's not the normal but rather the wrong way.
Escaping HTML is normally used for output, not for input.
What if, in the scenario of a failed validation of a password update process, I require the new password to repopulate on the HTML form?
That's a dangerous practice, and most services ask a user to re-enter the password on such an occasion.
to repopulate on the HTML form?
Here goes HTML escaping. Unlike other cases, HTML escaping is obligatory here, when you populate form values.
Upvotes: 1
Reputation: 522165
No, htmlspecialchars would not produce a totally different password. It would produce value="&gt; yeah" which, when parsed by the browser, is read as > yeah. Password fields are not in any way special in the treatment of special or non-special characters.
Upvotes: 3
Reputation: 258618
You can use htmlspecialchars_decode() to decode your password.
http://www.php.net/manual/en/function.htmlspecialchars-decode.php
I however don't see the reason for repopulating the password input if the password was wrong, nor do I think it's safe. I also hope you're not saving passwords in text format in your database.
Upvotes: 1