
Code revealed to user!

I am collecting information from users.

In one box they can enter a name, as this can have a pre existing
value read in from a MySql database I read in a value and suggest it
in the box. The user can accept this name or enter their own.

However, as much as I test I can not recreate an error some users are
experiencing. It seems some browsers are revealing my php source code
to the user or at the very least entering the source code as the
value.

The offending row of code is..

<td class="scfboxtext" width="700" colspan="2">
<input name="acceptnmn" type="text" class="scfmfrm_inp" id="acceptnmn"
value="<?= $acceptnmn ?>" size="80" maxlength="100">
</td>

The value $acceptnmn is read in from a mysql database and displayed, a
null value displays a null value and any name entered is displayed
correctly.

In about 20% of cases the users decide not to enter a value in this
box. Usually (and every time I test) a blank value is entered into the
mysql database. However in some of the cases where no name is entered
I am astonished to see the following value in the mysql database...

<?= $acceptnmn ?>

Exactly that, nothing else, nothing less.

When the user then reuses this entry form the value

<?= $acceptnmn ?>

..... is now suggested as a value, revealing more than I want to reveal
to the user.

(ie in these cases the code <?= $acceptnmn ?> actually reads in <?=
$acceptnmn ?> as the value.)

The browser is thus displaying <?= $acceptnmn ?> as the assigned value
to $acceptnmn

I have always thought that browsers will not show this code to the
user. That is only happening on some may be because Firefox or
something else is misreading the code.

Any help greatly appreciated

Garry Jones
Sweden
Dec 16 '07 #1
16 Replies


"GarryJones" <mo****@algonet.se> wrote in message
news:06**********************************@r60g2000 hsc.googlegroups.com...
> I am collecting information from users.
>
> In one box they can enter a name, as this can have a pre existing
> value read in from a MySql database I read in a value and suggest it
> in the box. The user can accept this name or enter their own.
>
> However, as much as I test I can not recreate an error some users are
> experiencing. It seems some browsers are revealing my php source code
> to the user or at the very least entering the source code as the
> value.
>
> The offending row of code is..
>
> <td class="scfboxtext" width="700" colspan="2">
> <input name="acceptnmn" type="text" class="scfmfrm_inp" id="acceptnmn"
> value="<?= $acceptnmn ?>" size="80" maxlength="100">
> </td>

Try replacing "<?= $acceptnmn ?>" with <? echo $acceptnmn ?>.
The browsers only show what they receive in the doc returned by the server.
HTH
Vince
Dec 16 '07 #2

GarryJones wrote:
> I am collecting information from users.
>
> In one box they can enter a name, as this can have a pre existing
> value read in from a MySql database I read in a value and suggest it
> in the box. The user can accept this name or enter their own.
>
> However, as much as I test I can not recreate an error some users are
> experiencing. It seems some browsers are revealing my php source code
> to the user or at the very least entering the source code as the
> value.
>
> The offending row of code is..
>
> <td class="scfboxtext" width="700" colspan="2">
> <input name="acceptnmn" type="text" class="scfmfrm_inp" id="acceptnmn"
> value="<?= $acceptnmn ?>" size="80" maxlength="100">
> </td>
>
> The value $acceptnmn is read in from a mysql database and displayed, a
> null value displays a null value and any name entered is displayed
> correctly.
>
> In about 20% of cases the users decide not to enter a value in this
> box. Usually (and every time I test) a blank value is entered into the
> mysql database. However in some of the cases where no name is entered
> I am astonished to see the following value in the mysql database...
>
> <?= $acceptnmn ?>
>
> Exactly that, nothing else, nothing less.
>
> When the user then reuses this entry form the value
>
> <?= $acceptnmn ?>
>
> .... is now suggested as a value, revealing more than I want to reveal
> to the user.
>
> (ie in these cases the code <?= $acceptnmn ?> actually reads in <?=
> $acceptnmn ?> as the value.)
>
> The browser is thus displaying <?= $acceptnmn ?> as the assigned value
> to $acceptnmn
>
> I have always thought that browsers will not show this code to the
> user. That is only happening on some may be because Firefox or
> something else is misreading the code.
>
> Any help greatly appreciated
>
> Garry Jones
> Sweden

Hi, Garry,

The problem is you're using short tags (bad), and your server has short
tags disabled (short_open_tag=off in your php.ini file) (good).

You should get in the habit of using long open tags, like Vince
indicated. Short open tags can get confusing, especially if you use XML
(which has the same <? open tag).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Dec 16 '07 #3
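
An added example, not part of the thread or any poster's code: a Python check for the failure described above, where a server that does not recognise <? / <?= sends the tag to the browser as literal text and the form then posts it back into the database. It flags short open tags in a template and finds stored values that still contain a PHP tag. The template lines beyond the thread's own row, the $other and $x variables and the sample rows are constructed, and it assumes PHP of the thread's era (since PHP 5.4, <?= is recognised regardless of short_open_tag).

```python
import re

# "<?" or "<?=", but not the long "<?php" tag or an "<?xml" declaration.
SHORT_TAG = re.compile(r"<\?(?!php\b|xml\b)=?", re.IGNORECASE)

# Constructed sample: the thread's row plus hypothetical lines for contrast.
TEMPLATE = '''<?xml version="1.0"?>
<td class="scfboxtext" width="700" colspan="2">
<input name="acceptnmn" type="text" class="scfmfrm_inp" id="acceptnmn"
value="<?= $acceptnmn ?>" size="80" maxlength="100">
<input name="other" type="text" value="<?php echo $other; ?>">
<? if ($x) { ?>
</td>'''

# Constructed sample rows, as they might come back from the database.
ROWS = [
    {"id": 1, "acceptnmn": ""},
    {"id": 2, "acceptnmn": "<?= $acceptnmn ?>"},
    {"id": 3, "acceptnmn": "Anna Svensson"},
    {"id": 4, "acceptnmn": None},
]

def find_short_tags(source):
    """Return (line_number, tag, line_text) for each short open tag.

    With short tags unrecognised, PHP passes these through as plain text.
    """
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in SHORT_TAG.finditer(line):
            hits.append((lineno, match.group(0), line.strip()))
    return hits

def leaked_template_values(rows, column):
    """Return rows whose stored value still contains a PHP open tag."""
    return [row for row in rows if "<?" in (row.get(column) or "")]

if __name__ == "__main__":
    for lineno, tag, text in find_short_tags(TEMPLATE):
        print(f"line {lineno}: short tag {tag!r} in: {text}")
    for row in leaked_template_values(ROWS, "acceptnmn"):
        print(f"row {row['id']}: stored value is template code: {row['acceptnmn']}")
```
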

"Jerry Stuckle" <js*******@attglobal.net> wrote in message
news:m6******************************@comcast.com. ..
> Hi, Garry,
>
> The problem is you're using short tags (bad), and your server has short
> tags disabled (short_open_tag=off in your php.ini file) (good).
>
> You should get in the habit of using long open tags, like Vince
> indicated. Short open tags can get confusing, especially if you use XML
> (which has the same <? open tag).

Actually I overlooked/missed the short tag. And Jerry is being more kind to
me than I deserve.

Vince
Dec 16 '07 #4

On Sun, 16 Dec 2007 13:26:09 +1000, Vince Morgan wrote:
> Actually I overlooked/missed the short tag. And Jerry is being more kind
> to me than I deserve.
>
> Vince

Thanks for the question and the answer. My server had that set to On,
just fixed it.

--
// This is my opinion.
Dec 16 '07 #5

GarryJones wrote:
> The offending row of code is..
>
> <td class="scfboxtext" width="700" colspan="2">
> <input name="acceptnmn" type="text" class="scfmfrm_inp" id="acceptnmn"
> value="<?= $acceptnmn ?>" size="80" maxlength="100">
> </td>

an unrelated question from a newbie:

why do you use the equal sign in <?= $acceptnmn ?>
instead of just <?php $acceptnmn ?>

Wouldn't the variable just be replaced by the value ?

bill
Dec 16 '07 #6

jebblue wrote:
> On Sun, 16 Dec 2007 13:26:09 +1000, Vince Morgan wrote:
>> Actually I overlooked/missed the short tag. And Jerry is being more kind
>> to me than I deserve.
>>
>> Vince
>
> Thanks for the question and the answer. My server had that set to On,
> just fixed it.

But you miss the fact you do not WANT it turned on. It will cause
problems if you ever have an XML page on your site. I expect the option
will be removed in a future release.

You should turn it off and use <?php start tags, instead.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Dec 16 '07 #7

bill wrote:
> GarryJones wrote:
>> The offending row of code is..
>>
>> <td class="scfboxtext" width="700" colspan="2">
>> <input name="acceptnmn" type="text" class="scfmfrm_inp" id="acceptnmn"
>> value="<?= $acceptnmn ?>" size="80" maxlength="100">
>> </td>
>
> an unrelated question from a newbie:
>
> why do you use the equal sign in <?= $acceptnmn ?>
> instead of just <?php $acceptnmn ?>
>
> Wouldn't the variable just be replaced by the value ?
>
> bill

Bill,

That statement is a no-op. Sure, the variable will be replaced by the
value, but there is nothing to tell PHP to display it.

You need to tell PHP you want it displayed. In this specific instance
the '=' acts as an output operator. It's equivalent to

<?php echo $acceptnmn; ?>

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Dec 16 '07 #8

Thanks guys, one further question.

> You need to tell PHP you want it displayed. In this specific instance
> the '=' acts as an output operator. It's equivalent to
>
> <?php echo $acceptnmn; ?>

Is that the same as

<?php echo $acceptnmn ?>

ie do you need the semicolon.

.... and one further question...

I have only ever used <?= and never <?php echo and I have used this
method with short tags on many forms for a couple of years so why I
have never seen this actual error before and can there be more to it?

In this particular case users are signing in a name of the person who
has keyed in the data for future reference. In some cases they don't
need to (trusted users) and then a blank name or omitted name is okay,
but in other cases they need to and it is just with these that I am
having problems.

Garry Jones
Sweden
Dec 16 '07 #9

GarryJones wrote:
> Thanks guys, one further question.
>
>> You need to tell PHP you want it displayed. In this specific instance
>> the '=' acts as an output operator. It's equivalent to
>>
>> <?php echo $acceptnmn; ?>
>
> Is that the same as
>
> <?php echo $acceptnmn ?>
>
> ie do you need the semicolon.

The semicolon isn't absolutely required here, but don't get lazy and
omit it. It's only one character, and you'll have a lot more trouble if
you don't put it in when needed.

> ... and one further question...
>
> I have only ever used <?= and never <?php echo and I have used this
> method with short tags on many forms for a couple of years so why I
> have never seen this actual error before and can there be more to it?

It only works with short tags enabled. So either the servers you were
on had short tags enabled or you never saw the php code on your page.

Additionally, most shared hosts now run with short tags disabled. It's
been the default since PHP 4.1 or so (I don't remember the exact release).

> In this particular case users are signing in a name of the person who
> has keyed in the data for future reference. In some cases they don't
> need to (trusted users) and then a blank name or omitted name is okay,
> but in other cases they need to and it is just with these that I am
> having problems.
>
> Garry Jones
> Sweden

You need some other way to determine if the name is required or not.
How do you tell if they are a trusted user or not?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Dec 16 '07 #10

Vince Morgan wrote:
> "Jerry Stuckle" <js*******@attglobal.net> wrote in message
> news:m6******************************@comcast.com. ..
>> Hi, Garry,
>>
>> The problem is you're using short tags (bad), and your server has short
>> tags disabled (short_open_tag=off in your php.ini file) (good).
>>
>> You should get in the habit of using long open tags, like Vince
>> indicated. Short open tags can get confusing, especially if you use XML
>> (which has the same <? open tag).
>
> Actually I overlooked/missed the short tag. And Jerry is being more kind to
> me than I deserve.
>
> Vince

Naw, Vince, it was just an honest misteak :-)

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Dec 16 '07 #11

Jerry Stuckle wrote:
> But you miss the fact you do not WANT it turned on. It will cause
> problems if you ever have an XML page on your site.

I think you're overstating the problems slightly.

It will cause a minor inconvenience if you ever want to generate XML via
PHP, in that processing instructions will need to be explicitly echoed.

--
Toby A Inkster BSc (Hons) ARCS
[Geek of HTML/SQL/Perl/PHP/Python/Apache/Linux]
[OS: Linux 2.6.17.14-mm-desktop-9mdvsmp, up 9 days, 1:18.]

Sharing Music with Apple iTunes
http://tobyinkster.co.uk/blog/2007/1...tunes-sharing/
Dec 16 '07 #12

> It will cause a minor inconvenience if you ever want to generate XML via
> PHP, in that processing instructions will need to be explicitly echoed.

It will cause a major inconvenience, if you ever want to use PHP6.

Guys, just get it: Just because it works somehow, it's not less bad.
Dec 16 '07 #13

On Sun, 16 Dec 2007 08:14:45 -0500, Jerry Stuckle wrote:
> jebblue wrote:
>> Thanks for the question and the answer. My server had that set to On,
>> just fixed it.
>
> But you miss the fact you do not WANT it turned on. It will cause
> problems if you ever have an XML page on your site. I expect the option
> will be removed in a future release.
>
> You should turn it off and use <?php start tags, instead.

I'm confused, I said I fixed it meaning I turned it off, it was set to
on, that's what to do right?

--
// This is my opinion.
Dec 16 '07 #14

Jonas Werres wrote:
>> It will cause a minor inconvenience if you ever want to generate XML via
>> PHP, in that processing instructions will need to be explicitly echoed.
>
> It will cause a major inconvenience, if you ever want to use PHP6.

Let's not spread misinformation here. Short tags *will* stay in Php6:
http://www.php.net/~derick/meeting-n...nd-add-php-var

--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Nothing he's got he really needs
Twenty first century schizoid man.
***********************************

Dec 16 '07 #15

jebblue wrote:
> On Sun, 16 Dec 2007 08:14:45 -0500, Jerry Stuckle wrote:
>> jebblue wrote:
>>> Thanks for the question and the answer. My server had that set to On,
>>> just fixed it.
>>
>> But you miss the fact you do not WANT it turned on. It will cause
>> problems if you ever have an XML page on your site. I expect the option
>> will be removed in a future release.
>>
>> You should turn it off and use <?php start tags, instead.
>
> I'm confused, I said I fixed it meaning I turned it off, it was set to
> on, that's what to do right?

OK, I misunderstood that. I thought you meant you fixed your code to
run with it on.

Just a slight misunderstanding. You are correct to have it off.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Dec 17 '07 #16

Toby A Inkster wrote:
> Jerry Stuckle wrote:
>> But you miss the fact you do not WANT it turned on. It will cause
>> problems if you ever have an XML page on your site.
>
> I think you're overstating the problems slightly.
>
> It will cause a minor inconvenience if you ever want to generate XML via
> PHP, in that processing instructions will need to be explicitly echoed.

Toby,

Much more than a "minor inconvenience" if you ever do anything with XML.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Dec 17 '07 #17
