
I have a piece of PHP code inside an HTML tag which is supposed to change the tag's style in accordance with the contents of the URL.

There is an html login form which looks like this:

<form class="userdata" action="login.php" method="post">
    <input type="text" name="email" placeholder="E-mail" <?php fillin('email'); enlight_unfilled('email');?>><br>
    <input type="password" name="pwd" placeholder="Password"><br>
    <button type="submit" name="login-submit">Login</button>
</form>

Here are the functions fillin and enlight_unfilled:

<?php
function fillin($key) {
    if (isset($_GET[$key])) echo "value=".$_GET[$key];
    else echo NULL;
}

function enlight_unfilled($key) {
    if (isset($_GET['error']))
        if (isset($_GET[$key]) and $_GET[$key] !== "") echo NULL;
        else echo "style='border-color: red'";
    else echo NULL;
}
?>

If I only apply one of the functions within the tag, they both do what they are expected to – either save the email in the field if it has been already typed in or enlighten the email field if it has been left empty. But if I apply them together, when the field is empty, php assigns the field value 'style='border-color:. I also tried to use functions like print and printf, but the result is the same:


I am a beginner at php coding and mixing it with html, so the question may appear to be dumb, but I did not manage to find any sort of a solution to this issue, so thanks for help and patience in advance!

  • Your problem lies in quoting. Check the generated HTML (page source) and you should see where you're going wrong. Commented Jan 7, 2021 at 15:04
  • @El_Vanja well it does what I described: <input type="text" name="email" placeholder="E-mail" value="style='border-color:"> The point is that I haven't got a clue why such a code gets generated Commented Jan 7, 2021 at 15:07
  • I'm guessing you didn't look at the page source, but rather inspected the element in the browser toolbar. The difference is that when you inspect, you see the HTML after the browser applied some fixes. When you take a look at the source, you should see this: value=style='border-color: red'. This would tell you that you don't have quotes for your value attribute. Commented Jan 7, 2021 at 15:10
  • You also are open to XSS injections with this code. Commented Jan 7, 2021 at 15:13
  • @El_Vanja where can I check the source code? Commented Jan 7, 2021 at 15:14

1 Answer

It looks like you don't properly encase value in quotes, so it just renders the 'style='border-color:.

Let's assume that $_GET[$key] has a value of [email protected]. What your PHP & HTML renders is the following:

[email protected]

See the problem? There are no quotes. That's why the renderer goes forward searching for a valid value. To fix the issue you must add quotes around your $_GET[$key] in the fillin function. Something like this should do the job:

if (isset($_GET[$key])) echo "value='".$_GET[$key] . "'";

It works when run alone because it reaches the end > and just assumes the value to be [email protected]


3 Comments

You are welcome. Take a good look at this line: "value='".$_GET[$key] . "'";. It might be a bit hard at first, but do you notice a single quote after = and before double quotes? Then there is another single quote encased in double-quotes afterward. These single quotes enclose the value of $_GET[$key] with quote marks. I used single quote because you are using double quotes from start. See the first double quote, right before value.
As far as I got that, for HTML attribute values must always be enclosed with quotation marks, right? So the resulting HTML code must appear so that all the attribute values are surrounded by quotes
Yes and no. Like you have seen, when using just fillin function you were getting correct results without the quotes. It is a complicated subject to discuss here. However, it is always a good practice to use quote marks in order to avoid such problems as the one you have encountered + IMO it is a good practice to do so in general. Here is a link to an answer that explains it better than I could right now: Quote Marks - HTML
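
An added example, not part of the original question or answer: the two helpers rewritten so that every attribute is double-quoted and the query-string value is escaped with htmlspecialchars(), which covers both the quoting bug and the XSS issue raised in the comments. The names attr(), fillin_safe(), unfilled_style() and email_input(), and the sample inputs, are constructed for illustration.

```php
<?php
// Added example: helper names and sample inputs are hypothetical.

// Render one attribute: always double-quoted, value always HTML-escaped.
function attr(string $name, string $value): string {
    return sprintf(' %s="%s"', $name,
        htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// value="..." for a field that was passed back in the query string.
function fillin_safe(array $query, string $key): string {
    // ?email[]=x arrives as an array; treat anything but a string as absent.
    if (!isset($query[$key]) || !is_string($query[$key])) {
        return '';
    }
    return attr('value', $query[$key]);
}

// style="..." only when an error was reported and the field is empty.
function unfilled_style(array $query, string $key): string {
    if (!isset($query['error'])) {
        return '';
    }
    $filled = isset($query[$key]) && is_string($query[$key]) && $query[$key] !== '';
    return $filled ? '' : attr('style', 'border-color: red');
}

// Returning strings instead of echoing keeps the tag assembly in one place.
function email_input(array $query): string {
    return '<input type="text" name="email" placeholder="E-mail"'
        . fillin_safe($query, 'email')
        . unfilled_style($query, 'email') . '>';
}

// Constructed stand-ins for $_GET.
$samples = [
    'filled'        => ['email' => 'user@example.com'],
    'empty + error' => ['error' => 'emptyfields', 'email' => ''],
    // A value with a quote and a space: without escaping it would end the
    // value attribute early, the same way the missing quotes did.
    'quote in value' => ['email' => "x' style='border-color: red"],
];
foreach ($samples as $label => $query) {
    echo $label, ': ', email_input($query), PHP_EOL;
}
```

In the third sample the single quotes come out as `&#039;`, so the whole string stays inside the value attribute instead of being parsed as a second attribute.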
