I have hidden fields which contain a very large amount of serialized data (I’m talking around 1300 records from a database). With all of this data, the hidden fields become visible as text boxes containing the serialized data. When, on the other hand, I limit this data to say, 200 records, the fields remain hidden as they should. I went ahead and inspected this issue in Chrome’s “inspect element” and I noticed that many of the HTML characters throughout the page are all out of place.
For example:
class="cont_buffer" turned into class="”cont_buffer”"
The extra quotation marks are messing up the input type="hidden" and thus showing the fields.
What could I do to get around this issue?
Two things:
First, it sounds like you should be html encoding the value of the hidden input with htmlentities($value, ENT_QUOTES) to make sure quotes are properly encoded for use as an HTML attribute value.

However, there is probably a better way to do what you are doing rather than to pass thousands of records back to the browser so they can be returned by the browser to the server. Instead of passing to a hidden input, you are probably better off storing the rows temporarily in $_SESSION. In some cases, it may even be faster to just requery that many rows when the form post is received, rather than have the browser pass them back.

If you are serializing the rows in PHP with serialize(), I assume you intend to unserialize() them in PHP. Use extreme caution when doing so, because this opens the possibility that the browser could send malicious data back that would unserialize into something harmful to your application. If you must send serialized data from the browser to unserialize(), be certain to validate the object or array you receive — make sure it contains all the keys or properties you expect, and only those you expect so that you don’t have problems when iterating over it.
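The three points above (attribute-encoding the hidden value with ENT_QUOTES, keeping the rows in $_SESSION instead, and validating whatever comes back before trusting unserialize()), as an added PHP example that is not part of the original question or answer. The function names hiddenField, storeRowsInSession and validateRows and the sample rows are made up for the illustration; the allowed_classes option of unserialize() is a real PHP 7.0+ feature.

```php
<?php
// Added example, not from the original answer. Helper names are hypothetical.
declare(strict_types=1);

// Emit a hidden input whose value is HTML-encoded with ENT_QUOTES, so that
// quote characters inside the serialized payload cannot terminate the
// value="..." attribute (the symptom described in the question).
function hiddenField(string $name, string $value): string
{
    return sprintf(
        '<input type="hidden" name="%s" value="%s">',
        htmlentities($name, ENT_QUOTES, 'UTF-8'),
        htmlentities($value, ENT_QUOTES, 'UTF-8')
    );
}

// Preferred alternative: keep the rows server-side and let the browser
// carry only the session cookie, so nothing large round-trips at all.
function storeRowsInSession(array $rows): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $_SESSION['rows'] = $rows;
}

// If serialized rows must come back from the browser, validate them before use.
// Returns the rows, or null if the payload is not exactly what we expect.
function validateRows(string $payload, array $expectedKeys): ?array
{
    // allowed_classes => false stops unserialize() from instantiating any
    // class: only scalars and arrays can come out, which removes the
    // "unserialize into something harmful" problem the answer warns about.
    $rows = @unserialize($payload, ['allowed_classes' => false]);
    if (!is_array($rows)) {
        return null;
    }
    sort($expectedKeys);
    foreach ($rows as $row) {
        if (!is_array($row)) {
            return null;
        }
        $keys = array_keys($row);
        sort($keys);
        // Exactly the expected keys: nothing missing, nothing extra.
        if ($keys !== $expectedKeys) {
            return null;
        }
    }
    return $rows;
}

// --- demo with constructed data ---
$rows = [
    ['id' => 1, 'name' => 'O\'Brien "Bob"'],   // quotes that would break a raw attribute
    ['id' => 2, 'name' => 'cont_buffer'],
];

storeRowsInSession($rows);

// Hidden field with the value safely encoded:
echo hiddenField('rows', serialize($rows)), PHP_EOL;

// Legitimate payload passes validation:
$ok = validateRows(serialize($rows), ['id', 'name']);
echo 'valid payload accepted: ', var_export($ok !== null, true), PHP_EOL;

// A payload with an unexpected extra key is rejected:
$extraKey = serialize([['id' => 1, 'name' => 'x', 'is_admin' => true]]);
echo 'extra key rejected: ', var_export(validateRows($extraKey, ['id', 'name']) === null, true), PHP_EOL;

// A payload whose top level is an object (not an array of rows) is rejected:
$notArray = serialize(new stdClass());
echo 'object rejected: ', var_export(validateRows($notArray, ['id', 'name']) === null, true), PHP_EOL;
```

The key check compares the sorted key list for equality rather than only testing that the expected keys are present, which is what makes "only those you expect" enforceable; a reviewer adding a field to the row shape has to update $expectedKeys deliberately.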