Input field for password usually accepts a wide range of characters compared to text inputs. The normal way of escaping an input on HTML form involves using htmlspecialchars($_POST['content']) on the input contents.
What if, in the scenario of a failed validation of a password update process, I require the new password to repopulate on the HTML form? Something like '> yeah would have caused the form to malfunction and using htmlspecialchars would produce a totally different password.
Any suggestions?
The html portion as shown:
<INPUT type=password name=password1 value=''><script>try' size=15 maxlength=15>
The corresponding php code:
function h($str) {echo htmlspecialchars($str);}
echo "<INPUT type=password name=password1 value='", h(@$_POST['password1']), "' size=15 maxlength=15>";
Blank is shown in the form input field.
UPDATE
The problem lies with my htmlspecialchars which does not escape single quotes by default. Now adding the ENT_QUOTES parameters allow the single quote to be escaped and solve my problem. deceze and CodeCaster are right that htmlspecialchars does not change the password. Thanks all.
No,
htmlspecialcharswould not produce a totally different password. It would producevalue="> yeah"which, when parsed by the browser, is read as> yeah. Password fields are not in any way special in the treatment of special or non-special characters.