
I have a Stripe form I am trying to add a display for the purchase amount:

data-description="<?php echo $_POST['plan']; ?>"

but the above outputs errors in the display 'notice undefined variables', even with isset.

The following code works without errors, except once I try and echo POST data.

<form action="pages/scharge.php" method="post">
    <div>

        <input type="radio" name="plan" value="2500"> Beta membership <br>
        <input type="radio" name="plan" value="3500"> VIP membership <br>

    </div>
    <div>

        <label for="plan"> If you would like to pay another amount, enter the amount here:</label>
        <input type="text" name="plan" />
        <label for="invoice_num"> Enter the invoice number here:</label>
        <input type="text" name="invoice_num" />

    </div>
    <div>
        <script src="https://checkout.stripe.com/checkout.js" class="stripe-button"
                data-key="<?php echo $stripe['publishable_key']; ?>"
                data-amount="<?php if(isset($_POST['plan'])); echo $_POST['plan']; ?> " data-description=" ">
        </script>

    </div>
</form>

How would I echo the POST data in data-description=" " in currency format (stripe is $18.00 = 1800) so that customers can see the proper amount before clicking purchase?

  • `if(isset($_POST['plan']));` Actually means "If $_POST['plan'] is set, then do absolutely nothing". – briosheje Mar 23 '15 at 21:04
  • @briosheje just echoing it barfs up an 'invalid integer' exception in the checkout code. By dumb luck, isset fixed that error and allowed it to actually carry that POST data to my scharge.php. – mine Mar 23 '15 at 21:11
  • 1
    Is this really the *exact* code you're using? I'm asking because, as briosheje notes, `if(isset($_POST['plan']));` with the semicolon at the end is a no-op, and should not have any effect on anything. Or did you accidentally add the semicolon while copy-pasting the code here? – Ilmari Karonen Mar 23 '15 at 21:20
  • @IlmariKaronen the semicolon is an error, ironically I receive behavior with or without it. I just realized my radio buttons were broken though. – mine Mar 23 '15 at 21:41
  • There is no way without really fancy tricks to get POST data into data-descriptions because POST happens last. I had to create a separate form page in front with its own submit button. From there I used a header forward and set $_SESSION['plan'] = $_POST['plan']. From there the checkout used SESSION with data already present, and everything worked fine. – mine Mar 24 '15 at 21:14

1 Answer


This should work:

data-description="<?php 
  if (isset($_POST['plan'])) echo htmlspecialchars($_POST['plan']);
?>"

Note that there is no ; after if (isset($_POST['plan'])). If you do put a semicolon there, PHP interprets that semicolon as the (empty) statement that the if is supposed to conditionally execute.

If you're feeling confused about the semicolons, another, perhaps safer way of writing that would be:

data-description="<?php 
  if (isset($_POST['plan'])) {
      echo htmlspecialchars($_POST['plan']);
  }
?>"

Here, you can include as many statements as you want (separated by semicolons) between the curly braces, and they will all be executed only if $_POST['plan'] is set. Make sure there's still no semicolon between the if condition and the {, though!

Also, note the htmlspecialchars(). Without it, your code is wide open to cross-site scripting (XSS) attacks, by an attacker passing in a parameter like plan="><script>alert("XSS");//.

Any time you embed a string (that isn't meant to be parsed as HTML code) in your HTML output, you should always escape it with htmlspecialchars(). Preferably, do this even if you're sure that the string cannot contain any characters that could be parsed as HTML markup; it's just a good habit, and may save your code from breaking if you ever decide to change the string later.

  • @Ilmari Karonen still no output using the following code https://bpaste.net/show/a555f275456f – mine Mar 23 '15 at 22:03
  • @mine: What does the HTML output look like? Are you actually getting an empty `data-description` attribute, but a non-empty `data-amount`? – Ilmari Karonen Mar 23 '15 at 22:07
  • @Ilmari Karonen yes, empty http://i.imgur.com/CpcK1aW.png vs. http://i.imgur.com/dMu6Roj.png – mine Mar 23 '15 at 22:22
  • OK, but what does the *HTML* look like, if you use View Source (or Inspect Element) in your browser? – Ilmari Karonen Mar 23 '15 at 22:27