
I have a string of HTML that I want to dynamically replace with PHP variables from a $_POST.

Here is my string:

$message = '<html><body><font face="Arial, Helvetica" size=2><strong>Name:</strong> {$first} {$last}<br/><br/>';

Here is my PHP:

foreach ($_POST as $key=>$value) {
    $$key = mysql_real_escape_string(strip_tags(ucfirst(strtolower($_POST[$key]))));
    $text = str_replace('{'.$key.'}', $value, $message);
    //echo $text;
}

But my str_replace is not working right. I've tried doing the string like this:

$message = '<html><body><font face="Arial, Helvetica" size=2><strong>Name:</strong> {' . $first .'} {' . $last . '}<br/><br/>';

But that doesn't work either. I've tried numerous other combinations and none of them seem to work. Some help would be appreciated. Thanks.

sehummel

2 Answers


There are some things I don't understand from the following line:

$$key = mysql_real_escape_string(strip_tags(ucfirst(strtolower($_POST[$key]))));
  • Why do you use variable variables? $$key
  • Why do you sanitize $_POST[$key] when you have access to $value?
  • Why do you use mysql_real_escape_string to "escape" HTML?

I think it's all unnecessary.

One of the reasons it may not work is because you are saving the modified $message into $text, instead of saving it back into $message to ensure that all keys will eventually be replaced. Also, you forgot the literal $ in the pattern; it should have been:

$text = str_replace('{$'.$key.'}', $value, $message);
______________________^

Here's how I would do it:

$_POST = array('first'=>'foo', 'last'=>'bar');

$dbData = array(); // don't forget to initialize your array
foreach ($_POST as $key => $value) {
    $sanitizedValue = strip_tags(ucfirst(strtolower($value)));
    $message = str_replace('{$'.$key.'}', $sanitizedValue, $message);

    // save the mysql-sanitized values to an array for future use
    $dbData[$key] = mysql_real_escape_string($sanitizedValue);
}

echo $message;
// outputs
//    <html><body><font face="Arial, Helvetica" size=2><strong>Name:</strong> Foo Bar<br/><br/>

I actually tested it and it works.

netcoder
  • Thanks netcoder. I'm kind of new, so I appreciate the help. How do I access those variables in the loop so I can insert them into the DB? That's why I did the dynamic variable assignment, so I could have a static sql query lower down in the code. – sehummel Dec 15 '10 at 21:10
  • Use an array, see my update (`$dbData`). The reason why you should use an array is because it is a data structure made specifically for that kind of task (and way more). It also prevents one from injecting variables in your code, because using `$$key` in a `foreach $_POST` actually somewhat mimics [register_globals](http://php.net/register_globals), which is indeed very bad. – netcoder Dec 15 '10 at 21:15
  • THANKS NETCODER! That's brilliant. – sehummel Dec 15 '10 at 21:18
  • Is there a dynamic way using your example to generate an sql query? – sehummel Dec 15 '10 at 22:06

You are overwriting your $text variable on every loop with the str_replace on $message.

Try this:

foreach ($_POST as $key=>$value)
{
    $message = str_replace('{$'.$key.'}', $value, $message);
}
István Ujj-Mészáros
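Both answers above fix the same two things in the question's loop (write the result back into $message, and include the literal $ in the placeholder). The following is an added example, not code from the question or from either answer, that carries their str_replace approach through and also answers the follow-up about inserting the values into the database: placeholders are substituted from a fixed whitelist of field names rather than from every key in $_POST (so no variable variables and nothing resembling register_globals), values are HTML-escaped because the template is HTML, and the INSERT uses a prepared statement with bound parameters instead of mysql_real_escape_string. The table name `contacts`, the column names, the DSN and the sample input are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for $_POST. The 'admin' key is
// deliberately unexpected: it must reach neither the template nor the DB.
$input = [
    'first' => 'foo <script>alert(1)</script>',
    'last'  => "o'brien",
    'admin' => '1',
];

// Only these keys may be substituted into the template or written to the DB.
// This fixed list replaces iterating over $_POST with $$key.
const ALLOWED_FIELDS = ['first', 'last'];

// Same template shape as in the question.
$message = '<html><body><font face="Arial, Helvetica" size=2>'
         . '<strong>Name:</strong> {$first} {$last}<br/><br/>';

/** Normalise a name the way the question does: drop tags, then "Foo" casing. */
function normalizeName(string $raw): string
{
    return ucfirst(strtolower(strip_tags($raw)));
}

/**
 * Replace every {$key} placeholder in $template with the matching field.
 * The result is written back into $template on each pass so that earlier
 * replacements are kept (the bug both answers point out). Values are
 * HTML-escaped here because the destination is HTML; SQL escaping is a
 * separate concern handled by the prepared statement below.
 */
function renderTemplate(string $template, array $fields, array $allowed): string
{
    foreach ($allowed as $key) {
        $clean = normalizeName($fields[$key] ?? '');
        $safe  = htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $template = str_replace('{$' . $key . '}', $safe, $template);
    }
    return $template;
}

/**
 * Build an INSERT for the whitelisted columns only. Column names come from
 * the fixed $allowed list, never from user-supplied keys; values are bound
 * as named parameters, so no manual escaping is needed.
 * Returns [$sql, $params] ready for PDO::prepare()/execute().
 */
function buildInsert(string $table, array $fields, array $allowed): array
{
    $columns = [];
    $params  = [];
    foreach ($allowed as $key) {
        $columns[]          = '`' . $key . '`';
        $params[':' . $key] = normalizeName($fields[$key] ?? '');
    }
    $sql = sprintf(
        'INSERT INTO `%s` (%s) VALUES (%s)',
        $table,
        implode(', ', $columns),
        implode(', ', array_keys($params))
    );
    return [$sql, $params];
}

$html = renderTemplate($message, $input, ALLOWED_FIELDS);
echo $html, PHP_EOL;
// Name: Foo alert(1) O&apos;brien  (script tag stripped, quote escaped, 'admin' ignored)

[$sql, $params] = buildInsert('contacts', $input, ALLOWED_FIELDS);
echo $sql, PHP_EOL;
// INSERT INTO `contacts` (`first`, `last`) VALUES (:first, :last)

// Assumed DSN and credentials; the insert only runs if a server is reachable.
try {
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->prepare($sql)->execute($params);
} catch (PDOException $e) {
    echo 'Database not available in this demo: ', $e->getMessage(), PHP_EOL;
}
```

The whitelist is what makes the "dynamic" query safe: the SQL text is assembled only from names the code itself declares, while everything that came from the client travels as a bound value. Adding a field means adding it to ALLOWED_FIELDS, the template and the table, not trusting whatever keys arrive in $_POST.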