
I'm trying to call a PHP variable into an HTML input field. Please see the code below.

<html>
<?php
    $A_variable = $_GET['some text'];

echo "<script type='text/javascript'>";
echo "document.getElementById('A_input').value = ";$A_variable;
echo "</script>";
?>
<input type="text" id="A_input" name="A_input" placeholder="input" Readonly>
</html>

Please advise, am I doing this in a proper way? Your assistance is highly appreciated.

Thaju
  • You have a syntax error there in JS (missing quotes around the value, if `$A_variable` isn't a number), a syntax error in PHP (`;` instead of `.`), and you call the script before `input` exists. Check the console. – pavel Mar 29 '18 at 08:08
  • **Danger**: This code is [vulnerable to XSS](https://www.owasp.org/index.php/XSS). User input needs escaping before being inserted into an HTML document! – Quentin Mar 29 '18 at 08:27
  • https://stackoverflow.com/questions/14028959/why-does-jquery-or-a-dom-method-such-as-getelementbyid-not-find-the-element covers *one* of the several things that are wrong with this code. – Quentin Mar 29 '18 at 08:30

1 Answer

You don't need Javascript to achieve that,

simply,

<html>
<?php
    $A_variable = $_GET['some text'];
?>
<input type="text" id="A_input" name="A_input" value="<?php echo $A_variable; ?>" placeholder="input" Readonly>
</html>

[Edited] Looking at the code above, we can make it even simpler:

<html>
<input type="text" id="A_input" name="A_input" value="<?php echo $_GET['some text']; ?>" placeholder="input" Readonly>
</html>

PS: This way is not advisable since it is vulnerable to XSS attacks.

The simplest way to prevent an XSS attack is by using strip_tags():

<html>
<input type="text" id="A_input" name="A_input" value="<?php echo strip_tags($_GET['some text']); ?>" placeholder="input" Readonly>
</html>
anasceym
    1. XSS. 2. Why `$A_variable`, when you can echo `$_GET['some text']` directly inside `value` attribute?? – pavel Mar 29 '18 at 08:10
  • 1. XSS - Obviously yes, but it is a whole different topic. 2. Agree. Just so the question owner can see how a variable can easily be output to HTML tags. – anasceym Mar 29 '18 at 08:13
  • _"XSS - Obviously yes, but it is whole different topic"_ - It should be included in the answer. People tend to just copy/paste answers here, thinking they are totally fine. If we see security issues, we should point them out and, at least, give them a reference to where they can read more about them. – M. Eriksson Mar 29 '18 at 08:16
  • You're quite new here. When the code is vulnerable (XSS in this case), the answer should solve that, if it's just a matter of adding one more PHP function around the echoed variable. – pavel Mar 29 '18 at 08:18
  • Thank you for the comments. Yes I am quite new here. I will update the answer accordingly – anasceym Mar 29 '18 at 08:20
  • @panther I have updated the answer based on your comment. Please let me know if it is good enough or can be corrected. – anasceym Mar 29 '18 at 08:26
  • `strip_tags` will not protect this code from XSS attacks. `some+text="%20onmouseover="alert('xss')"` – Quentin Mar 29 '18 at 08:28
  • @anasceym: strip_tags doesn't solve XSS and modifies the value (why should '2 > 1' (two is greater than 1) be invalid input?). The right way is to use http://php.net/manual/en/function.htmlspecialchars.php – pavel Mar 29 '18 at 08:33
  • **Always** use [`htmlspecialchars()`](http://php.net/manual/en/function.htmlspecialchars.php) to properly encode as HTML the data you use to generate HTML. Without it, the generated HTML is invalid in many situations. – axiac Mar 29 '18 at 10:14
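Added example, not code from the question, the answer or any of the commenters: it puts the answer's strip_tags() rendering next to the htmlspecialchars() rendering the comments recommend, then parses each rendered fragment with DOMDocument to check whether the value attribute survived intact. The helper names (render_input_strip_tags, render_input_escaped, value_attribute_intact) and the two sample values (the attribute-breakout string quoted in Quentin's comment, and an ordinary value that happens to contain tags) are all constructed for this example.

```php
<?php
// Added example, not code from the question or the answer. Helper names
// (render_input_strip_tags, render_input_escaped, value_attribute_intact) are
// hypothetical; the sample values below are constructed for this demonstration.
declare(strict_types=1);

// The answer's approach: strip_tags() removes <tags> but leaves quote
// characters alone, so a value containing a double quote still closes the
// value="..." attribute early and whatever follows is parsed as new attributes.
function render_input_strip_tags(string $value): string
{
    return '<input type="text" id="A_input" name="A_input" value="'
        . strip_tags($value) . '" placeholder="input" readonly>';
}

// The approach recommended in the comments: encode every character that has
// meaning inside an HTML attribute. ENT_QUOTES covers both " and ' (an
// attribute may be delimited by either), ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string, and the charset is explicit.
function render_input_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" id="A_input" name="A_input" value="'
        . $safe . '" placeholder="input" readonly>';
}

// Defender-side check: parse the fragment the way a browser would and confirm
// that (a) exactly one <input> came out, (b) it carries only the attributes
// we wrote, and (c) its value attribute decodes back to the original string.
function value_attribute_intact(string $html, string $original): bool
{
    $expected = ['id', 'name', 'placeholder', 'readonly', 'type', 'value'];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings off stdout
    $doc->loadHTML('<!DOCTYPE html><meta charset="utf-8">' . $html);
    libxml_clear_errors();

    $inputs = $doc->getElementsByTagName('input');
    if ($inputs->length !== 1) {
        return false;
    }
    $input = $inputs->item(0);

    $names = [];
    foreach ($input->attributes as $attr) {
        $names[] = $attr->name;
    }
    sort($names);

    return $names === $expected && $input->getAttribute('value') === $original;
}

// Constructed samples: the attribute-breakout string from Quentin's comment
// (what $_GET['some text'] holds after URL decoding), and an ordinary value
// that merely contains angle brackets.
$samples = [
    'breakout' => '" onmouseover="alert(\'xss\')',
    'ordinary' => '1 <b>bold</b> 2',
];

foreach ($samples as $label => $value) {
    $viaStrip  = render_input_strip_tags($value);
    $viaEscape = render_input_escaped($value);
    printf("%-8s strip_tags        intact=%s\n", $label,
        value_attribute_intact($viaStrip, $value) ? 'yes' : 'no');
    printf("%-8s htmlspecialchars  intact=%s\n", $label,
        value_attribute_intact($viaEscape, $value) ? 'yes' : 'no');
}
```

Run it with `php` on the command line. For the breakout sample, the strip_tags() rendering parses to an input that carries an extra onmouseover attribute, so the check fails; for the ordinary sample it fails as well, because strip_tags() has silently removed the `<b>` tags from a value the user legitimately typed (the point pavel raises above). The htmlspecialchars() rendering passes both checks: the encoded value stays inside the attribute and decodes back to exactly what was submitted. The attribute-set comparison, rather than a lookup for one particular attribute name, is what makes the check catch any injected attribute, not just the one from the comment.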