Forms: Can't Use A Dollar Sign In Their Input


wolfshaven

I'm currently updating a form mod for Simple Machines Forum. It allows forum admins to create simple custom forms that serve as a template for their users' posts. In other words, a user fills out a form and a pre-formatted forum post is created based on the user's answers.

The problem I'm running into is if a user is filling out a field for input type="text" or a textarea and they enter a dollar sign somewhere in their answer, the form treats it as a string variable. This is most common if the user enters something like...

Bill made $12.43 and Joe made $15.98

It will output to the forum post as...

Bill made .43 and Joe made .98

Is there something I can do to prevent this from happening?

Thanks in advance
Jim

What code are you using? I don't think it's possible for form data to be parsed like that.

It's a large, complicated mod split up over multiple files. The package can be found at... http://custom.simplemachines.org/mods/index.php?mod=1279

Version 1.5 is the latest and the bug happens in both the versions for SMF 1.1.x and 2.x.

I'm not sure if this helps but the code looks something like this...
    // Large Text box?
    elseif ($field_data['type'] == 'largetextbox')
    {
        echo '
            <textarea rows="5" cols="45" name="', $field_name, '" id="', $field_name, '">', $field_data['value'], '</textarea>';
    }

    // Int, Float or text box?
    else
        echo '
            <input type="text" name="', $field_name, '" id="', $field_name, '" value="', $field_data['value'], '" />';

                    // Do the formating for both large and normal textboxes.
                    default:
                        $value = isset($_REQUEST[$field['title']]) ? $_REQUEST[$field['title']] : '';
                        // If value is empty then set it to the default.
                        if(($value == '')
                        && !$required)
                            $value = $default;
                        // Only bother with further formating if there is now some text. - This avoids huge errors with the parse_bbc() function returning all bbc.
                        if(!($value == ''))
                        {
                            // Remove all bbc code if we don't need to parse it.
                            if(!in_array('parse_bbc', $type_vars))
                                $value = strip_tags(parse_bbc($value, false), '<br>');
                            // Restrict the length of value if necessary, can stuff up html, but hey...
                            if(($size != ''))
                                $value = substr($value, 0, $size);
                        }
                }

                // Do we have an invalid value? Is this field required?
                if(($required
                && (($value == '') || ($value == '0'))
                && ($field['type'] != 'checkbox'))
                // Failing for selectboxes is far more simple, If there is no valid value, it fails.
                || (($field['type'] == 'selectbox') && ($value == '')))
                {
                    // Do the 'fail form/field' stuff.
                    $data[$i]['failed'] = true;
                    $fail_submit = true;
                    continue;
                }

                // Add this fields value to the list of variables for the output post.
                $vars[] = '/\{'.$field['title'].'\}/';
                $replace[] = $value;

                // Also add this data back into the data array, just in case we can't actually submit the form.
                $data[$i]['value'] = $value;

                // Do a small fix for the last line, if this is a checkbox.
                if($field['type'] == 'checkbox')
                    $data[$i]['value'] = isset($_REQUEST[$field['title']]) ? $_REQUEST[$field['title']] : false;
                    if (($required) && (!$data[$i]['value']))
                    {
                        //   Do the 'fail form/field' stuff.
                        $data[$i]['failed'] = true;
                        $fail_submit = true;
                        continue;
                    }
                // Do a small fix for the last line, if this is a largetextbox.
                if(($field['type'] == 'largetextbox'))
                    $data[$i]['value'] = isset($_REQUEST[$field['title']]) ? $_REQUEST[$field['title']] : '';
            }

            // Do we have completly valid field data?
            if(!$fail_submit)
            {
                require_once($sourcedir.'/Subs-Post.php');
                // Replace all vars with their correct value, for both the message and the subject.
                $output = preg_replace($vars, $replace, $output);
                $subject = preg_replace($vars, $replace, $subject);

                // Collect all necessary parameters for the creation of the post.
                $msgOptions = array(
                    'id' =>  0,
                    'subject' => $subject,
                    'body' => $output,
                    'smileys_enabled' => true,
                );

                $topicOptions = array(
                    'id' => 0,
                    'board' => $board,
                    'mark_as_read' => true,
                );

                $posterOptions = array(
                    'id' => $user_info['id'],
                );

                // Finally create the post!!! :D
                createPost($msgOptions, $topicOptions, $posterOptions);

                // Redirect this user as well.
                redirectexit('board=' . $board . '.0');
            }
        }

Note: this is only part of the entire mod but I think this might be where it's getting hung up. *undecided*


Are you using preg_replace() or some other kind of regular expression function?

The only thing that would parse a $ with numbers next to it is a regular expression when using it as a backreference.


    // Replace all vars with their correct value, for both the message and the subject.
    $output = preg_replace($vars, $replace, $output);
    $subject = preg_replace($vars, $replace, $subject);

Yep, just those two lines. I just assumed that that would just take the data from the form and then convert it to the template for the post. I don't see anyplace in the mod where it changes any of it with regular expressions. Actually, as I look through the entire code for the mod I don't see any regular expressions at all.

I did find...
    // Format the form output, so that the WYSIWYG editor works correctly
    if (!empty($_REQUEST['message_mode']) && isset($_REQUEST['output']))
    {
        require_once($sourcedir . '/Subs-Editor.php');
        $_REQUEST['output'] = html_to_bbc($_REQUEST['output']);
        $_REQUEST['output'] = un_htmlspecialchars($_REQUEST['output']);
        $_REQUEST['output'] = $smcFunc['htmlspecialchars']($_REQUEST['output'], ENT_QUOTES);
        preparsecode($_REQUEST['output']);
    }

Perhaps use htmlentities instead? Either way I didn't think they affected dollar signs. :-/


preg_replace() stands for "Perl-compatible regular expressions replace".

Here's an example of what it can do:

    $input = "XZN59";
    echo preg_replace("/^([A-Z]*)/", "Letters: $1", $input);
    // Outputs "Letters: XZN"
    // $1 is a backreference to the first group of parenthesis in the regular expression


Ok I found a regular expression in the mod

    // Add this fields value to the list of variables for the output post.
    $vars[] = '/\{'.$field['title'].'\}/';
    $replace[] = $value;

    // Also add this data back into the data array, just in case we can't actually submit the form.
    $data[$i]['value'] = $value;

To me it looks like it says... Find the field's "title" between { } and replace it with the user's input. I don't see where it lists any characters to be included or excluded. Should I add one in there someplace or is the syntax somewhat off?

If that doesn't get it I'm not sure what to do other than re-release the mod with that particular bug still remaining.

The quick fix is to escape the $ symbols. Try this:
$replace[] = str_replace('$','\$',$value);

Hmm, but I think that there should be a better way to do it, though it might require changing a lot of code.

Link to comment
Share on other sites
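
Added example, not part of the original thread or of the mod's code: the $12.43 case from the first post reproduced in PHP, next to two ways of keeping a user's answer from being read as a replacement reference. The function names, the {earnings} placeholder and the template text are constructed for illustration, and the type declarations assume PHP 7 or later.

```php
<?php
// Constructed sample: a post template and the answer quoted in the thread.
$template = 'Earnings: {earnings}';
$fields   = ['earnings' => 'Bill made $12.43 and Joe made $15.98'];

// Behaviour described in the thread: the answer becomes a preg_replace()
// replacement string, so "$12" and "$15" are read as references to capture
// groups 12 and 15, which do not exist and expand to nothing.
function fill_buggy(string $template, array $fields): string
{
    $vars = $replace = [];
    foreach ($fields as $title => $value) {
        $vars[]    = '/\{' . $title . '\}/';
        $replace[] = $value;
    }
    return preg_replace($vars, $replace, $template);
}

// Option 1: keep preg_replace(), but escape backslashes as well as dollar
// signs in the answer (both start a reference), and preg_quote() the title
// so it is matched literally inside the pattern.
function fill_escaped(string $template, array $fields): string
{
    $vars = $replace = [];
    foreach ($fields as $title => $value) {
        $vars[]    = '/\{' . preg_quote($title, '/') . '\}/';
        $replace[] = addcslashes($value, '\\$');
    }
    return preg_replace($vars, $replace, $template);
}

// Option 2: the placeholders are fixed text, so no regex is needed. strtr()
// never interprets the values and works in a single pass, so an answer that
// itself contains "{another_field}" is not expanded a second time.
function fill_literal(string $template, array $fields): string
{
    $map = [];
    foreach ($fields as $title => $value) {
        $map['{' . $title . '}'] = $value;
    }
    return strtr($template, $map);
}

echo fill_buggy($template, $fields), "\n";
echo fill_escaped($template, $fields), "\n";
echo fill_literal($template, $fields), "\n";
```

The first line printed is the mangled text from the original post; the other two print the answer unchanged.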

Archived

This topic is now archived and is closed to further replies.
