Submitting html/php code through an html form

[fewkesy]

I'm trying to submit html/php code through an html form and then insert it into a mysql database. I've got the following code so far (without the insert into database query), however when I submit the form I get pushed through to my 403 page. If i comment out the textarea that contains the code I am trying to submit, then it goes through fine.

 

Any ideas?

 

 

<?
if (isset($_POST['optone'])) {$optone=$_POST['optone']; $opttwo=$_POST['opttwo'];}
if (isset($_POST['type'])) {if ($_POST['type']=='Theory') {$optone=1;} if ($_POST['type']=='Demo') {$optone=2;} $opttwo=$_POST['module'];}

?>

<h3>Module administration</h3>
<script>
function setOptions(chosen) {
var selbox = document.myform.opttwo;

selbox.options.length = 0;
if (chosen == " ") {
  selbox.options[selbox.options.length] = new Option('Please select an option first',' ');
  document.myform.go.disabled=true;

}
if (chosen == "1") {
  selbox.options[selbox.options.length] = new Option('Module 1','1');
  selbox.options[selbox.options.length] = new Option('Module 2','2');
  selbox.options[selbox.options.length] = new Option('Module 3','3');
  selbox.options[selbox.options.length] = new Option('Module 4','4');
  selbox.options[selbox.options.length] = new Option('Module 5','5');
  selbox.options[selbox.options.length] = new Option('Module 6','6');
  selbox.options[selbox.options.length] = new Option('Module 7','7');
  selbox.options[selbox.options.length] = new Option('Module 8','8');
  selbox.options[selbox.options.length] = new Option('Module 9','9');
  selbox.options[selbox.options.length] = new Option('Module 10','10');
  document.myform.go.disabled=false;
}
if (chosen == "2") {
  selbox.options[selbox.options.length] = new Option('Module 1','1');
  selbox.options[selbox.options.length] = new Option('Module 2','2');
  selbox.options[selbox.options.length] = new Option('Module 3','3');
  selbox.options[selbox.options.length] = new Option('Module 4','4');
  selbox.options[selbox.options.length] = new Option('Module 5','5');
  selbox.options[selbox.options.length] = new Option('Module 6','6');
  selbox.options[selbox.options.length] = new Option('Module 7','7');
  selbox.options[selbox.options.length] = new Option('Module 8','8');
  selbox.options[selbox.options.length] = new Option('Module 9','9');
  selbox.options[selbox.options.length] = new Option('Module 10','10');
  document.myform.go.disabled=false;
}
}
</script>
<br />
<center>
<form name="myform" method='post'>
Edit:
<select id="optone" name="optone" size="1" onchange="setOptions(document.myform.optone.options[document.myform.optone.selectedIndex].value);" >
<option value=" " >--Choose--</option>
<option value="1" >Theory</option>
<option value="2" >Demo</option>
</select>
<select name="opttwo" size="1">
<option value=" " selected="selected">Please select an option first</option>
</select>
<input type='submit' name='go' id='go' value='Go' disabled='disabled'/>
</form>
</center>
<br /><br />
<?
if (isset($opttwo)) {
if ($optone==1) {$query = "SELECT info,userscompleted,last_user,enabled FROM theorydata WHERE TheoryID=".$opttwo; $typestr='Theory'; $texthelp='Code must be entered in HTML';} 
if ($optone==2) {$query = "SELECT info,userscompleted,last_user,enabled FROM demodata WHERE DemoID=".$opttwo; $typestr='Demo'; $texthelp='Code must be entered in PHP';}
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_array($result);
$query2="SELECT full_name FROM users WHERE id=".$row['last_user'];
$result2 = mysql_query($query2) or die(mysql_error());
$row2 = mysql_fetch_array($result2);

?>
<form method='post' >
<table>
<tr>
	<td align='center'>
		Type:
	</td>
	<td>
		<input type='text' name='type' readonly='readonly' value="<? echo $typestr; ?>" />
	</td>
</tr>
<tr>
	<td align='center'>
		Module:
	</td>
	<td>
		<input type='text' name='module' readonly='readonly' value="<? echo $opttwo; ?>" />
	</td>
</tr>
<tr>
	<td align='center' >
		Enabled?
	</td>
	<td>
		<select name='enabled'>
			<option value='yes' <? if ($row['enabled'] == '1') {echo "selected='selected'";}?> >Yes</option>
			<option value='no' <? if ($row['enabled'] == '0') {echo "selected='selected'";}?> >No</option>
		</select>
	</td>

</tr>
<tr>
	<td align='center'>
		Code:
	</td>
	<td>
		<center><font color='red'><? echo $texthelp; ?></font></center>
		<textarea  name='info' rows=35 cols=80><? echo htmlentities($row['info']); ?></textarea>
	</td>
</tr>
<tr>
	<td align='center' >
		Users completed:
	</td>
	<td>
		<input type='text' name='userscompleted' value="<? echo $row['userscompleted']; ?>" size=4/>
	</td>
</tr>
<tr>
	<td align='center' >
		Last user:
	</td>
	<td>
		<input type='text' name='last_user' readonly='readonly' value="<? echo $row2['full_name']; ?>" />
	</td>
</tr>
<tr>
	<td></td>
	<td align='center'>
		<input type='submit' value='Edit'/>
	</td>
</tr>
</table>
</form>
<?
}//close isset(opttwo)
?>

[sunfighter]

You need an action="url" for your forms.

[fewkesy]

If you don't define the action attribute of the form tags, it simply defaults to the action being the current URL.

 

The problem that I face lies within submitting the html code through the textarea tags.

[fewkesy]

Just in case anyone else has a similar problem, I solved it by adding javascript to the onSubmit event of the form. By creating a javascript function that converts the raw html into the equivalent output when done through php using the following code.

		<script type="text/javascript">
	function htmlEntities(str) {
   			 return String(str).replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>').replace(/"/g, '"');
		}
	</script>

This is then passed through with the other data in the form and can be reconverted back into the original raw code using the php function html_entity_decode().