So now I want to talk about how you think about data when you receive it from the server. So up to now we've been talking about how you make a form in HTML. We've talked about how that comes in $_POST. Now we're going to start talking about what you do with $_POST. And the first thing we're going to talk about is persisting form data from one stream to another. And we do this so much, it's done so commonly, and so often, that we just assume it magically happens. But it doesn't. It turns out that we, as the developer, have to work pretty hard to make that happen, right? And so, you type something, like 20. You hit submit. And if you don't persist it, this comes back blank, right? So, we just sent the data and there was a 20, but where'd it go? And what we want, as users, is to see the 20 in case there was a mistake, right? See the old value. So we have to specifically copy the old value from one request to another request on down, if that's what we want. And it turns out we want that a lot. And so the idea that we're going to take the POST data and generate a form that has the POST data in it, that turns out to be a real common problem. And it turns out to be one of the most common sources of security errors. So think about it this way, this script we've got is going to be run as a GET request when we first go to the URL. And then we type something and hit submit, then it comes into this same script again as a POST request. And so we have to use isset to say, is this a POST request with guess as a value? Or is this a GET request and we'll just have to show the form. So on the first one we show the form, on the second one we want to show the form with the previous guess already persisted from the previous request, okay? So what I'm going to do, is I'm going to use the ternary operator. I don't like it, but I use it mostly only in this exact form. If there is a guess value in POST, stick it in oldguess, otherwise put a blank in oldguess.
So oldguess is a variable that we'll follow through into this templating code. Now the rest of this is just a form post yada, yada, yada, except right here. We say value =, so value = is a way for us to put an old value into the form as we're displaying the screen. So we're writing back the form, and if we put value= in the form and put something in it, then that's going to show up as 42 in that little screen box. So, that's how we put something in by generating HTML with value=. Now, this is also the moment where I'm showing you this little syntax of shortcutting. So normally, I would say double quote, double quote php echo oldguess semicolon less than question mark, right? That's a switch in the php that says run the echo command. Semicolon is the end of command. And this says switch back to HTML. That's what that does. And if I put double quotes around it, like here, then the HTML will just be like quote 42 quote, right? That's what we're going to see. Although spaces don't matter, because that's just code running. This is such a common thing that they actually have a shortcut for it, which is less than, question mark equals. So less than question mark php is the long form and less than, question mark equals is the short form. And what it is is just a short syntax to do exactly this thing. And that is to echo the value of a parameter. So what this says right here is print oldguess right here. And we're done. So, we use this short form a lot, especially when we're doing stuff like this, when we're mixing HTML and we switch into PHP just to get a value out, then we're back to HTML, okay? So, if we do that, that means that we're going to see that old value. But it turns out that that code that I just wrote for you, this code right here, is the worst possible code you could ever write in an application, because of the problem of what we call HTML entities and HTML injection.
And the problem is, if a user is particularly smart, they could type something into the form field that is going to become valid HTML, okay? And so they know that you're going to say value, = quote, whatever, quote. But what if I stick something in there that is itself a quote? And then I put my own code in here. And so what I've typed carefully here is double quote and bold, DIE, DIE, DIE. And when I hit submit, I don't see the old guess anymore, I see bold DIE, DIE, DIE, right? And so this is called HTML injection, where what's happened is that the user was capable of typing something at the prompt that sort of took over the page. Now usually they're doing something much more evil than just putting up the words die, die, die. They're doing things like taking your credit card number. They are taking things like, if you're the teacher logged into a system, they go change their grade. They cause you to execute code in your browser that goes and changes their grade. So this is HTML injection, and the whole idea is you're breaking the HTML and putting code in that the bad person wants to put in on your computer. So, let's take a look at what happens there, right? So, you type this thing and so this bit right here is exactly what the user typed, okay? And so they typed double quote blah, blah, blah, blah, blah, blah. But the problem is when the browser processes it, it doesn't really know what came from the code and what didn't come from the code. And so that's how it sees it. And so this is just HTML text. And this is a bold tag. And then this little quote here, this crap shows up right down here. See that crap showing up, but that's broken HTML ultimately. Actually it's not broken HTML because you can put a double quote and a slash less than inside of it. But the user has sort of permuted or messed up the page.
And again, usually, they put something bad in here, something really bad that is going to do something to your system or do something to the server, etc. But that's the key. HTML injection is when they put some highly crafted characters, designed to do that, into a form field. And because it's so easy to write code like this, right? So easy to write code like this, that we end up in trouble. As software developers, we have to have a little warning message go off anytime we are producing HTML output with data that originally came from the user. So $oldguess is not just any old variable, it is a variable that came from user input. So the danger is when you're printing out user input, you have to make sure that you do it in a very clean way. Now, thankfully, there is a really easy way to fix this. After all of my fuss, there is this function called htmlentities. And what htmlentities does is if we go all the way back to the very beginning when I talked about HTML, I told you that if you're in HTML and you want to represent less than, you say, ampersand LT semicolon. If you want to represent an ampersand, you go ampersand amp semicolon. And if you want to represent a double quote, which is the one that's causing my problem right here, you say, ampersand QUOT, or something like that. These things are called htmlentities. These little alternate representations of these characters are htmlentities. So there is a function inside of PHP that just takes that data and converts anything that can be represented as an htmlentity and prints it out as an htmlentity. And so that's what this does, we're running oldguess through the htmlentities function and then we're printing that out between the double quotes. So let's take a look at what comes out at that point. This is what comes out at that point, right? We see value =, and now these are quot, greater than, less than, b, greater than, less than, greater than.
So that's what they typed but now it's been converted by htmlentities to be htmlentities. And so what happens is when your browser parses this, it sees that as the beginning of value and that as the end of the value. Because in there, there are no double quotes. There is a double quote but it's not represented in that string as the double quote. And so the browser knows that, yeah, and so it puts the double quote right back in. So you can submit the double quote, you can submit as crazy of stuff as you want. And away you go. Now, if you're using the auto graders for this course, this is a thing I check over and over and over again. Because it's the way that a lot of people make mistakes in building web apps that they open themselves up to what's called HTML injection. And you just have to keep this in mind, and I'll remind you of this like 8 million times over the rest of the next few lectures. Just so you know, things coming from the user are dangerous and we have to escape them. That's called escaping, okay? So now we talked about ways to take data and then put it back in a safe manner using htmlentities. And now we'll talk about checking the data when it comes into the server before you do something with it.
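As an added example that is not the lecture's own code: the unescaped value= template from the demo next to the htmlentities() version, run against a constructed input of the kind typed in the lecture (a closing double quote followed by a bold tag). The function names, the constructed input, and the counting check at the end are assumptions made for this illustration; oldGuess() mirrors the isset/ternary line from the lecture.

```php
<?php
// Added example, not the lecture's own code. Shows the unescaped
// form rendering the lecture warns about next to the htmlentities() fix.
// renderUnsafe, renderSafe, oldGuess, tagCount and the sample input are
// all constructed here for illustration.

// Constructed input, standing in for what a user typed into "guess":
// a double quote that closes the attribute, then markup of their own.
$constructed = '"><b>DIE, DIE, DIE</b><input x="';

// The lecture's isset/ternary: take the old guess from POST or use blank.
function oldGuess(array $post): string {
    return isset($post['guess']) ? $post['guess'] : '';
}

// The pattern the lecture calls the worst possible code: user data
// copied straight into the value="" attribute.
function renderUnsafe(string $oldguess): string {
    return '<input type="text" name="guess" value="' . $oldguess . '">';
}

// The fix: run the user data through htmlentities() before it reaches the
// page. ENT_QUOTES is passed explicitly so both " and ' are escaped,
// whichever quote style the template happens to use around the value.
function renderSafe(string $oldguess): string {
    $escaped = htmlentities($oldguess, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="guess" value="' . $escaped . '">';
}

// Check: the template emits exactly one tag. If the rendered HTML has
// more than one '<', the user's input broke out of the attribute and
// added tags of its own, which is the page takeover the lecture shows.
function tagCount(string $html): int {
    return substr_count($html, '<');
}

// Simulate the second request: the form came back as a POST with a guess.
$post = ['guess' => $constructed];   // constructed stand-in for $_POST
$old  = oldGuess($post);

$unsafe = renderUnsafe($old);
$safe   = renderSafe($old);

echo "Unsafe:\n$unsafe\n";
echo 'Tags in output: ' . tagCount($unsafe) . " (user markup got in)\n\n";

echo "Safe:\n$safe\n";
echo 'Tags in output: ' . tagCount($safe) . " (only the template's input tag)\n";
```

Running it prints the unsafe rendering with the injected bold tag and input tag visible as real markup, and the safe rendering with the same characters turned into &quot;, &lt; and &gt; so that the browser shows them as text inside the box instead of parsing them.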