How to echo session variable inside input and tinymce textarea after redirecting the user to page

1
votes

I am trying to process a form. If there is an error, the user will redirected to the form, where the errors will be shown and whatever the user was trying to submit is echoed out the form's tinymce's textarea. That way, the user won't have to rewrite everything again. Everything is working well except the session variable doesn't echo inside the tinymce editor after the user is redirected. The session variable is set and has the correct value. If I echo the session variables outside tinymce, it shows up as expected. It just won't show up in the textarea. How do I fix this?

Also, I know that this is susceptible to xss. I want to allow the users to format their post, so I will be running it through HTML Purifier later on.

addnewthread.php: 

<?php 
session_start(); 

if($_SERVER['REQUEST_METHOD']==='POST')
{   
if(isset($_POST['submit'])&&$_POST['submit']==='success')
{

    if (empty(trim($_POST['thread-title'])))
    {
        $_SESSION['forum_titErr'] = "<p class='error text-center'>Error message</p>";
    }

    else
    {
        $_SESSION['threadTitle'] = $_POST['thread-title']; 
    }


    if (empty(trim($_POST['thread-content'])))
    {
        $_SESSION['forum_thrContErr'] = "<p class='error text-center'>Error message </p>"; 
    }
    else
    {
        $_SESSION['threadCont'] = $_POST['thread-content'];

    }

    if((isset($_SESSION['forum_titErr'])&&!empty($_SESSION['forum_titErr']))|| (isset($_SESSION['forum_thrContErr'])&&!empty($_SESSION['forum_thrContErr'])))
    {
        header("Location: newthread.php?submit=error"); 
    }
    else 
    {
    //insert into database and redirect to readtopic.php if insert is successful; else redirect to form and show insert is not successful 
    }
}

else{
    header("Location: newthread.php");
}
}

else
{
      exit('invalid request');
}


?>

form html: 

<!DOCTYPE html>
<html>
<?php 
      session_start(); 
?>
<head>
    <!-- title, meta, stylesheet, etc. --> 
    <script type="text/javascript" src="jquery.js"></script>
    <script src="https://cdn.tiny.cloud/1/no-api-key/tinymce/5/tinymce.min.js" referrerpolicy="origin"></script>
    <script>tinymce.init({selector:"#threadCont", height: 300, resize: false
    });</script>
</head>

<body>
<?php 

    if($_GET['submit']==="error")
    {            
        if((isset($_SESSION['forum_titErr'])&&!empty($_SESSION['forum_titErr']))|| 
        (isset($_SESSION['forum_thrContErr'])&&!empty($_SESSION['forum_thrContErr'])))
        {
            echo $_SESSION['forum_titErr']; 
            echo $_SESSION['forum_thrContErr'];

            session_unset($_SESSION['forum_titErr']);
            session_unset($_SESSION['forum_thrContErr']);
        }
    }

 ?>
    <form action='addnewthread.php' method='post'>
          <input type='text' name='thread-title' id='thread-title' placeholder='Type title here' class='user-input'
               <?php 
               if(isset($_SESSION['threadTitle'])&!empty($_SESSION['threadTitle'])
               {
                    echo "value='{$_SESSION['threadTitle']}'"; 
               }
               ?>
          >
          <textarea id='threadCont' name='threadCont'>
          <?php 
                if(isset($_SESSION['threadCont'])&!empty($_SESSION['threadCont'])
                {
                     echo $_SESSION['threadCont'];
                }
          ?> 
          </textarea>
          <button id='submit' type='submit' name='submit'value='success'>Submit</button>
    </form>
</body>

</html>
3
phpmysqltinymce
Your if(isset($_SESSION['threadTitle'])&!empty($_SESSION['threadTitle']) constructs there make rather little sense. First of all, empty includes the check for isset already, so there is no need to use both. And secondly, & would be a bitwise and, you would want a logical and here, that’s && - 04FS

3 Answers

0
votes

Just echo the variable, just take care of the " and ' because of string concatenation.

For input :

 <input type='text' name='thread-title' id='thread-title' placeholder='Type title here' class='user-input'
 <?php 
    if(isset($_SESSION['threadTitle'])&!empty($_SESSION['threadTitle'])
     {
     echo "value='".$_SESSION['threadTitle']."'"; 
  }
  ?>
  />

For textarea:

  <textarea id='threadCont' name='threadCont'>
  <?php 
  if(isset($_SESSION['threadCont'])&!empty($_SESSION['threadCont'])
  {
   echo $_SESSION['threadTitle'];
  }
  ?> 
  </textarea>
0
votes

I checked your code and found that you forgot to add round brackets:

<form action='addnewthread.php' method='post'>
    <input type='text' name='thread-title' id='thread-title' placeholder='Type title here' class='user-input'
        <?php
        if(isset($_SESSION['threadTitle'])&&!empty($_SESSION['threadTitle']) <--here
        {
            echo "value='{$_SESSION['threadTitle']}'";
        }
        ?>
    >
    <textarea id='threadCont' name='threadCont'>
          <?php
          if(isset($_SESSION['threadCont'])&&!empty($_SESSION['threadCont']) <--and here
          {
              echo $_SESSION['threadCont'];
          }
          ?>
          </textarea>
    <button id='submit' type='submit' name='submit'value='success'>Submit</button>
</form>

Also you need replace & to &&.

0
votes

I think you need to do it like this 

 <form action='addnewthread.php' method='post'>
      <input type='text' name='thread-title' id='thread-title' placeholder='Type title here' class='user-input'
           <?php 
           if(isset($_SESSION['threadTitle']) && !empty($_SESSION['threadTitle']))
           {
                echo "value='{$_SESSION['threadTitle']}'"; 
           }
           ?>
      >
      <textarea id='threadCont' name='threadCont'>
      <?php 
            if(isset($_SESSION['threadCont']) && !empty($_SESSION['threadCont']))
            {
                 echo $_SESSION['threadCont'];
            }
      ?> 
      </textarea>
      <button id='submit' type='submit' name='submit'value='success'>Submit</button>
</form>