style-form.php

<!DOCTYPE html>
<html lang="en">

<?php
// if $_POST is set, then we have a form submission to process
 if( $_POST )
 {
    /* Use associative array to map font-family values from form to
       correct style font-family names.  This also avoids any possible
       HTML injection when font-family name is printed in page.
     */
    $fontFamilyNames = array( 'serif' => '"Times New Roman", Times, serif',
			     'sans' => 'Arial, Helvetica, sans-serif',
			     'monospace' => '"Courier New", Courier, monospace');
?>

<head>
  <title>What You Said</title>
  <meta charset="utf-8">
<style type="text/css">
div {
<?php

// Replace font-family selection from form by an expanded CSS list of fonts.
// Normally the option will be set and will match one of the names in
// the array, but we validate in case of hacker tricks.
if( isset($_POST['font_family']) ) {
   $font_family = $_POST['font_family'];
   if( isset($fontFamilyNames[$font_family]) ) {
      print "font-family: $fontFamilyNames[$font_family];\n";
   }
}

// Test for presence of bold or italic checkboxes and set corresponding style
if( isset($_POST['bold']) ) {
     print "font-weight: bold;\n";
}
if( isset($_POST['italic']) ) {
     print "font-style: italic;\n";
}

// The coercion of font_size to int assures no HTML injection.  If value
// is not an int, result will be 0.  Validation rejects sizes outside the
// range 8 to 36 pt.
if( isset($_POST['font_size']) ) {
  $font_size = (int)$_POST['font_size'];
  if( $font_size >= 8 && $font_size <= 36 ) {
    print "font-size: {$font_size}pt;\n";
  }
}

// Font color can be any of a wide variety of possibilities, including
// names, hex codes, or rgb specs.  We give the user plenty of freedom
// but escape HTML special characters just in case.
if( isset($_POST['font_color']) ) {
  $font_color = htmlspecialchars($_POST['font_color']);
     print "color: $font_color;\n";
}
?>
    }
</style>

</head>
<body>



<h1>What You Said</h1>
<div>
<?php
// Print the text from the textarea field, escaping any HTML.
    print htmlspecialchars($_POST['quoth']);
?>
</div>



<?php
/**************** End processing part, start of form ***************/

// No $_POST, put out the form
  } else /* ! $_POST */
  {
?>
<head>
  <title>Select your style</title>
  <meta charset="utf-8">
  <style type="text/css">
    fieldset.style { background-color: #c8fbc8; }
    fieldset.text { background-color: #c8c8fb; }
    fieldset legend { font-weight: bold; font-style: italic; }
  </style>
</head>
<body>
<h1>Select your style</h1>
<p><b>Instructions:</b> Select style attributes, type some text in the
  box, and hit Submit.</p>

<form action="<?php print $_SERVER['SCRIPT_NAME'] ?>" method="post">

<fieldset class="style">
<legend>Select Style</legend>

<p>
<label><input name="bold" type="checkbox" /> Bold</label><br/>
<label><input name="italic" type="checkbox" /> Italic</label><br/>
</p>


<p>
Font family:
<select name="font_family">
  <option selected value="serif">Serif</option>
  <option value="sans">Sans Serif</option>
  <option value="monospace">Monospace</option>
</select>
</p>

<p>
Font size:
<select name="font_size">
<?php
    for($size=8; $size <= 36; $size += 2) {
	print "  <option";
	if( $size == 12 ) { print " selected"; } /* make 12pt default */
	print ">{$size}pt</option>\n";
    }
?>
</select>
</p>

<p>
Font color:
<input type="text" name="font_color" />
</p>

</fieldset>

<fieldset class="text">
<legend>Write some text</legend>

<p>
<textarea name="quoth" rows="10" cols="25">
The quick brown fox jumps over the lazy dog.
</textarea>
</p>
</fieldset>

<p>
<input type="submit" value="Submit" />
<input type="reset" /></p>
</form>
<?php
  } // end of ! $_POST
?>
</body>
</html>