jamesadrian Posted February 26, 2016 Share Posted February 26, 2016 I have attempted to write a page at http://www.futurebeacon.com/test.php that has a form window for a name, a form window for an email address and a form window for comments. The comment window never comes through with the email message sent to update@futurebeacon.com and I don't know what the script or the html form lack. Here they are: <?php if (isset($_POST['Submit'])) { // get posted data into local variables $EmailFrom = "Contact Form at http://www.futurebeacon.com"; $EmailTo = "update@futurebeacon.com"; $Subject = "Update Request"; $Name = Trim(stripslashes($_POST['Name'])); $Email = Trim(stripslashes($_POST['Email'])); // validation $validationOK=true; if (Trim($Name)=="") $validationOK=false; if (Trim($Email)=="") $validationOK=false; //if (Trim($Website)=="") $validationOK=false; if (!$validationOK) { print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.futurebeacon.com/error.htm\">"; exit; } // prepare email body text $Body =""; $Body .= "\n"; $Body .= "Name: "; $Body .= $Name; $Body .= "\n"; $Body .= "Email: "; $Body .= $Email; $Body .= "\n"; // send email $success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>"); // Print style redirect to success page: if ($success){ print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.futurebeacon.com/ok.htm\">"; } else{ print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.futurebeacon.com/error.htm\">"; } } ?><!DOCTYPE html><html><head><title>PHP Test</title><meta name="description" content=""><meta name="keywords" content=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body style="background-image: url(http://www.fibro1.org/Fibro1.png);"><div style="width: 3000px; height: 3000px; font-size: 20px; line-height: 28px; color: #000000; font-family: times new roman;"><div style="margin-left: 60px; margin-right: 0px;"><br /><br /><div style="font-size: 35px; line-height: 5px;">PHP Test</div><br /><br /><br /><br /><br /><br /><div style="width: 1000px;">To receive email updates, please enter your name and email address bellow. This information will not be shared with others.<br /><br /><!-- Website Contact Form--><form method="POST" action="<?php echo $PHP_SELF;?>">Name<br /><input type="text" name="Name" value="" size="29" maxlength="75"><br />Email Address<br /><input type="text" name="Email" value="" size="29" maxlength="75"><br /><br /><div style="position: absolute; top: 440px; left: 60px;"><br /><br />Questions and Comments:<br /><br /><textarea name="Comments" rows="12" cols="70"></textarea><br /><br /><br /><br /><input type="submit" name="Submit" value="Submit Form"><br /><br /><input type="reset" value="Clear Form"></div></form></div></div></div></body></html> I think that the php file needs to somehow enable the part of the html form that contains the comment window, but I am not sure and I wouldn't know how. The name and email address come with the message correctly. Any hints would be greatly appreciated. Thank you for your help. Jim Adrian jim@futurebeacon.com Link to comment Share on other sites More sharing options...
jamesadrian Posted February 27, 2016 Author Share Posted February 27, 2016 88 people have looked at this so far. Have I posted this in the wrong place? Thank you for your help. Jim Adrian jim@futurebeacon.com Link to comment Share on other sites More sharing options...
davej Posted February 28, 2016 Share Posted February 28, 2016 I don't see $Website being defined. Also a form can be submitted without pressing the submit button. Also you should avoid using a raw $PHP_SELF See... http://www.w3schools.com/php/php_form_validation.asp http://www.w3schools.com/php/func_mail_mail.asp --edit 2/28 10am cdt Oops. I see $Website was commented out. Link to comment Share on other sites More sharing options...
dsonesuk Posted February 28, 2016 Share Posted February 28, 2016 Its basically exactly the same way you accessed email and name content, but you are referencing 'Comments' and assigning to new variable instead (for instance $comments), then you include it in $Body variable as name and email were. Link to comment Share on other sites More sharing options...
jamesadrian Posted March 3, 2016 Author Share Posted March 3, 2016 I appreciate your help with this and I have made several changes. I separated the form from the php file which is now called recent.php and operates from my hosing account and is not on the website page. Located on a website page, the form is now this: <!-- Website Contact Form--><form action="recent.php" method="post">Name<br /><input type="text" name="Name" value="" size="29" maxlength="75"><br /><br />Email Address<br /><input type="text" name="Email" value="" size="29" maxlength="75"><br /><br /><br /><br />Questions and Comments:<br /><br /><textarea name="Comments" rows="12" cols="70"></textarea><br /><br /><br /><br /><input type="submit" name="Submit" value="Submit Form"><br /><br /><input type="reset" value="Clear Form"></form> Here is recent.php: <?php if (isset($_POST['Submit'])) { // get posted data into local variables $EmailFrom = "Contact Form at http://www.fibro1.org"; $EmailTo = "jim@futurebeacon.com"; $Subject = "Update Request"; $Name = Trim(stripslashes($_POST['Name'])); $Email = Trim(stripslashes($_POST['Email'])); $Comments = Trim(stripslashes($_POST['Comments'])); // validation $validationOK=true; if (Trim($Name)=="") $validationOK=false; if (Trim($Email)=="") $validationOK=false; if (!$validationOK) { print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.fibro1.org/error.htm\">"; exit; } // prepare email body text $Body =""; $Body .= "\n"; $Body .= "Name: "; $Body .= $Name; $Body .= "\n"; $Body .= "Email: "; $Body .= $Email; $Body .= "\n"; $Body .= "Comments:"; $Body .= $Comments; $Body .= "\n"; // send email $success = mail($EmailTo, $Subject, $Comments, $Body, "From: <$EmailFrom>"); // Print style redirect to success page: if ($success){ print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.fibro1.org/ok.htm\">"; } else{ print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.fibro1.org/error.htm\">"; } } ?> I am stumped because there are no error messages and yet the email does not arive. Thank you for your help. Jim Adrian jim@futurebeacon.com Link to comment Share on other sites More sharing options...
Ingolme Posted March 3, 2016 Share Posted March 3, 2016 The mail() function might turn true even if the mail wasn't sent. It returns true if the mail was accepted for delivery by the SMTP server. If your web host doesn't have an SMTP server set up for you the code won't work. Link to comment Share on other sites More sharing options...
jamesadrian Posted March 14, 2016 Author Share Posted March 14, 2016 What does this line mean? <form method="POST" action="<?php echo $PHP_SELF;?>"> Its the action part I don't understand. Thank you for your help. Jim Adrian Link to comment Share on other sites More sharing options...
Don E Posted March 14, 2016 Share Posted March 14, 2016 Hello Jim, That looks like that's suppose to be $_SERVER['PHP_SELF']; or $PHP_SELF was assigned the value of $_SERVER['PHP_SELF']. http://php.net/reserved.variables.server Link to comment Share on other sites More sharing options...
Ingolme Posted March 14, 2016 Share Posted March 14, 2016 Perhaps an old version of PHP actually used a variable called $PHP_SELF Link to comment Share on other sites More sharing options...
Don E Posted March 14, 2016 Share Posted March 14, 2016 Hmm possible, but according to a quick search: http://stackoverflow.com/questions/12710803/undefined-variable-php-self near the bottom a user wrote: Looks like certain WordPress distributions declare $PHP_SELF = $_SERVER['PHP_SELF'] for reasons I can't say, must be some sorta legacy thing. That may be it in this case as well. Link to comment Share on other sites More sharing options...
davej Posted March 14, 2016 Share Posted March 14, 2016 I think it may be better to use action="" but certainly there is known problem with using $_SERVER["PHP_SELF"] http://www.w3schools.com/php/php_form_validation.asp Link to comment Share on other sites More sharing options...
dsonesuk Posted March 14, 2016 Share Posted March 14, 2016 If you go by that link and use action="" you are STILL vulnerable by hacking via url or input, unless you take necessary precautions and use htmlspecialchars() function for both action attribute and form inputs values. Link to comment Share on other sites More sharing options...
davej Posted March 14, 2016 Share Posted March 14, 2016 I don't actually understand how this confuses the system... http://www.example.com/test_form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E ...Why aren't the extra characters ignored or considered invalid? I could see that they might be confused as GET data but this code will be looking for a POST. Link to comment Share on other sites More sharing options...
dsonesuk Posted March 14, 2016 Share Posted March 14, 2016 Exactly! its sending as method 'get' using url, which will affect current form page its sent to when you hit return, if they can introduce code for alert, why can't they introduce js code to overwrite action value to redirect and change method value to get. Link to comment Share on other sites More sharing options...
davej Posted March 14, 2016 Share Posted March 14, 2016 But why does it matter if they send fake GET data if the Php code is going to look for POST data? The injected script can change the HTML but why would the Php care what the HTML says? Link to comment Share on other sites More sharing options...
dsonesuk Posted March 15, 2016 Share Posted March 15, 2016 If the url has inserted hidden js code, the forms action can be altered it then redirects to another domain server which lands on page that looks exactly as that of the original, it uses the same POST or changed to GET method info OR both, as action attribute value address can have GET querystring included while STILL sending as method POST, if the user does not notice change in url and see info he just submitted he is more likely to continue on to maybe give more personal info including payment details. Link to comment Share on other sites More sharing options...
davej Posted March 15, 2016 Share Posted March 15, 2016 But does this injection occur automatically or because of poorly written Php code? I'm reading this... http://www.html-form-guide.com/php-form/php-form-action-self.html ...but it doesn't explain why it happens. Link to comment Share on other sites More sharing options...
jamesadrian Posted March 16, 2016 Author Share Posted March 16, 2016 I have another question about the php script and html contact form that I have been working on. The contact page at needsnotmet.com/contactnnm.php is working fine except that I hope to have the form automatically cleared when sending is successful. Can anybody here tell me how that is done? The page at futurebeacon.com does it, but only because of a hidden script offered by the godaddy.com hosting service. I can't find out from them. For some reason, viewing codes does not get you the whole thing, so here is the page source: <?php if (isset($_POST['Submit'])) { // get posted data into local variables $From = "Contact Form at http://www.needsnotmet.com/contactnnm.php"; $EmailTo = "contact@needsnotmet.com"; $Subject = "Update Request"; $Name = Trim(stripslashes($_POST['Name'])); $Email = Trim(stripslashes($_POST['Email'])); $Comments = Trim(stripslashes($_POST['Comments'])); // validation $validationOK=true; if (Trim($Name)=="") $validationOK=false; if (Trim($Email)=="") $validationOK=false; if (!$validationOK) { print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.needsnotmet.com/error.htm\">"; exit; } // prepare email body text $Body =""; $Body .= "\n"; $Body .= "\n"; $Body .= "Name: "; $Body .= $Name; $Body .= "\n"; $Body .= "\n"; $Body .= "Email Address: "; $Body .= $Email; $Body .= "\n"; $Body .= "\n"; $Body .= "Comments: "; $Body .= $Comments; $Body .= "\n"; $Body .= "\n"; $Body .= "From: "; $Body .= $From; $Body .= "\n"; $Body .= "\n"; // send email $success = mail($EmailTo, $Subject, $Body, "From: <$From>"); // Print style redirect to success page: if ($success){ print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.needsnotmet.com/ok.htm\">"; } else{ print "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.needsnotmet.com/error.htm\">"; } } ?><!DOCTYPE html><html><head><title>Contact</title><meta name="description" content=""><meta name="keywords" content=""><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body style="background-image: url(http://www.needsnotmet.com/bluesky.png);"><div style="width: 3000px; height: 3000px; font-size: 20px; line-height: 28px; color: #000000; font-family: times new roman;"><div style="margin-left: 60px; margin-right: 0px;"><br /><br /><div style="font-size: 30px; line-height: 5px;">This is your contact with NeedsNotMet.com</div><br /><br /><br /><br /><div style="width: 1000px;">Your email address will not be shared with others.<br /><br /><br /><br /><!-- Website Contact Form--><form method="POST" action="<?php echo $PHP_SELF;?>">Name<br /><input type="text" name="Name" value="" size="29" maxlength="75"><br />Email Address<br /><input type="text" name="Email" value="" size="29" maxlength="75"><br /><br /><div style="position: absolute; top: 440px; left: 60px;"><br /><br />Questions and Comments:<br /><br /><textarea name="Comments" rows="12" cols="70"></textarea><br /><br /><br /><br /><input type="submit" name="Submit" value="Submit Form"><br /><br /><input type="reset" value="Clear Form"></div></form></div></div></div></body></html> Thank you for your help. Jim Adrian jim@futurebeacon.com Link to comment Share on other sites More sharing options...
davej Posted March 16, 2016 Share Posted March 16, 2016 There is nothing here to restore those fields so it must be due to browser caching. You could add a script block... <script> window.onload = function(){ var i; var list = document.getElementsByTagName('INPUT'); for (i=0,len=list.length ; i<len ; i++){ if (list[i].type == 'text'){ list[i].value = ''; } } var list = document.getElementsByTagName('TEXTAREA'); for (i=0,len=list.length ; i<len ; i++){ list[i].value = ''; } } </script> Link to comment Share on other sites More sharing options...
jamesadrian Posted March 16, 2016 Author Share Posted March 16, 2016 (edited) Thank you. Edited March 17, 2016 by jamesadrian Link to comment Share on other sites More sharing options...
davej Posted March 16, 2016 Share Posted March 16, 2016 Simply take the code I provided above and place it in the head or body of the file. Link to comment Share on other sites More sharing options...
jamesadrian Posted March 17, 2016 Author Share Posted March 17, 2016 (edited) Thank you. Jim Adrian Edited March 17, 2016 by jamesadrian Link to comment Share on other sites More sharing options...
dsonesuk Posted March 17, 2016 Share Posted March 17, 2016 You are relying on javascript being enabled, use php to clear cache such as header( "Cache-Control: no-cache, must-revalidate" ); header( "Pragma: no-cache" ); as described here http://www.thesitewizard.com/archive/phptutorial2.shtml When it comes to preventing what could be users private information showing on form, i would not recommended using javascript. Example cached google snapshot of site, would not show javascript cleared form, but how form will show without javascript. Link to comment Share on other sites More sharing options...
jamesadrian Posted March 18, 2016 Author Share Posted March 18, 2016 You are relying on javascript being enabled, use php to clear cache such as header( "Cache-Control: no-cache, must-revalidate" ); header( "Pragma: no-cache" ); as described here http://www.thesitewizard.com/archive/phptutorial2.shtml When it comes to preventing what could be users private information showing on form, i would not recommended using javascript. Example cached google snapshot of site, would not show javascript cleared form, but how form will show without javascript. Thank you for this information. I think that you advise that I substitute the header commands for the java script and do without the java script. I don't yet see where the header commands should be placed in the code. At the beginning? I am studying the link you provided including the links it leads to. Perhaps I should google header commends. I am new to this. Thank you for your help. Jim Adrian Link to comment Share on other sites More sharing options...
dsonesuk Posted March 18, 2016 Share Posted March 18, 2016 It should be done in such a way that it appears BEFORE ANY html code. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now