PHP - XSS Problem With $_SERVER['REQUEST_URI'] In Form Action
Hi there,
I am having some issues with a page failing security tests because of a form. The form's text input fields are getting sanitized when posted, but the only thing I can think of is that the form action is $_SERVER['REQUEST_URI'], and this then includes anything that is within the URL.

```html
<form name="zipcode" id="zipcode" action="<?php echo htmlentities($_SERVER['REQUEST_URI'], ENT_QUOTES, "UTF-8"); ?>" method="post">
  <label for="zip" class="smalllbl">Zipcode: </label>
  <input type="text" class="smallzip" name="zip" id="zip" value="" />
</form>
```

Has anyone else experienced this when running PCI Compliance style security tests? And if you have, why would this happen, as the same form action is used elsewhere with no issues?

Many thanks in advance
Simon

Similar Tutorials

Hello PHPers,

Need help. I am using $_SERVER['REQUEST_URI']; in order to obtain the URL that the visitor came from. No matter what I try to change, I get more info than required, i.e.

mojo/mojo.php?width=640&height=480&doc_location=/&doc_title=Marc%20Rob&doc_refer=http%3A//www.aaa.com.au/rob.html

instead, and what I should be getting is just http://www.aaa.com.au/rob.html

Could somebody please help me and let me know why this is appearing with the extra info which I do not want. Thank you.
HJ

I currently have $_SERVER['REQUEST_URI'], which echoes /dir/page etc. How can I modify it so it only echoes /dir/? In other words, I want to lose the page.

This works:

```html
<form action="http://localhost/mysite/css/screen.css" method="post">
```

This does not work:

```php
<?php
$link_1 = "http://localhost/mysite/css/screen.css" ;
$link_2 = '"' . "http://localhost/mysite/css/screen.css" .'"' ;
?>
<form action=<?php echo $link_1;?> method="post">
<form action=<?php echo $link_2;?> method="post">
```

Why do neither of the PHP variables work? Thanks!

What's the difference between them? How do I use them? I print_r($_SERVER), and there are no results for $_SERVER['PATH_INFO'] and $_SERVER['ORIG_PATH_INFO']. Why?
How do I enable them? I have read the PHP manual about them, but still don't understand. I expect someone can explain them. Thank you.

Hi there, I'm trying to make my code more efficient by using <?php echo $_SERVER['PHP_SELF']; ?> ...where I've been used to having two pages with forms - one for filling out the form, and then a second page to process it / confirm, etc.

The page in question is designed to send a reminder of a user's password to their email address. They basically put their email address into a form with one field, next to which it says: "So...You forgot your password eh? Give us your email address and we'll send it to you."

I've got the code set up so it sends the email with the password, no problems. However, once they've pressed submit, they can still see the message "So...You forgot your password eh? Give us your email address and we'll send it to you"...as well as the form field and submit button. I'd love to know what I need to do to hide these after the user has pressed submit??

Here's the code:

```php
<?php
if(isset($_POST['submit'])) {
    $emailaddress = $_POST['emailaddress'];
    echo "We've sent an email to $emailaddress, reminding you of your password.";

    //MySQL Database Connect
    include 'mysql_connect_applications.php';

    // Get all the data from the "example" table
    $result = mysql_query("SELECT * FROM applications2011 WHERE emailaddress= '$emailaddress' LIMIT 0,1 ") or die(mysql_error());

    while($row = mysql_fetch_array( $result )) {
        $password = $row['password'];
    } // keeps getting the next row until there are no more to get

    //***********************Email to forgetful user code***********************
    $to = "$emailaddress\n";
    $subject = "C2K Application";
    $headers = "From: coast2kosci@coast2kosci.com";
    $message = "Hi there,

Seems you forgot your password.

Here it is:

Password: $password

Yours in the long run,
Dave.\n";

    if (preg_match(' /[\r\n,;\'"]/ ', $_POST['emailaddress'])) {
        exit('Invalid Email Address');
    } else {
        mail($to,$subject,$message,$headers);
    }
    //***********************End of Email to applicant code***********************
}
?>
<form id="form1" name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <p>
    <label>
      So...You forgot your password eh? Give us your email address and we'll send it to you.
      <input type="text" name="emailaddress" id="emailaddress" />
    </label>
  </p>
  <p>
    <label>
      <input type="submit" name="submit" id="submit" value="Submit Form" />
    </label>
  </p>
</form>
```

Please help me. I am new to the PHP unit testing concept. I just wrote a PHP unit test case for a login module in the Zend framework. For that we have to see the result via the command prompt. But in some places of the Zend framework we are using $_SERVER['HTTP_HOST'] to get the server host name, and it can only be got by hitting via a browser, so while I am hitting via the command prompt it gives error messages like this (given below):

```text
Generating code coverage report, this may take a moment.
PHP Notice: Undefined index: HTTP_HOST in /opt/coolstack/apache2/htdocs/LPS/application/bootstrap/Bootstrap.php on line 147
Notice: Undefined index: HTTP_HOST in /opt/coolstack/apache2/htdocs/LPS/application/bootstrap/Bootstrap.php on line 147
PHP Notice: Undefined index: HTTP_HOST in /opt/coolstack/apache2/htdocs/LPS/application/bootstrap/Bootstrap.php on line 197
Notice: Undefined index: HTTP_HOST in /opt/coolstack/apache2/htdocs/LPS/application/bootstrap/Bootstrap.php on line 197
PHP Notice: Undefined index: HTTP_HOST in /opt/coolstack/apache2/htdocs/LPS/library/Zaah/Controller/Plugin/Ssl.php on line 79
Notice: Undefined index: HTTP_HOST in /opt/coolstack/apache2/htdocs/LPS/library/Zaah/Controller/Plugin/Ssl.php on line 79
```

I can't give the server host name in all the places. So please help me how to solve this problem...
Thanks,
Yogesh

When I click the save changes button, I want the user to be brought back to profile.php. Right now they are being brought to editprofile.php. I currently have the form action set to editprofile.php. When I change it to profile.php my fields won't update. Any thoughts as to where I went wrong? Here is the editprofile.php code.

```html
<form action='editprofile.php' method="POST" id="form">
```

I have the below PHP in my 404.php in WordPress. Recently we moved our main site URL to WordPress from IIS. Company name is important. I want to treat any URL that contains \prtaxsvc so that it does not change from POST to GET, as I need to run a WCF .svc file on the old server, which runs IIS (can't run a .svc on a WordPress hosted site). Any clue on how to make this work? I think I need to make \prtaxsvc report as 308 or 307 and leave other old calls as 301. Right now it fails to send .svc to the old server. Thanks.

```php
<?php
get_header();
header("Location: http://www.mysite.com{$_SERVER['REQUEST_URI']}");
exit();
?>
```

How do I put a GET id into this form, or use $myvar?

```html
<form action='read2.php?id=' method="post" name='myForm' id="myForm"></form>
```

I've heard multiple recommendations when a form needs to post to itself. Some say use PHP_SELF, others say leave it blank (even though it doesn't validate), etc. Please provide the best practice, and reasons why. Thank you
```php
echo("<form method='post' action='{$_SERVER['PHP_SELF']}'>");
echo("<form method='post' action=''>");
```

I'm having some problems with my PHP program. I'm trying to get the information sent to my inbox, but when I push the submit button I get no email and the "thank you message" is incomplete (see attachment: thankUmessage.png). I have to say, I'm not really a PHP freak; I understand this language a little. I hope someone can help me. First the code.

HTML (see attachment: form.png):

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>contactformulier</title>
<style type="text/css">
<!--
body,td,th {
  font-family: Arial, Helvetica, sans-serif;
  font-size: 13px;
  color: #FFFF00;
}
body {
  background-color: #CCCCCC;
}
.style2 {font-size: 16px}
-->
</style>
<script type="text/javascript">
<!--
function MM_validateForm() { //v4.0
  if (document.getElementById){
    var i,p,q,nm,test,num,min,max,errors='',args=MM_validateForm.arguments;
    for (i=0; i<(args.length-2); i+=3) { test=args[i+2]; val=document.getElementById(args[i]);
      if (val) { nm=val.name; if ((val=val.value)!="") {
        if (test.indexOf('isEmail')!=-1) { p=val.indexOf('@');
          if (p<1 || p==(val.length-1)) errors+='- '+nm+' must contain an e-mail address.\n';
        } else if (test!='R') { num = parseFloat(val);
          if (isNaN(val)) errors+='- '+nm+' must contain a number.\n';
          if (test.indexOf('inRange') != -1) { p=test.indexOf(':');
            min=test.substring(8,p); max=test.substring(p+1);
            if (num<min || max<num) errors+='- '+nm+' must contain a number between '+min+' and '+max+'.\n';
      } } } else if (test.charAt(0) == 'R') errors += '- '+nm+' is required.\n'; }
    } if (errors) alert('The following error(s) occurred:\n'+errors);
    document.MM_returnValue = (errors == '');
} }
//-->
</script>
</head>
<body>
<form id="form1" name="form1" method="post" action="contactafhandeling.php">
<table width="400" cellpadding="0" cellspacing="0" bordercolor="#CCCCCC" bgcolor="#000000">
  <!--DWLayoutTable-->
  <tr>
    <td height="39" colspan="6"><div align="center" class="style2">Contact formulier<br /></div></td>
  </tr>
  <tr>
    <td height="21"><div align="right">Aanhef:</div></td>
    <td width="4" rowspan="7"> </td>
    <td colspan="4" valign="top">
      <select name="aanhef" id="aanhef">
        <option value="dhr" selected="selected">Dhr.</option>
        <option value="mvr">Mvr.</option>
      </select>
    </td>
  </tr>
  <tr>
    <td width="72" height="20"><div align="right">Voorletters:</div></td>
    <td width="42" valign="top"><div align="left">
      <input name="voorletters" type="text" id="voorletters" size="5" maxlength="40" />
    </div></td>
    <td width="120" valign="top"><div align="center">Achternaam: </div></td>
    <td colspan="2" valign="top"><div align="left">
      <input name="achternaam" type="text" id="achternaam" size="20" maxlength="40" />
    </div>
    <div align="left"></div></td>
  </tr>
  <tr>
    <td height="20"><div align="right">Adres:</div></td>
    <td colspan="2" valign="top"><div align="left">
      <input name="adres" type="text" id="adres" size="20" maxlength="40" />
    </div>
    <div align="center"></div>
    <div align="left"></div></td>
    <td width="79" valign="top"><div align="center">Postcode:</div></td>
    <td valign="top"><div align="right">
      <input name="postcode" type="text" id="postcode" size="10" maxlength="7" />
    </div></td>
  </tr>
  <tr>
    <td height="20"><div align="right">Woonplaats:</div></td>
    <td colspan="4" align="right" valign="top"><div align="left">
      <input name="woonplaats" type="text" id="woonplaats" size="20" maxlength="40" />
    </div>
    <div align="left"></div>
    <div align="left"></div>
    <div align="left"></div></td>
  </tr>
  <tr>
    <td height="20"><div align="right">Tel:</div></td>
    <td colspan="4" valign="top"><div align="left">
      <input name="tel" type="text" id="tel" size="20" maxlength="10" />
    </div></td>
  </tr>
  <tr>
    <td height="20"><div align="right">Email:</div></td>
    <td colspan="4" valign="top"><div align="left">
      <input name="email" type="text" id="email" size="40" maxlength="40" />
    </div></td>
  </tr>
  <tr>
    <td height="20"><div align="right">Interesses:</div></td>
    <td colspan="4" valign="top"><div align="left">
      <label></label>
      <label><input type="checkbox" name="badkamer" id="badkamer" /> Badkamermeubels</label>
      <label><br /><input type="checkbox" name="kantoor" id="kantoor" /> Kantoormeubels</label>
      <label><br /><input type="checkbox" name="kasten" id="kasten" /> Kasten</label>
      <label><br /><input type="checkbox" name="keukens" id="keukens" /> Keukens<br /></label>
      <label><input type="checkbox" name="tafels" id="tafels" /> Tafels</label>
      <br />
    </div></td>
  </tr>
  <tr>
    <td height="21" colspan="5" valign="top"><input type="reset" name="reset" id="reset" value="Reset" /></td>
    <td width="83" height="21" valign="top"><input name="verzenden" type="submit" id="verzenden" onclick="MM_validateForm('voorletters','','R','achternaam','','R','tel','','RisNum','email','','RisEmail');return document.MM_returnValue" value="Verzenden" /></td>
  </tr>
</table>
</form>
</body>
</html>
```

It looks like this: afbeelding 1.png

Then the PHP code:

```php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Contactafhandeling</title>
</head><body>
<?
$aanhef = $_POST['aanhef']['dhr'];
$aanhef = $_POST['aanhef']['mvr'];
$voorletters = $_POST['voorletters'];
$achterNaam = $_POST['achterNaam'];
$adres = $_POST['adres'];
$postcode = $_POST['postcode'];
$tel = $_POST['tel'];
$email = $_POST[email];
$interesses = $_POST['badkamer']['kantoor']['kasten']['keukens']['tafels'];

// Subject: "Details from contactformulier.html"; body fields: Name, Address, Postcode, Phone, Email, Interested in
$formsent = mail('sven_jcvd@hotmail.com', 'Gegevens afkomstig van contactformulier.html',
    "Naam: $aanhef $voorletters $achterNaam\r\n Adres: $adres\r\n Postcode: $plaatst\r\n Telefoonnummer: $tel\r\n Emailadres: $email\r\n Interesse in: $interesses",
    "From: $email\r\nBounce-to: sven_jcvd@hotmail.com");

if ($formsent) {
    // "Dear <surname>, thank you for your message, we will contact you as soon as possible. Kind regards, JPS"
    echo "<p>Beste $achternaam,<br><br> Bedankt voor uw bericht, we zullen zo snel mogelijk contact met u opnemen.\n\r Met vriendelijke groet, JPS</p>";
} else {
    // "Sorry, something is going wrong with the form, please try again later."
    echo "<p>Sorry, er gaat iets fout met het formulier, probeer het later nog eens a.u.b.</p>";
}
?>
</body>
</html>
```

My question is: when someone makes the same HTML form with an action that goes to the same PHP file on my server, can my site be hacked in that way? I mean, if I have a form that goes to the file /sources/add_user.php and someone makes the same HTML form that goes to www.my-site.com/sources/add_user.php, can they add users to my database that way?
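The question above is the classic cross-site request forgery setup, and the answer is yes: the browser will happily submit a form built on any site to www.my-site.com/sources/add_user.php, with the victim's cookies attached, and nothing in the request tells the server which page built the form. The same holds for the contact form earlier in the thread, whose only validation runs in the browser (MM_validateForm) and is skipped by anyone posting directly. The usual defence is a per-session secret that an attacker's page cannot read, echoed into your own forms and checked on every state-changing POST. The following is an added example, not code from any poster here; the function names, the CSRF_KEY field name and the `$session`/`$post` arrays (which stand in for `$_SESSION` and `$_POST` so it runs from the command line) are the example's own.

```php
<?php
// Added example (not from the original posts): a synchronizer token for a
// self-hosted form handler such as /sources/add_user.php.
// The form's action attribute and the request's origin tell the server nothing
// about where the POST was built; only a secret the attacker's page cannot
// read (a per-session token, echoed into our own form) does.
declare(strict_types=1);

const CSRF_KEY = 'csrf_token';   // hidden field / session key name (example's choice)

/** Issue (or reuse) the per-session token. $session stands in for $_SESSION. */
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session[CSRF_KEY];
}

/** Hidden input to place inside every state-changing form we render. */
function csrf_field(array &$session): string
{
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_KEY . '" value="' . $t . '" />';
}

/** True only if the submitted token matches the session's (constant-time compare). */
function csrf_valid(array $session, array $post): bool
{
    if (empty($session[CSRF_KEY]) || !isset($post[CSRF_KEY]) || !is_string($post[CSRF_KEY])) {
        return false;
    }
    return hash_equals($session[CSRF_KEY], $post[CSRF_KEY]);
}

/** What add_user.php should do first. Returns true if the user would be added. */
function handle_add_user(array &$session, array $post): bool
{
    if (!csrf_valid($session, $post)) {
        // In the real handler: http_response_code(403); exit;
        return false;
    }
    // ... server-side validation of $post['username'] etc. and the database insert ...
    return true;
}

// --- constructed demonstration: two requests against the same session --------
$session = [];                       // stands in for $_SESSION after session_start()
$ourForm = csrf_field($session);     // our own page renders the hidden token field

// 1. A copy of the form hosted on another site: right field names, right action
//    URL, but no way to learn this session's token.
$forged = ['username' => 'mallory', 'password' => 'x'];
echo "forged form accepted:  " . var_export(handle_add_user($session, $forged), true) . "\n";

// 2. A submission from the form we rendered, which carries the hidden field.
$genuine = ['username' => 'alice', 'password' => 'y', CSRF_KEY => $session[CSRF_KEY]];
echo "genuine form accepted: " . var_export(handle_add_user($session, $genuine), true) . "\n";
```

In a real handler, call `session_start()` and pass `$_SESSION` and `$_POST` in place of the two arrays, and emit `csrf_field($_SESSION)` inside every form that changes state. Setting the session cookie with `SameSite=Lax` or `Strict` is a useful second layer, but the token check is the part that does not depend on browser support.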
Hi, I'm creating a PHP application to handle my SQL server and I've run into a bit of a problem. I have two files at the moment: mainClass.php and testSite.php. My mainClass.php looks like this:

```php
class mainClass {
    private $host = 'localhost';

    public function createDb($user,$pass,$dbName) {
        $con = mysql_connect($host, $user, $pass);
        if (!$con){
            die('Could not connect: '.mysql_error());
        }
        $sql = "CREATE DATABASE `$dbName`;";
        if (!mysql_query($sql)){
            die('Error 1: '.mysql_error());
        }
        mysql_close();
    }
}
```

and testSite.php looks like this:

```php
<!DOCTYPE HTML>
<html lang="en">
<head>
<meta charset="UTF-8">
</head>
<body>
<h1>testSite for my PHP app</h1>
<?php
function __autoload($className){
    require_once "./classes/{$className}.php";
}
$test = new mainClass();
?>
<form name='createDb' method='post' action=''>
User: <input type='text' name='user'><br>
Password: <input type='password' name='pass'><br>
dbName: <input type='text' name='dbName'><br>
<input type='submit' value='Create DB'>
</form>
</body>
</html>
```

What I'm asking is whether it is possible to make the form action from testSite.php run the createDb function from mainClass.php. I have pretty much no idea how to do it, but I tried like this:

```php
<form name='createDb' method='post' action="<?php $test->createDb($_POST['user'],$_POST['pass'],$_POST['dbName']); ?>">
User: <input type='text' name='user'><br>
Password: <input type='password' name='pass'><br>
dbName: <input type='text' name='dbName'><br>
<input type='submit' value='Log in'>
</form>
```

But that just made the whole form disappear, so now I'm completely lost. Any help greatly appreciated. PS: I'm doing this to get better at PHP, so please don't come with advice like "use a framework" or "there already are applications that handle this"; I know there are.

It has been brought to my attention that $_SERVER['PHP_SELF']; can be easily hacked. In this code...

```html
<form id="login" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
```

Do I even need anything in the action attribute if I am redirecting the form to itself?! Please advise...
Debbie

Hi there, I was wondering if it was possible to change a form's action field with PHP. Basically, if there are several checkboxes for the user to select and a specific checkbox was selected, how would I redirect users to an alternative webpage on submit? I've been playing around with several methods, and one of them was:

```php
<?php
if(isset($_POST['Example']) && $_POST['Example'] == 'FormValueGoesHere') {
    echo ('./page1.php');
} else {
    echo ('./page2.php');
}
?>
```

But the form action would only display page1.php even with nothing selected. Maybe I'm just being stupid because it's getting late, but I'd appreciate any assistance. Thanks

Hi guys, I want to create a piece of script that takes my users to a website based on their input in a form. Basically, what they input into a text field will become part of the URL used in the action at the top of the form. So it would look like this: http://www."their input from form".mydomain.com. Does anyone have any suggestions on how to accomplish this? Thanks

How do you have an HTML form process a function for an action? I tried what I have below, but I just can't get it to work right. Any ideas? Thanks for your help.

For example:

```php
<?php
function UserLookup(){
    $searchfield = $_POST['searchfield'];
    $client = new SoapClient("http://www.domain.com/webservice.asmx?WSDL");
    $result = $client->UserLookup(array('searchfield'=>$searchfield));
    echo json_encode($result);
}

if (isset($_GET['submit'])) {
    UserLookup();
} else {
?>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>" >
<input name="searchfield" type="text" size="45" />
<input type="submit" value=" Search " />
</form>
<?php
}
?>
```

Hi, I want to make a checkbox that will store the value as the user's database table ID, and when the records are checked, I will have a delete/update link to delete/update those records that have their checkbox checked. I know I would need two submit buttons (one for delete and one for update), but the form tag only takes one action attribute, right? So does anyone know what I should do??? Let me know, thanks

Is there any way to hide the action URL from an HTML form? For example:

```html
<form name="afrom" action="hide.php" method="post">
```

so it ends up on the user side as:

```html
<form name="afrom" action="" method="post">
```

Thanks!

Hi all, the title says it all: how do I get the request_uri from the parent frame? I do not have editing access to the parent frame, but I want to know what page is called behind the slash. The tag it is in is frameset and then frame, so not iframe. I hope someone knows the answer. Thanks in advance, masteRens
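Three posts in this thread ask the same underlying question: Simon's scanner finding on `htmlentities($_SERVER['REQUEST_URI'])`, the "PHP_SELF or blank" best-practice post, and Debbie's "can PHP_SELF be hacked". What a practitioner wants to see is the actual failure and the two fixes side by side. `PHP_SELF` is the script path plus `PATH_INFO`, and Apache decodes `PATH_INFO` before PHP sees it, so a request for `/login.php/%22%3E%3Cscript%3E...` lands a literal `"><script>` inside an unescaped `action` attribute. `REQUEST_URI` is the raw request line, so a query string stays percent-encoded, and with `ENT_QUOTES` escaping Simon's markup is not injectable; what a PCI-style scanner is reacting to is that its probe value is reflected at all. Dropping the visitor-controlled parts (query string and `PATH_INFO`) from the action, or omitting the attribute entirely (valid HTML5, submits to the current URL; `action=""` behaves the same in browsers but is not conforming), removes the reflection. The block below is an added example, not code from any poster; its function names and the constructed request values are the example's own.

```php
<?php
// Added example (not from any post above): the vulnerable pattern and two
// fixes for a self-posting form action. Function names are the example's own.
declare(strict_types=1);

/** The vulnerable pattern: attacker-influenced path copied raw into an attribute. */
function action_unescaped(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

/** Fix 1: escape for the attribute context. Safe, but still echoes the request. */
function action_escaped(string $phpSelf): string
{
    return '<form method="post" action="' . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Fix 2: post to the executed script's path only. SCRIPT_NAME comes from the
 * file the web server mapped the request to, so PATH_INFO and the query string
 * (the parts a visitor controls) never reach the markup. Escape it anyway.
 */
function action_script_only(string $scriptName): string
{
    return '<form method="post" action="' . htmlspecialchars($scriptName, ENT_QUOTES, 'UTF-8') . '">';
}

/** Reduce a REQUEST_URI to its path, dropping "?query" and "#fragment". */
function request_path(string $requestUri): string
{
    $path = parse_url($requestUri, PHP_URL_PATH);   // false/null on malformed input
    return is_string($path) && $path !== '' ? $path : '/';
}

// --- constructed demonstration -----------------------------------------------
// With Apache's AcceptPathInfo (the default for PHP handlers), a request for
//   /login.php/%22%3E%3Cscript%3Ealert(1)%3C/script%3E%3Cp%20class=%22
// gives PHP_SELF the decoded value below, while SCRIPT_NAME stays /login.php.
$evilSelf   = '/login.php/"><script>alert(1)</script><p class="';
$scriptName = '/login.php';
$requestUri = '/login.php/x?zip=%22%3E%3Cscript%3E';   // raw, still percent-encoded

echo "unescaped:   " . action_unescaped($evilSelf)     . "\n"; // script tag breaks out of the attribute
echo "escaped:     " . action_escaped($evilSelf)       . "\n"; // &quot;&gt;&lt;script&gt;... stays inert
echo "script only: " . action_script_only($scriptName) . "\n"; // <form method="post" action="/login.php">
echo "path only:   " . request_path($requestUri)       . "\n"; // /login.php/x (query dropped)
```

Run it with `php example.php` and compare the first two lines: the escaped form contains the same characters but none of them can close the attribute. For Simon's page, `action="<?php echo htmlspecialchars(request_path($_SERVER['REQUEST_URI']), ENT_QUOTES, 'UTF-8'); ?>"` keeps the current path while dropping the query string the scanner injects; `action_script_only($_SERVER['SCRIPT_NAME'])` is the stricter choice when the script does not depend on `PATH_INFO`, and leaving the attribute off entirely answers Debbie's question for a form that only ever posts to itself.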