storing text area to sql - php

$arr = [];
$arr['Uname'] = $_POST['Uname'];
$arr['email'] = $_POST['email'];
$arr['date'] = date("Y-m-d H:i:s");
$arr['id'] = $row['id'];
$arr['about'] = $_POST['about'];
" type="text" class=" form-control inc" name="about" placeholder="Write One paragraph about yourself" >
When I changed it to input it works, but I need multiple lines so I need a textarea. Is there any way I can store it in my database? It doesn't work when I use a textarea but works when I use input.
" type="text" class=" form-control inc" name="about" placeholder="Write One paragraph about yourself" >

Related

How to use a radio button with PHP to upload certain information to my database?

I have created a form with HTML/PHP/SQL where a user can either choose to submit their email into a database or else select a radio button to opt out of their email being submitted, alongside some other user data.
To achieve this, I have written an if/else statement, however my current code isn't working, and I can't quite work out the correct syntax that I should be using. If the user selects the radio-button, I would like "Email unavailable" to be inserted into the database, else the user-inputted email is inserted. All help appreciated!
Note, my code worked fine until I added the radio-button "no email" option.
HTML file:
<form id="newStaff" method="POST" action="staffportal.php" enctype="multipart/form-data">
<b><i class="fas fa-user-alt"></i> Full name:</b>
<input class="form-control" type="text" id="staffName" name="myStaffName" size="40" maxlength="50"/>
//THE RELEVANT CODE
<b><i class="fas fa-paper-plane"></i> Email:</b>
<div class="form-group row">
<div class="col-xs-4">
<input class="form-control" type="text" id="staffEmail" name="myStaffEmail" size="40"/>
<br>
<input class="form-check-input" type="radio" name="myStaffNoEmail" id="staffNoEmail" value="option1">
<label class="form-check-label" for="gridRadios1">
No available email
</label>
</div>
</div>
<hr>
<b>Job title(s):</b>
<input class="form-control" type="text" id="staffJob" name="myStaffJob" size="40" maxlength="60"/>
<b>Personal bio:</b>
<textarea class="form-control summernote" rows='6' cols='70' id="staffBio" name="myStaffBio" maxlength='1500'></textarea>
<b>Profile photo:</b>
<input type="file" class="custom-file-input" name="myStaffPhoto" id="staffPhoto">
<button name="newStaffBtn" id="newStaffButton" onclick="return confirm('Create new profile?');" type="submit" class="btn btn-primary">Create Profile></button>
</form>
PHP file:
if(isset($_POST["newStaffBtn"])) {
//Text inputs
$staffName = mysqli_real_escape_string($conn, $_POST["myStaffName"]);
//$staffEmail = mysqli_real_escape_string($conn, $_POST["myStaffEmail"]);
$staffJob = mysqli_real_escape_string($conn, $_POST["myStaffJob"]);
$staffBio = mysqli_real_escape_string($conn, $_POST["myStaffBio"]);
$staffNoEmail = mysqli_real_escape_string($conn, $_POST["myStaffNoEmail"]);
//Staff email option
if (!empty($staffNoEmail)){
$staffEmail = "Email unavailable";
} else {
$staffEmail = mysqli_real_escape_string($conn, $_POST["myStaffEmail"]);
}
//Image input
$file = $_FILES["myStaffPhoto"];
... profile photo code blah blah...
$insertquery ="INSERT INTO `staff` (staffID, staffName, staffEmail, staffRole, staffDesc, staffPic) VALUES (null, '$staffName', '$staffEmail', '$staffJob','$staffBio', '".$fileNameNew."')";
$result = mysqli_query($conn, $insertquery) or die(mysqli_error($conn));
$msg = "<small>Profile uploaded!</small>";
$css_class = "alert-success";
}
If the radio input is checked, it will send its value with the POST; if it is not checked it will not send any value and it will not exist in your $_POST array. In your case, you should be checking if it is set.
if(isset($_POST["newStaffBtn"])) {
//Text inputs
$staffName = mysqli_real_escape_string($conn, $_POST["myStaffName"]);
//$staffEmail = mysqli_real_escape_string($conn, $_POST["myStaffEmail"]);
$staffJob = mysqli_real_escape_string($conn, $_POST["myStaffJob"]);
$staffBio = mysqli_real_escape_string($conn, $_POST["myStaffBio"]);
//Staff email option: the radio only exists in $_POST when it was checked
if (isset($_POST["myStaffNoEmail"])){
$staffEmail = "Email unavailable";
} else {
$staffEmail = mysqli_real_escape_string($conn, $_POST["myStaffEmail"]);
}
//Image input
$file = $_FILES["myStaffPhoto"];
... profile photo code blah blah...
$insertquery ="INSERT INTO `staff` (staffID, staffName, staffEmail, staffRole, staffDesc, staffPic) VALUES (null, '$staffName', '$staffEmail', '$staffJob','$staffBio', '".$fileNameNew."')";
$result = mysqli_query($conn, $insertquery) or die(mysqli_error($conn));
$msg = "<small>Profile uploaded!</small>";
$css_class = "alert-success";
}

Trying to break the PHP script which processes $_POST form data

I can't find any explicit information on this.
I have an HTML5 form...
which outputs to an external PHP script
which saves the variables output by the form as $_SESSION variables
which are then passed on to another page
which displays them
I've not (yet) escaped any of the data from any of the form fields.
Yet, when I enter a ' or a " or a & into the <textarea> of the form, everything continues working smoothly and nothing breaks.
I'm just as happy that it doesn't (since I want my form processing to be as robust as possible), but why doesn't it?
Is there some behind-the-scenes automatic escaping going on that I don't know about?
I am keen to find out if there is an authoritative source which explains what is going on.
The Form Page (HTML5):
<form class="contactform" method="post" action="/form-processing.php">
<fieldset>
<legend>Please Enter your Contact Details</legend>
<ul>
<li><label for="contactName">Contact Name:</label><input type="text" id="contactName" name="contactName" placeholder="Your Full Name" required /></li>
<li><label for="company">Company:</label><input type="text" id="company" name="company" placeholder="Your Company" required /></li>
<li><label for="telephone">Telephone:</label><input type="tel" id="telephone" name="telephone" placeholder="Your Work Telephone" required /></li>
<li><label for="email">Email:</label><input type="email" id="email" name="email" placeholder="Your Work Email" required /></li>
<li><label for="message">Message:</label>
<textarea id="message" name="message" placeholder="Write your message here..." required></textarea></li>
</ul>
</fieldset>
<input type="submit" value="Send your message" />
</form>
The Form Processing Page (PHP)
$Contact_Name = $_POST['contactName'];
$Company = $_POST['company'];
$Telephone = $_POST['telephone'];
$Email = $_POST['email'];
$Message = $_POST['message'];
if (($Contact_Name != '') && ($Company != '') && ($Telephone != '') && ($Email != '') && ($Message != '')) {
[...SCRIPT HERE...]
session_start();
$_SESSION['contactName'] = $Contact_Name;
$_SESSION['company'] = $Company;
$_SESSION['telephone'] = $Telephone;
$_SESSION['email'] = $Email;
$_SESSION['message'] = $Message;
header('Location: http://'.$_SERVER['HTTP_HOST'].'/confirmation-page.php');
}
The Confirmation Page (PHP)
if ((isset($_SESSION['contactName'])) && (isset($_SESSION['company'])) && (isset($_SESSION['telephone'])) && (isset($_SESSION['email'])) && (isset($_SESSION['message']))) {
$Contact_Name = $_SESSION['contactName'];
$Company = $_SESSION['company'];
$Telephone = $_SESSION['telephone'];
$Email = $_SESSION['email'];
$Message = $_SESSION['message'];
echo '<p>Your message has been sent.</p>
<dl>
<dt>Contact Name:</dt>
<dd>'.$Contact_Name.'</dd>
<dt>Company:</dt>
<dd>'.$Company.'</dd>
<dt>Telephone:</dt>
<dd>'.$Telephone.'</dd>
<dt>Email:</dt>
<dd>'.$Email.'</dd>
</dl>
<p>Message:</p>
<pre>'.$Message.'</pre>
<p>Thank you for your message.</p>
<p>We will be in touch.</p>';
}
I would have expected ' to break the PHP script the form data is passed to... but it doesn't. Any idea why not? I thought that's how XSS attacks were supposed to work?
my comments in answer form:
20 years ago the & and " (rather than &amp; and &quot;) may have broken some browsers when rendering the html, but nowadays they're able to handle it OK (&amp; & &quot; are correct though).
PHP variables may contain any arbitrary string (binary data even).. there's no issue with a var containing ' or ".
When assigning values programmatically, they need escaped:
$myVar = 'sha\'zam!'; // ' needs escaped as the string is enclosed with '
$myVar = "dblquote -> \"!"; // " needs escaped as the string is enclosed with "
As you're not doing any database stuff, there's nothing to "break" on the server side, but since you're not sanitizing stuff.... enter some values like
</form> or
<script>alert('shazam!')</script>
This is how an attacker could end up getting session id (of victim) or other sensitive information.
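The output-encoding step this thread is missing, as an added example that is not part of the original posts: the confirmation page's values pass through `htmlspecialchars()` before being echoed, so the `</form>` and `<script>` inputs mentioned above are displayed as text instead of being parsed as markup. The helper names `e()` and `render_confirmation()` and the sample array are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the original thread). e() and render_confirmation()
// are hypothetical helper names.

/** Encode a value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Build the confirmation markup from the stored form values. */
function render_confirmation(array $session): string
{
    $labels = [
        'contactName' => 'Contact Name',
        'company'     => 'Company',
        'telephone'   => 'Telephone',
        'email'       => 'Email',
    ];

    $html = "<p>Your message has been sent.</p>\n<dl>\n";
    foreach ($labels as $key => $label) {
        // Missing keys become empty strings rather than PHP notices.
        $value = (string) ($session[$key] ?? '');
        $html .= '<dt>' . e($label) . ":</dt>\n<dd>" . e($value) . "</dd>\n";
    }
    $html .= "</dl>\n<p>Message:</p>\n";
    $html .= '<pre>' . e((string) ($session['message'] ?? '')) . "</pre>\n";

    return $html;
}

// Constructed sample input, reusing the values suggested in the answer above.
$session = [
    'contactName' => "O'Brien & Sons",
    'company'     => '</form>',
    'telephone'   => '"555-0100"',
    'email'       => 'user@example.com',
    'message'     => "<script>alert('shazam!')</script>\nsecond line",
];

echo render_confirmation($session);
```

Encoding happens at output time, so the session and any later storage keep the raw text and each output context (HTML here) applies its own encoding.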

Php Contact Form Inserting into Mysql

LAST EDIT: Everything works now; I will post the working code below. After clearing up like idealcastle said and fixing some syntax errors, everything works as it should together with the javascript validation. Thank you everyone.
HTML Code here :
<form name = "contact " id="contact_form" action="postcontact.php" method="post" onsubmit="return validateForm();">
<div id ="boxc">
<h3>Porosia juaj ?</h3>
<input name="orders" type="checkbox" value="veshje">Veshje
<input name="orders" type="checkbox" value="mbathje">Mbathje
<input name="orders" type="checkbox" value="stoli">Stoli
</div>
<div class="row">
<label class="required" for="name" >Emri:</label><br />
<input id="name" name="name" type="text" value="" size="30" placeholder = "Emri"/><br />
<span id="name_validation" class="error"></span>
</div>
<label class="required" >Country/State:</label><br />
<div class = "row"id="statecmb"><select name = "state">
<option value="chose" selected>[choose yours]</option>
<option value="albania">Albania</option>
<option value="kosovo">Kosovo</option>
<option value="germany">Germany</option>
<option value="bangladesh">Bangladesh</option>
</select>
<span id="state_validation" class="error"></span></div>
<div class="row">
<label class="required" for="email" >Email:</label><br />
<input id="email" name="email" type="text" value="" size="30"placeholder = "Email" /><br />
<span id="email_validation" class="error"></span>
</div>
<div class="row">
<label class="required" for="message" >Mesazhi:</label><br />
<textarea id="message" name="message" rows="7" cols="30" placeholder = "Mesazhi"></textarea><br />
<span id="message_validation" class="error"></span>
</div>
<input name="submit" id = "sub"type="submit" value="Submit" />
<div class="rating">
<h3>Vlerso Sherbimin :</h3>
<input type="radio" name="rate" value="1">1
<input type="radio" name="rate"value="2">2
<input type="radio" name="rate" value="3">3
<input type="radio"name="rate" value="4">4
<input type="radio" name="rate" value="5">5
</div>
</form>
Javascript file :
function validateForm() {
var valid = 1;
var email = document.getElementById('email');
var email_validation = document.getElementById("email_validation");
var name = document.getElementById('name');
var name_validation = document.getElementById("name_validation");
var message = document.getElementById('message');
var message_validation = document.getElementById("message_validation");
var filter = /^([a-zA-Z0-9_\.\-])+@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;
if (name.value === "") {
valid = 0;
name_validation.innerHTML = "Ju lutem shenoni emrin tuaj";
name_validation.style.display = "block";
name_validation.parentNode.style.backgroundColor = "#FFDFDF";
} else {
name_validation.style.display = "none";
name_validation.parentNode.style.backgroundColor = "transparent";
}
if (message.value === "") {
valid = 0;
message_validation.innerHTML = "Ju lutem plotesoni fushen e mesazhit";
message_validation.style.display = "block";
message_validation.parentNode.style.backgroundColor = "#FFDFDF";
} else {
message_validation.style.display = "none";
message_validation.parentNode.style.backgroundColor = "transparent";
}
if (email.value === "") {
valid = 0;
email_validation.innerHTML = "Ju lutem shenoni email tuaj";
email_validation.style.display = "block";
email_validation.parentNode.style.backgroundColor = "#FFDFDF";
} else {
email_validation.style.display = "none";
email_validation.parentNode.style.backgroundColor = "transparent";
}
if (!filter.test(email.value)) {
valid = 0;
email_validation.innerHTML = "Email juaj nuk eshte valid";
email_validation.style.display = "block";
email_validation.parentNode.style.backgroundColor = "#FFDFDF";
} else {
email_validation.style.display = "none";
email_validation.parentNode.style.backgroundColor = "transparent";
}
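if (!valid)
alert("KENI ERROR : Fushat duhen te plotesohen ");
// Returning false cancels the submit (the form uses onsubmit="return validateForm();")
return valid === 1;
}
PHP File :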
<?php
$host = 'localhost';
$user = 'root';
$pass = '';
$db = 'herdesigns';
$con = mysqli_connect($host, $user, $pass,$db) or die(mysqli_connect_error());
/* mysqli_select_db($con , $db); */
?>
<?php
if (isset($_POST['submit']))
{
$name = mysqli_real_escape_string($con, $_POST['name']);
$email = mysqli_real_escape_string($con, $_POST['email']);
$message = mysqli_real_escape_string($con, $_POST['message']);
$rate = mysqli_real_escape_string($con, $_POST['rate']);
$orders = mysqli_real_escape_string($con, $_POST['orders']);
$state = mysqli_real_escape_string($con, $_POST['state']);
/*$con = mysqli_connect($host, $user, $pass,$db) or die(mysqli_error());*/
/*mysqli_select_db($con , $db);*/
$sql = "INSERT INTO contacts (
orders,
name,
state,
email,
message,
rate
)
VALUES (
'$orders',
'$name',
'$state',
'$email',
'$message',
'$rate'
)";
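if (!mysqli_query($con,$sql)) {
die('Error: ' . mysqli_error($con));
}
mysqli_close($con);
// The query has already run once above; running it again would insert a duplicate row.
// Redirect before any output is sent, otherwise the Location header cannot be set.
header('Location:contact.php');
exit;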
}
?>
EDIT:
What field is NOW() going to?
I would remove that if there is no actual field to send that datetime. Or add a field for that. Try submitting Mysql without NOW(). It would look like
$sql = "INSERT INTO contacts (
name,
email,
message,
rate,
orders,
state
)
VALUES (
'$name',
'$email',
'$message',
'$rate',
'$orders',
'$state'
)";
First thing I notice is the PHP code is being shown in the browser. If you are being sent to file:// that is not good, you should be using
http://localhost/
(if you are testing locally) or of course using the server url if live.
found here
Browser is showing PHP code instead of processing it
Second,
you should sanitize your mysql data being entered. If any one of those values submits content with a single/double quote, mysql query will fail.
Since you are using an old mysql function, here is the escape function that should work
mysql_real_escape_string()
I would do this,
$sql = "INSERT INTO contacts (
name,
email,
message,
rate,
orders,
state
)
VALUES (
'".mysql_real_escape_string($name)."',
'".mysql_real_escape_string($email)."',
'".mysql_real_escape_string($message)."',
'".mysql_real_escape_string($rate)."',
'".mysql_real_escape_string($orders)."',
'".mysql_real_escape_string($state)."',
NOW()
)";
I am not sure if any one of these is the cause, but they are red flags from what you have posted. You should always sanitize (escape) any inputs from crashing mysql queries.
It could be an error code 500 on validform.php.
Please install Firebug on Firefox, it will save you lots of time. Type [F12], reload the page and the network tab will show you the code of the error.
also, you need to get this page by the web server: http://localhost/dir/file instead c://shittyos_amp/dir/thing.php
Plus, you should use the PDO API for the connection and every request to the DB, as pdo->prepare will secure the request easily for you.
Don't worry it's easy!
see PHP: Is mysql_real_escape_string sufficient for cleaning user input?
Don't say you don't need security: this input form could erase your database if a user types a SQL command in it!
Moreover, if the file is executed client-side, it will never protect anything, as JS can be disabled by the user.
note: I still consider myself a noob (it's my first answer here!), never forget that the web is moving every day, as is security. back-end and front-end are server-side, it's an application point of view: front end= friendly-interface(code) back end=api(hard/or low level code)
PS: flash is ugly and obsolete, Adobe product's aren't free as freedom and their cloud sucks^^ (troll off)
Is it yours? http://www.her-design.com/
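The `pdo->prepare` approach recommended in the last answer, as an added example that is not part of the original thread: the contact form's fields are validated server-side and inserted through bound parameters, which also stores a multi-line textarea value with quotes unchanged. It assumes an in-memory SQLite database in place of MySQL so it runs offline, treats every field as required, and uses a hypothetical function name `save_contact()`.

```php
<?php
declare(strict_types=1);

// Added example (not from the original thread). An in-memory SQLite database
// stands in for MySQL so the script runs offline; for MySQL only the DSN and
// credentials given to the PDO constructor change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (
    orders TEXT, name TEXT, state TEXT, email TEXT, message TEXT, rate INTEGER
)');

/** Validate the posted fields, then insert them with bound parameters. */
function save_contact(PDO $pdo, array $post): void
{
    // Allow-lists copied from the option values in the form above.
    $states = ['albania', 'kosovo', 'germany', 'bangladesh'];
    $orders = ['veshje', 'mbathje', 'stoli'];

    $name    = trim((string) ($post['name'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));
    $email   = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $rate    = filter_var($post['rate'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);

    if ($name === '' || $message === '' || $email === false || $rate === false
        || !in_array($post['state'] ?? '', $states, true)
        || !in_array($post['orders'] ?? '', $orders, true)) {
        throw new InvalidArgumentException('Invalid form data');
    }

    // The SQL text is fixed; values are bound separately, so quotes and
    // newlines from the textarea need no manual escaping.
    $stmt = $pdo->prepare(
        'INSERT INTO contacts (orders, name, state, email, message, rate)
         VALUES (:orders, :name, :state, :email, :message, :rate)'
    );
    $stmt->execute([
        'orders'  => $post['orders'],
        'name'    => $name,
        'state'   => $post['state'],
        'email'   => $email,
        'message' => $message,
        'rate'    => $rate,
    ]);
}

// Constructed sample submission: quotes plus a multi-line textarea value.
save_contact($pdo, [
    'orders'  => 'stoli',
    'name'    => "O'Neil",
    'state'   => 'kosovo',
    'email'   => 'user@example.com',
    'message' => "It's a \"quoted\" message;\nsecond line of the textarea",
    'rate'    => '4',
]);

// Read the row back to confirm it was stored unchanged.
$row = $pdo->query('SELECT name, message, rate FROM contacts')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```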

php - Editing Data 1 Record Displayed + echoing a variable in a textarea

I have created a form for editing data stored in a table.
Retrieving form data :
if (isset($_POST['submit']))
{
$id = $_SESSION['id'];
$subject = $_POST['subject'];
$comments = $_POST['comments'];
$rating = $_POST['starrating'];
if (empty($subject) || empty($comments) || empty($starrating))
{
$message = "Missing Data " ;
header("Location: edit.php?message=$message");
exit;
Query for updating data :
mysql_query("UPDATE comments SET subject='$subject', usercomments='$comments', starrating='$starrating' WHERE id='$id'")
or die(mysql_error());
}
Displaying the data :
$id=$_SESSION['id'];
$result = mysql_query("SELECT * FROM comments WHERE id='$id'")
or die(mysql_error());
$row = mysql_fetch_array($result);
if($row)
{
$subject = $row['subject'];
$comments = $row['comments'];
$starrating = $row['starrating'];
}
?>
I then display the field data inside a form :
<label="editlabel" for="subject">Subject</label>
<div><input type="text" id="subject" name="subject" value="<?php echo $subject; ?>"/></div>
<label="editlabel" for="subject">Subject</label>
<div><input type="text" id="comments" name="comments" value="<?php echo $comments; ?>"/></div>
<label="editlabel" for="starrating">Star Rating</label>
<div><input type="text" id="starrating" name="starrating" value="<?php echo $starrating; ?>"/></div>
All the data is displayed and changes are saved on submit but I only see one record, even if a user has several records. Also I want to populate a textarea with the comments but this doesn't work :
<div><textarea id="comments" name="comments" value="<?php echo $comments; ?>"/></textarea></div>
I could create an inset class and style it like a textarea but would prefer to use a textarea. I have tried using print instead of echo but I still don't get any data in the textarea.
$rating = $_POST['starrating'];
if (empty($subject) || empty($comments) || empty($starrating))
$rating and starrating is wrong
<textarea> does not have a value attribute. You place the value you want to be displayed in between the opening and closing tags (it also is not a self closing tag):
<textarea id="comments" name="comments"><?php echo $comments; ?></textarea>

PHP Form, when no text is entered

I'm creating a mobile landing page and I have also created a form that allows me to create more, by duplicating a folder that's host to a template file. The script then takes you to a page where you input the company details one by one and press submit. Then the page is created.
My problem is, when a field is left out (YouTube for instance), the button is created and is blank. I would like there to be a default text for when there is no text. I've tried a few things and have been struggling to make this work for DAYS!
<?php
$company = $_POST["company"];
$phone = $_POST["phone"];
$colour = $_POST["colour"];
$email = $_POST["email"];
$website = $_POST["website"];
$video = $_POST["video"];
?>
<div id="contact-area">
<form method="post" action="generate.php"><br>
<input type="text" name="company" placeholder="Company Name" /><br>
<input type="text" name="slogan" placeholder="Slogan" /><br>
<input class="color {required:false}" name="colour" placeholder="Company Colour"><br>
<input type="text" name="phone" placeholder="Phone Number" /><br>
<input type="text" name="email" placeholder="Email Address" /><br>
<input type="text" name="website" placeholder="Full Website - Include http://" /><br>
<input type="text" name="video" placeholder="Video URL" /><br>
<input type="submit" value="Generate QuickLinks" style="background:url(images/submit.png) repeat-x; color:#FFF"/>
</form>
That's the form. It takes the variables and posts them to the file below.
<?php
$File = "includes/details.php";
$Handle = fopen($File, 'w');
?>
<?php
$File = "includes/details.php";
$Handle = fopen($File, 'w');
$Data = "<div id='logo'>
<h1 style='color:#$_POST[colour]'>$_POST[company]</h1>
<h2>$_POST[slogan]</h2>
</div>
<ul data-role='listview' data-inset='true' data-theme='b'>
<li style='background-color:#$_POST[colour]'><a href='tel:$_POST[phone]'>Phone Us</a></li>
<li style='background-color:#$_POST[colour]'><a href='mailto:$_POST[email]'>Email Us</a></li>
<li style='background-color:#$_POST[colour]'><a href='$_POST[website]'>View Full Website</a></li>
<li style='background-color:#$_POST[colour]'><a href='$_POST[video]'>Watch Us</a></li>
</ul>
\n";
fwrite($Handle, $Data);
fclose($Handle);
?>
And there is what the form turns into. I need there to be a default link put in in case the field is left blank, which it is sometimes. Thanks in advance guys.
Just use something like this for every element:
$company = trim($_POST["company"]);
if (!isset($company) || empty($company)) {
$company = "Not filled in";
}
I added trim to make sure spaces are ignored
Use the following format for each variable:
$company = (isset($_POST["company"]) && !empty($_POST["company"]))? $_POST["company"]:"";
"" at the end of the can assign any default values.
It's usually easier to work with post variables if you wrap the access in a function:
function post($key, $default = '') {
if (!isset($_POST[$key])) return $default;
$value = trim($_POST[$key]);
if ($value == '')
return $default;
else
return $value;
}
You can now assign your variables like this:
$company = post('company');
$phone = post('phone', 'Not provided');
$colour = post('colour', 'blue');
... and so on...
Can you get away with simply wrapping your variable definitions in code like:
if (strlen($_POST["company"]) > 0) {
$company = $_POST["company"];
} else {
$company = "default company";
}
That will let you specify a default value that will be over-written by the user's data if there is any.
