Every time I submit the form it refreshes, but doesn’t send the mail. I think it cleans the input box before I get to make them into a variable, so then it goes to the validation IF and shows the "*Please don't leave blank parameters!" message.
Regarding the sending email code, it works, I tested it in another newly made file without a form, just by opening the file and sending the mail as it is opened.
This is always an actual webhost provider with real info/links.
While you are at it, if you would be so kind, please tell me if I’m following any “Bad Practices”. Thanks in advance!
Code:
(I use a real email address to test, as well as real webhost links at the form — changed for this.)
Your issue seems to be on Line 12
In your if statement instead of using the single =, which assigns a value, instead you should be using double == to check the value.
As far as Bad Practices, I will say that your sanitize function inside your if is weird, functions should generally be written outside of logic loops, at the main level, or in OOP it should be at the root of the object.
Here's one that might get you scratching your heads - it certainly has me!
I'm using a form to submit content to WordPress' 'update_post_meta' function.
The form itself is pretty simple, just a range of input and textarea fields. On submit the action directs to the same page where some PHP takes over to do validation on the $_POST info before submitting to WordPress. Now it all works perfectly, except one very strange bug:
Whenever you use the word 'casino' in any of the fields, instead of submitting the form, the page refreshes and throws up a 404 error, even though the address bar shows a perfectly valid URL! I don't believe it's my PHP code as I don't think we get that far in the process, so I'm thinking it's a server thing, but I can't imagine why. This happens on any form across the whole site and I've also got the same result on other sites hosted with the same hosting company (Namecheap, FYI).
So, the question is, can anyone suggest a reason why sending that word in particular to $_POST would break a form and cause that error?
PS. I'm currently solving this using a replace() javascript function so 'casino' never gets sent with the form, but if the 'casino' issue can be solved I would be very grateful. It would at least stop me puzzling over it.
This is because the probability of being recognized as spam is high.
Casinos should be used well because there are many websites that cannot be used by the word itself.
Using the language of other countries is one of the ways to promote it by openly saying "[우리카지노][1]" like me.
I hope you will answer your question.
I have a form on a webpage which emails the details using the PHP mail() function. The form is quite long, and I also am including HTML formatting for the email.
The email sends fine if I don't include all the form information, but when I try to include the whole form the email doesn't get sent. It seems to stop working when I'm including too much information. As soon as I take some of the information out it works again, and it doesn't matter which part of the information I remove.
I have tried the form on two different website hosts with the same problem. The content for the email is only about 300 lines long so I'm not sure if size is the issue.
Does anyone know what might be causing the problem?
Here is my code for your reference.
When I say "stop working" above, I mean simply that the mail() function returns false and does not send the email. The actual form works fine.
When you come to that amount of HTML within a PHP-script it is useful to catch it in a variable instead of putting every single line in a $body variable.
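```php
// Start capturing output instead of sending it to the browser.
ob_start();
?>
<html>
Your HTML.
</html>
<?php
// Everything printed since ob_start() is now in $body.
$body = ob_get_clean();
```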
This way you can more easily see if there is something wrong with your message ruining the mail-function.
Here is a description of the php mail function. This document along with this document, What is the PHP Mail Character Limit, specifies that each line of the body must be no longer than 70 characters.
This stackoverflow, What is the maximum length of a string in PHP, as well as other sources indicate that PHP does not have a specific limit other than total memory limits which your string appears to be well under.
Also there are several different places where there could be a failure and you do not specify the behavior you are seeing for a failure.
First of all, check the return value of mail() to determine if PHP was able to hand the message off to the mail agent, the MTA. Next make sure that you specify good to and return addresses so that if there is a problem in the mail agent, it will be able to send you some kind of a reply describing the problem.
An elaboration of the answer provided by Undrium above. Here are some links to additional materials based on his answer.
Here is the ob_get_clean() documentation.
Here is an example using ob_get_clean() with sending HTML Email.
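An added example, not code from any of the posts above, that combines the suggestions in these answers: capture the HTML with output buffering, keep the body lines short, and check what mail() returns. The base64 transfer encoding, the 68-character chunk size, the addresses and the sample form values are assumptions made for the illustration.

```php
<?php
// Added example; addresses and form values below are constructed placeholders.

/** Render the form values into an HTML body using output buffering. */
function render_body(array $fields): string
{
    ob_start();
    ?>
<html>
<body>
<table>
<?php foreach ($fields as $label => $value): ?>
  <tr>
    <td><?= htmlspecialchars((string) $label, ENT_QUOTES, 'UTF-8') ?></td>
    <td><?= htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') ?></td>
  </tr>
<?php endforeach; ?>
</table>
</body>
</html>
    <?php
    return (string) ob_get_clean();
}

/** Send $html as a base64-encoded text/html message; returns mail()'s result. */
function send_html_mail(string $to, string $from, string $subject, string $html): bool
{
    // Base64 text can be split anywhere, so every body line stays short:
    // 68 characters per line, under the 70-character figure cited above.
    $body = rtrim(chunk_split(base64_encode($html), 68, "\r\n"));
    $headers = [                       // array form needs PHP 7.2 or later
        'From'                      => $from,   // fixed address, not form input
        'MIME-Version'              => '1.0',
        'Content-Type'              => 'text/html; charset=UTF-8',
        'Content-Transfer-Encoding' => 'base64',
    ];
    return mail($to, $subject, $body, $headers);
}

$html = render_body([
    'Name'    => 'Test User <test>',
    'Comment' => str_repeat('A long answer from the form. ', 100),
]);
if (!send_html_mail('you@example.com', 'form@example.com', 'Form submission', $html)) {
    // false means PHP could not hand the message to the MTA.
    $last = error_get_last();
    error_log('mail() failed: ' . ($last['message'] ?? 'no PHP error recorded'));
}
```

Escaping each form value with htmlspecialchars() keeps submitted markup from being rendered in the recipient's mail client.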
```html
<form action="/path/hello.php" name="myForm" method="post">
  <!-- onChange="ajaxFunction();" -->
  <input type="text" name="user" id="txtname" /><br />
  <!-- <input type="text" name="user2" id="txtname2" /> -->
  <input type="submit" name="click" />
</form>
```
Now everyone who looks at my HTML source code will know where this PHP file is located and will know how to call it. How can I stop this?
If you handle the POST request to /path/hello.php properly, it shouldn't matter whether someone accesses it manually. Just make sure you are checking for things like the existence of $_POST['click'] and any other POST data you expect to exist, clean it, and proceed as normal.
If someone were to call /path/hello.php with spoofed POST data, then how would that be any different than them submitting your own form? There's no need to modify the script's visibility.
Furthermore, if your fear is that someone would be able to view the source of your PHP scripts--don't. The only thing a user would be able to see if they made an HTTP request to your PHP script would be the rendered HTML.
However, even if they could--why wouldn't you want someone to see your source (of course, barring situations where you might have sensitive configuration data within a PHP file)?
You can't stop it. If you're going to tell the browser where the form is, you have to put the address in the HTML somewhere and once you do that anyone can see it.
It really shouldn't make any difference though, as your script should be able to cope with whatever values are sent to it. You can't blindly trust the data from the client in any case, so you need to verify the data sent is what you're expecting - no matter whether that's data sent by filling in your form as normal or someone calling it directly.
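What the two answers above describe, sketched as a handler for the form in the question. This is an added example, not the asker's hello.php: the field names "user" and "click" come from the form, while the 1 to 32 character allow-list rule and the status codes are assumptions.

```php
<?php
// Added example; the validation rule for "user" is an assumed policy.

/** Validate one request. Returns [httpStatus, cleanUserOrNull, errorOrNull]. */
function validate_hello_request(string $method, array $post): array
{
    if ($method !== 'POST') {
        return [405, null, 'POST required'];
    }
    // The submit button and the text field must both be present.
    if (!isset($post['click'], $post['user'])) {
        return [400, null, 'missing field'];
    }
    // A request sent as user[]=x arrives as an array; accept a string only.
    if (!is_string($post['user'])) {
        return [400, null, 'unexpected type'];
    }
    $user = trim($post['user']);
    // Allow-list: letters, digits, space, dot, dash, underscore.
    if (!preg_match('/\A[A-Za-z0-9 ._-]{1,32}\z/', $user)) {
        return [422, null, 'invalid user'];
    }
    return [200, $user, null];
}

[$status, $user, $error] = validate_hello_request(
    $_SERVER['REQUEST_METHOD'] ?? 'GET',
    $_POST
);
http_response_code($status);
header('Content-Type: text/html; charset=UTF-8');
if ($error !== null) {
    echo 'Rejected: ', htmlspecialchars($error, ENT_QUOTES, 'UTF-8');
    exit;
}
// Escape on output even though the value already passed validation.
echo 'Hello, ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
```

The handler behaves the same whether the request comes from the form or is sent directly, which is why the visible action URL does not matter.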
I can give a good example for why you would want to do this. You may have a service and offer it to a 3rd party, however in order to make this work there is some important configurable data that may come exposed. Here is an example
You own a website and let's say you want to create some type of advertising campaign on your website but your "client" wants to advertise the same thing on their website but the data needs to go into your email database.
you may not want them to know who you use
those services may require you to add account number or some type of identifying parameter towards your account.
May not be a big deal but still could be a security risk. So if you divert or mask it can prevent some of it.
There is no way to avoid this other than to leave off action altogether. The form will then submit to the current URL.
In any case, why are you worried about someone accessing the script? If you've written it correctly, no information should be exposed, and, no, they will not know how to "call" it - unless by calling it you mean simply accessing it in the browser. If by simply accessing it in the browser, sensitive information is displayed, you've got some serious problems on your hands.
I think your question is that by showing these paths that people will be able to actually view the source of the php file. That is not possible because it is being rendered by the php engine you are using. You have nothing to fear here.
Sorry, this isn't an answer, but a general observation on this same subject...
I have also experienced this and, seem to know where the OP is coming from...
I have seen a number of large CMS where form "actions" don't show the script... almost as if it points to a "friendly" URL...
Such as <form name="contactform" method="post" action="http://example.com/contact/send-contact">
As can be seen the extension is missing but the form is processed correctly...
I guess the htaccess could hide the extensions but some have a mix of visible URLs for standard pages and some "friendly" URLs for other content (including forms).
I'm not sure how these work...
It is sometimes considered best practice to keep .php files above the root directory to protect against the rare occurrence of php being configured incorrectly on the server and displaying php code to the client.
All you have to do is create a proxy script and post to that. I store the action in a hidden field so that I don't need multiple proxy scripts. I can't post the source code because I would be duplicating my answer on another post. You can find it here: https://stackoverflow.com/a/36941336/2452680
You can first give an action to page1, and in page1 you can get the data and redirect and post the data to page2.
If you are using PHP in page1 you can use curl and options to put data and execute it.
I have created a small script that sends a multipart email via the PHP mail() function (that has been a challenge in itself!).
When I test the script and send an email it all works fine, but when I try another address (one which has the same domain as the server) the email appears blank. All the content is there when you look at the raw code, but nothing displays.
I solved the problem by removing the doctype tag from the code and left everything bare coded.
I also noticed the php variable
$body=' (html code here) '
The whitespace after ' was causing the email to show up empty sometimes... I'm not exactly sure why!
I have encountered a similar issue and it was because I had a website www.example.com sending an email to me#example.com but the web server and email servers were on different machines. I had to ask the host to sort it so that the website wouldn't try to route emails within the server itself.
I managed to sort this by changing my own code to instead use something a little more supported - phpMailer.
I found this very easy to use and install into my own code. Also giving me as much flexibility as I had with my original code.
I guess though this isn't sorting the original problem, but it did seem to sort on my code.
Hi I have a web form that sends a string to one php file which redirects them to a corresponding URL. I've searched about web form hacking and I've only received information about PHP and SQL... my site only uses a single PHP file, very basic etc. Would it be open to any exploits? I'm obviously not going to post the URL, but here is some code I was working on for the php file:
Newbie PHP coding problem: header function (maybe, I need someone to check my code)
Thanks
From that little snippet, I don't see anything dangerous. "Hackers" can enter pretty much anything they want into $_REQUEST['sport'] and thereby $searchsport, but the only place you use it is to access your array. If it's not found in your array.... nothing much will happen. I think you're safe in this limited scenario ;) Just be careful not to use $searchsport for...... just about anything else. Echoing it, or inserting it into a DB is dangerous.
Uh, it really depends. If you are inserting data into a MySQL DB without sanitizing, the answer is a huge yes. This is something you need to decide for yourself if you aren't going to show code.
The solution you've got in the linked question is pretty safe.
Every possible action is hardcoded in your script.
Nothing to worry about.
Though when asking about a "web form like this" you'd better provide a web form, not the link to the question that contains code that can be presumed to be this form's handler.
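The pattern these answers call safe, as an added example that is not the asker's code (which is not shown on this page): the request value is used only as a key into a hardcoded map, so it never reaches the Location header, and it is escaped before being echoed. The map entries, the URLs and the name resolve_sport are constructed for the illustration.

```php
<?php
// Added example; the map entries and URLs are constructed.
const SPORT_URLS = [
    'football' => '/sports/football.php',
    'tennis'   => '/sports/tennis.php',
];

/** Return the hardcoded URL for a requested sport, or null if unknown. */
function resolve_sport($input): ?string
{
    if (!is_string($input)) {          // sport[]=x arrives as an array
        return null;
    }
    return SPORT_URLS[strtolower(trim($input))] ?? null;
}

$raw    = $_REQUEST['sport'] ?? null;
$target = resolve_sport($raw);
if ($target !== null) {
    // Only a value from SPORT_URLS reaches the header, never the raw input.
    header('Location: ' . $target, true, 303);
    exit;
}
http_response_code(404);
header('Content-Type: text/html; charset=UTF-8');
// Echoing the raw value is the dangerous case: escape it first.
$shown = is_string($raw) ? $raw : '';
echo 'No page for: ', htmlspecialchars($shown, ENT_QUOTES, 'UTF-8');
```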