I have been trying to read up a lot about trying to get a safe html form to email me something. I have created a form but I'm curious about it's safety. I haven't added the e-mail controls yet.
Since it will be up on a website I'm terrified of any injections. What I have done so far is use the htmlentities() to protect the action, used the test_input function from w3 schools and used the require function but I know that can be easily taken out.
Thanks in advance!
<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;}
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$name = test_input($_POST["name"]);
$email = test_input($_POST["email"]);
$website = test_input($_POST["telnr"]);
$comment = test_input($_POST["message"]);
echo"Bedankt voor het invullen, we nemen zo snel mogelijk contact met u op.";
}
else{
?>
<form action="<?php echo htmlentities($_SERVER["PHP_SELF"]);?>" method="post">
<div class="form-group row">
<label for="inputEmail3" class="col-sm-2 col-form-label">naam</label>
<div class="col-sm-10">
<input type="text" class="form-control" name="name" placeholder="naam" required>
</div>
</div>
<div class="form-group row">
<label for="inputPassword3" class="col-sm-2 col-form-label">e-mail</label>
<div class="col-sm-10">
<input type="email" class="form-control" name="email" placeholder="e-mail" required>
</div>
</div>
<div class="form-group row">
<label for="inputPassword3" class="col-sm-2 col-form-label">tel.nr</label>
<div class="col-sm-10">
<input type="tel" class="form-control" name="telnr" placeholder="telefoonnummer" required>
</div>
</div>
<div class="form-group row">
<label for="inputPassword3" class="col-sm-2 col-form-label">bericht</label>
<div class="col-sm-10">
<input type="text" class="form-control" name="message" placeholder="bericht" required>
</div>
</div>
<div class="form-group row text-center">
<div class="offset-sm-2 col-sm-10">
<button type="submit" class="btn btn-primary">Verstuur bericht!</button>
</div>
</div>
</form>
<?php } ?>
Definitely good to escape the PHP_SELF value although, unless you need the portability it provides, you can always simplify things a bit and hardcode the form target.
Related
I know that i messed up the code and getting undefined index errors and can't connect to database error also thanks in advance
<?php include("header.php");
?>
<?php
$target_dir = "admin/";
$file = $_FILES['image']['name'];
$path = pathinfo($file);
$filename = $path['filename'];
$temp_name = $_FILES['image']['tmp_name'];
$rand = rand(0000,9999);
$path_filename_ext = $target_dir.$filename.$rand;
if(! get_magic_quotes_gpc() ) {
$name = addslashes ($_POST['name']);
$phone = addslashes ($_POST['phone']);
$password = addslashes ($_POST['password']);
$email = addslashes ($_POST['email']);
$role = addslashes ($_POST['role']);
$image = addslashes (move_uploaded_file($temp_name,$path_filename_ext));
}else {
$name = $_POST['name'];
$phone = $_POST['phone'];
$password = $_POST['password'];
$email = $_POST['email'];
$role = $_POST['role'];
$image = move_uploaded_file($temp_name,$path_filename_ext);
}
$sql = "INSERT INTO admin ". "(a_name, a_phone, a_password, a_email, a_role, a_image) ". "VALUES('$name','$phone','$password','$email','$role','$image' NOW())";
// make project the current db
$db_selected = mysql_select_db('project', $conn);
if (!$db_selected) {
die ('Can\'t use project : ' . mysql_error());
}
$retval = mysql_query( $sql, $conn );
if(! $retval ) {
die('Could not enter data: ' . mysql_error());
}
echo "Entered data successfully\n";
mysql_close($conn);
?>
<section>
<div class="container-fluid">
<div class="row">
<form name="myForm" action="<?php $_PHP_SELF ?>" method="post" enctype="multipart/form-data">
<div class="col-xs-6 col-sm-6">
<div class="form-horizontal">
<div class="form-group">
<label for="inputEmail3" class="col-sm-2 control-label">Name</label>
<div class="col-sm-10">
<input type="text" class="form-control" id="inputTextBox" placeholder="Name" name="name" required/>
</div>
</div>
<div class="form-group">
<label for="inputPassword3" class="col-sm-2 control-label">Password</label>
<div class="col-sm-10">
<input type="password" class="form-control" id="password" placeholder="Password" name="password" required/>
</div>
</div>
<div class="form-group">
<label for="inputPassword3" class="col-sm-2 control-label">Strength</label>
<label class="col-sm-6 control-label" id="result" style="padding-top:1%;">
</label>
</div>
<div class="form-group">
<label for="inputEmail3" class="col-sm-2 control-label">Email</label>
<div class="col-sm-10">
<input type="email" class="form-control" id="txtEmail" placeholder="Email" pattern="[a-z0-9._%+-]+#[a-z0-9.-]+\.[a-z]{2,3}$" name="email" required/>
</div>
</div>
</div>
</div>
<div class="col-xs-6 col-sm-6">
<div class="form-horizontal">
<div class="form-group">
<label for="inputPassword3" class="col-sm-2 control-label">Role</label>
<div class="col-sm-10">
<select class="form-control" name="role">
<option value=""></option>
<option value="Admin">Admin</option>
<option value="Vendor">Vendor</option>
<option value="Subscriber">Subscriber</option>
</select> </div>
</div>
<div class="form-group">
<label for="exampleInputFile" class="col-sm-2 control-label">Image</label>
<div class="col-sm-10"> <input type="file" id="exampleInputFile" name="image">
<p class="help-block">Max Size 1 MB .</p>
</div>
</div>
</div>
<div class="form-group">
<div class="col-sm-offset-2 col-sm-10">
<input type="submit" name="Sign in" value="Sign in" class="btn btn-default">
</div>
</div>
</form>
</div>
</div>
</div>
</section>
<?php include("footer.php");
?>
I know that i messed up the code and getting undefined index errors and can't connect to database error also thanks in advance
Put a comma between '$image' NOW() to look like: '$image', NOW()
Also, your query needs to declare which column to put the NOW() value in.
Replace mysql_ functions with a modern equivalent.
Your query is not secure.
Start reading on how to use php with mysql, because you have much to improve.
Lots of similar questions have been asked, but couldn't find an answer to the exact problem I have. I have a form that works completely fine, but I asked someone to design it nicer (which he did) and now it just doesn't work anymore. I don't know what's causing it.
I'm assuming there is something wrong in my HTML code for the form, since the .php page works perfectly fine (I copy/pasted it entirely) on my previous page.
Any idea?
<form name="htmlform" method="post" action="html_form_send.php">
<div class="row has-form">
<div class="col-xs-12 col-sm-8 col-sm-offset-2">
<div class="form-group">
<label for="first_name" class="col-sm-3 control-label">Prénom *</label>
<div class="col-sm-9">
<input type="text" class="form-control" id="first_name">
</div>
</div>
<div class="form-group">
<label for="last_name" class="col-sm-3 control-label">Nom *</label>
<div class="col-sm-9">
<input type="text" class="form-control" id="last_name">
</div>
</div>
<div class="form-group">
<label for="email" class="col-sm-3 control-label">Email *</label>
<div class="col-sm-9">
<input type="email" class="form-control" id="email">
</div>
</div>
<div class="form-group">
<label for="telephone" class="col-sm-3 control-label">Téléphone</label>
<div class="col-sm-9">
<input type="text" class="form-control" id="telephone">
</div>
</div>
<div class="form-group">
<label for="comments" class="col-sm-3 control-label">Votre critique *</label>
<div class="col-sm-9">
<textarea class="form-control" rows="6" id="comments"></textarea>
</div>
</div>
<div class="col-xs-12 col-sm-9 col-sm-offset-3 text-center">
<button type="submit" class="btn btn-primary btn-lg btn-block">Envoyer</button>
</div>
</div>
</div>
</form>
your inputs have no "name" attribute add a "name" attribute with the same value as the "id" attribute to each input tag as
Php uses NAME as the identifier when posted.
To Clearify:
if you try and get an input value from the POST in PHP you have to use the following code:
$var = $_POST['IDENTIFIER'];
Where IDENTIFIER is the value of the "name" attribute of the INPUT or TEXTAREA or any other HTML FORM element you're trying to retrieve.
all your inputs need attribute name="first_name" and etc:
<input type="text" class="form-control" id="first_name" name="first_name">
html_form_send.php must looks like:
<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
$first_name = $_POST['first_name'];
$last_name = $_POST['last_name'];
$email = $_POST['email'];
$telephone = $_POST['telephone'];
$comments = $_POST['comments'];
//preparing mail data
$from = $email;
$to = "yourmail#exemple.com";
$subject = "Sending Form From site";
$message = "First name: $first_name \r\nLast name:$last_name \r\nTelephone: $telephone \r\nComments: $comments";
$headers = 'From: Birthday Reminder <birthday#example.com>' . "\r\n";
//sending
mail($to, $subject, $message, $headers);
}
?>
I have been trying to create a simple web form that will be used to submit data to a Google App Engine database that uses MySQL. The database is connecting fine and the try catch statement seems to be working properly. The problem is that when i click the submit button, the data is not being committed into the database. Any help would be much appreciated, I'm sure there is just some small error that i am overlooking.
HTML form
<form class="form-horizontal" role="form" action="connection.php" method="post">
<div class="form-group">
<label for="patientName" class="col-sm-2 control-label">Patient Name</label>
<div class="col-sm-10">
<input type="Name" class="form-control" id="patientName" name="patientName">
</div>
</div>
<div class="form-group">
<label for="Address1" class="col-sm-2 control-label">Address 1</label>
<div class="col-sm-10">
<input type="text" class="form-control" rows='3' id="Address1" name="Address1"></input>
</div>
</div>
<div class="form-group">
<label for="Address2" class="col-sm-2 control-label">Address 2</label>
<div class="col-sm-10">
<input type="text" class="form-control" rows='3' id="Address2" name="Address2"></input>
</div>
</div>
<div class="form-group">
<label for="Address3" class="col-sm-2 control-label">Address 3</label>
<div class="col-sm-10">
<input type="text" class="form-control" rows='3' id="Address3" name="Address3"></input>
</div>
</div>
<div class="form-group">
<label for="postCode" class="col-sm-2 control-label">PostCode</label>
<div class="col-sm-10">
<input type="text" class="form-control" id="postCode" name="postCode">
</div>
</div>
<div class="form-group">
<label for="symptoms" class="col-sm-2 control-label">Symptoms</label>
<div class="col-sm-10">
<textarea type="text" class="form-control" rows='5' id="symptoms" name="symptoms"></textarea>
</div>
</div>
<div class="form-group">
<label for="contactNumber" class="col-sm-2 control-label">Contact Number</label>
<div class="col-sm-10">
<input type="Tel" class="form-control" id="contactNumber" name="contactNumber">
</div>
</div>
<div class="form-group">
<div class="col-sm-offset-2 col-sm-10">
<button type="submit" class="btn btn-default">Log Call Details</button>
</div>
</div>
</form>
PHP connection file
<?php
use google\appengine\api\users\User;
use google\appengine\api\users\UserService;
try {
$db = new pdo('mysql:host=111.111.111.11:3306;dbname=MyDB',
'root',
'password'
);
$patientName = $_POST["patientName"];
$address1 = $_POST["Address1"];
$address2 = $_POST["Address2"];
$address3 = $_POST["Address3"];
$postCode = $_POST["postCode"];
$symptoms = $_POST["symptoms"];
$contactNumber = $_POST["contactNumber"];
$sql = "INSERT INTO patient (patientName, patientAddress1, patientAddress2, patientAddress3, patientPostcode, PatientSymptoms, patientPhoneNumber)
VALUES ($patientName, $address1, $address2, $address3, $postCode, $symptoms, $contactNumber)";
$db->execute($sql);
} catch (PDOException $ex) {
echo "Could not connect to the database.";
exit;
}
$db = null;
echo "Woo-hoo!";
?>
I should probably also mention that the HTML page is using bootstrap.
You can try this code snippet below, It works, I did not used $_POST data but hard-coded values, Hope it helps !
more infos:
http://php.net/manual/en/pdo.prepare.php
$username="test12";
$role="test1";
$sql = "INSERT INTO test (username, role) VALUES (:username, :role)";
$conn = new pdo('mysql:host=127.0.0.1:3306;dbname=home',
'root',
'password'
);
$q = $conn->prepare($sql);
$q->execute(array(':username'=>$username, ':role'=>$role));
I Have two forms on my site. One works fine and the other sends email with email_from: etc but doesn't capture any of the form data.
Wondering what it may be. I can post the form that is working along with it's html too if that would help debug. Very much a novice and built form using stack overflow/other sites.
Coffee
<div class="form-group">
<label class="col-sm-3 control-label">Quantity</label>
<div class="col-sm-4">
<input type="text" name="quantity" class="form-control" placeholder="Quantity : " required>
</div>
</div>
<div class="form-group">
<label class="col-sm-3 control-label">Name</label>
<div class="col-sm-6">
<input type="text" name="name" class="form-control" placeholder="Name : " required>
</div>
</div>
<div class="form-group">
<label class="col-sm-3 control-label">Email address</label>
<div class="col-sm-6">
<input type="email" name="email" class="form-control" placeholder="Email address : " required>
</div>
</div>
<div class="form-group">
<label class="col-sm-3 control-label">Shipping Address</label>
<div class="col-sm-6">
<textarea class="form-control" name="shipping_address" rows="8" placeholder="Shipping Address : " required></textarea>
</div>
</div>
<div class="form-group">
<label class="col-sm-3 control-label">Payment Method</label>
<div class="col-sm-6">
<select class="form-control" required>
<option value="Paypal">Paypal</option>
</select>
</div>
</div>
<div class="form-group">
<label class="col-sm-3 control-label">Notes</label>
<div class="col-sm-6">
<textarea class="form-control" name="notes" rows="8" placeholder="Notes : "></textarea>
</div>
</div>
<div class="form-group">
<div class="col-sm-offset-3 col-sm-10">
<button type="submit" class="btn btn-black">Order Now</button></a>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
And here is the php
<?php
if(isset($_POST ['submit']))
{
$coffee = ($_POST['coffee']));
$quantity = ($_POST['quantity']));
$name = ($_POST['name']));
$email = ($_POST['email']));
$shipping_address = ($_POST['shipping_address']));
$notes = ($_POST['notes']));
}
$email_from ='paradigmcoffee#gmail.com';
$email_subject="New Order Submission";
$email_body ="You have received a new message from user $name.\n".
"Email_address:$email\n".
"Coffee: $coffee\n".
"Quantity: $quantity\n".
"Shipping_Address: $shipping_address\n".
"Notes: $notes\n".
$to ="paradigmcoffee#gmail.com";
$headers = "From: $email \r\n";
mail($to,$email_from,$email_subject,$email_body,$headers);
header("Location: http://www.paradigmcoffee.co/order_thanks.html");
?>
From what you have supplied, likely the reason you can not get data is because you are not sending anything called submit. Try naming your button:
<!-- name="submit" added -->
<button name="submit" type="submit" class="btn btn-black">Order Now</button>
You can do this or make a hidden field:
<input type="hidden" name="submit" value="1" />
I get problem in inserting data to database table. I have checked everything from table fields to the form fields. Everything is ok and even print_r prints the result but data is not inserted to database. it returns empty result set.
my form code
<?php include('header.php'); ?>
<div class="page container">
<div class="row col-12 register-page">
<form class="form-horizontal" role="form" action="register-process.php" method="post">
<div class="form-group">
<label for="firstname" class="col-sm-2 control-label">First Name</label>
<div class="col-sm-10">
<input type="text" class="form-control" id="firstname" name="firstname"
placeholder="Enter First Name">
</div>
</div>
<div class="form-group">
<label for="lastname" class="col-sm-2 control-label">Last Name</label>
<div class="col-sm-10">
<input type="text" class="form-control" id="lastname" name="lastname"
placeholder="Enter Last Name">
</div>
</div>
<div class="form-group">
<label for="email" class="col-sm-2 control-label">Email</label>
<div class="col-sm-10">
<input type="text" class="form-control" id="email" name="email"
placeholder="Enter Your Email">
</div>
</div>
<div class="form-group">
<label for="password" class="col-sm-2 control-label">Password</label>
<div class="col-sm-10">
<input type="password" class="form-control" id="password" name="password"
placeholder="Enter your password">
</div>
</div>
<div class="form-group">
<label for="confirm-password" class="col-sm-2 control-label">Confirm Password</label>
<div class="col-sm-10">
<input type="password" class="form-control" id="cpassword" name="cpassword"
placeholder="Confirm password">
</div>
</div>
<div class="form-group">
<label for="birth-year" class="col-sm-2 control-label">Birth Year</label>
<div class="col-sm-10">
<select id="year" class="birth-year" name="birth-year">
<?php
for($i = 1970; $i < date("Y")+1; $i++){
echo '<option value="'.$i.'">'.$i.'</option>';
}
?>
</select>
</div>
</div>
<div class="form-group">
<label for="gender" class="col-sm-2 control-label register-gender">Gender</label>
<div class="col-sm-10">
<select id="registration_gender" class="select-register " required="required" name="gender">
<option selected="selected" value="">Gender</option>
<option value="_UE_M">Male</option>
<option value="_UE_MRS">Female</option>
</select>
</div>
</div>
<div class="form-group form-action">
<div class="form-action">
<input type="submit" name="submit" class="btn btn-large btn-primary" value="Lets Get Started" >
</div>
</div>
</form>
</div>
</div>
and my register-process code
<div class="page container">
<div class="row col-12 register-page">
<?php
$fname = $_POST['firstname'];
$lname = $_POST['lastname'];
$email = $_POST['email'];
$password = md5($_POST['password']);
$cpassword = md5($_POST['cpassword']);
$birthyear = $_POST['birth-year'];
$gender = $_POST['gender'];
if($fname && $lname && $email && $password && $cpassword){
if($password == $cpassword){
include("config.php");
$insert = 'INSERT INTO users(firstname,lastname,email,password,birth-year,gender)
VALUES("'.$fname.'","'.$lname.'","'.$email.'","'.$password.'","'.$birthyear.'","'.$gender.'")';
mysql_query($insert);
echo "registered successfully";
}
else{
header("Location: register.php");
echo "your password do not match.";
}
}
else{
echo "complete the form please.";
header("Location: register.php");
}
?>
</div>
</div>
The line
if($fname && $lname && $email && $password && $cpassword){
is checking if these values are true, which they aren't. The PHP code around this will result in SQL injections as you're not validating the values entered in your form. Look at escaping SQL and also removing HTML entities.
Use the function isset() on your $_POST variables, this way you can validate the form was filled in correctly. Once you're happy the form is filled in correctly, SQL escape and removal of html entities into your local variables and then use these to insert into SQL.