I'm creating an e-mail system, so I made this little test tidbit and it works.....a bit?
<html>
<head><title>EMail Test</title></head>
<body>
<input type="text" name="email">
EMail (required)
<br><br>
<textarea name="comment" rows="5" cols="40"></textarea> what's your problem?
<br><br>
<form method="POST" action=''>
<input type="submit" name="button1" value="Submit">
</form>
<?php
if (isset($_POST['button1'])) {
$msg=$_POST['email']." asks: ".$_POST['comment'];
echo $msg;
$email=$_POST['email'];
$SupportNinga="Typhoone01#gmail.com";
$mail=mail($SupportNinga,"Question from ".$email,$msg);
echo "Emailing...";
if($mail) {
echo"E-mail sent sucessfully";
}
}
?>
</body>
</html>
This was put into an online host and didn't seem to work.
It sent the e-mail, but it simply said "Question from-asks:". I can tell it's not properly reading the $_POST.
Help is appriciated. :P
Firstly, this part of your code is outside your form.
<textarea name="comment" rows="5" cols="40"></textarea> what's your problem?
As is <input type="text" name="email">
Place all form elements inside <form></form> tags.
Reference: http://php.net/manual/en/tutorial.forms.php
Your mail() parameters are also off.
Read the manual http://php.net/manual/en/function.mail.php
Use error reporting.
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Displaying errors should only be done in staging, and never production.
You should also check for empty()'ness on your email input.
http://php.net/manual/en/function.empty.php
Also using FILTER_VALIDATE_EMAIL against it:
http://php.net/manual/en/filter.examples.validation.php
HTML sticklers:
In regards to using <html> it's best to declare a doctype, such as <!DOCTYPE html>.
Firefox for one, will throw a (red) warning in HTML source, upon placing your mouse over <html>.
Such as:
Start tag seen without seeing a doctype first. Expected "<!DOCTYPE html>".
<form method="POST" action=''> be consistent and use all double quotes.
Seperate your PHP from HTML. Place your PHP above your HTML if you're not going to be echoing anything special besides your "success on mail" message.
Prevent data resubmissions:
You should be redirecting to a new page using a header, and using sessions/tokens to prevent people from resubmitting the same data if the user refreshes that page.
References:
http://php.net/manual/en/function.header.php
How to make a redirect in PHP?
How to prevent form resubmission when page is refreshed via PHP
http://www.phpro.org/tutorials/Preventing-Multiple-Submits.html
XSS injection:
$msg=$_POST['email']." asks: ".$_POST['comment'];
You should first declare your variables assigned from your POST arrays, then concatenate those variables. You stand at getting an XSS injection here.
References:
XSS (Cross Site Scripting) Prevention Cheat Sheet
How to prevent cross site scripting
How to sanitze user input in PHP before mailing?
User sign-up via email footnote:
"I'm creating an e-mail system".
It seems you're new to working with emailing, and here are a few pointers for you.
You need to make sure that you include an unsubscribe method in each mailing.
There are laws about this, and is beyond the scope of this question.
Canada for one and being my country, has strict anti-spam laws, as do other countries.
http://fightspam.gc.ca/
So, make sure that the people who sign up, know what they're getting themselves into and have an double opt-in method for verification.
Otherwise, you will get blacklisted.
Related
I have a form.
<form name="form1" method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
<p><label>User Name : </label>
<input id="username" type="text" name="username" /></p>
<p><label>Password : </label>
<input id="password" type="password" name="password"/></p>
<a class="btn" href="register.php">Signup</a>
<input class="btn register" type="submit" name="submit" value="Login" />
</form>
which use $_SERVER["PHP_SELF"].
On submitting (POST) the data, the users credentials are sent in plain text (shown below)
Where as if I replace the $_SERVER['PHP_SELF'] with say a "check_login.php" there isn't a problem.
I used the acunetix scanner too which also says "User credentials are sent in clear text".
I need to use the $_SERVER['PHP_SELF'] but without the credential being shown.
The vulnerability alert you are receiving is being displayed because the web server is making use of HTTP rather than HTTPS when the client is sending the user credentials.
This would not have anything to do with your PHP form—regardless of how you implement it, the information is still being sent in clear text. Example:
POST /userinfo.php HTTP/1.1
Host: testphp.vulnweb.com
uname=test&pass=test
You can see the uname and pass parameters being sent in plain text and can be intercepted and read by anyone.
For more information, I would encourage you to read the answer of the following question.
Whilst we're at it, you might also want to check out Let's Encrypt and Acunetix should you want to keep yourself extra secure ;-)
You are misunderstanding the problem, and misunderstanding $_SERVER['PHP_SELF'].
Firstly, your actual problem has nothing to do with $_SERVER['PHP_SELF'], nor with your form nor PHP. The problem is because your site is not secured with HTTPS. If you're using HTTP, then everything the browser sends or receives is sent in plain text and can potentially be intercepted. If you want your traffic to be secure then you need to use HTTPS instead. This is something you configure in your server, and is entirely separate from anything in your PHP code.
Secondly, you state "I need to use the $_SERVER['PHP_SELF']...". This is not actually true: you don't need to use $_SERVER['PHP_SELF'] in this context. $_SERVER['PHP_SELF'] is a global variable in your PHP program that contains address of the current page. So if you visit userinfo.php within your site, then the $_SERVER['PHP_SELF'] will contain /userinfo.php. This is the value that you're putting into the form's action attribute. That's fine, but understand that you don't actually need it in this context, because the default value of action is to submit the form back to the current page. In other words, your form will work exactly the same if you omit $_SERVER['PHP_SELF'] entirely. This isn't in any way related to your security warning, but I felt it was important to clarify what's going on here, to help you understand that $_SERVER['PHP_SELF'] isn't some magical thing that makes the form work; it's just a string variable with a pagename in it.
i send an HTML email with a form and a button like this:
<form action="http://myurl/index.php" method="post">
<input type="hidden" name="testing" value="123456">
<button class="btn" type="submit">SEND</button>
</form>
then in my index.php page i read the testing variable, in this way:
echo $_POST['testing'];
but i can't read the variable and give me this:
Notice: Undefined index: testing
there is a way to send a variabile from an html mail to a php page?
Oh. Got that Email Part now.
Most Mail-Programs won't do POST requests, for security/privacy reasons. Use GET here:
in HTML:
SEND
and in PHP:
echo $_GET['testing']
Of course the data is visible in that case - but that's the entire point.
Emails don't play well with a lot of fairly standard html. In this case, I'd use something like this:
Submit
And then style your anchor to look like a button. Then on your php side, use this to make sure the variable gets there:
print_r($_GET);
What happens when you replace:
<button class="btn" type="submit">SEND</button>
With
<input type="submit" value="Send" />
I realize you are probably styling it given that you have a class statement but you can still style an input type="submit" easily enough. I ran into issues posting variables using the object.
Also, FWIW, you don't need to specify the full URL in the action. In fact, you should probably do the following to safeguard your self against XSS attacks:
<form action="<? echo htmlentities('/path/to/index.php'); ?>" method="post">
I need to validate a form using php. when i go to validate i need it to stay on same page if validation fails. is this possible. i know it can be done with the use of javascript but im trying to cater to those who turn javascript off.
No. If you're not willing to use Javascript, you'll have to submit the form (and go to a new page) to validate it.
Put all of the variables into strings, then use a post method to validate, and if there was a problem get the variables back out from the strings
$name = $_POST['name'];
<form action="validate.php" method="POST" value="$name">
<input type="text" id="name" />
</form>
PHP is server side code. In order to validate the page, you need to do a round trip to the server. If the form doesn't validate, then you can redirect them back to the same, page, along with some markup that explains the problem.
That said, only ~1% of people disable javascript, so I wouldn't worry about that.
Even if you do perform client side form validation in javascript, you should always validate server side as well.
While it is not possible to do without client side help it is possible to emulate the result by posting the for to the page that hosts the form.
if ($_SERVER["REQUEST_METHOD"] == "POST"){
// validate your form and set placeholder variables for error messages.
if(empty($_POST["username"])) $userError = "You must supply a username";
// if the form is valid do a header redirect
header("Location: http://mysite.com/myaccount/");
}
<form method='post'>
<label for='username'>Username: </label>
<input id='username' name='username' type='text'
value='<?= isset($_POST["username"])?$_POST["username"]:"" ?>'>
<?= isset($userError)?$userError:"" ?>
</form>
I have a landing page called `index.php' with the following form:
<form action="auto_mail.php" method="post">
<input id="signup" class="span8" type="text" placeholder="Your email" name="signup">
<input type="submit">
<?php
if (isset($_SESSION['got_it']))
{echo "<b>You're all signed up!</b>}
?></form>
In the file auto_mail.php I have:
// code scrubbing user input...
$user_email = $_POST['signup'];
session_start();
$_SESSION['got_it'] = '1';
// code sending me an email when someone signs up.
echo <<<EOD
</b>
<meta http-equiv="refresh" content="0, url=index.php">
</div>
</body>
</html>
EOD;
?>
I've looked at some other SO questions (Using $_SESSION to carry data), but it's not what I'm looking for.
All I want, is for a user to see "You're all signed up" when they enter a valid email; with the email confirm email being sent in the background. This code feels clumsy and awkward. It also flashes the auto_mail.php page briefly.
I tried to set <form action="index.php"..., but it doesn't work because I've set up auto_mail.php such that you can't access it directly.
How can use the code in auto_mail.php, which checks for a valid email address and sends confirm emails, without dealing with both $_POST and $_SESSION, or at least using them better?
If you don't want to have any page reloads whatsoever, you'll have to use AJAX to send the form, instead of utilising the form POST.
If you are using jQuery, or Mootools, they both have built in wrappers to handle ajax calls. Without a helper library, you'll have to look into making an XMLHttpRequest yourself.
Other than that, traditionally, you would redirect the user to a "form submitted" page, or alternatively, have the form action be sent to the same page (in your case, index.php, and have PHP code to handle form data if it is received).
I dont get completely what you want.
I think you try to Verify a Mail Address (after?) that form has been sent. But you cannot access the file via http that does the verification.
Have you thought about including the auto_mail.php?
I think you should consider using one of popular PHP frameworks. I guess you didn't use any in above example. Good framework that also offers MVC structure allows to do operations like this in such a simple way you can't even imagine.
Breaking it down to MVC structure will even make it extremely simple to handle post sending and displaying dependences and results made by it in one action.
Learing good framework at first might look like a waste of time, but believe me - it will pay off very quickly.
For start I recommend you looking at Kohana Framework or, if you're ambitions one - Symfony Framework.
I want to automate some tests on my webpage, mainly filling out forms with invalid data and see what happens. Is is possible with Javascript? If not, is it possible with PHP? The script should handle sessions and cookies.
Here is a very simple example that has 3 pages. In the first you should enter 'x' and click submit, in the second you should enter '3' and click submit. If that was successful the last page should show you "you got it!". Can that be automated so that I load a script and see the "you got it" right away? Please note: This has no cookies\sessions for simplicity, but I want an answer that dose support those.
I have tried making another page with iframe that includes the site above. But could not gain access to the elements inside the iframe
I have tried making an PHP script using cURL, that sends requests, but I could not forward cookies.
I have posted an comment on this answer but didn't get a reply.
For your convenience, here is the code: (you don't really need it, but just in case..)
index.html
<!DOCTYPE html>
<html>
First page: please enter x
<form method="post" action="next.php">
<input type="text" id="id" name="id" />
<input type="submit" />
</form>
<html>
next.php
<?php
if(isset($_POST) && isset($_POST['id']) && $_POST['id']!='x'){
echo '<script>window.location = "http://www.cs.bgu.ac.il/~kahilm/myNavigator/";</script>';
}
?>
<!DOCTYPE html>
<html>
Second page: please enter 3
<form method="POST" action="last.php">
<input type="text" name="code" />
<input type="submit" />
</form>
</html>
last.php
<?php
if(isset($_POST) && isset($_POST['code']) && $_POST['code']=='3'){
echo 'you got it!';
}else{
echo 'you sent something, please make it a "3"... :)';
}
?>
Consider the Selenium browser automation framework - it allows you to navigate through pages, verify conditions, fill in forms. Very stable, very mature.
http://seleniumhq.org/
You should look at programatically controlling a browser to perform this type of test. Selenium is a popular option, and has PHP bindings mentioned in the documentation (although I usually use Perl or Python).
PHP-based solution: Won't test from the front-end, only the server-backend, hence won't emulate real input.
JS: Will not persist across pages.
Hence, you are either looking for a browser-extension or a standalone utility separate from the browser entirely.
You could try:
Sikuli which however is generic, not targeted at web-pages, but at GUIs in general.
WatiN or Selenium