I've have this bit in my processor.php file...
session_start();
$_SESSION['address'] = $_POST['field_2'];
$_SESSION['name'] = $_POST['field_1'];
Those variables are being passed to another page and pre-filling inputs on a second form like this...
<input type="hidden" name="Name" value="<?php echo $_SESSION['name']?>">
<input name="Address" type="text" value="<?php echo $_SESSION['address']?>">
Then that form is being submitted to email...
mail($to, $subject,"Form data:
Name: " . $_POST['Name'] . "
Property Address: " . $_POST['Address'] . "
More Fields ", $headers
);
The email comes through successfully with the pre-filled "Property Address" but "Name" is blank. Why is the hidden input not passing the variable for $_POST['Name']?
While it seemed like the hidden field was the problem, it was not. Every thing was working except for the second line here.
mail($to, $subject,"Form data:
Name: " . $_POST['Name'] . "
Email: " . $_POST['Email'] . "
Property Address: " . $_POST['Address'] . "
Lots More Fields ", $headers);
The whole `mail()' function bit was a copy-and-paste snip-it from the web into Sublime Text. The syntax was perfect, but I eventually found that there was an invisible non-ASCII character in the Name line left over from the copy paste from web snip-it operation. I checked if anyone else ever had a similar problem like this and immediately found this FileUtils.mv throwing Invalid char \302 and \255 exception
The moral of the story is that saving time by using snipits may not always save you time. I should have enabled "draw_white_space" in Sublime Text and I would have probably caught it a lot sooner.
As Fred -ii- pointed out the message body arguments all would have been better concatenated as a $message variable. Whose advice I've now followed.
At step 2, check in the generated HTML code if the "value" attribute have the correct value.
Also, instead of using at step 3 $_POST['Name'] , use $_REQUEST['Name']. With this, it will work if POST or GET request.
Related
When i get the POST data from form .
This is my html of a particular input field .
<input type="text" title="Nick Name" data-optional="1" value="" name="FedEx_small_dropship_nickname" placeholder="Nick Name" id="FedEx_small_dropship_nickname">
when i add the input like nick 'o' compton it make it nick 'o' compton means it does not read ' sign and make it ' but i want to store ' in db . Any body please help .
Regards
while inserting to DB use:
htmlspecialchars($data_var, ENT_QUOTES)
and later on when you display this data back to users:
htmlspecialchars_decode($data_var, ENT_QUOTES);
I'm trying to accept a form and write it to a CSV (invisible to the people submitting the form, but I can look at it as a compilation of everyone's entries on the server when I feel like it). Every time someone enters the form, it will become a new line on the CSV. To show that the people are actually submitting, a new tab will pop up with a little "thank you" like message and their submission so they can make sure it's theirs. Yes, I do have a JS form validation that works perfectly, but since that doesn't have a problem I left it out to save space.
Here is my current problem. In Firefox, I just get a blank new tab and nothing changes on my--blank--CSV, which is titled testForm.csv. In Chrome, a new tab opens that contains all the code on my php document, and my CSV stays blank.
Here's the snippet of my HTML:
<html>
<body>
<form name="Involved" method="post" action="postest.php" target="_blank" onsubmit="return validateForm();">
Name: <br><input type="text" name="name" title="Your full name" style="color:#000" placeholder="Enter full name"/>
<br><br>
Email: <br><input type="text" name="email" title="Your email address" style="color:#000" placeholder="Enter email address"/>
<br><br>
How you can help: <br><textarea cols="18" rows="3" name="help" title="Service you want to provide" style="color:#000" placeholder="Please let us know of any ways you may be of assistance"></textarea>
<br><br>
<input type="submit" value="Submit" id=submitbox"/>
</form>
</body>
<html>
Here is postest.php:
<?php
$name = $_POST['name'];
$email = $_POST['email'];
$help = $_POST['help'];
$csvData = $name . "," . $email . "," . $help . '\n';
echo "Thank you for your submission! We'll get back to you as soon as we can!";
echo "I'm " . $name . ", my email is " . $email . ", and I can help in that: \n" . $help;
$filepointer = fopen('testForm.csv','a');
if ($filepointer){
fwrite($filepointer,$csvData);
fclose($filepointer);
exit();
}
?>
I checked out this question about echoing to see if that was my problem. I asked this question before and nobody seemed to find anything wrong with my code other than the obvious $_POSTEST problem. This page looked like what I was going for, but wasn't. This question kind of had what I was going for but didn't actually have the POST code and the answer was one of the most useless things I've ever read (in a nutshell: "Just do it. It isn't that complicated." and some links to other SO questions, which I followed). They brought me here and here. I put exit(); after fclose() like it seemed to work for the first one (it did nothing). With the second, the user's code was too far removed from the codes I've been looking at for me to change my code over to what he/she was doing. I've been searching a lot, and doing extensive googling, but I'm going to cut my list of research here because nobody wants to read everything; this is just to prove I tried.
Let me know if there's anything else you need; I am a complete php novice and it's probably something very basic that I missed. On the other hand, I'm not seeing any major differences between my code and others' at this point.
Try something like this :
<?php
$name = $_POST['name'];
$email = $_POST['email'];
$help = $_POST['help'];
$filepointer = fopen('testForm.csv','a');
fputcsv($filepointer, array($name,$email, $help));
echo "Thank you for your submission! We'll get back to you as soon as we can!";
echo "I'm " . $name . ", my email is " . $email . ", and I can help in that: \n" . $help;
?>
This is the error :-
---> $filepointer = fopen('testForm.csv','a');
$fp = fopen('testForm.csv','a');
if ($fp){
fwrite($fp,$csvData);
fclose($fp);
exit();
}
And the real issue is developing without
display_errors = On
log_errors = On
Look for these parameters in the php.ini file, and turn them on, unless you are developing on a live server, in which case, you really should set up a test environment.
and then not looking at the php error log
UPDATE
There was only one line to change actually, here is the complete code.
<?php
$name = $_POST['name'];
$email = $_POST['email'];
$help = $_POST['help'];
$csvData = $name . "," . $email . "," . $help . '\n';
echo 'Thank you for your submission! We\'ll get back to you as soon as we can!';
echo '\"I\'m \"' . $name . ", my email is " . $email . ", and I can help in that: \n" . $help;
$fp = fopen('testForm.csv','a'); // only line changed
if ($fp){
fwrite($fp,$csvData);
fclose($fp);
exit();
}
?>
Your error is really basic and I am ashamed of you. Your problem is obviously that you have not been using a server, nor do you have a PHP package installed on your computer. When you told your computer target="_blank" and method="post", it knew what you wanted, being HTML. However, not having anything that parsed PHP, it had no idea how to read your code and came up as a blank page in Firefox and a block of code in Chrome.
You, indeed, have no idea what you are doing.
I have a minor problem. When I use this code:
<!DOCTYPE HTML>
<html>
<head>
<title>Declare Nerf War!</title>
</head>
<body>
<?php
$form="<center><form action='decwargen.php' method='POST'>
Your Name: <input type='text' name='yname' placeholder='John Doe'><br>
Opponent's Name: <input type='text' name='oname' placeholder='Jane Doe'><br>
Why? <input type='text' name='why' placeholder='for stealing my stuff'><br>
Date of war: <input type='text' name='dwar' placeholder='10/11/13'><br>
Time of war: <input type='text' name='twar' placeholder='10:56 PM'><br>
Created on: <input type='text name='crtd' placeholder='10/10/13'><br>
<input type='submit' name='subbut' value='Submit'></center>
</form>";
$ok = $_POST ['subbut'];
if($ok){
$yname = $_POST ['yname'];
$oname = $_POST ['oname'];
$why = $_POST ['why'];
$dwar = $_POST ['dwar'];
$twar = $_POST ['twar'];
$created = $_POST ['crtd'];
echo("<center><h1>Declaration of war</h1><br><p contenteditable='true'>I, " . $yname . " declare war on " . $oname . " for/because " . $why . ". This will happen on " . $dwar . " at " . $twar . ".<br>Created on" . $created);
} else echo($form);
?>
</body>
</html>
The web browser says:
Notice: Undefined index: subbut in /Applications/MAMP/htdocs/decwargen.php on line 17
when I first go to the page, then
Notice: Undefined index: crtd in /Applications/MAMP/htdocs/decwargen.php on line 24
when I enter data. Can anyone please help?
Change your
<input type='text name='crtd' placeholder='10/10/13'>
-------^ quote not closed properly
to
<input type='text' name='crtd' placeholder='10/10/13'>
From your recent question edit, also make the following change:
Replace your
$ok = $_POST ['subbut'];
if($ok){
to
if(isset($_POST ['subbut']))
{
As an additional safety tip, DO NOT EVER print something without sanitizing it.
-- edit --
When writing any code that can accept user submitted content, you need to bear in mind that user content can never be trusted. Malicious users can submit specially crafted data that could allow them to gain access to your application, the end user's computer, or much more.
One way to reduce (or control) the threat is to do the following:
Validate the data: Make sure that the type of data matches what you expect for a field (number, text, email, etc).
Sanitize the data: Perform some cleanup to remove undesirable things contained in the data.
Validate the legitimacy of the form (Optional but recommended): If applicable, ensure that the code is being submitted by a form that was truly generated by your web site and use CAPTCHA to prevent automated content submission when possible.
Escape the data: When displaying the data or passing it on to other systems (database, api call, etc.), make sure that you escape the received data so that it does not negatively after those systems.
You can get more information about doing these things and much more using a simple Google search. You can also look at PHP Sanitize filters
Now going back to the actual code that was used in the original question.
I have taken the liberty to print the form below the declaration of war so that you can declare even more wars if you wish.
The code looks like the following ...
<!DOCTYPE HTML>
<html>
<head>
<title>Declare Nerf War!</title>
</head>
<body>
<?php
$form="<center><form action='decwargen.php' method='POST'>
Your Name: <input type='text' name='yname' placeholder='John Doe'><br>
Opponent's Name: <input type='text' name='oname' placeholder='Jane Doe'><br>
Why? <input type='text' name='why' placeholder='for stealing my stuff'><br>
Date of war: <input type='text' name='dwar' placeholder='10/11/13'><br>
Time of war: <input type='text' name='twar' placeholder='10:56 PM'><br>
Created on: <input type='text' name='crtd' placeholder='10/10/13'><br>
<input type='submit' name='subbut' value='Submit'></center>
</form>";
$ok = $_POST['subbut'] ?? false;
if($ok){
$yname = $_POST['yname'];
$oname = $_POST['oname'];
$why = $_POST['why'];
$dwar = $_POST['dwar'];
$twar = $_POST['twar'];
$created = $_POST['crtd'];
echo "<center><h1>Declaration of war</h1><br><p contenteditable='true'>I, " . $yname . " declare war on " . $oname . " for/because " . $why . ". This will happen on " . $dwar . " at " . $twar . ".<br>Created on " . $created;
};
?>
<hr>
<?php echo $form; ?>
</body>
</html>
I realize that the question was originally asked in 2013. Still, I am going to solve the Notice: Undefined index: subbut ... using a more modern PHP feature.
I would replace ...
<?php
$ok = $_POST ['subbut'];
with ...
<?php
$ok = $_POST['subbut'] ?? false;
You can find out more about the new PHP Null coalescing operator (the Elvis operator ??) at http://php.net/manual/en/language.operators.comparison.php#example-105
When you submit and declaration of war, you will have something similar to the following image ...
HTML Injection
Now, you are going to see what happens with your form when someone performs a simple HTML injection on your page.
Instead of submitting the name as John Doe, I am going to submit John Doe</form><form action="http://example.com" target="_blank"><input value="You got hacked">
The result is visible on the following image ...
If you try to submit another declaration, you will notice that the form will be submitted to the example.com domain. That's because:
The </form> tag will try to close the current form in case the submitted value was printed inside a form. If there was no form to close off, than the tag will be invalid and the browser will ignore it.
Then, my new form is added using <form action="http://example.com" target="_blank">. Browsers will usually reject a nested form tag. Because of this, my form will take over the next form by invalidating its opening tag.
Someone could argue by saying that the original example was not printing a form. Sure. But that does not change what I am trying to convey.
Instead of creating a form, I could have injected a tag what would load an elaborate Javascript application that would then run on your site's domain and do whatever is possible using Javascript. I could have also added an iframe or other things.
The bottom line is, do not use or directly print anything submitted to your script. Heck, you cannot even trust content coming for your own database because you don't know if it's been altered by someone else. You still need do perform some clean up to guard against XSS and CSRF using the data.
When you first go to the page
$_POST['subbut']
Does not exist. It only exists once the form has been posted. In order to avoid this you need to use isset. For example use the following code instead
if(isset($_POST ['subbut'])){
$yname = $_POST ['yname'];
$oname = $_POST ['oname'];
$why = $_POST ['why'];
$dwar = $_POST ['dwar'];
$twar = $_POST ['twar'];
$created = $_POST ['crtd'];
echo("<center><h1>Declaration of war</h1><br><p contenteditable='true'>I, " . $yname . " declare war on " . $oname . " for/because " . $why . ". This will happen on " . $dwar . " at " . $twar . ".<br>Created on" . $created);
} else echo($form);
Also change this line
Created on: <input type='text name='crtd' placeholder='10/10/13'><br>
to this
Created on: <input type='text' name='crtd' placeholder='10/10/13'><br>
You have a quote mistake. Try to change
type='text name='crtd'
to
type='text' name='crtd'
I am implementing a contact form. When the user submits the form, all input is validated and stored in a session. It is then forwarded to a page that informs the user of a successfully posting of the comment, displaying the data entered.
The trouble I am having is that all new lines are not being displyed correctly as breaks using nl2br().
User input:
<textarea name="comments" rows="10" cols="50" id="comments" tabindex="5" title="comments">
<?php echo isset($_POST['comments']) ? $_POST['comments'] : ''; ?>
when validated...
$_SESSION['comments'] = $_POST['comments'];
forwarded on to contact-sent page and then appended to the string to display
$forwardString = "<h2>New Website Comment: </h2><h3>" . $cEmail . "</h3><p>" . $cComment . "</p>";
Then displayed:
echo nl2br($forwardString);
Where do I implement the nl2br() function?
Example input:
Just a test to verify contact works correctly.
We should see two line breaks here.
One line break here
Currently yields:
Just a test to verify contact works correctly.We should see two line breaks here.One line break here
try
echo nl2br(stripslashes($forwardString));
You could be possibly escaping the string twice so the \n becomes \n
I hope I'm missing something pretty basic here but: An empty form is getting submitted randomly, sometimes 3-8 times a day, then none for a few days and so on.
The empty submits always email with the subject as "[Website Contact Form]." Even though there is no validation in my php, in the html code the subject is chosen from a drop-down menu with the default as "General Enquiry." Notice in the php code below, there is no way for a human to submit an empty form with the above subject line, that is, it would always be "[Website Contact Form]General Enquiry" if I press submit without entering anything.
I have contact.html call this contact.php file:
<?
$email = 'info#mail.com';
$mailadd = $_POST['email'];
$headers = 'From: ' . $_POST['email'] . "\r\n";
$name = $_POST['name'];
$subject = '[Website Contact Form] ' . $_POST['subject'];
$message = 'Message sent from: ' . $name . '. Email: ' . $mailadd . '. Organization: ' . $_POST['company'] . '. Phone: ' . $_POST['phone'] . '. ';
$message .= 'Message: ';
$message .= $_POST['message'];
if (mail($email,$subject,$message, $headers)) {
echo "<p>Thank You! We'll get back to you shortly.</p>";
}
else {
echo "<p>Error...</p>";
}
?>
I use this code for many websites, but have never encountered this issue. Is there something so obviously wrong with this code that I'm missing? Any help would be greatly appreciated!
I suspect that you may not be checking that these variables are set before you send the email. Someone requesting contact.php directly (without any form data) may produce the results you have described. If this is the case, the following code should work like a charm:
<?php
if (isset($_POST['submit']) {
// form code
}
else {
// The form was not submitted, do nothing
}
?>
Even if that's not that case, such a simple check is always good practice.
Furthermore, you should always validate any user input just as a good habit. You don't want your server flooding your inbox with emails. I suggest using regexs to validate the input provided and possibly use a captcha service (such as ReCaptcha).
If you've been using this code and it's been working fine then I'd check what variables you changed with this case for example your submit form.
Try out your form with all common possibilities and see if it works. And empty Subject will give your form the subject "[Website Contact Form]". Check that your script actually get's the post variables and your form submits the right variables. Your dropdown might have an option with value of "" and the innerHTML "General Enquiry". The value is what will get submitted.
It's good to check inputs server-side as well
<?php
if(isset($_POST['subject'],$_POST['email'])){
}
?>