I want to read cookies when the page loads and I want to be able to save them when the user presses the submit button on the form.
As the server-side script is running before the HTML loads, I don't know how to send user info from the form into setcookie().
For example:
<form id="loginForm" name="loginForm" method="post" action="login-exec.php">
<div><input name="login" type="text" class="textfield" id="login" /></div>
<div><input name="password" type="password" class="textfield" id="password" /></div>
<div><input type="checkbox" name="checkbox" value="true" id="checkbox" /> Remember me</div>
</form>
This is the function that is made to set cookies:
setcookie(name, value, expire, path, domain);
How to put my info from the form into the $value variable when checkbox is checked?
Do I need to check checkbox value in html or php?
You must do that in login-exec.php using the $_POST variable which will contain your form's data:
<?php
if (isset($_POST['checkbox'])) {
// guessing how to retrieve the other fields is left as an exercise
// setcookie('name', 'value');
}
?>
But, as others have said, you should really read some articles about how to make a safe remember-me system (or ask on SO!).
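As an added example (not the answerer's code), this is one common shape for a remember-me cookie that carries a random single-use token instead of the login or password from the form. `$tokenStore` stands in for a database table, and the function names, the cookie name `remember` and the 14-day lifetime are assumptions.

```php
<?php
// Added example: $tokenStore stands in for a database table keyed by selector.
// Function names, the cookie name and the 14-day lifetime are assumptions.
const REMEMBER_TTL = 14 * 24 * 3600;

function issueRememberToken(array &$tokenStore, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret half, only its hash is stored
    $tokenStore[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

function checkRememberToken(array &$tokenStore, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($tokenStore[$parts[0]])) {
        return null;
    }
    $row = $tokenStore[$parts[0]];
    unset($tokenStore[$parts[0]]);            // single use: issue a new token after success
    if ($row['expires'] < time() || !hash_equals($row['hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    return $row['user_id'];
}

// login-exec.php, after the password check has succeeded for $userId.
$tokenStore = [];   // constructed in-memory store
$userId = 42;       // constructed value
if (isset($_POST['checkbox'])) {
    setcookie('remember', issueRememberToken($tokenStore, $userId), [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}
```

On a later page load, pass `$_COOKIE['remember']` to `checkRememberToken()` and, when it returns a user id, start the session and issue a fresh token.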
I have an input field for emails and I need the data that was entered by the user to be shown on another page.
<input style="width:456px; height:30px;" class="adv_onus_fields" name="adv_onus_email" autocomplete="off" type="email" placeholder="'.__("Email","Advinim").'"/>
You simply have to wrap the input into a form and specify a target like this.
<form action="/destination.php" method="get">
<input style="width:456px; height:30px;" class="adv_onus_fields" name="adv_onus_email" autocomplete="off" type="email" placeholder="'.__("Email","Advinim").'"/>
<input type="submit" value="Submit">
</form>
On the page you want to use the variable write $_GET['adv_onus_email'] to access it.
Another way of doing it is starting a session with session_start() and saving the variable in the $_SESSION array.
I have a php page with a form which I want to search the user database from for a username match. This is my code:
<form id="searchuser" name="searchuser" method="post" action="">
Enter a username to search for:
<label>
<input type="text" name="uname" id="uname" />
</label>
<label>
<input type="submit" name="submit" id="submit" value="Search" />
</label>
<p> </p>
</form>
Do I need to put setcookie() in the action?
The action field of a form should contain the URL (relative or absolute) of the PHP script which the browser will navigate to while passing the form fields as a POST request.
For example, you can create a php script named search.php, set action="search.php" in the form and then access the fields of the form in that script using $_POST['uname'] for example.
Not sure what you need to set the cookies for in this form but to set a cookie you need to put the setcookie() call somewhere in your php script, NOT in the HTML code. Also you need to call the setcookie() before any HTML output in your php script.
I have this form:
<form name="form2" method="post" action="http://1.1.101.1/reg.php">
<input id="field12" type="text" value="{$username}" name="username" maxlength="32" placeholder="Username" required="required" />
<input id="field22" type="text" value="{$password}" name="password" maxlength="32" placeholder="Password" required="required" />
<input name="checkbox" type="hidden" id="checkbox" value="checkbox" />
<input type="hidden" name="url" value=""/><br/>
<input type="submit" value="Connect to WiFi" name="button1" /><br/>
</form>
The action is an external URL.
How can I check in my PHP when the submit button is posted (name = button1) before it goes to that URL?
Right now I have this, but it's not working because it goes directly to the action URL from the form.
if ($_SERVER['REQUEST_METHOD'] == "POST") { // REQUEST_METHOD is reported in upper case
var_dump($_POST);
exit;
}
You can't.
The only way to validate it without using client side code is to submit the form to your own server side code.
You then won't be able to reliably redirect the request while maintaining POST.
You have basically two options the way I see it.
If it's not necessary for the user to see the output of the external script, you could do the posting yourself from your backend. I.e. change the action of your form to your own script and do something like the following:
Validate the fields
If validation OK, POST the data to the external URL via CURL (or similar)
If POST to external URL went OK, redirect to wherever the user should end up in the end
If the user must end up at this external URL, you could do it in two steps. First have your form action set to your own server side validation. If it passes, give the user a confirmation page with a form containing the same data which would then post it to the external URL. The fields should probably be hidden/read-only on this page to prevent them from being changed before the final submit.
This last method is definitely possible to mess with since it's easy to first use valid values, and then change the data in the HTML before doing the final submit. So if security is important here, you're stuck with the first option.
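The first option above, as an added example that is not the answerer's code: the form's action points at your own script, which validates the fields, posts them to the external URL with cURL, then redirects. The script name `relay.php` and the local pages `/form.php` and `/connected.php` are hypothetical; the field names and the external URL are taken from the form in the question.

```php
<?php
// relay.php (hypothetical name): the form's new action.
// /form.php and /connected.php are assumed local pages.

function validateFields(array $post): ?array
{
    $clean = [];
    foreach (['username', 'password'] as $field) {
        $value = $post[$field] ?? '';
        // The form declares required and maxlength="32"; enforce both here,
        // because HTML attributes are only advisory.
        if (!is_string($value) || $value === '' || strlen($value) > 32) {
            return null;
        }
        $clean[$field] = $value;
    }
    return $clean;
}

function relayToExternal(array $fields): bool
{
    // Fixed destination from the question's form, never taken from user input.
    $ch = curl_init('http://1.1.101.1/reg.php');
    // Remaining fields are copied from the original form.
    $fields += ['checkbox' => 'checkbox', 'url' => '', 'button1' => 'Connect to WiFi'];
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    return $body !== false && $status >= 200 && $status < 400;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $fields = validateFields($_POST);
    if ($fields === null) {
        header('Location: /form.php?error=invalid');
        exit;
    }
    header('Location: ' . (relayToExternal($fields) ? '/connected.php' : '/form.php?error=external'));
    exit;
}
```

The external script sees the request arrive from your server rather than from the user's browser, so this only fits when that script does not depend on the client's address or cookies.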
Try this
<?php
if(isset($_POST['button1'])){
//action
header('Refresh:3; url=http://1.1.101.1/reg.php');
}
?>
On page1.php I have a form which sends vars via POST to page2.php.
However, I only want to process the form if it is called from page1.php.
How do I check for this?
Kind regards!
EDIT:
It's a kind of security measure. If I'm a hacker and I copy the form code from the source of the page and run it, I can change crucial vars.
EDIT2:
Ok here is the actual problem:
Users can edit credit to their account. They can choose values from 5EUR to 50EUR.
Eventually they come on a page 'deposit.php' where the final form is sent to a page 'payments.php' which then sends the var to Paypal.
Deposit.php:
<form class="paypal" action="paypal/payments.php" method="post" id="paypal_form" target="_blank">
<input type="hidden" name="cmd" value="_xclick" />
<input type="hidden" name="no_note" value="1" />
<input type="hidden" name="lc" value="BE" />
<input type="hidden" name="currency_code" value="EUR" />
<input type="hidden" name="bn" value="PP-BuyNowBF:btn_buynow_LG.gif:NonHostedGuest" />
<input type="hidden" name="item_number" value="50" />
<input type="hidden" name="price" value="47.50" />
<input type="submit" class="uibutton " value="Betaal met Paypal" style="width: 100%; font-size:120%;">
</form>
(BTW they get a discount if they add 50EUR)
Well, first of all you have to understand that there is no security measure the way you put it.
And, of course, no method provided by other participants can protect your "crucial vars". They were actually answering another question, one that is more familiar to them.
Forms are intended to be filled in by the client party. So you can't expect any variable to be untouched. Everything coming from the client side can be spoofed, no matter what measures you took.
So, whatever "crucial vars" should remain on the server.
While all the data coming from the form should be considered unsafe and treated accordingly.
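An added example of keeping the "crucial vars" on the server (not code from the question or the answer): payments.php uses the posted `item_number` only to select a tier and takes the price from its own table. `CREDIT_PRICES` and `buildPaymentFields()` are hypothetical names, and the table is constructed; only the 50 EUR tier priced at 47.50 comes from the page.

```php
<?php
// Added example. CREDIT_PRICES is a constructed table: only the 50 -> 47.50
// discount comes from the page, the other tiers are assumed.
const CREDIT_PRICES = [
    '5'  => '5.00',
    '10' => '10.00',
    '25' => '25.00',
    '50' => '47.50',
];

// Build the fields payments.php forwards, using the POST body only to learn
// which tier was chosen. Any price sent by the browser is ignored.
function buildPaymentFields(array $post): array
{
    $tier = $post['item_number'] ?? null;
    if (!is_string($tier) || !array_key_exists($tier, CREDIT_PRICES)) {
        throw new InvalidArgumentException('Unknown credit tier');
    }
    return [
        'cmd'           => '_xclick',
        'no_note'       => '1',
        'lc'            => 'BE',
        'currency_code' => 'EUR',
        'item_number'   => $tier,
        'price'         => CREDIT_PRICES[$tier],
    ];
}

// Constructed request: the hidden price field was edited in the browser.
$tampered = ['item_number' => '50', 'price' => '0.01'];
$fields = buildPaymentFields($tampered);
echo $fields['price'], PHP_EOL;

// Constructed request: a tier that does not exist.
try {
    buildPaymentFields(['item_number' => '5000', 'price' => '1.00']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```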
Depending on the application, you could use $_SERVER['HTTP_REFERER'] and do a check but the problem with it is that not all browsers send it, and it is modifiable by the user. So if this is just for a few people that you know it probably won't be a problem. If this is for the world it isn't recommended.
What I usually do is set a session on page 1, then check for that session on page 2. Every time page 1 loads you need to reset the session.
page1.php
<?php
session_start();
// Unpredictable per-page-load token from the CSPRNG, stored in the session
$hash = $_SESSION['hash'] = bin2hex(random_bytes(16));
?>
<form action="page2.php" method="post">
<input type="hidden" name="h" value="<?php echo $hash; ?>" />
Your Name: <input type="text" name="name" />
</form>
page2.php
<?php
session_start();
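// Reject when either value is missing (a loose != treats two unset values as equal)
// and compare in constant time.
if (empty($_SESSION['hash']) || !isset($_POST['h']) || !is_string($_POST['h'])
    || !hash_equals($_SESSION['hash'], $_POST['h'])) {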
header("Location: page1.php");
exit;
}
// process data
I think Adam D's response is too weak (anyone can change that just using Firebug). What you want is to prevent users from skipping some step, or to avoid XSRF.
In that case I would say use sessions.
Create a session
Save the current step
Retrieve and validate the current step and halt or continue according to the value
In your form, include a hidden field that you then check for on page2.php. See below:
<form action="post.php" method="POST">
<input type="text" name="fname" id="fname" />
<input type="hidden" name="cameFromPageOne" value="true" />
</form>
Then, on the top of page2.php, check that the hidden variable is set, and if not, redirect back to page1.php
<?php
if(!isset($_POST['cameFromPageOne']) || $_POST['cameFromPageOne'] != 'true') {
header('location: http://www.example.com/page1.php');
exit();
} else {
// ... code to process if they DID come from page1.php
}
?>
There's no reason to overcomplicate it, there's a global variable in PHP which tells you the URL your current script was requested from:
echo $_SERVER["HTTP_REFERER"];
I am using PHP and this is my form
<form method="POST" action="www.welcome.php" style="clear:both">
<legend>Login</legend>
Username: <input type="text" name="username" size="20" id="username" class="content" /><br>
Password: <input type="text" name="password" size="20" id="password" class="content" /><br>
<input type="submit" value="Login" name="submit" class="content" />
<input type="reset" value="Reset" class="content" />
<div id="login_response"></div>
</form>
However, I want the redirected page URL to be
www.welcome.php?username=xxxx
provided I logged in with xxxx
I want the redirected page URL to be www.welcome.php?username=xxxx
For the form's action you don't need it. Just leave your form as is.
If you want to redirect a user after the form processing (as you have to anyway), just add the entered username to the URL in the Location header:
// urlencode() keeps characters such as & or # in the username from altering the URL
header("Location: welcome.php?username=" . urlencode($_POST['username']));
exit;
As posted in the second comment, form method="GET" will send the user over to this URL: www.welcome.com/?username=xxxx&password=yyyyyy
However, assuming you do not want the URL to have the password in the querystring (bad idea!) then you will have to submit the form with Javascript, in order to pass the username in the querystring and the password in the post variables. Specifically, your submit button should have an onclick event that calls a Javascript function, which then reads the value of the username and appends it to the action URL, then submits the whole form with the POST method.
I can't think of a reason why you would want the username to be in the querystring instead of the post variables though.
In MB The Developer's answer, the www.welcome.com?username=xxxx URL is hardcoded, which doesn't seem that useful, but if you are talking about a failed login going back to the login page ("redirected?") then MB's example could be extended with something like this:
<form method="POST" action="www.welcome.com?username=<?php echo urlencode($_GET['username'] ?? ''); ?>" style="clear:both">
Also I think you will want your password field to be type="password" instead of type="text".