Sometimes, when I submit a form that gathers checkbox data, the checkbox data displays perfectly and other times, the values don't display at all. Any ideas what could cause this?
A typo in your code
You misunderstand how checkboxes work
Ineffective debugging logic
Bad logic to begin with
Those would be the most likely causes. If you share some code and a more specific example I bet it can be narrowed down even further.
You probably have a problem with your URL structure. You may be trying to post data to a URL thats different then your current location. This tends to look like a cross site scripting attack and the server won't be able to grab your posted variables in this case.
Example of what I'm talking about:
I have a form here: http://www.mywebsite.com/myform.php
Now I try to submit the form to: http://mywebsite.com/myform.php
To a user this seems fine but the server thinks that the www. version of the site is a different website and doesn't grab your variables.
For consistency you should always force a user to either the www. or non www. version of your website using a .htaccess file.
Hope that helps.
Related
Here's one that might get you scratching your heads - it certainly has me!
I'm using a form to submit content to WordPress' 'update_post_meta' function.
The form itself is pretty simple, just a range of input and textarea fields. On submit the action directs to the same page where some PHP takes over to do validation on the $_POST info before submitting to Wordpress. Now it all works perfectly, except one very strange bug:
Whenever you use the word 'casino' in any of the fields, instead of submitting the form, the page refreshes and throws up a 404 error, even though the address bar shows a perfectly valid URL! I don't believe it's my PHP code as I don't think we get that far in the process, so I'm thinking it's a server thing, but I can't imagine why. This happens on any form across the whole site and I've also got the same result on other sites hosted with the same hosting company (Namecheap, FYI).
So, the question is, can anyone suggest a reason why sending that word in particular to $_POST would break a form and cause that error?
PS. I'm currently solving this using a replace() javascript function so 'casino' never gets sent with the form, but if the 'casion' issue can solved I would be very grateful. It would at least stop me puzzling over it.
This is because the probability of being recognized as spam is high.
Casinos should be used well because there are many websites that cannot be used by the word itself.
Using the language of other countries is one of the ways to promote it by openly saying "[우리카지노][1]" like me.
I hope you will answer your question.
I am wondering if this is possible with PHP, or if not with ASP since it's relatively similar and I could pick it up quickly. Let's say I have a text input for a user to search a database; as an alternative to using the text field I want a user to be able to go to 'www.examplesite.com/SEARCHTERM'. Is this possible? I've seen it done, but I can't figure out how. Thanks!
You might have to look in to url rewriting based on the server you use.
URL Rewritting
This can be done:
1) Using $_GET
www.examplesite.com/?SEARCH=SerachTermHere
In the page you can get the search variable with $_GET['SEARCH']
2) Using URL Rewritting
Yes that's easily possible. For example if you have apache server then you can enable mod rewrite and write one rule to redirect all such requests to your script in a variable and it will then handle accordingly
It is possible, you have two options.
Using URL Rewritting in your server configuration.
Using $_GET global. Everything in URL after your actual page address is available through $_GET.
This goes a bit beyond your question but might prove to be very useful. Even though it is a framework, you might want to look at Symfony 2 routing for ideas how to implement it. Specifically at "Under The Hood" section. You can even explore their routing code on github. Applications made in it have exactly the form you are searching for (content displaying based on $_GET data).
I am buildiig a simple CMS and would like to know how to create short URLs (not the APACHE bit but the PHP bit).
example.com/?page=100
example.com/home/test
How would I interpret the ?page=100 into /home/test (Through select the database, but i couldn't figure out how) I can see if just one level /home/test because you probably can have a zoneID, but when it comes to /home/test/test. I become lost
And how do I parse back the /home/test to the page id.
Plus is there anyone can show a bit idea for the database design as well?
These resources can be useful to you:
https://stackoverflow.com/a/120411/370290
http://www.symfony-project.org/book/1_0/09-Links-and-the-Routing-System
http://codeigniter.com/user_guide/general/urls.html
http://www.phpaddiction.com/tags/axial/url-routing-with-php-part-one/
You need some kind of mod_rewrite for your server side.
That will help you to send route data to index.php (or somewhere else) file without filename in adress string. Than some php file will analyze the route and give correct html.
ok i think you need to definitely need to look at the way you are going to do your routing (through mod_rewrite)..for example
1.you can rewrite the page www.example.com/test to ..www.example.com/index.php?page=test and implement a way of getting page by the page name..and returning an id if a page name exists ..if multiple entries exist then maybe the last modified will be given precedence over the otheers ..you can get the following book CMS Design Using PHP and jQuery helped me alot
<form action="/path/hello.php" name='myForm' method='post'>
<!-- onChange="ajaxFunction();" -->
<input type= "text" name="user" id= "txtname" /><br />
<!-- <input type="text" name="user2" id="txtname2" /> -->
<input type='submit' name = "click" />
</form>
Noweveryone who looks at my html source code will know where this php file is located and will know how to call it. How can i stop this ?
If you handle the POST request to /path/hello.php properly, it shouldn't matter whether someone accesses it manually. Just make sure you are checking for things like the existence of $_POST['click'] and any other POST data you expect to exist, clean it, and proceed as normal.
If someone were to call /path/hello.php with spoofed POST data, then how would that be any different than them submitting your own form? There's no need to modify the script's visibility.
Furthermore, if your fear is that someone would be able to view the source of your PHP scripts--don't. The only thing a user would be able to see if they made an HTTP request to your PHP script would be the rendered HTML.
However, even if they could--why wouldn't you want someone to see your source (of course, barring situations where you might have sensitive configuration data within a PHP file)
You can't stop it. If you're going to tell the browser where the form is, you have to put the address in the HTML somewhere and once you do that anyone can see it.
It really shouldn't make any difference though, as your script should be able to cope with whatever values are sent to it. You can't blindly trust the data from the client in any case, so you need to verify the data sent is what you're expecting - no matter whether that's data sent by filling in your form as normal or someone calling it directly.
I can give a good example for why you would want to do this. You may have a service and offer it to a 3rd party, however in order to make this work there is some important configurable data that may come exposed. Here is an example
You own a website and let's say you want to create some type advertising campaign on your website but your "client" wants to advertise this the same thing on their website but the data needs to go into your email database.
you may not want them to know who you use
those services may require you to add account number or some type of identifying parameter towards your account.
May not be a big deal but still could be a security risk. So if you divert or mask it can prevent some of it.
There is no way to avoid this other than leave off action all together. The form will then submit to the current URL.
In any case, why are you worried about someone accessing the script? If you've written it correctly, no information should be exposed, and, no, they will not know how to "call" it - unless by calling it you mean simply accessing it in the browser. If by simply accessing it in the browser, sensitive information is displayed, you've got some serious problems on your hands.
I think your question is that by showing these paths that people will be able to actually view the source of the php file. That is not possible because it is being rendered by the php engine you are using. You have nothing to fear here.
Sorry, this isn't an answer, but a general observation on this same subject...
I have also experienced this and, seem to know where the OP is coming from...
I have seen a number of large CMS where form "actions" don't show the script... almost as if it points to a "friendly" URL...
Such as <form name="contactform" method="post" action="http://example.com/contact/send-contact">
As can be seen the extension is missing but the form is processed correctly...
I guess the htaccess could hide the extensions but some have a mix of visible URLs for standard pages and some "friendly" URLs for other content (including forms).
I'm not sure how these work...
It is sometimes considered best practice to keep .php files above the root directory to protect against the rare occurrence of php being configured incorrectly on the server and displaying php code to the client.
All you have to do is create a proxy script and post to that. I store the action in a hidden field so that I don't need multiple proxy scripts. I can't post the source code because I would be duplicating my answer on another post. You can find it here: https://stackoverflow.com/a/36941336/2452680
you can first give an action to page1 and in page 1 you can get the data and redirect and post the data to page2.
if you are using phpin page1 you can use curl and options to put data and execute it.
Hi I have a web form that sends a string to one php file which redirects them to a corresponding URL. I've searched about web form hacking and I've only received information about PHP and SQL... my site only uses a single PHP file, very basic etc. Would it be open to any exploits? I'm obviously not going to post the URL, but here is some code I was working on for the php file:
Newbie PHP coding problem: header function (maybe, I need someone to check my code)
Thanks
From that little snippet, I don't see anything dangerous. "Hackers" can enter pretty much anything they want into $_REQUEST['sport'] and thereby $searchsport, but the only place you use it is to access your array. If it's not found in your array.... nothing much will happen. I think you're safe in this limited scenario ;) Just be careful not to use $searchsport for...... just about anything else. Echoing it, or inserting it into a DB is dangerous.
Uh, it really depends. If you are inserting data into a MySQL DB without sanitizing, the answer is a huge yes. This is something you need to decide for yourself if you aren't going to show code.
The solution you've got in the linked question is pretty safe.
Every possible action is hardcoded in your script.
Nothing to worry about.
Though asking for the "web form like this" you'd better to provide a web form. Not the link to the question that contains a code that can be presumed as this form's handler.