Thanks!

Thanks!
It doesn't work.
Edited by Meti (Forum Moderator): Please do not double post, when you simply can edit your first post.
Last edited by Meti; 30-10-2008 at 09:29 PM.
I pasted the code into notepad, saved as "form.php" and then opened it in firefox and nothing happened.
Okay well there were a few things wrong with the script that Dilore produced. Firstly it had a syntax error (excess "(" bracket in the form validation). Secondly he's using addslashes, which might double slash strings so they may end up like "code\\'s", as magic quotes is on by default. Thirdly he defines the variables $name, $email, $subject, $message, etc after it checks if they're empty... well of course they're going to be empty - no variable of such exists! But if you must use his terrible example here is a version which should work.
PHP Code:
<b>Form:</b>
<?php
if(isset($_POST['send'])) {
    $name = addslashes(htmlspecialchars($_POST['name']));
    $email = addslashes(htmlspecialchars($_POST['email']));
    $subject = addslashes(htmlspecialchars($_POST['subject']));
    $message = addslashes(htmlspecialchars($_POST['message']));
    if(empty($name) || empty($email) || empty($subject) || empty($message)) {
        echo "One of the fields hasn't been filled in!";
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];
        $mail = "[email protected]";
        $sub = "Email from $name";
        $msg = "Here's $name's email:
Name: $name
Email: $email
IP: $ip
Subject: $subject
Message: $message";
        $headers = "From: $email";
        mail("$mail","$sub","$msg","$headers");
        echo "Thanks, your form has been sent, we will reply within 24 hours!";
    }
} else {
    echo "<form method='post' action='$_SERVER[PHP_SELF]'>
Name:<br>
<input type='text' name='name' size='20'><br>
Email:<br>
<input type='text' name='email' size='20'><br>
Subject:<br>
<input type='text' name='subject' size='20'><br>
Message:<br>
<textarea name='message' cols='45' rows='6'></textarea><br>
<input type='submit' name='send' value='Send'>
</form>";
}
?>
But I do not condone it!
Last edited by Iszak; 27-10-2008 at 02:24 PM.
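Added example, not part of any post in this thread and not the posters' code: a variant of the handler above for current PHP, where magic quotes no longer exist. It assigns the fields before checking them, rejects CR/LF in anything that reaches a mail header (addslashes and htmlspecialchars do not remove line breaks), and escapes only when writing HTML. The addresses in `$to` and `$from` and the helper names `field` and `single_line` are assumptions.

```php
<?php
// Added example (not from the thread). $to and $from are placeholder
// addresses chosen for illustration.
$to   = 'owner@example.com';
$from = 'webform@example.com';

// Read one POST field as a trimmed string; arrays and missing keys become ''.
function field(string $key): string {
    $v = $_POST[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Return the value only if it is non-empty and has no CR/LF, so it can
// never start a new line inside the mail headers or the Subject.
function single_line(string $v): ?string {
    return ($v === '' || preg_match('/[\r\n]/', $v)) ? null : $v;
}

$notice = '';
if (isset($_POST['send'])) {
    // Assign first, validate second (the ordering problem raised in the thread).
    $name    = single_line(field('name'));
    $subject = single_line(field('subject'));
    $email   = filter_var(field('email'), FILTER_VALIDATE_EMAIL);
    $message = field('message');

    if ($name === null || $subject === null || $email === false || $message === '') {
        $notice = 'One of the fields is missing or invalid.';
    } else {
        $ip   = $_SERVER['REMOTE_ADDR'];
        $body = "Name: $name\nEmail: $email\nIP: $ip\n"
              . "Subject: $subject\n\nMessage:\n$message";
        // Fixed From; the validated visitor address only appears in Reply-To.
        $headers = "From: $from\r\nReply-To: $email";
        $sent    = mail($to, "Email from $name", $body, $headers);
        $notice  = $sent ? 'Thanks, your form has been sent.' : 'Sending failed.';
    }
}
// HTML-escape only where a value is written into the page.
$self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
?>
<p><?= htmlspecialchars($notice, ENT_QUOTES, 'UTF-8') ?></p>
<form method="post" action="<?= $self ?>">
  Name:<br><input type="text" name="name" size="20"><br>
  Email:<br><input type="text" name="email" size="20"><br>
  Subject:<br><input type="text" name="subject" size="20"><br>
  Message:<br><textarea name="message" cols="45" rows="6"></textarea><br>
  <input type="submit" name="send" value="Send">
</form>
```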
Yes except.. there are no variables called $name, $email, $subject etc prior so look at this example.
PHP Code:
<?php
if (isset($_POST['send']))
{
    if(empty($name) || empty($email) || empty($subject) || empty($message))
    {
        echo "One of the fields hasn't been filled in!";
    }
    else
    {
        $name = addslashes(htmlspecialchars($_POST['name']));
        $email = addslashes(htmlspecialchars($_POST['email']));
        $subject = addslashes(htmlspecialchars($_POST['subject']));
        $message = addslashes(htmlspecialchars($_POST['message']));
        // The other code
    }
}
else
{
    // The else
}
?>
Taken directly from your code - as you can see that it's checking if $name, $value, etc are empty yet there are no values assigned to those until later once it's passed the form validation.
Variables don't have to be declared, it's just better coding if they are.
If I made a script like this:
Code:
<?php echo $lol; ?>
and went to script.php?lol=John. 'John' would be outputted.
I don't see the point in using addslashes and htmlspecialchars though. It's going to an email so there's no risk of XSS and there's no SQL, so no risk of SQL injection.
Last edited by Jxhn; 27-10-2008 at 07:23 PM.
That's what it is meant to do? If they submit the form and don't fill in any fields, when they press Submit it will kick them an error.
Back for a while.
Jxhn, are you a complete noob that wants to act as if you know what you're talking about, because that's what it seems like. Firstly by making a page called file.php with the following code
PHP Code:
<?php echo $lol; ?>
and then going to the url file.php?lol=John it will not output "John" it will output nothing! because $lol isn't assigned to any variable. You can get it like that though by using extract($_GET); such example is like
PHP Code:
<?php
extract($_GET);
echo $lol; ?>
but other than that, your comment makes you look like an idiot. Secondly I said nothing about XSS or SQL Injections, I was simply only using what the guy who posted used and the negatives of using it. Thirdly XSS attacks can be dangerous, by using it they could add javascript in which could result in a hijack of their session etc. just have a look at a XSS example by wikipedia.
DOM-based attack[18]
1. Mallory sends the URL of a maliciously constructed web page to Alice, using email or another mechanism.
2. Alice clicks on the link.
3. The malicious web page's JavaScript opens a vulnerable HTML page installed locally on Alice's computer.
4. The vulnerable HTML page contains JavaScript which executes in Alice's computer's local zone.
5. Mallory's malicious script now may run commands with the privileges Alice holds on her own computer.
Yeah, no real XSS danger there!
Excellent2 - That's only a snippet of the original code but that's the general idea it was mainly from Dilore though.
Seriously Jxhn if you're going to make claims at least have the knowledge to back it up.
Last edited by Iszak; 27-10-2008 at 08:45 PM.