Am i missing somthing here...

Mr Macro · 18-04-2007, 03:54 PM

Code:

<?php
ob_start;
if($_SERVER['REQUEST_METHOD']=="POST")(
setcookie("name", "$_POST['name'];", time()+3600");
else { ?>
<form name="name" method="post" action="<?=$_SERVER['PHP_SELF'];?>">
Name: 
<input name="name" type="text">
<br> 
<input type="submit" name="Submit" value="Submit"> 
</form>
<?php
}
?>

Missing somthing, cant quite put my finger on it...

Invent · 18-04-2007, 04:02 PM

You're missing an "}" :\

PHP Code:


<?php
ob_start;
if($_SERVER['REQUEST_METHOD']=="POST")(
setcookie("name", "$_POST['name'];", time()+3600");
} else { ?>
<form name="name" method="post" action="<?=$_SERVER['PHP_SELF'];?>">
Name: 
<input name="name" type="text">
<br> 
<input type="submit" name="Submit" value="Submit"> 
</form>
<?php
}
?>

Mr Macro · 18-04-2007, 04:07 PM

Ah i see now, thanks, +REP

Still doesnt work.

Mr Macro · 18-04-2007, 04:09 PM

PLEASE IGNORE

Mentor · 18-04-2007, 04:14 PM

Originally Posted by Mr Macro

Code:

<?php
ob_start;
if($_SERVER['REQUEST_METHOD']=="POST") {
setcookie("name", $_POST['name'], time()+3600);
} else { 
?>
<form name="name" method="post" action="<?=$_SERVER['PHP_SELF'];?>">
Name: 
<input name="name" type="text">
<br> 
<input type="submit" name="Submit" value="Submit"> 
</form>
<?php
}
?>

Missing somthing, cant quite put my finger on it...

You were useing ( instead of { and missed the second one completely. you also had an unopened " being closed, and a ; after a variable within a function.

Mr Macro · 18-04-2007, 04:22 PM

Thats my half assed style of coding for you.Thanks

nets · 18-04-2007, 09:24 PM

It's likely that by using the superglobal 'PHP_SELF', you're exposing yourself to a XSS vulnerability. Before outputting it, you should run it through htmlentities.

Mr Macro · 18-04-2007, 09:29 PM

Thanks for the concern, but its just on my local macheane.I'm just doing some PHP practice.

Mentor · 18-04-2007, 09:51 PM

Originally Posted by nets

It's likely that by using the superglobal 'PHP_SELF', you're exposing yourself to a XSS vulnerability. Before outputting it, you should run it through htmlentities.

o.0 in that instance i dont see how it would be any use, sure you could include the page and get it to think the includeing page was where the form should be send? but you could just as easly rewrite the entire form and send it where ever you wanted anyway o.0

nets · 18-04-2007, 11:43 PM

It's possible to add characters (for instance, HTML/JavaScript) onto the end of a URL, which the superglobal 'PHP_SELF' will contain; hence why you shouldn't output it without running it through htmlentities.

Thread: Am i missing somthing here...

Thread Tools

Am i missing somthing here...

Posting Permissions