
form data disappears

When user encounters an error, data disappears

   
11:51 am on Jan 17, 2013 (gmt 0)



Hi, I am new to webmasterworld.com.
I am stuck on trying to get my code to work.
On the contact form, if a user doesn't fill out a required field then an error appears with what they must do, but their data has disappeared. Below is the code I currently have.
Any help would be greatly appreciated.

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="css/lightbox.css" rel="stylesheet" />
</head>

<body>
<?php

if (isset($_POST['submit'])) {
$error = "";

if (!empty($_POST['Name'])) {
$name = $_POST['Name'];
} else {
$error .= "You didn't type in your name. <br />";
}

if (!empty($_POST['Email'])) {
$email = $_POST['Email'];
if (!preg_match("/^[_a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)){
$error .= "The e-mail address you entered is not valid. <br/>";
}
} else {
$error .= "You didn't type in an e-mail address. <br />";
}

if (!empty($_POST['Message'])) {
$message = $_POST['Message'];
} else {
$error .= "You didn't type in a message. <br />";
}

if (!empty($_POST['Telephone'])) {
$telephone= $_POST['Telephone'];
}

if(($_POST['code']) == $_SESSION['code']) {
$code = $_POST['code'];
} else {
$error .= "The captcha code you entered does not match. Please try again. <br />";
}

if (empty($error)) {
$from = 'From: ' . $name . ' <' . $email . '>';
$to = "email@emial.com";
$subject = "Message from website";
$content = " From: ".$name . "\n Phone number: " . $telephone . "\n Message: " . $message;
$success = "<h3>Thank you! Your message has been sent!</h3>";
mail($to,$subject,$content,$from);
}
}
?>

<p>&nbsp;</p>
<table align="center" width="1090" border="0" >
<tr>
<td valign="top">
<div class="Contactpage-BG">
<table border="0" align="left" width="100%">

<tr>
<td>
</td>

</tr>
<tr>
<td align="left">
<div class="Testimonial">
<div class="Contact-BG">

<div class="Contact-Midleft">

</div>
<div class="Contact-text">
<p class="Contact-text"><i> *Compulsory Fields</i> </p>
</div>

<form method="post" action="" >
<table width="600" height="531" border="0" cellpadding="0">
<tr>
<td width="111" height="28" class="Contact-text"><div class="Contactboxes-name-label">*Name:</div></td>
<td colspan="2">
<input name="Name" type="text" class="Contactboxes-name" id="Name" value="<?php echo $_POST['name']; ?>"/>
</td>
</tr>
<tr>
<td height="28" class="Contact-text"><div class="Contactboxes-email-label">*Email:</div></td>
<td colspan="2"><input name="Email" type="text" size="60" class="Contactboxes-email" id="Email" value="<?php echo $_POST['email']; ?>"/></td>
</tr>
<tr>
<td height="28" class="Contact-text"><div class="Contactboxes-telephone-label"> Telephone:</div></td>
<td colspan="2"><input name="Telephone" type="text" class="Contactboxes-telephone" id="Telephone" value="<?php echo $_POST['telephone']; ?>"/></td>
</tr>
<tr>
<td height="139" valign="top" class="Contact-text"><div class="Contactboxes-message-label">*Message:</div></td>
<td colspan="2"><textarea name="Message" cols="56" rows="11" class="Contacttextarea" id="Message"><?php echo $_POST['message']; ?></textarea></td>
</tr>
<tr>
<td valign="top" class="Contact-text"><div class="Contactboxes-spam-label">*Anti-SpamBot Code:</div></td>
<td colspan="2" valign="top"><div class="Contactboxes-spam">Please enter the numbers you see in this image<br />
into the box below</div></td>
</tr>
<tr>
<td height="51">&nbsp;</td>
<td width="209" valign="top"><div class="Captchaimagebox"><label><img src="captcha.php"></label></div></td>
<td width="252" rowspan="3" valign="top">
<?php
if (!empty($error)) {
echo '<p class="error"><font color="#FF0000"><strong>Your message was NOT sent</strong></font><br/>' . $error . '</p>';
} elseif (!empty($success)) {
echo $success;
}
?>
</td>
</tr>
<tr>
<td height="48">&nbsp;</td>
<td valign="top"><input name="code" type="text" class="Captchabox"></td>
</tr>
<tr>
<td height="65">&nbsp;</td>
<td><input type="submit" class="Contact-Send" name="submit" value="" /></td>
</tr>

</table>
<p>
<div class="contactfields">
<label for="Name"></label></div></p>
</form>


</div>
<div class="Contact-Midright"></div>
</div>



</td>

</tr>

</table>


</div>
</td>
</tr>
</table>
</body>
</html>
12:17 pm on Jan 17, 2013 (gmt 0)

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Hash keys for arrays are case-sensitive.


<input name="Email" type="text" size="60" class="Contactboxes-email" id="Email" value="<?php echo $_POST['email']; ?>"/>

See the "Email" used to send it to you and the "email" used to send it back?

That said, this is a classic example of a website vulnerable to Cross Site Scripting (XSS) - well at least once you fix this.

Ref: [owasp.org...]
1:20 pm on Jan 17, 2013 (gmt 0)



Thanks swa66,
That works perfectly.
You're a star.
3:44 pm on Jan 17, 2013 (gmt 0)

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I hope you fixed the XSS security bugs. Remember that any XSS affects your entire site - not just the vulnerable element itself.
2:17 pm on Jan 21, 2013 (gmt 0)



What XSS security bugs? And how do I fix them?
With the form, if the user has filled out the form successfully, a message says that it has been sent, but the data in the fields is still there. Any way to correct this?
Kind Regards
James
3:06 pm on Jan 21, 2013 (gmt 0)

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Anywhere where you send back unfiltered input is a XSS vulnerability.

For how to fix them, see the link to OWASP above for a comprehensive answer.

In essence: make sure there is no html in the input that goes back to the user - yes that's all it takes to have a XSS vulnerability.

Simply changing < > " ' and & to their respective htmlentities is enough in the cases you've shown so far.
htmlencode() is ok too - but it's not a generic solution in all possible cases - you should escape those things that in the context of where you output them can hurt you.
3:44 pm on Jan 21, 2013 (gmt 0)



Will this correct the issue of the data still being there once the user has clicked on "Send" and all the fields are completed correctly?
5:49 pm on Jan 21, 2013 (gmt 0)

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



It doesn't matter that you do not echo back upon success; anywhere there is a possibility of echoing back unfiltered content is more than enough for an attacker to exploit it - even an error page is plenty of an opportunity.
The attacker does not need to use your form ... they can make their own (it might not even look like a form at all; just a button or link is enough for them). If you process the input and send unfiltered output back: you lose (and/or your users lose).

What attackers do with XSS is insert javascript in the input and then it runs in the context of your website - hence having access to e.g. cookies the browser has to authenticate -> it then forwards that to the attacker allowing him access.

Don't output unfiltered user input: running it through htmlencode() before you output it will remove most of the problems. Actually, there are functional problems solved there too.
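The following is an added example, not the original poster's code and not anything swa66 posted: it takes the contact-form fragment from this thread and applies the three points raised above in one place. The $_POST keys are read with the same case the form uses (Name, not name), every value echoed back into the page goes through htmlspecialchars() so that < > " ' and & cannot break out of the attribute or element they are printed into, and the previously submitted values are no longer redisplayed once the message has been sent (James's later question). It assumes the field names from the thread's form, that captcha.php stores its answer in $_SESSION['code'], and a placeholder recipient address; filter_var() is used in place of the original e-mail regex.

```php
<?php
// Added example (not the thread's own code): hardened version of the
// contact-form handling discussed above.
session_start();

// Escape a value for output inside an HTML attribute or element body.
// ENT_QUOTES covers both " and ' so the result is safe in value="..." as
// well as between tags. Other contexts (JavaScript, URLs) need other encoders.
function h($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Previously submitted value for $field, already escaped. Returns '' when
// nothing was submitted or when $clear is true (i.e. after a successful send).
// Key case matters: $_POST['Name'] and $_POST['name'] are different keys.
function old($field, $clear) {
    if ($clear || !isset($_POST[$field])) {
        return '';
    }
    return h($_POST[$field]);
}

$errors = array();
$sent   = false;

if (isset($_POST['submit'])) {
    $name      = isset($_POST['Name'])      ? trim($_POST['Name'])      : '';
    $email     = isset($_POST['Email'])     ? trim($_POST['Email'])     : '';
    $telephone = isset($_POST['Telephone']) ? trim($_POST['Telephone']) : '';
    $message   = isset($_POST['Message'])   ? trim($_POST['Message'])   : '';
    $code      = isset($_POST['code'])      ? (string)$_POST['code']    : '';

    if ($name === '') {
        $errors[] = "You didn't type in your name.";
    }
    if ($email === '') {
        $errors[] = "You didn't type in an e-mail address.";
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'The e-mail address you entered is not valid.';
    }
    if ($message === '') {
        $errors[] = "You didn't type in a message.";
    }
    // Strict comparison: a missing session value must never match.
    if (!isset($_SESSION['code']) || (string)$_SESSION['code'] !== $code) {
        $errors[] = 'The captcha code you entered does not match. Please try again.';
    }

    if (!$errors) {
        $headers = 'From: ' . $name . ' <' . $email . '>';
        $body    = "From: $name\nPhone number: $telephone\nMessage: $message";
        // 'email@example.com' is a placeholder recipient for this example.
        $sent = mail('email@example.com', 'Message from website', $body, $headers);
        unset($_SESSION['code']); // one captcha answer per submission
    }
}
?>
<form method="post" action="">
  <!-- $sent controls whether the old values are shown again. -->
  <input name="Name" type="text" id="Name" value="<?php echo old('Name', $sent); ?>" />
  <input name="Email" type="text" id="Email" value="<?php echo old('Email', $sent); ?>" />
  <input name="Telephone" type="text" id="Telephone" value="<?php echo old('Telephone', $sent); ?>" />
  <textarea name="Message" id="Message"><?php echo old('Message', $sent); ?></textarea>
  <img src="captcha.php" alt="" />
  <input name="code" type="text" autocomplete="off" />
  <input type="submit" name="submit" value="Send" />
</form>
<?php if ($errors): ?>
  <p class="error"><strong>Your message was NOT sent</strong><br />
  <?php echo implode('<br />', array_map('h', $errors)); ?></p>
<?php elseif ($sent): ?>
  <h3>Thank you! Your message has been sent!</h3>
<?php endif; ?>
```

With this, a submitted name of O'Brien <b>&</b> is redisplayed literally as text rather than interpreted as markup, because h() turns it into O&#039;Brien &lt;b&gt;&amp;&lt;/b&gt; before it reaches the browser. The error list goes through the same helper even though its strings are fixed, so that any future message built from user input is covered by the same rule: nothing reaches the HTML without being escaped for the context it lands in.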