1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 10:52 pm Apr 27, 2026

Forum Moderators: coopster

Message Too Old, No Replies

form data disappears

When user encounters an error, data disappears

         

jamescurl

11:51 am on Jan 17, 2013 (gmt 0)

10+ Year Member



Hi, I am new to webmasterworld.com.
I am stuck on trying to get my code to work.
On the contact form, if a user doesn't fill out a required field then an error appears with what they must do, but their data has disappeared. Below is the code I currently help.
Any help would be greatly appreciated. 

<?php session_start(); ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<link href="css/lightbox.css" rel="stylesheet" />
</head>

<body>
<?php

 if (isset($_POST['submit'])) {
 $error = "";

 if (!empty($_POST['Name'])) {
 $name = $_POST['Name'];
 } else {
 $error .= "You didn't type in your name. <br />";
 }

 if (!empty($_POST['Email'])) {
 $email = $_POST['Email'];
 if (!preg_match("/^[_a-z0-9]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/i", $email)){ 
 $error .= "The e-mail address you entered is not valid. <br/>";
 }
 } else {
 $error .= "You didn't type in an e-mail address. <br />";
 }

 if (!empty($_POST['Message'])) {
 $message = $_POST['Message'];
 } else {
 $error .= "You didn't type in a message. <br />";
 }

if (!empty($_POST['Telephone'])) {
 $telephone= $_POST['Telephone'];
 }

 if(($_POST['code']) == $_SESSION['code']) { 
 $code = $_POST['code'];
 } else { 
 $error .= "The captcha code you entered does not match. Please try again. <br />"; 
 }

 if (empty($error)) {
 $from = 'From: ' . $name . ' <' . $email . '>';
 $to = "email@emial.com";
 $subject = "Message from website";
 $content = " From: ".$name . "\n Phone number: " . $telephone . "\n Message: " . $message;
 $success = "<h3>Thank you! Your message has been sent!</h3>";
 mail($to,$subject,$content,$from);
 }
 }
 ?>

<p>&nbsp;</p>
<table align="center" width="1090" border="0" >
 <tr>
 <td valign="top">
 <div class="Contactpage-BG">
 <table border="0" align="left" width="100%">
 
 <tr>
 <td>
</td>

 </tr>
 <tr>
 <td align="left">
 <div class="Testimonial">
<div class="Contact-BG">
 
 <div class="Contact-Midleft">

 </div>
 <div class="Contact-text">
 <p class="Contact-text"><i> *Compulsory Fields</i> </p>
 </div>
 
 <form method="post" action="" >
 <table width="600" height="531" border="0" cellpadding="0">
 <tr>
 <td width="111" height="28" class="Contact-text"><div class="Contactboxes-name-label">*Name:</div></td>
 <td colspan="2">
 <input name="Name" type="text" class="Contactboxes-name" id="Name" value="<?php echo $_POST['name']; ?>"/>
 </td>
 </tr>
 <tr>
 <td height="28" class="Contact-text"><div class="Contactboxes-email-label">*Email:</div></td>
 <td colspan="2"><input name="Email" type="text" size="60" class="Contactboxes-email" id="Email" value="<?php echo $_POST['email']; ?>"/></td>
 </tr>
 <tr>
 <td height="28" class="Contact-text"><div class="Contactboxes-telephone-label"> Telephone:</div></td>
 <td colspan="2"><input name="Telephone" type="text" class="Contactboxes-telephone" id="Telephone" value="<?php echo $_POST['telephone']; ?>"/></td>
 </tr>
 <tr>
 <td height="139" valign="top" class="Contact-text"><div class="Contactboxes-message-label">*Message:</div></td>
 <td colspan="2"><textarea name="Message" cols="56" rows="11" class="Contacttextarea" id="Message"><?php echo $_POST['message']; ?></textarea></td>
 </tr>
 <tr>
 <td valign="top" class="Contact-text"><div class="Contactboxes-spam-label">*Anti-SpamBot Code:</div></td>
 <td colspan="2" valign="top"><div class="Contactboxes-spam">Please enter the numbers you see in this image<br />
into the box below</div></td>
 </tr>
 <tr>
 <td height="51">&nbsp;</td>
 <td width="209" valign="top"><div class="Captchaimagebox"><label><img src="captcha.php"></label></div></td>
 <td width="252" rowspan="3" valign="top">
 <?php
 if (!empty($error)) {
 echo '<p class="error"><font color="#FF0000"><strong>Your message was NOT sent</strong></font><br/>' . $error . '</p>';
 } elseif (!empty($success)) {
 echo $success;
}
?>
 </td>
 </tr>
 <tr>
 <td height="48">&nbsp;</td>
 <td valign="top"><input name="code" type="text" class="Captchabox"></td>
 </tr>
 <tr>
 <td height="65">&nbsp;</td>
 <td><input type="submit" class="Contact-Send" name="submit" value="" /></td>
 </tr>

 </table>
 <p>
 <div class="contactfields"> 
 <label for="Name"></label></div></p>
 </form>

 
</div>
 <div class="Contact-Midright"></div>
 </div>
 

 
</td>
 
 </tr>

 </table>
 
 
 </div>
 </td>
 </tr>
</table>
</body>
</html>

swa66

12:17 pm on Jan 17, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



hash keys for arrays are case-sensitve. 


<input name="Email" type="text" size="60" class="Contactboxes-email" id="Email" value="<?php echo $_POST['email']; ?>"/>

See the "Email" used to send it to you and the "email" used to send it back ?

That said, this is a classic example of a website vulnerable to Cross Site Scripting (XSS) - well at least once you fix this.

Ref: [owasp.org...]

jamescurl

1:20 pm on Jan 17, 2013 (gmt 0)

10+ Year Member



Thanks swa66,
That works perfectly.
You're a star.

swa66

3:44 pm on Jan 17, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I hope you fixed the XSS security bugs. Remember that any XSS affects your entire site - not just the vulnerable element itself.

jamescurl

2:17 pm on Jan 21, 2013 (gmt 0)

10+ Year Member



What XSS security bugs? and how do i fix them.
With the form, if the user has filled out the form successfully, a message says that it has been sent, but the data in the fields is still there. Any way to correct this?
Kind Regards
James

swa66

3:06 pm on Jan 21, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Anywhere where you send back unfiltered input is a XSS vulnerability.

How to fix them see the link to oawsp above for a comprehensive answer.

In essence: make sure there is no html in the input that goes back to the user - yes that's all it takes to have a XSS vulnerability.

Simply changing < > " ' and & to their respective htmlentities is enough in the cases you've shown so far.
htmlencode() is ok too - but it's not a generic solution in all possible cases - you should escape those things that in the context of where you output them can hurt you.

jamescurl

3:44 pm on Jan 21, 2013 (gmt 0)

10+ Year Member



Will this correct the issue of data still be there once the user has clicked on "Send" and all the fields are completed correctly?

swa66

5:49 pm on Jan 21, 2013 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It doesn't matter that you do not echo back upon success, any way there is a possibility for echoing back unfiltered content is more than enough for an attacker to exploit it - even an error page is plenty of an opportunity.
The attacker does not need to use your form ... they can make their own (it might even not look like a form at all just a button or link is enough for them. If you process the input and send unfiltered output back: you lose (and/or your users lose).

What attackers do with XSS is insert javascript in the input and then it runs in the context of your website - hence having access to e.g. cookies the browser has to authenticate -> it then forwards that to the attacker allowing him access.

Don't output unfiltered user input: running it through htmlencode() before you output it. will remove most of the problems. Actually: there are functional problems solved there too.
 

Join The Conversation

Moderators and Top Contributors

Hot Threads This Week

  1. Home
  2. Forums Index
  3. Server Side / PHP Server Side Scripting 10:52 pm Apr 27, 2026