smartic
Forum Newbie
Posts: 3 Joined: Thu Jul 19, 2007 5:37 am
by smartic » Thu Jul 19, 2007 5:40 am
    <html>
    <head>
    <title>Test</title>
    </head>
    <body>
    <form id="form1" name="form1" method="post" action="indexs.php">
        <input type="text" name="username" id="username" value="<?php echo $_POST['username'];?>"/>
        <br />
        <input type="text" name="pass" id="pass" />
        <br />
        <input type="submit" name="button" id="button" value="Submit" />
    </form>
    <?php
    $user     = $_POST['username'];
    $password = $_POST['pass'];
    $btn      = $_POST['button'];

    function handle_errors($input, $msg) {
        if ($input == "") {
            echo "<span class='RED'>" . $msg . "</span><br />";
        }
    }

    if ($btn) {
        handle_errors($user, "Fill user Field");
        handle_errors($password, "Fill password Field");
    }
    ?>
    </body>
    </html>
I need help with this code. I want the handle_errors function not to be executed until I press the Submit button.
Last edited by smartic on Thu Jul 19, 2007 6:52 am, edited 2 times in total.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Thu Jul 19, 2007 6:04 am
$username and $pass are not defined.
You appear to understand how if statements work, so I'm confused when you are unable to detect the submit button (or rather the submission).
print_r($_POST) and/or print_r($_SERVER) may shed some light.
Also note that without proper handling your echo of $_POST['username'] will at minimum throw a notice, but also open the page to injection.
smartic
Forum Newbie
Posts: 3 Joined: Thu Jul 19, 2007 5:37 am
by smartic » Thu Jul 19, 2007 6:51 am
Thank you for the reply, but how can this code open the page to injection, and how can I solve this problem? Thanks.
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Thu Jul 19, 2007 6:59 am
Blindly echoing $_POST data allows anyone to inject HTML code into your page. At minimum, use htmlspecialchars() on the information.
Also, make sure error_reporting is set to E_ALL, not E_ALL ^ E_NOTICE (or similar variants).
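For reference, here is a hardened version of the form handler from the first post that puts the two replies above into practice. This is an added example, not code posted by smartic or feyd. It assumes PHP 7.0 or newer (for the `??` operator), a page served as UTF-8, and that the form posts back to the same script; the helper name `h()` and the `validate()` function are this example's own choices. The two points it demonstrates: detecting the submission via the request method rather than a possibly-undefined `$_POST['button']`, and escaping every piece of request data before it lands in HTML.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7.0+, UTF-8 output,
// and that the form posts back to this same script.

declare(strict_types=1);

// As advised above: keep notices visible while developing so that an
// undefined index like $_POST['button'] is never silently ignored.
error_reporting(E_ALL);
ini_set('display_errors', '1');

// 1. Detect the submission by HTTP method, not by a field that may be absent.
//    $_POST['button'] only exists when that exact button was clicked (some
//    browsers omit it on an Enter-key submit); REQUEST_METHOD is reliable and
//    the ?? default avoids an "Undefined index" notice on the first GET.
$submitted = ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST';

// 2. Read inputs with an empty-string default so nothing is undefined;
//    trim() makes a whitespace-only username count as empty.
$user     = trim((string)($_POST['username'] ?? ''));
$password = (string)($_POST['pass'] ?? '');

// 3. One escaping helper (name is this example's own) used wherever untrusted
//    data meets HTML. ENT_QUOTES also escapes single quotes, which matters
//    inside attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from producing an
//    empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. Validation returns messages instead of echoing mid-page, and returns
//    nothing at all until the form has actually been submitted.
function validate(bool $submitted, string $user, string $password): array
{
    $errors = [];
    if (!$submitted) {
        return $errors;
    }
    if ($user === '') {
        $errors[] = 'Fill user field';
    }
    if ($password === '') {
        $errors[] = 'Fill password field';
    }
    return $errors;
}

$errors = validate($submitted, $user, $password);
?>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Test</title>
</head>
<body>
<?php foreach ($errors as $msg): ?>
<span class="RED"><?= h($msg) ?></span><br />
<?php endforeach; ?>
<form id="form1" name="form1" method="post">
<!-- The original echoed $_POST['username'] raw. A submitted username of
     "><script>alert(1)</script>  would close the value attribute and run
     as script. Passed through h(), it is rendered as literal text. -->
<input type="text" name="username" id="username" value="<?= h($user) ?>" />
<br />
<!-- Use a password field and never re-populate it from the request. -->
<input type="password" name="pass" id="pass" />
<br />
<input type="submit" name="button" id="button" value="Submit" />
</form>
</body>
</html>
```

To see the difference, submit a username of `"><b>x</b>` to the original script and to this one: the original renders bold text outside the input (the attribute was closed by the injected quote), while this version shows the string verbatim inside the field.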