Web Form with PHP

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

genie
Forum Newbie
Posts: 6
Joined: Thu Apr 13, 2006 8:21 am

Web Form with PHP

Post by genie »

Hi

I want to add a web feedback form to my site, supported by PHP code. I have written the code and done everything, but every time I try to submit my form the browser asks to open or save a file. When I click on open, it opens the .php file in Dreamweaver.

I don't understand why this is happening. I have done everything I could do or know. I have tried to make the form with different ideas, coding in different ways. Still unable to find the problem.

Please help.

Regards.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

When you open the file, does it show the internal code or the generated output?
genie
Forum Newbie
Posts: 6
Joined: Thu Apr 13, 2006 8:21 am

Post by genie »

Yes it does, but in Dreamweaver.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It sounds like your server is not parsing PHP files.
genie
Forum Newbie
Posts: 6
Joined: Thu Apr 13, 2006 8:21 am

Post by genie »

My site has Linux hosting. My host supports PHP and Perl.
Earlier I was using CDOSYS; since it didn't work, I asked my host. They told me that presently they support only Linux hosting and PHP/Perl.
What possibly are my options?

PS: Really sorry for disturbing. I didn't realise you are the administrator. I was only looking for someone for some instant help.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

What's your code, what filename (exactly) did you use?

Does the following work when run in a new file? Tell us the results if it does please.

Code: Select all

<?php

$ve = phpversion();
$os = PHP_OS;
$er = intval(error_reporting());
$rg = (in_array(strtolower(ini_get('register_globals')), array(0, false, '', null, 'off')) ? 'Off' : 'On');
$de = (in_array(strtolower(ini_get('display_errors')), array(0, false, '', null, 'off')) ? 'Off' : 'On');
$so = (in_array(strtolower(ini_get('short_open_tag')), array(0, false, '', null, 'off')) ? 'Off' : 'On');
$eol = (isset($_SERVER['HTTP_HOST']) ? "<br />\n" : "\n");

$ec = array(
   'E_STRICT' => 2048,
   'E_ALL' => 2047,
   'E_USER_NOTICE' => 1024,
   'E_USER_WARNING' => 512,
   'E_USER_ERROR' => 256,
   'E_COMPILE_WARNING' => 128,
   'E_COMPILE_ERROR' => 64,
   'E_CORE_WARNING' => 32,
   'E_CORE_ERROR' => 16,
   'E_NOTICE' => 8,
   'E_PARSE' => 4,
   'E_WARNING' => 2,
   'E_ERROR' => 1,
);

$e = array();
$t = $er;
foreach ($ec as $n => $v)
{
   if (($t & $v) == $v)
   {
      $e[] = $n;
      $t ^= $v;
   }
}
$er = $er . ' (' . implode(' | ', $e) . ')';

echo 'PHP Version: ' . $ve . $eol;
echo 'PHP OS: ' . $os . $eol;
echo 'Error Reporting: ' . $er . $eol;
echo 'Register Globals: ' . $rg . $eol;
echo 'Short Tags: ' . $so . $eol;
echo 'Display Errors: ' . $de . $eol;

?>
genie
Forum Newbie
Posts: 6
Joined: Thu Apr 13, 2006 8:21 am

Post by genie »

feyd | Please use code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


my php code is:

Code: Select all

<?
// ------------- CONFIGURABLE SECTION ------------------------

// $mailto - set to the email address you want the form
// sent to, eg
//$mailto		= "youremailaddress@example.com" ;

$mailto = 'mridu@myamsterdam.co.uk' ;

// $subject - set to the Subject line of the email, eg
//$subject	= "Feedback Form" ;

$subject = "Feedback Form" ;

// the pages to be displayed, eg
//$formurl		= "http://www.example.com/feedback.html" ;
//$errorurl		= "http://www.example.com/error.html" ;
//$thankyouurl	= "http://www.example.com/thankyou.html" ;

$formurl = "http://www.myamsterdam.co.uk/feedback.html" ;
$errorurl = "http://www.myamsterdam.co.uk/error.html" ;
$thankyouurl = "http://www.myamsterdam.co.uk/thankyou.html" ;

$uself = 1;

// -------------------- END OF CONFIGURABLE SECTION ---------------

$headersep = (!isset( $uself ) || ($uself == 0)) ? "\r\n" : "\n" ;
$name = $_POST['name'] ;
$email = $_POST['email'] ;
$comments = $_POST['comments'] ;
$http_referrer = getenv( "HTTP_REFERER" );

if (!isset($_POST['email'])) {
	header( "Location: $formurl" );
	exit ;
}
if (empty($name) || empty($email) || empty($comments)) {
   header( "Location: $errorurl" );
   exit ;
}
if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) ) {
	header( "Location: $errorurl" );
	exit ;
}

if (get_magic_quotes_gpc()) {
	$comments = stripslashes( $comments );
}

$messageproper =

	"This message was sent from:\n" .
	"$http_referrer\n" .
	"------------------------------------------------------------\n" .
	"Name of sender: $name\n" .
	"Email of sender: $email\n" .
	"------------------------- COMMENTS -------------------------\n\n" .
	$comments .
	"\n\n------------------------------------------------------------\n" ;

mail($mailto, $subject, $messageproper,
	"From: \"$name\" <$email>" . $headersep . "Reply-To: \"$name\" <$email>" . $headersep . "X-Mailer: chfeedback.php 2.07" );
header( "Location: $thankyouurl" );
exit ;

?>
my file names are: feedback.php, feedback.html, thankyou.html and error.html


Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

A small number of hosts advertise PHP, but require you to make a support ticket requesting it to be enabled. I suggest checking your host docs for their basic PHP support policy.

I also strongly suggest using the <?php opening tags in case the short tag form is not enabled...
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

As soon as you're able to get php working...
genie wrote:

Code: Select all

$http_referrer = getenv( "HTTP_REFERER" );
I would write that as $http_referrer = $_SERVER['HTTP_REFERER'];
genie wrote: if ( ereg( "[\r\n]", $name ) || ereg( "[\r\n]", $email ) ) {
Input validation :) (But what happens if someone tries an attack with only "\n"?)
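
The line-break check timvw raises, applied to the From/Reply-To headers that genie's script passes to mail(), as an added example that is not part of any post in this thread. It uses preg_match because ereg was removed in PHP 7; the function names and the noreply@example.com sender address are assumptions.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

/** True if $value holds a lone CR, a lone LF, or any other control character. */
function has_header_break(string $value): bool
{
    // \x00-\x1F includes both \r and \n, so either one on its own is caught.
    return preg_match('/[\x00-\x1F\x7F]/', $value) === 1;
}

/** Build the extra headers for mail(), or return null if a field is unsafe. */
function build_feedback_headers(string $name, string $email): ?string
{
    if (has_header_break($name) || has_header_break($email)) {
        return null;
    }
    // Syntax check only; the control-character test above does not rely on it.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Remove characters that could end the quoted display name early.
    $safeName = str_replace(['"', '\\'], '', $name);
    // Assumption: From is a fixed site address (placeholder); the visitor's
    // address only appears in Reply-To.
    return "From: Feedback Form <noreply@example.com>\r\n"
         . "Reply-To: \"$safeName\" <$email>";
}

// Constructed sample submissions: [name, email].
$samples = [
    ['Alice', 'alice@example.com'],
    ["Alice\nBcc: other@example.com", 'alice@example.com'],   // lone LF in name
    ["Alice\rBcc: other@example.com", 'alice@example.com'],   // lone CR in name
    ['Alice', "alice@example.com\r\nBcc: other@example.com"], // CRLF in email
    ['Alice', 'not-an-address'],                              // fails syntax check
];
foreach ($samples as [$name, $email]) {
    $headers = build_feedback_headers($name, $email);
    printf("%-8s %s\n", $headers === null ? 'REJECT' : 'ACCEPT', json_encode([$name, $email]));
}
```

Only the first sample is accepted; a form handler would redirect to its error page whenever the function returns null.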
genie
Forum Newbie
Posts: 6
Joined: Thu Apr 13, 2006 8:21 am

Thanks

Post by genie »

Thank you very much to all of you for your help. My code is working now :P . As you can see I'm a novice, so I'm sorry for mistyping the code :roll: without proper tags and really sorry for directly using the IM :oops:.

But thank you very, very much for your support, I was very much worried.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

We all made a ton of mistakes when starting out ;) I'm pretty sure I posted code at some point without proper tags also...:)