profesionals pplz help

[andy]

hiii,
i started learning php5 from last few weeks
but i m stucked at a point from 4 days
i tried every thing but aint got any solution
so plz help me
i m wrting the code here
the codes is in 2 parts

1)<form method="GET" action="text.php">
who is my fav author?
<input name="Author" type="text">
<br><br>
<input type="submit" value="click!!!">

(saved with text.html)

2)<?php
echo $_GET['Author'];
?>

(saved with text.php)

i tried xampp,apache2.0,2.4
but same thing

no return value comes back

plz help me.

[rdivilbiss]

Finish your form, and your HTML.

An HTML page should have at a minimum:

<html>
<head>
  <title>Page Title</title>
</head>

</body>

</body>
</html>

Without all of these tags, the browser may not know what you want to display and may react in an unpredictable manner.

In your case, you need:

<html>
<head>
<title>Author Form</title>
</head>

<body>
<form method="get" action="text.php">
Who is my favorite author?
<input name="Author" type="text">
<br><br>
<input type="submit" value="click!!!">
</form>
</body>

</html>

To get the proper results, e.g. the form to submit the value to your next page.

http://www.cafesong.com/ert/text.html

Rod

[rdivilbiss]

Once you get your form working, you should change text.php, because echoing user input (the Author) field, to the browser unfiltered, is an XSS vulnerability.

if isset($_GET("Author")) {
    if (ctype_alpha($_GET("Author"))) {
        echo $_GET("Author")
    }
}

[andy]

i entered all the html tags in coding but to make message short i aint mentioned it in the question.

and the text.php one

if isset($_GET("Author")) {
    if (ctype_alpha($_GET("Author"))) {
        echo $_GET("Author")
    }
}

i didnt understand this
sorry,
actually i know that echo is used to return the input to the web browser.
and from the book i m learning has written only echo there,
so please can u explain me why i need to enter isset and ctype alpha?
thnx

[andy]

this piece of code also not working

if isset($_GET("Author")) {
    if (ctype_alpha($_GET("Author"))) {
        echo $_GET("Author")
    }
}

giving an eroor as follows

Parse error: syntax error, unexpected T_ISSET, expecting '(' in C:\Program Files\php5\webserver\Apache2\htdocs\vibhor\text.php on line 10


plzz plzzz help me

[andy]

i solved the error for '(' in T_ISSET
now the following error is coming

Fatal error: Can't use function return value in write context in C:\Program Files\php5\webserver\Apache2\htdocs\vibhor\text.php on line 10

[andy]

now its working
but sometimes its giving a return value (by using only echo $_GET['Author'];
and some times not
i cant understand what is happenning
now i used some other ftype of form now again no return value is coming

[andy]

i got some kinda new clue

when it is returning value with echo $_GET['Author'];

i see the page source code it is not showing any php code as usual
but when its is not returning any inputted value
page source code shows the php code with it..which is not good i believe

help!

[rdivilbiss]

Sorry...should be:

if (isset($_GET["Author"])) {
   if (ctype_alpha($_GET["Author"])) {
      echo($_GET["Author"]);
   }
}

Why?

The if (isset($_GET["Author"])) {   verifies a value was passed. If not the next statement will error.

Then if (ctype_alpha($_GET["Author"])) {   ensures an alpha value was passed before

echo($_GET["Author"]); writes it to the screen.

If you don't filter the input, then a person completing your form could submit <script>alert('XSS');</script> as input to your Author field, thus creating an XSS attack.

In my example form: http://www.cafesong.com/ert/text.html, I use my method of filtering input and also the was I posted here.

Enter Poe or Twain it works.  Enter <script>alert('XSS');</script> and nothing is displayed.

My method uses a rather robust filterClass and is discussed here: http://www.expertsrt.net/main/articlewiki.

Rod

[andy]

thnx alot rod
i got every thing u said
but unfortunately
one more problem occured
please solve this too



when i use checkboxes in form feed in html
suppose i used 4 check boxes

(i ingored general tags and codes for shortening the post)

1)<?php
echo $_POST"['check1'];
echo $_POST['check3'];
echo $_POST['check3'];
echo $_POST['check4'];
?>
(saved as text.php)

2)<form method="POST" action="text.php">
please tick in one of these here
<input name="check1" type="checkbox" value="hello1">
<input name="check2" type="checkbox" value="hello2">
<input name="check3" type="checkbox" value="hello3">
<input name="check4" type="checkbox" value="hello4">
<br><br>
<input type="submit" value="click!!!">
(saved as text.php)

now suppose i tick the second check box the answer get to me is hello2 but for rest 3 unchecked boxes it says

that check1,check2,check3 constants are not defined

help me!
thnx a lot

[rdivilbiss]

Nothing is sent for unchecked, checkboxes.

Ergo, the need for the isset() function.

if (isset($_POST["check1"])) {
      echo($_POST["check1"]);
}

If you are setting the values as "hello1" etc.... then


if (isset($_POST["check1"])) {
   if (ctype_alnum($_POST["check1"])) {
      echo($_POST["check1"]);
   }
}

To avoid XSS.  Even though your browser form has checkboxes, nothing prevents me from submitting a string of my own to your PHP script to try to attack you or the page.

So, you must always check if the posted field has contents, with isset(), then you must ensure the value input is not harmful, then you can echo it to the page.  Anything less will either error out or open you to an attack.

[CrYpTiC_MauleR]

just a side note if the value of Author is say John Doe then ctype_alpha() will return false because of the space. So preg_match('/^[a-z ]+$/Di', $_POST['Author']) would be better choice. Depends on what the author field might contain. =o)

[rdivilbiss]

http://www.cafesong.com/ert/text.html

just a side note if the value of Author is say John Doe then ctype_alpha() will return false because of the space. So preg_match('/^[a-z ]+$/Di', $_POST['Author']) would be better choice. Depends on what the author field might contain. =o)

I don't disagree, and of course use RegEx's in my filterClass mentioned above.

For names I use: /^[a-zA-Z\-\'\ ]+$/ so I can receive "O'Brian", "Santos-Gonzolez", or the above mentioned "John Doe."

So, for your first example of Author being submitted by the method GET, the PHP for all three methods is.

Code

Language: php (GeSHi-highlighted)
<?PHP
 
$tainted = $_GET["Author"];
 
if (isset($tainted)) {
	if (ctype_alpha($tainted)) {
		echo "Via ctype_alpha: " . $tainted . "<br>";
	}else{
		echo "Input failed via ctype_alpha.<br>";
	}
}
 
 
if (isset($tainted)) {
	// The regular expression pattern for a Name
	$regExPattern = "/^[a-zA-Z\-\'\ ]+$/";
	
	// If magic quotes are on we need to strip the \ from the value.
	if (get_magic_quotes_gpc()) {
		$tainted=stripslashes($tainted);
	}
	
	// find out if the submitted data matches the pattern...results go to an array
	preg_match($regExPattern, $tainted, $matchArray);
	if (!empty($matchArray)) {
	    // if the array is not empty, the first element is the match.
		echo "Via regEx: " . $matchArray[0] . "<br>";
	}else{
		echo "Input failed via regEx.<br>";
	}
}
 
// include the class file
require_once "filterClass.php";
// make a new GET object
$page_get = new requestGet();
// get the tainted input from "Author" using type "Name"
$author = $page_get->getVarByType("Author", $type="name");
// echo safe results
echo "Via filterClass: " . $author . "<br>";
?>

And the least number of lines to perform a safe, filtered retrieval of user input is via filterClass, because it does all the work for you.  Also filterClass is more functional than the new filtering being added to PHP 5.x and can be used by PHP 4.x and later.

[VGR]

yes, all you lacked was the /FORM
the other problems are probably linked to a bad php tags (<?php, <?) coding somewhere
I would also add a name="something" on the type="submit" input if I were you.
note also that if ever you intended to perform a javascript pre-validation of the FORM before submitting it, you would probably find more practical to have not only name="Author" on your FORM fields, but also id="Author"

regards ;-)

[andy]

huh!!
its all gone above my head
i m learner rite now,
but well thnx a lot all
for helping me so much and taking pain for my stupidity types of questions

and i will try to think what all solutions are,
 jokes apart
i will learn soon
:)