PHP7: Form Entries submitting with $_POST doesn't work - $_GET is ok - forms

I am new to Stackoverflow, but I already have a simple problem where I need your help.
I have a simple form, where the user has to submit his first and last name:
<form action="u_eingabe.php" method="post"> <!--enctype="application/x-www-form-urlencoded"-->
<p>First name: <input name="firstname" id="vor"/></p>
<p>Last name: <input name="lastname" id="nach"/></p>
<p><input type="submit" /></p>
</form>
The u_eingabe.php contains the following simple code for getting the first and last name:
<?php
echo "Ihre Adresse lautet:" . "<br />";
// Escape the submitted values before writing them into the HTML response.
echo htmlspecialchars($_POST['firstname'] . " " . $_POST['lastname']) . "<br />";
?>
On PHP5 there is no problem. It just transmits and displays the data. But on PHP 7.0.3 it doesn't show anything and throws the warnings, that the indexes are empty. (Notice: Undefined index: firstname)
The interesting thing is: if I switch to GET as method, everything is fine and it submits and displays the first and last name.
So has everything changed due to PHP7 for post method? Google didn't help out for this problem.

As I mentioned above, it works fine with php5. I didn't mention I use PHPStorm 10.0.3. I continued searching with google and found this:
https://intellij-support.jetbrains.com/hc/en-us/community/posts/206999125-PhPStorm-10-does-not-allow-POST-method
It seems to be an issue in PHPStorm 10.0.2 and higher that POST-Requests are empty in the phpstorm built-in webserver.


testing for html/script injection and getting kicked from a server

In researching an idea I came across a good YouTube video on security (with nodejs) which covered a lot more than the usual SQL injection. One such was simple script and html injection through html encoding. javascript buffers etc.
In researching this for a project I'm working on I came across this script from the php.net documentation website:
<?php
if ($_POST) {
echo '<pre>';
echo htmlspecialchars(print_r($_POST, true));
echo '</pre>';
}
?>
<form action="" method="post">
Name: <input type="text" name="personal[name]" /><br />
Email: <input type="text" name="personal[email]" /><br />
Beer: <br />
<select multiple name="beer[]">
<option value="warthog">Warthog</option>
<option value="guinness">Guinness</option>
<option value="stuttgarter">Stuttgarter Schwabenbräu</option>
</select><br />
<input type="submit" value="submit me!" />
</form>
Looking at the code, I believed the html injection was safe and as I didn't have somewhere to test this script out, I just uploaded it to a hosting domain I have and played with it remotely. When I tried a basic alert injection:
<script>alert("test");</script>
I got an error from the server (a 403 Forbidden). I thought I malformed the html so I tried some minor variations and before I knew it I was banned from my server :D (I was able to reset it, that's not the concern).
Tonight I deployed a VM with apache and php and started playing with it, and when I used the same code, I actually saw what I'd originally expected to see. The array output is presented as expected because of the htmlspecialchars.
Array
(
[personal] => Array
(
[name] => <b>bold</bold>
[email] => <script>alert("test");</script>
)
[beer] => Array
(
[0] => stuttgarter
)
)
What I'd like to know is:
1. Does the browser do some manipulation that nullifies the script tags since there's nothing in the form that does that? My guess is that nothing is an issue until it's attempted to be parsed by the page on form submission. Correct?
2. When I ran it locally the output was as expected (ie, no alert box and correct parsing) which infers that the values are somewhat "safe" until php attempts to parse them via the print_r. If I remove the htmlspecialchars the page fails to load ERR_BLOCKED_BY_XSS_AUDITOR (so that's good). If the original page never parses the raw code, why would the remote server ban my IP if it's correctly escaped within the output code? Again, I'm guessing, but would it be the host is just preemptively trying to prevent attacks and processing all $_POST vars for XSS?
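The submitted markup is inert data until a page writes it out unencoded, and the right encoder depends on where in the page it lands. The following is an added example, not part of the original post: the helper names `html_ctx` and `js_ctx` are hypothetical and the input array is constructed to match the form above.

```php
<?php
// Constructed sample input standing in for $_POST (same shape as the form above).
$post = [
    'personal' => [
        'name'  => '<b>bold</b>',
        'email' => '<script>alert("test");</script>',
    ],
    'beer' => ['stuttgarter'],
];

// Hypothetical helper: encode for HTML element content and quoted attribute values.
function html_ctx(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hypothetical helper: encode as a JavaScript string literal for use inside <script>.
// The JSON_HEX_* flags turn <, >, &, ' and " into \uXXXX escapes, so the value
// cannot close the string or the surrounding <script> element.
function js_ctx(string $s): string
{
    $json = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    if ($json === false) {
        throw new InvalidArgumentException('value could not be JSON-encoded');
    }
    return $json;
}

$email = $post['personal']['email'];

// 1. Element content: what the php.net snippet does with the print_r() dump.
echo '<pre>', html_ctx(print_r($post, true)), "</pre>\n";

// 2. Quoted attribute value: re-populating the field after a failed submit.
echo '<input type="text" name="personal[email]" value="', html_ctx($email), "\" />\n";

// 3. Script block: HTML entities are not decoded here, so use the JS encoder.
echo '<script>var submitted = ', js_ctx($email), ";</script>\n";
```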

Grails doesn't update data object when a file is included in GSP form?

I'm a Grails newbie, but I thought I was doing ok until I started messing about with file uploads. I'm trying to upload a file to S3 and store the file location in my data object.
My problem is I can upload a file fine, and I can update my data object fine, but for some crazy reason I can't do both at the same time!
Here's the simplified test code:
GSP Form:
<form method="post" url="[resource:fileBundleInstance, action:'test']" enctype="multipart/form-data">
<input type="file" name="bundle">
<g:actionSubmit class="save" action="test" value="Test" />
</form>
Controller:
@Transactional
def test(FileBundle fileBundleInstance) {
def file = request.getFile('bundle')
println file ? "found " + file.originalFilename : "no file"
fileBundleInstance.state = "test" // only works if no file input in form
redirect (action:'edit', id: fileBundleInstance.id)
}
So this code gets the file just fine, but doesn't update the state of the FileBundleInstance. However, if I comment out the file upload form element:
<form method="post" url="[resource:fileBundleInstance, action:'test']" enctype="multipart/form-data">
<!--input type="file" name="bundle"-->
<g:actionSubmit class="save" action="test" value="Test" />
</form>
... suddenly the state gets updated fine (but of course I have no file)!
I suspect I'm fundamentally misunderstanding something here about how GSP forms work in grails - can anyone set me right?
Oops... embarrassingly this is my mistake :-/.
It turns out that the name I was using for my file, 'bundle', was also the name of a field in my data object. Grails was throwing a data exception, and I didn't have good error handling (newbie, remember :-) ).
When I add lines:
fileBundleInstance.save();
fileBundleInstance.errors.allErrors.each {error ->
println error.toString()}
I see my nice shiny error - and if I change the name from 'bundle' to 'myfile' everything works. Oops.

Creating a Wordpress Plugin - Form Submission Fails when passed value of 00x00

I am writing a pretty simple plugin. I notice that when I submit a form with a text field with a value that is 2 or more digits followed by an x then followed by two or more digits that the form doesn't submit it redirects me to the index page. I get an apache error log message : [error] [client ::1] script '/Applications/MAMP/htdocs/index.php' not found or unable to stat but that is all of the info I can find.
To narrow down the problem, I made a super basic form that runs in the admin section with only one field. When it is submitted it calls a javascript alert to show the $_POST value. This works all day long UNTIL I enter 00x00 or any digits really with an x between them, 123x123, 999999999x999999999 etc...
In its intended use this field would have a dimension like 120x120 but for whatever reason the x is causing something weird to happen. Any ideas?
Here is the stripped down basic example, added to an admin menu page
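<?php
if (isset($_POST['update'], $_POST['image_url'])) {
    // json_encode() with the JSON_HEX_* flags emits a quoted JavaScript string literal,
    // so the submitted value cannot break out of alert() or the <script> element.
    $value = json_encode($_POST['image_url'], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    echo '<script type="text/javascript">', 'alert(' . $value . ');', '</script>';
}
?>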
<form method="post" action="<?php echo htmlspecialchars($_SERVER['REQUEST_URI']);?>">
<input name="image_url" id="image_url" type="text" maxlength="200" value="00x00"/>
<input name="update" type="submit" id="update" value="Submit" />
</form>

Change URL on submit form

So I am trying to make a simple external popup that has 1 pull down menu for category and 4 columns of checkboxes as tags. (this is to feed a wordpress search engine plugin)
I use regular form submit for this but I end up with this as final URL:
Site.com/?category_name=VALUE&tag=TAG1&tag=TAG2&tag=TAG3
But I want my URL to be like this:
Site.com/?category_name=VALUE&tag=tag1+tag2+tag3
Could anyone point me in the right direction into achieving this?
CATEGORY_NAME is for searching a specific WordPress category
and the TAGS are regular post tags.
You can't do that with a checkbox. That is not how checkboxes work. It is not a choice, really. It is the way that HTML, PHP, and your browser(s) are built.
Additionally, what you have done won't work. You've set the same variable to several different fields. Each time you set it, you overwrite the previous value. While your URL may look like ?category_name=VALUE&tag=TAG1&tag=TAG2&tag=TAG3 if you were to add var_dump($_GET); to your script you'd see that the only thing PHP sees is the last one-- tag=TAG3.
You can get the code working by using square brackets-- []-- in the checkbox names. An example in very minimal code (for demonstration purposes only):
echo '<form>';
echo '<input type="checkbox" name="tag[]" value="tag1">';
echo '<input type="checkbox" name="tag[]" value="tag2">';
echo '<input type="checkbox" name="tag[]" value="tag3">';
echo '<input type="checkbox" name="tag[]" value="tag4">';
echo '<input type="checkbox" name="tag[]" value="tag5">';
echo '<input type="checkbox" name="tag[]" value="tag6">';
echo '<input type="submit" value="Clickie">';
echo '</form>';
The 'tag' part of your URLs will look like this however:
&tag[]=tag1&tag[]=tag4&tag[]=tag6
That is just how checkboxes work. There are two workarounds that I can think of.
The first is to use Javascript to populate a hidden field in your form.
echo '<form>';
echo '<input type="hidden" name="tag" value="">';
echo '<input type="checkbox" value="tag1">';
echo '<input type="checkbox" value="tag2">';
echo '<input type="checkbox" value="tag3">';
echo '<input type="checkbox" value="tag4">';
echo '<input type="checkbox" value="tag5">';
echo '<input type="checkbox" value="tag6">';
echo '<input type="submit" value="Clickie">';
echo '</form>';
You would have your Javascript watch for clicks on those checkboxes and fill the value into the hidden tag field. In order to get the URL you want you have to remove the name from the checkboxes, which makes this form entirely dependent upon Javascript. Without Javascript it won't work. I consider that bad design.
The other option is to use mod_rewrite to try to rewrite your URL, but honestly, I don't know if mod_rewrite is capable of the complex regex you would need to make that work.
I don't think either workaround is worth the effort or the price. I would suggest you use the square brackets and process the array at the receiving end. In other words, if you have &tag[]=tag1&tag[]=tag4&tag[]=tag6 then this will get a string like what you want in your URL:
// Start with an empty string so $tstr is defined when no tag was submitted.
$tstr = '';
if (isset($_GET['tag'])) {
    $tstr = implode('+',$_GET['tag']);
}
echo $tstr;
You can use that in your search function, whatever you are using for that.
This is what I did. Instead of adding an extra function to my wordpress (which was causing some unexpected error when testing deeper) I simply created a PHP to catch the URL before submitting further.
This is what it looks like:
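<?php
// Start with an empty tag string so $tstr is defined even when no tag was sent.
$tstr = '';
if (isset($_GET['tag']) && is_array($_GET['tag'])) {
    $tstr = implode('+', array_map('urlencode', array_filter($_GET['tag'], 'is_string')));
}
// Encode the category before it goes into the redirect target.
$cat = (isset($_GET['category_name']) && is_string($_GET['category_name'])) ? urlencode($_GET['category_name']) : '';
header("Location: http://url.com/?category_name=$cat&tag=$tstr");
exit; // stop the script once the redirect header is sent
?>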
I don't know if this is correct or secure, but it works :D
Thanks for your help !
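A stricter take on the redirect script above, as an added example that is not part of the original posts: it accepts `tag` as either an array or a single string and only lets slug-shaped values reach the `Location` header. The function name `build_search_url`, the slug pattern and the sample input are assumptions made for this example.

```php
<?php
// Hypothetical helper: builds the redirect target from untrusted query data.
// The base URL default and the slug pattern are assumptions for this example.
function build_search_url(array $get, string $base = 'http://url.com/'): string
{
    // \A and \z anchor the whole string; a plain $ would also accept a trailing newline.
    $slug = '/\A[A-Za-z0-9_-]{1,64}\z/';

    // category_name must be one slug-shaped string, never an array or markup.
    $cat = $get['category_name'] ?? '';
    if (!is_string($cat) || !preg_match($slug, $cat)) {
        $cat = '';
    }

    // tag may arrive as tag[]=a&tag[]=b (array), as tag=a (string), or not at all.
    $tags = $get['tag'] ?? [];
    if (!is_array($tags)) {
        $tags = [$tags];
    }
    $clean = [];
    foreach ($tags as $t) {
        if (is_string($t) && preg_match($slug, $t)) {
            $clean[] = $t;
        }
    }

    // http_build_query() percent-encodes the category value.
    $url = $base . '?' . http_build_query(['category_name' => $cat]);
    if ($clean) {
        // Every tag passed the slug check, so the '+' separators are the only
        // special characters that reach the URL.
        $url .= '&tag=' . implode('+', $clean);
    }
    return $url;
}

// Constructed sample input standing in for $_GET.
$sample = [
    'category_name' => 'news',
    'tag' => ['tag1', 'tag4&category_name=other', ['nested'], 'tag6'],
];
echo build_search_url($sample), "\n";

// In the redirect script itself:
// header('Location: ' . build_search_url($_GET));
// exit;
```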

Zend controller/view newbie puzzle: $_GET & $_POST empty - on receipt from HTML form within view

Zend newbie here ... And just to make it better, my mission is to build on top of someone else's pre-existing Zend site.
(BTW: zf show version --> Zend Framework Version: 1.11.1 -- I seem to have Zend_Form).
Here's the curious bit. All the forms are built in HTML within views. They seem to work, although I can't figure out how -- especially given what I am seeing.
I followed the convention and created a view for a test form and wrote the form:
<form action="<?php echo $this->url(array('controller'=>'ControllerName','action'=>'submit'));?>" method="post" style="margin-left:20px">
<p class="bold setmgr">Your email here:</p>
<div class="field">
<input class="text" type="text name="custEmail"/>
</div>
<div class="field">
<input class="button" value="Submit and be free!" type="submit"/>
</div>
</form>
The submitAction member in the controller is firing correctly. No problem.
But ALL the places I could look for the POST data appear to be empty!
echo "obj custEmail = [" . $this->_request->getPost('custEmail') . "]\n";
echo "GET custEmail = [" . $_GET['custEmail'] . "]\n";
echo "POST custEmail = [" . $_POST['custEmail'] . "]\n";
if ($this->_request->isPost()) {
$data = $this->_request->getPost();
Zend_Debug::dump($data);
}
They all produce nothing.
I'd be much obliged for a solution or even a clue about what is going wrong.
Thanks for reading.
Your form is not in the correct format. As it's PHP you can use a form like this, or you can even generate a ZEND_FORM (which is a profound way to do it). It's always a good practice to work with ZEND_FORM. If you still want to use this and go your own way, here is the snippet I modified for you.
I am modifying the code for you. Your view should have this form in it:
<form action="" method="post" style="margin-left:20px">
<p class="bold setmgr">Your email here:</p>
<div class="field">
<input class="text" type="text" name="custEmail"/>
</div>
<div class="field">
<input class="button" value="Submit and be free!" type="submit" name="submit"/>
</div>
</form>
<?php
echo $this->custEmail;
?>
Now write the following one in your action, i.e. submitAction:
public function submitAction()
{
if ($this->getRequest()->isPost())
{
$custEmail = $this->getRequest()->getPost('custEmail');
echo $custEmail;
$this->view->custEmail = $custEmail;
}
}
Now check if it works for you or not.
Create a form using Zend_Form. When ZF already has a way to create forms, you should use that. Your method is like a hack and is not a recommended way to do things.
Check here on how to create a Zend_Form
http://framework.zend.com/manual/en/zend.form.html