I'm migrating from codeigniter to Fat-Free (F3) and trying to get my head around the quirks.
Regarding the following form:
<form ACTION = "<?php echo $_SERVER['PHP_SELF'];?>" METHOD="POST">
<input type="text" name="theirName" value="" required="required">
...
In standard PHP I get the POST value like this:
$name = $_POST['theirName'];
Or in codeignitor:
echo form_open('someclass/some_method_of_someclass');
$name = $this->input->post('name');
How do I get data from a form in a view in f3/fatfree?
You can get it from the Hive:
$name = $f3->get('POST.name');
Related
I have some problem with XSS scan on sitelock. They said that some of URL from html input form is vulnerable. They said each parameters which I sent through the form was vulnerable. In this case the vulnerability is from Paypal input form. I build my website with Paypal redirect so the user will input their own data into the form and the system will send it to paypal. This is the example of my form code:
<div class="col-md-5">
<input type="text" class="form-control" name="L_PAYMENTREQUEST_FIRSTNAME" id="L_PAYMENTREQUEST_FIRSTNAME" value="<?=$_SESSION['post_value']['shipping_first_name']?>" readonly="readonly">
</div>
<input type="hidden" name="billing_first_name" value="<?=$_POST['billing_first_name']?>">
<input type="hidden" name="billing_last_name" value="<?=$_POST['billing_last_name']?>">
<input type="hidden" name="billing_email" value="<?=$_POST['billing_email']?>">
<input type="hidden" name="billing_phone" value="<?=$_POST['billing_phone']?>">
<input type="hidden" name="billing_address" value="<?=$_POST['billing_address']?>">
<input type="hidden" name="billing_city" value="<?=$_POST['billing_city']?>">
<input type="hidden" name="billing_postcode" value="<?=$_POST['billing_postcode']?>">
<input type="hidden" name="billing_state" value="<?=$_POST['billing_state']?>">
That is some part of my form. What I want to know is whats wrong with that form and how to prevent Sitelock to scan XSS vulnerability ? Please anyone knows could help me.
I would also recommend using the HTTP header.
X-XSS-Protection: 1; mode=block
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
you probably dont check/nullify the data you are getting in the input fields
and by typing <script>alert('hacked')</script> in billing_address field
on next page where you print the billing_address you will get a popup window calling hacked
On the page that process your form you should validate that input fields doesn't have any javascript code.
for example
<?php
// define variables and set to empty values
$name = $email = $gender = $comment = $website = "";
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$name = test_input($_POST["name"]);
$email = test_input($_POST["email"]);
$website = test_input($_POST["website"]);
$comment = test_input($_POST["comment"]);
$gender = test_input($_POST["gender"]);
}
function test_input($data) {
$data = trim($data);
$data = stripslashes($data);
$data = htmlspecialchars($data);
return $data;
}
?>
you need to create a function like test_input and run for all your input fields
I would like to create a requirement that if nothing is selected from a drop down field in my contact form that a message will come up saying "Please choose", and the form will not be able to be submitted unless something is chosen. I have gotten requirements to work on all of my text input forms, but cannot figure out how to create one for the drop down field.
The drop down HTML looks like this:
<div class='container'>
<label for='destemail' > Which department are you trying to reach?*</br> You must select a department.</label></br>
<select name="destemail" id="destemail">
<?php foreach ($emailAddresses as $name => $email) { ?>
<option value="<?php echo htmlspecialchars($name); ?>"><?php echo htmlspecialchars($name) ; ?></option>
<?php } ?></select>
<span id='contactus_destemail_errorloc' class='error'></span>
</div>
I got the other form requirements to work like so:
The HTML -
<div class='container'>
<label for='name' >Your Full Name*: </label><br/>
<input type='text' name='name' id='name' value='<?php echo $formproc->SafeDisplay('name') ?>' maxlength="50" /><br/>
<span id='contactus_name_errorloc' class='error'></span>
</div>
The Javascript -
<script type='text/javascript'>
<![CDATA[
var frmvalidator = new Validator("contactus");
frmvalidator.EnableOnPageErrorDisplay();
frmvalidator.EnableMsgsTogether();
frmvalidator.addValidation("name","req","Please provide your name");
</script>
The PHP -
//name validations
if(empty($_POST['name']))
{
$this->add_error("Please provide your name");
$ret = false;
}
I tried the exact same coding for the drop down but with the different id names where appropriate, and it didn't work. Why doesn't this same method work for the drop down?
Help much appreciated!
I can't see what the Validator() code is doing, but you can just check to see whether the select field is empty using Javascript or jQuery.
jQuery way:
if( !$('#destemail').val() ) {
alert('Empty');
}
The problem may lie in that your select box actually does have a value, which is whatever the first value printed out in it is. The Validation function may be checking for any value, and since the select does have one, it returns as valid.
You could set up a default value to show first, something like "Please select a Department", and then do the jquery/javascript check for that text. If it exists, then you know an option has not been selected.
I have the following HTML code:
<form method="post" action="">
<b>Name: <input type="text" name="username" size="20" />
<input type="submit" value="Login" name="login" />
</form>
and:
<?php
if(isset($_POST['login'])){
$check = $_POST['username'];
?>
Whenever a user submits his username, the user should receive his username back but with the following modifications:
1) *Sapce bars will be replaced with "_"
2) *All letters will become non-capital letters.
Example:
Username: "I Like Icecream"
Result:
i_like_icecream
The message should be displayed to the user as an variable through an echo.
echo "$result";
I was thinking about doing it with preg_repalce, but didn't really manage to since I am not familiar with it very well. Any help will be appriciated.
preg_replace() is way too powerful but way expensive for this task. The patterns you need to change are constant, so you're better of using str_replace() and mb_strtolower()
$encoding = 'UTF-8'; // optional
$name = $_POST['usernamename']
$name = str_replace(' ', '_', $name);
$name = mb_strtolower($name, $encoding); // or $name = mb_strtolower($name); if you don't specify encoding
I´m trying to make a form to be able to edit a custom config.ini file with some custom settings, I´m trying to do this dynamically, so if i add another line to the config file, it shows on the edit form, or more precisely , i will be using this with a extension like system, where new extensions can add lines in this config.ini file. But, i´m having a hard time with the field names, so for en config file like this:
[production]
db.adapter = "pdo_mysql"
db.params.host = "localhost"
db.params.username = "user"
db.params.password = "123456"
db.params.dbname = "zend"
I need to have the respective fields for each param, like so:
<input type="text" name="db[adapter]"/>
<input type="text" name="db[params][host]"/>
<input type="text" name="db[params][username]"/>
<input type="text" name="db[params][password]"/>
<input type="text" name="db[params][dbname]"/>
So what would be the easiest way of building this form automatically?
I´ve created a custom Zend_Form, and in this form, a get the config file with Zend_Config,
and loop trough the settings creating a text field for each param, but i like the names to follow the same pattern as the ini file, like in the example above, but all i can get is something like:
<input type="text" name="params[host]"/>
<input type="text" name="params[username]"/>
<input type="text" name="params[password]"/>
<input type="text" name="params[dbname]"/>
Can anyone point me in the right direction ?
I don't use Zend_form so I'm not the right person to answer, but since I've done something similar where I can change the config from inside my application I'm giving it a shot anyway. Personally I would do this in a view-helper and generate the html-form directly without using Zend_form, but if you want to use Zend_form, Zend_sub_form seems the way to go. I know that the below code isn't completely right, bit it should lead you a bit on the way at lest.
/**
* The action
*/
public function configAction(){
//get the zend config from file or from registry and cast it as an array
$config = Zend_Registry::get('config');
$config = $config->toArray
//create the form and a new subform for each part of the config array
$form = new Zend_Form();
foreach ($config as $key=>value){
$form = self::generateSubForm($key, $value, $form);
}
$this->view->form = $form;
}
/**
* Generates all subforms
*/
private function generateSubForm($key, $value, $form){
//generate a subform for this key if needed
if(!is_object($form->getSubForm($key)){
$$key = new Zend_Form_SubForm();
$form->addSubForm($$key, $key);
} else {
$$key = $form->getSubForm($key);
}
//if the value is an array, we must go deeper
//Else we create a textelement and go on the next one
if(is_array($value){
$form = self::generateSubForm($key, $value, $form->getSubForm($key));
} else{
$form->getSubForm($key)->addElement('text', 'value');
$form->getSubForm($key)->$key->setValue($value);
}
return $form;
}
This should generate a form that looks something like this
<input type="text" name="phpSettings[date][timezone][value]" value="Europe/Stockholm">
<input type="text" name="phpSettings[display_startup_errors][value]" value="0">
<input type="text" name="phpSettings[display_errors][value]" value="0">
from a config that looks like this
phpSettings.date.timezone = "Europe/Stockholm"
phpSettings.display_startup_errors = 0
phpSettings.display_errors = 0
Can I use my normal (html) form in Zend Framework ? How can I do that & How can I call action in IndexController file?
of course you can ... just use
<form action="/index/action" methode="POST">
to access post arguments use
$this->getRequest()->getParam('argument')
thats no problem, put your form code inside the view script for the associated action. Maybe:
formAction()
{
// check if post request
if ($this->getRequest()->isPost()) {
// read global $_POST array
$data = $this->getRequest()->getPost();
}
}
the associated view ist than form.phtml
Yes, definitely.. You just have to remove the isValid call in your controller since it won't be performing any validation and also remove the post request check if it will not contain any form. It's like creating a common view with simple links in it.
Yes, I have a module called 'contact', and an action addcontactAction() in the ContactController.php.
So I can use :
/view/scripts/contacts/addcontact.phtml
<form action="" method="post" name="frm_addcontact" />
<input name="cn_fname" type="text" class="textbox" id="cn_fname"/>
<input type="submit" class="button" id="save" value="Save" />
</form>
when this form is submitted, it calls addcontactAction() in the controller.
$cn_fname = $_REQUEST['cn_fname'];
Just to know this is not a good practice to implement, but to solve such problem do the following:
in the view file when you define the form
<form action = "<?php echo $this->url(array('action'=>'ACTIONAME')); ?>" ...>
................
</form>
in the corresponding action name
if($this->_request->isPost()){
foreach ($_POST as $var => $value) {
echo "$var = $value<br>";
}