PHP form submission - Help needed - Tilted Forum Project Discussion Community

d*d · 05-06-2005, 12:39 AM

I created files in php which contain html form submission sending variables using POST. These files worked fine on my testing server, but now they have been uploaded to a secure server the form submission does not work - it takes three days for the server host to ok any changes made in the files so I can't tinker with them like I usually do -

Any ideas as to why this would happen would be greatly appreciated

Rawb · 05-06-2005, 07:31 AM

The secure server is probably running with register_globals off. (which is the correct way to run), are you using $_REQUEST['varname'] to get to your post requests, or just $varname?

d*d · 05-06-2005, 08:05 AM

I am using $_POST['variable'] - could this be why?

Rawb · 05-06-2005, 12:22 PM

If the form is POST'ed to (via a form with "method=POST"), that should work fine... I prefer $_REQUEST because then it forces me to remember that all of the elements are from an untrusted source.

They could also be running a version of PHP below 4.1.0 (I believe), because that was before the $_POST/$_REQUEST magic variables were created.

d*d · 05-09-2005, 12:20 AM

yeah they are POST'ed, I've not used $_REQUEST before but will checkit out, I'll find out what version of php they are using, I would just use phpinfo(), but it'd take three days for them to check and ok that

Heres the source coding, perhaps someone can spot the problem?

<?php
include ('./includes/header_secure.php');

if (isset($_POST['submit'])) { // Handle the form.

require_once ('./mysql_connect.php'); // Connect to the db.

// Check for a first name.
if (eregi ("^[[:alpha:].' -]{2,15}$", stripslashes(trim($_POST['first_name'])))) {
$fn = escape_data($_POST['first_name']);
} else {
$fn = FALSE;
echo '<p class= "warning">Please enter your first name</p>';
}

// Check for a last name.
if (eregi ("^[[:alpha:].' -]{2,30}$", stripslashes(trim($_POST['last_name'])))) {
$ln = escape_data($_POST['last_name']);
} else {
$ln = FALSE;
echo '<p class= "warning">Please enter your last name</p>';
}

// Check for an email address.
if (eregi ("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", stripslashes(trim($_POST['email'])))) {
$e = escape_data($_POST['email']);
} else {
$e = FALSE;
echo '<p class= "warning">Please enter a valid email address</p>';
}

// Check for a username.
if (eregi ("^[[:alnum:]_]{4,20}$", stripslashes(trim($_POST['username'])))) {
$u = escape_data($_POST['username']);
} else {
$u = FALSE;
echo '<p class= "warning">Please enter a valid username!</p>';
}

// Check for a password and match against the confirmed password.
if (eregi ("^[[:alnum:]]{4,20}$", stripslashes(trim($_POST['password1'])))) {
if ($_POST['password1'] == $_POST['password2']) {
$p = escape_data($_POST['password1']);
} else {
$p = FALSE;
echo '<p class= "warning">Your password did not match the confirmed password!</p>';
}
} else {
$p = FALSE;
echo '<p class= "warning">Please enter a valid password!</p>';
}
// Check for an std code.
if (empty($_POST['std'])) {
$std = FALSE;
$message .= '<p class= "warning">Please enter your std code</p>';
} else {
//
if (!eregi ("^[[:digit:]]+$", stripslashes(trim($_POST['std'])))) {
$std = FALSE;
$message .= '<p class= "warning">Please enter a valid std code.</p>';
} else {
$std = escape_data($_POST['std']);
}
//

}

// Check for an phone number.
if (empty($_POST['phone'])) {
$pn = FALSE;
$message .= '<p class= "warning">You forgot to enter your phone number</p>';
} else {
//
if (!eregi ("^[[:digit:]]+$", stripslashes(trim($_POST['phone'])))) {
$pn = FALSE;
$message .= '<p class= "warning">Please enter a valid phone number.</p>';
} else {
$pn = escape_data($_POST['phone']);
$pn = $std . $pn;
}
//
}
if ($fn && $ln && $e && $u && $p && $pn && $std) { // If everything's OK.

// Make sure the username is available.
$query = "SELECT customer_id FROM customer WHERE username='$u'";
$result = @mysql_query ($query);

if (mysql_num_rows($result) == 0) { // Available.

// Add the user.
$query = "INSERT INTO customer (username, password, first_name, last_name, email, phone, registration_date) VALUES ('$u', '$p', '$fn', '$ln', '$e', $pn, NOW() )";
$result = @mysql_query ($query); // Run the query.

if ($result) { // If it ran OK.

// Send an email, if desired.
$body = "Thank you '{$_POST['first_name']}' for registering with EA-Integration,\n\nYour username is '{$_POST['username']}'\n
your password is '{$_POST['password1']}'\n

info@xxx.com\n";
mail ($_POST['email'], 'Thank you for registering',$body, 'FROM: info@xxx.com');

echo "<div id=\"left\"><p class = \"bttnstyle1\">Thank you for registering {$_POST['first_name']}</p>\n
<p class=\"copy\">click <a href=\"checkout.php?name=$u&pass=$p\"> here </a> to return</p></div>";
include ('./includes/footer_secure.php'); // Include the HTML footer.
exit();

} else { // If it did not run OK.
// Send a message to the error log, if desired.
echo '<p class = "warning"> You could not be registered due to a system error. We apologize for any inconvenience.</p>';
}

} else { // The username is not available.
echo '<p class = "warning">That username is already taken.</p>';
}

mysql_close(); // Close the database connection.

} else { // If one of the data tests failed.
echo '<p class = "warning">Please try again.</p>';
}

} // End of the main Submit conditional.
?>
<div id="whole">
<p class="heading">Register</p>
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<table cellpadding="0" cellspacing="10" width="750">

<tr><td><p class="bttnstyle1">First Name: </p></td><td><input type="text" name="first_name" size="15" maxlength="15" value="<?php if (isset($_POST['first_name'])) echo $_POST['first_name']; ?>" /></td></tr>

<tr><td><p class="bttnstyle1">Last Name: </p></td><td><input type="text" name="last_name" size="30" maxlength="30" value="<?php if (isset($_POST['last_name'])) echo (stripslashes($_POST['last_name'])); ?>" /></td></tr>

<tr><td><p class="bttnstyle1">Email Address: </p></td><td><input type="text" name="email" size="40" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /></td></tr>

<tr><td><p class="bttnstyle1">Phone Number: </p></td><td><input type="text" name="std" size="5" maxlength="5" value="<?php if (isset($_POST['std'])) echo $_POST['std']; ?>" /> <input type="text" name="phone" size="10" maxlength="10" value="<?php if (isset($_POST['phone'])) echo $_POST['phone']; ?>" /></td></tr>

<tr><td><p class="bttnstyle1">User Name: </p></td><td><input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <span class="copy">Use only letters, numbers, and the underscore. Must be between 4 and 20 characters long.</span></td></tr>

<tr><td><p class="bttnstyle1">Password: </p></td><td><input type="password" name="password1" size="20" maxlength="20" /> <span class="copy">Use only letters and numbers. Must be between 4 and 20 characters long.</span></td></tr>

<tr><td><p class="bttnstyle1">Confirm Password: </p></td><td><input type="password" name="password2" size="20" maxlength="20" /></td></tr>
<tr><td colspan="2" width="750"><p align="center"><input type="submit" name="submit" value="Register" /></p></td></tr>
</table>
</form></div>

<?php
include ('./includes/footer_secure.php'); // Include the HTML footer.
?>

manalone · 05-11-2005, 03:41 PM

I reckon you should replace your script with a simple one to test if post vars are working... try this

Code:

<html>
  <body>
    <pre>
<?php
      print_r($_POST);
      echo("<hr />");
      print_r($_GET);
?>
</pre>
</body>
</html>

mokle · 05-14-2005, 12:42 AM

Using $_REQUEST[] will make no difference, so don't bother.

Chances are it's an older version of PHP (cemented by the fact they need 3 das to upload files? what the f*ck?), so you'd need to use $HTTP_POST_VARS[]

And switch hosts.

05-06-2005, 12:39 AM	#1 (permalink)
d*d Addict	PHP form submission - Help needed I created files in php which contain html form submission sending variables using POST. These files worked fine on my testing server, but now they have been uploaded to a secure server the form submission does not work - it takes three days for the server host to ok any changes made in the files so I can't tinker with them like I usually do - Any ideas as to why this would happen would be greatly appreciated

05-09-2005, 12:20 AM	#5 (permalink)
d*d Addict	yeah they are POST'ed, I've not used $_REQUEST before but will checkit out, I'll find out what version of php they are using, I would just use phpinfo(), but it'd take three days for them to check and ok that Heres the source coding, perhaps someone can spot the problem? <?php include ('./includes/header_secure.php'); if (isset($_POST['submit'])) { // Handle the form. require_once ('./mysql_connect.php'); // Connect to the db. // Check for a first name. if (eregi ("^[[:alpha:].' -]{2,15}$", stripslashes(trim($_POST['first_name'])))) { $fn = escape_data($_POST['first_name']); } else { $fn = FALSE; echo '<p class= "warning">Please enter your first name</p>'; } // Check for a last name. if (eregi ("^[[:alpha:].' -]{2,30}$", stripslashes(trim($_POST['last_name'])))) { $ln = escape_data($_POST['last_name']); } else { $ln = FALSE; echo '<p class= "warning">Please enter your last name</p>'; } // Check for an email address. if (eregi ("^[[:alnum:]][a-z0-9_.-]@[a-z0-9.-]+\.[a-z]{2,4}$", stripslashes(trim($_POST['email'])))) { $e = escape_data($_POST['email']); } else { $e = FALSE; echo '<p class= "warning">Please enter a valid email address</p>'; } // Check for a username. if (eregi ("^[[:alnum:]_]{4,20}$", stripslashes(trim($_POST['username'])))) { $u = escape_data($_POST['username']); } else { $u = FALSE; echo '<p class= "warning">Please enter a valid username!</p>'; } // Check for a password and match against the confirmed password. if (eregi ("^[[:alnum:]]{4,20}$", stripslashes(trim($_POST['password1'])))) { if ($_POST['password1'] == $_POST['password2']) { $p = escape_data($_POST['password1']); } else { $p = FALSE; echo '<p class= "warning">Your password did not match the confirmed password!</p>'; } } else { $p = FALSE; echo '<p class= "warning">Please enter a valid password!</p>'; } // Check for an std code. if (empty($_POST['std'])) { $std = FALSE; $message .= '<p class= "warning">Please enter your std code</p>'; } else { // if (!eregi ("^[[:digit:]]+$", stripslashes(trim($_POST['std'])))) { $std = FALSE; $message .= '<p class= "warning">Please enter a valid std code.</p>'; } else { $std = escape_data($_POST['std']); } // } // Check for an phone number. if (empty($_POST['phone'])) { $pn = FALSE; $message .= '<p class= "warning">You forgot to enter your phone number</p>'; } else { // if (!eregi ("^[[:digit:]]+$", stripslashes(trim($_POST['phone'])))) { $pn = FALSE; $message .= '<p class= "warning">Please enter a valid phone number.</p>'; } else { $pn = escape_data($_POST['phone']); $pn = $std . $pn; } // } if ($fn && $ln && $e && $u && $p && $pn && $std) { // If everything's OK. // Make sure the username is available. $query = "SELECT customer_id FROM customer WHERE username='$u'"; $result = @mysql_query ($query); if (mysql_num_rows($result) == 0) { // Available. // Add the user. $query = "INSERT INTO customer (username, password, first_name, last_name, email, phone, registration_date) VALUES ('$u', '$p', '$fn', '$ln', '$e', $pn, NOW() )"; $result = @mysql_query ($query); // Run the query. if ($result) { // If it ran OK. // Send an email, if desired. $body = "Thank you '{$_POST['first_name']}' for registering with EA-Integration,\n\nYour username is '{$_POST['username']}'\n your password is '{$_POST['password1']}'\n info@xxx.com\n"; mail ($_POST['email'], 'Thank you for registering',$body, 'FROM: info@xxx.com'); echo "<div id=\"left\"><p class = \"bttnstyle1\">Thank you for registering {$_POST['first_name']}</p>\n <p class=\"copy\">click <a href=\"checkout.php?name=$u&pass=$p\"> here </a> to return</p></div>"; include ('./includes/footer_secure.php'); // Include the HTML footer. exit(); } else { // If it did not run OK. // Send a message to the error log, if desired. echo '<p class = "warning"> You could not be registered due to a system error. We apologize for any inconvenience.</p>'; } } else { // The username is not available. echo '<p class = "warning">That username is already taken.</p>'; } mysql_close(); // Close the database connection. } else { // If one of the data tests failed. echo '<p class = "warning">Please try again.</p>'; } } // End of the main Submit conditional. ?> <div id="whole"> <p class="heading">Register</p> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <table cellpadding="0" cellspacing="10" width="750"> <tr><td><p class="bttnstyle1">First Name: </p></td><td><input type="text" name="first_name" size="15" maxlength="15" value="<?php if (isset($_POST['first_name'])) echo $_POST['first_name']; ?>" /></td></tr> <tr><td><p class="bttnstyle1">Last Name: </p></td><td><input type="text" name="last_name" size="30" maxlength="30" value="<?php if (isset($_POST['last_name'])) echo (stripslashes($_POST['last_name'])); ?>" /></td></tr> <tr><td><p class="bttnstyle1">Email Address: </p></td><td><input type="text" name="email" size="40" maxlength="40" value="<?php if (isset($_POST['email'])) echo $_POST['email']; ?>" /></td></tr> <tr><td><p class="bttnstyle1">Phone Number: </p></td><td><input type="text" name="std" size="5" maxlength="5" value="<?php if (isset($_POST['std'])) echo $_POST['std']; ?>" /> <input type="text" name="phone" size="10" maxlength="10" value="<?php if (isset($_POST['phone'])) echo $_POST['phone']; ?>" /></td></tr> <tr><td><p class="bttnstyle1">User Name: </p></td><td><input type="text" name="username" size="10" maxlength="20" value="<?php if (isset($_POST['username'])) echo $_POST['username']; ?>" /> <span class="copy">Use only letters, numbers, and the underscore. Must be between 4 and 20 characters long.</span></td></tr> <tr><td><p class="bttnstyle1">Password: </p></td><td><input type="password" name="password1" size="20" maxlength="20" /> <span class="copy">Use only letters and numbers. Must be between 4 and 20 characters long.</span></td></tr> <tr><td><p class="bttnstyle1">Confirm Password: </p></td><td><input type="password" name="password2" size="20" maxlength="20" /></td></tr> <tr><td colspan="2" width="750"><p align="center"><input type="submit" name="submit" value="Register" /></p></td></tr> </table> </form></div><!-- End of Form --> <?php include ('./includes/footer_secure.php'); // Include the HTML footer. ?> Last edited by dd; 05-09-2005 at 02:52 AM..

05-11-2005, 03:41 PM	#6 (permalink)
manalone Once upon a time...	I reckon you should replace your script with a simple one to test if post vars are working... try this Code: <html> <body> <pre> <?php print_r($_POST); echo("<hr />"); print_r($_GET); ?> </pre> </body> </html> __________________ -- Man Alone ======= Abstainer: a weak person who yields to the temptation of denying himself a pleasure. Ambrose Bierce, The Devil's Dictionary.

05-14-2005, 12:42 AM	#7 (permalink)
mokle Psycho Location: Alberta, Canada	Using $_REQUEST[] will make no difference, so don't bother. Chances are it's an older version of PHP (cemented by the fact they need 3 das to upload files? what the fck?), so you'd need to use $HTTP_POST_VARS[] And switch hosts. __________________ Mokle* "Your hands can't hit what your eyes can't see" -Ali

05-06-2005, 07:31 AM	#2 (permalink)
Rawb Crazy Location: Salt Town, UT	The secure server is probably running with register_globals off. (which is the correct way to run), are you using $_REQUEST['varname'] to get to your post requests, or just $varname?

05-06-2005, 08:05 AM	#3 (permalink)
d*d Addict	I am using $_POST['variable'] - could this be why?

05-06-2005, 12:22 PM	#4 (permalink)
Rawb Crazy Location: Salt Town, UT	If the form is POST'ed to (via a form with "method=POST"), that should work fine... I prefer $_REQUEST because then it forces me to remember that all of the elements are from an untrusted source. They could also be running a version of PHP below 4.1.0 (I believe), because that was before the $_POST/$_REQUEST magic variables were created.