Wolverine68 Posted June 10, 2008

I'm trying to add more security to a request form that will prevent header injections. Upon submission I get the following error: "Parse error: parse error, unexpected ';' in cgi-bin/feedback9.php on line 15". Why would it flag the semi-colon?

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html>
    <body>
    <?php
    $checkbox0 = $_POST['Programs'][0];
    $checkbox1 = $_POST['Programs'][1];
    $checkbox2 = $_POST['Programs'][2];
    $checkbox3 = $_POST['Programs'][3];
    $checkbox4 = $_POST['Programs'][4];
    $checkbox5 = $_POST['Programs'][5];
    ?>
    <?php
    $formBody= preg_replace("([\r\n])", "", "Name:$name\nEmail:$email\nPhone:$phone\nAddress:$address\nI'd like more information on the following programs: $checkbox0, $checkbox1, $checkbox2, $checkbox3, $checkbox4, $checkbox5 \nComments:$comments";
    $headers = preg_replace("([\r\n])", "", "From:$email";
    $match = "/ (bcc:|cc:|content\-type:)/i";
    if (preg_match($match, $formBody) || preg_match($match, $headers)) {
        die("Header injections have been found.");
    }
    if(isset($submit)) {
        mail("KenB624@yahoo.com", "Information Request",$formBody, $headers);
    }else{
        die("Direct access is prohibited.");
    }
    if ($submit) {
        print "Thank you. Your request has been submitted <br /> <br />";
        print "Current date and time :"
        print date("F j, Y g:i A T");
    }
    ?>
    </body>
    </html>

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <head>
    <title>Request Form</title>
    </head>
    <body background="#EEEEEE">
    <h3 align="center">Information Request Form</h3>
    <div>
    <form action="cgi-bin/feedback9.php" method="post">
    <hr width="100%">
    <p>Name: <INPUT TYPE="text" SIZE="35" name="name"></p>
    <p>E-mail: <INPUT TYPE="text" SIZE="35" name="email"></p>
    <p>Phone: <INPUT TYPE="text" SIZE="35" name="phone"></p>
    <p>Address:<INPUT TYPE="text" SIZE="35" name="address"></p><br>
    I would like more information on the following (check all that apply):<br>
    <INPUT TYPE="checkbox" NAME="Programs[]" VALUE="Adult Sunday School">Adult Sunday School<br>
    <INPUT TYPE="checkbox" NAME="Programs[]" VALUE="Bible Studies">Bible Studies<br>
    <INPUT TYPE="checkbox" NAME="Programs[]" VALUE="Children's Programs">Children's programs<br>
    <INPUT TYPE="checkbox" NAME="Programs[]" VALUE="Missions">Missions<br>
    <INPUT TYPE="checkbox" NAME="Programs[]" VALUE="Music">Music/Choir<br>
    <INPUT TYPE="checkbox" NAME="Programs[]" VALUE="Youth">Youth group<br><br>
    Please add any additional comments or questions in the box below:<br>
    <TEXTAREA NAME="comments" ROWS=10 COLS=60>
    </TEXTAREA>
    <br><br>
    <input type="submit" name="submit" value="Submit"><br><br>
    <hr width="100%">
    </form>
    </div>
    </body>
    </html>

DarkerAngel Posted June 10, 2008

change:

    <?php
    $formBody= preg_replace("([\r\n])", "", "Name:$name\nEmail:$email\nPhone:$phone\nAddress:$address\nI'd like more information on the following programs: $checkbox0, $checkbox1, $checkbox2, $checkbox3, $checkbox4, $checkbox5 \nComments:$comments";
    ?>

to

    <?php
    $formBody= preg_replace("([\r\n])", "", "Name:$name\nEmail:$email\nPhone:$phone\nAddress:$address\nI'd like more information on the following programs: $checkbox0, $checkbox1, $checkbox2, $checkbox3, $checkbox4, $checkbox5 \nComments:$comments");
    ?>

You're missing a ')'

Wolverine68 Posted June 10, 2008

Thanks. Good eye. Now, upon submission, I get "Parse error: parse error, unexpected T_PRINT in cgi-bin/feedback9.php on line 33". Before I added the code to prevent header injections, those print statements worked. I didn't add or modify anything around that bit of code. Why would it have a problem now?

Wolverine68 Posted June 10, 2008

bump

jonsjava Posted June 10, 2008

cleaned up the code

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html>
    <body>
    <?php
    $checkbox0 = $_POST['Programs'][0];
    $checkbox1 = $_POST['Programs'][1];
    $checkbox2 = $_POST['Programs'][2];
    $checkbox3 = $_POST['Programs'][3];
    $checkbox4 = $_POST['Programs'][4];
    $checkbox5 = $_POST['Programs'][5];
    ?>
    <?php
    $formBody= preg_replace("([\r\n])", "", "Name:$name\nEmail:$email\nPhone:$phone\nAddress:$address\nI'd like more information on the following programs: $checkbox0, $checkbox1, $checkbox2, $checkbox3, $checkbox4, $checkbox5 \nComments:$comments");
    $headers = preg_replace("([\r\n])", "", "From:$email");
    $match = "/ (bcc:|cc:|content\-type:)/i";
    if (preg_match($match, $formBody) || preg_match($match, $headers)) {
        die("Header injections have been found.");
    }
    if(isset($submit)) {
        mail("KenB624@yahoo.com", "Information Request",$formBody, $headers);
    }else{
        die("Direct access is prohibited.");
    }
    if ($submit) {
        print "Thank you. Your request has been submitted <br /> <br />";
        print "Current date and time :";
        print date("F j, Y g:i A T");
    }
    ?>
    </body>
    </html>

Wolverine68 Posted June 10, 2008

What did you change in the code? I don't see anything different.

Wolverine68 Posted June 10, 2008

Oh, I see it. I didn't have a ; at the end of print "Current date and time :" Thanks.

Barand Posted June 10, 2008

They aren't too difficult for you to find. If you get an "unexpected X" then there is something missing before the X.

Wolverine68 Posted June 11, 2008

It is working, but when the submitted information arrives in the e-mail it is all scrunched together. So, by using this script to make your forms more secure, I take it you're sacrificing neatness, since the line breaks are stripped away? <br> tags aren't going to work.

Wolverine68 Posted June 11, 2008

This code takes away the line breaks, so when the form is submitted, the information shows up in the destination e-mail address all scrunched together.

    $formBody= preg_replace("([\r\n])", "",

I found that if I put "|||||" instead of "", it will put some space between Name, E-mail, phone, address, and comments, or if I simply put blank space between the quotation marks. But, is there another way I can have Name, E-mail, address, phone, and comments on separate lines but not sacrificing the security?

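The question in the post above has a direct answer: only the string passed as the fourth argument of mail() (the headers) has to be free of CR/LF, so the message body can keep its line breaks. The following is an added example, not code from any poster in this thread; the helper names, RECIPIENT and the sample input are constructed, and the fields are read from an array such as $_POST rather than from register_globals variables.

```php
<?php
// Added example, not code from the thread. RECIPIENT is a placeholder address.
const RECIPIENT = 'webmaster@example.org';

// Return a POST field only if it is a plain string (not an array).
function field(array $post, string $key): string
{
    $value = $post[$key] ?? '';
    return is_string($value) ? $value : '';
}

// Single-line values: replace every CR/LF so the value stays on one line.
function one_line(string $value): string
{
    return trim(str_replace(["\r", "\n"], ' ', $value));
}

// Multi-line body text: keep line breaks (normalised to LF), drop other control characters.
function body_text(string $value): string
{
    $value = str_replace(["\r\n", "\r"], "\n", $value);
    return trim(preg_replace('/[\x00-\x08\x0B-\x1F\x7F]/', '', $value));
}

// Build the message. Only 'headers' is sensitive to header injection, so the
// address that goes into it is rejected outright if it contains CR or LF.
function build_request_mail(array $post): array
{
    $email = field($post, 'email');
    if (preg_match('/[\r\n]/', $email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address.');
    }
    $programs = array_map('one_line', array_filter((array) ($post['Programs'] ?? []), 'is_string'));
    $body = implode("\n", [
        'Name: ' . one_line(field($post, 'name')),
        'Email: ' . $email,
        'Phone: ' . one_line(field($post, 'phone')),
        'Address: ' . one_line(field($post, 'address')),
        "I'd like more information on the following programs: " . implode(', ', $programs),
        'Comments:',
        body_text(field($post, 'comments')),
    ]);
    return ['body' => $body, 'headers' => 'From: ' . $email];
}

// Constructed sample submission: a CR/LF sequence in "name" and a multi-line comment.
$sample = ['name' => "Jane Doe\r\nBcc: someone@example.org", 'email' => 'jane@example.org',
           'phone' => '555-0100', 'address' => '1 Main St', 'Programs' => ['Music', 'Youth'],
           'comments' => "First line\r\nSecond line", 'submit' => 'Submit'];
$mail = build_request_mail($sample);
print $mail['headers'] . "\n\n" . $mail['body'] . "\n";
// In the form handler: mail(RECIPIENT, 'Information Request', $mail['body'], $mail['headers']);
```

Run from the command line, this prints a single From: header followed by a body with each field on its own line; the CR/LF in the sample name ends up as a space inside the body text and never reaches the headers.
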
TravisJRyan Posted June 11, 2008

...

Wolverine68 Posted June 11, 2008

Could you elaborate on that please? Are you saying that instead of

    $formBody= preg_replace("([\r\n])", "",

it should be

    $formBody= preg_replace("([\r\n])", " ... ",

?

Wolverine68 Posted June 11, 2008

bump

Wolverine68 Posted June 12, 2008

bump