
A simple echo problem?


maestroc


I had several basic PHP forms working fine on a server a few months ago.  Those files have since been moved to another server and I am having problems that I can't figure out the cause of.  As far as I know a server move should not be breaking what appears to be broken.  Any help on this would be greatly appreciated because as you can tell I am a novice at this whole thing.  Here is the problem:

 

After the server move it appears that any variables that a user fills out on form A do not get echoed back to the user after being passed to Script A.  However, the variables are correctly being saved to the SQL database.  The problem is that they just won't echo to the screen.

 

A secondary (related?) issue is that after the server move my basic captcha that I wrote has made it so that no matter what the user puts in the field it always says that it is incorrect.  Again, this all worked before the server move. 

 

The forms can be seen working (sort of) at the following URL:  http://www.bandmasters.org/users/sciba/forms/sciba_membership_form.php

 

I have disabled the captcha for the time being so that I can work on the echo problem first.  I should point out that the email confirmation also does not print the values from the submission form.

 

Pasted below is the initial form and the save script:

<?php 
/* Read data from master configuration file */
include("FormSettings.php");
?>
<html>
<head>
<title>SCIBA District Dues Form</title>
</head>
<body>
<center>
<h1>South Central Iowa Bandmasters Association</h1>
<h3>“Advancing School Bands In Central Iowa”</h3>

<h2>SCIBA District Dues</h2>

<h3>Registration Form</h3>
</center>
Please be reminded that members MUST pay SCIBA dues as well as IBA dues to participate in
SCIBA events. The dues are $<?=$ScibaDuesAmount ?> annually.

<form name="membersubmit" action="sciba_membership_save.php" method="post">

First Name: <input type="text" name="firstname" /><br />
Last Name:  <input type="text" name="lastname" /><br />
Home Address: <input type="text" name="homestreet" /><br />
Home City: <input type="text" name="homecity" /><br /> 
State: <input type="text" name="homestate" /><br /> 
Home Zip Code:<input type="text" name="homezip" /><br />
<br />
School: <input type="text" name="school" /><br />
School Address: <input type="text" name="schooladdress" /><br />
City: <input type="text" name="schoolcity" /><br /> 
State: <input type="text" name="schoolstate" /><br /> 
Zip Code:<input type="text" name="schoolzip" /><br />
<br />
Home Phone: <input type="text" name="homephone" /><br />
School Phone:<input type="text" name="schoolphone" /><br />
Fax: <input type="text" name="fax" /><br />
E-mail: <input type="text" name="email" /><br />
Purchase Order Number: <input type="text" name="PONumber" /><br />
<br />
<BR><BR><BR>
Prove You Are Human-  What is 2+8?:<Input type="text" NAME="captcha" size="6">
<BR><BR>
<input type="submit" value="Submit" />
</form> 

Mail Registration and $<?=$ScibaDuesAmount ?> dues to: <?=$Treasurer ?> , <?=$TreasurerAddress ?>


</body>
</html>

Pasted below is the save script that the data is passed to:

<html>
<head><title>Sciba Membership Save</title></head>
<body>
<center>
<?php

/* Read data from master configuration file */
include("FormSettings.php");

$user="--------";
$pass="I---------";
$db="-------------";
$dbh = mysql_connect("localhost",$user,$pass) or die("Couldn't connect to MySQL");
mysql_select_db($db , $dbh) or die("Couldn't open $db: ".mysql_error());

/* if ( $captcha == 10 ) { */

$re="Sciba Registration Submission Form"; #Title of form being submitted
$today=date("M j, Y");          #provides date of submission

/* HTML Email Headers */
$headers="MIME-Version: 1.0\r\n";
$headers .="Content-type:text/html; ";
$headers .="charset=iso-8859-1\r\n";
$headers .="From: $email \r\n";


/* Queries */
$query = "INSERT INTO membership VALUES (NOW(),'".$_POST['firstname']."','".$_POST['lastname']."','".$_POST['homestreet']."','".$_POST['homecity']."','".$_POST['homestate']."','".$_POST['homezip']."','".$_POST['school']."','".$_POST['schooladdress']."','".$_POST['schoolcity']."','".$_POST['schoolstate']."','".$_POST['schoolzip']."','".$_POST['homephone']."','".$_POST['schoolphone']."','".$_POST['fax']."','".$_POST['email']."','".$_POST['email']."','".$_POST['PONumber']."')";

mysql_query($query);


print "<h2>Successfully Entered</h2>\n";

/* Create Confirmation Message */
$message = "<br>";
$message .= "<b>SCIBA Membership Registration Submission:</b>\r\n\n";
$message .= "<br>";
$message .= "<br>Date Submitted: $today \r\n\n";
$message .= "<br>Name: $firstname $lastname \r\n";
$message .= "<br>Return Email Address: $email\r\n";
$message .= "<br>Home Street: $homestreet\r\n";
$message .= "<br>Home City: $homecity\r\n";
$message .= "<br>Home State and Zip: $homestate , $homezip \r\n";
$message .= "<br>School: $school \r\n";
$message .= "<br>School Address: $schooladdress \r\n";
$message .= "<br>School City, State Zip: $schoolcity , $schoolstate $schoolzip \r\n";
$message .= "<br>Home Phone: $homephone\r\n";
$message .= "<br>School Phone:  $schoolphone \r\n";
$message .= "<br>Fax:  $fax \r\n";
$message .= "<br>";
$message .= "<br>Dues Amount To Pay: $ScibaDuesAmount Dollars \r\n";
$message .= "<br>Purchase Order Number: $PONumber \r\n";

mysql_close($dbh);

/* Send Email Message and Print Confirmation */
mail($TreasurerEmail,$re,$message,$headers);
print "<h2>Your submission of the $re has been received and emailed to $Treasurer, SCIBA Treasurer.  The data submitted is echoed below.</h2>If desired you may print this for your records.\n";

print $message;
/* } else {
echo "Incorrect Captcha";
echo "<p>If you have problems with this form please <a href=\"mailto://$webmasteremail\">contact the webmaster.</a></p>";
}
*/
?>
</body>
</html>

Link to comment
Share on other sites

1) That script has no form data validation or protection from SQL injection or email header injection at all. If you've never had your database compromised to this point, you should consider yourself extremely fortunate.

 

2) Since none of the $_POST vars are assigned to the following variables before they are echoed, the code has to rely on register_globals being on in the php.ini file. Overall, register_globals = On is a bad idea for numerous security reasons.

Link to comment
Share on other sites

Where in YOUR CODE are you setting the php program variables - $firstname, $lastname, $email, ... from the corresponding $_POST source variables?

 

Your code is dependent on a php setting that was deprecated and turned off by default 9 years ago. I won't mention the name of the setting so that you won't be tempted to turn it on because it opens a huge security hole (a lot of web sites have been taken over due to it) and it is going to be removed in an upcoming php version.

 

You must either set the php program variables ($firstname, $lastname, $email, ...) from the correct source $_POST variable or directly use the correct source $_POST variables (like you have in your query statement.)

Link to comment
Share on other sites

what PFMaBiSmAd is saying is, instead of this:

$message .= "<br>Name: $firstname $lastname \r\n";

 

try this:

$message .= "<br>Name: ".$_POST['firstname']." ".$_POST['lastname']." \r\n";

 

or, before inserting into database and echoing, grab the POST variables into local variables:

$firstname = $_POST['firstname'];
$lastname = $_POST['lastname'];

 

hope that helps

Link to comment
Share on other sites

That makes sense.  The old server must have had the register globals turned on and the new server had it turned off. 

 

Thanks to everyone for the help and especially to WebStyles for spelling it out for me.  Worked like a charm!

 

Fault to me for teaching myself PHP using a book with a 2003 copyright.  Of course I wrote those back in 2007 so at that point it wasn't that old of a book.  I basically copy/pasted the scripts out of there and then customized them to meet my needs.  Thank you for your help!

 

-MaestroC

Link to comment
Share on other sites
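
Added example, not part of any post in this thread and not the poster's own script: one way the save script could read its input explicitly from $_POST while closing the SQL injection and e-mail header injection gaps raised in the replies. It assumes PHP 7+ and a PDO connection; the function names are hypothetical.

```php
<?php
// Added example, not the poster's script. Function names are hypothetical;
// assumes PHP 7+ and a PDO connection for save_member().
const FIELDS = ['firstname', 'lastname', 'homestreet', 'homecity', 'homestate',
    'homezip', 'school', 'schooladdress', 'schoolcity', 'schoolstate',
    'schoolzip', 'homephone', 'schoolphone', 'fax', 'email', 'PONumber'];

// Copy only the expected fields out of $_POST (no reliance on register_globals).
function read_form(array $post): array
{
    $data = [];
    foreach (FIELDS as $name) {
        $value = $post[$name] ?? '';
        $data[$name] = is_string($value) ? trim($value) : '';
    }
    // The address ends up in the From: header, so reject CR/LF and non-addresses.
    if (preg_match('/[\r\n]/', $data['email'])
        || filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address');
    }
    return $data;
}

// Bound parameters in the same positional order as the thread's INSERT.
function save_member(PDO $pdo, array $d): void
{
    $values = [];
    foreach (FIELDS as $name) {
        $values[] = $d[$name];
        if ($name === 'email') {
            $values[] = $d[$name]; // the original query inserts email twice
        }
    }
    $marks = implode(',', array_fill(0, count($values), '?'));
    $pdo->prepare("INSERT INTO membership VALUES (NOW(), $marks)")->execute($values);
}

// Escape every user value before it goes into the HTML page or HTML e-mail.
function confirmation_html(array $d): string
{
    $out = '';
    foreach (FIELDS as $name) {
        $out .= '<br>' . $name . ': ' . htmlspecialchars($d[$name], ENT_QUOTES, 'UTF-8') . "\r\n";
    }
    return $out;
}

// Constructed sample input: markup in a name field is neutralised on output.
$d = read_form(['firstname' => '<b>Ann</b>', 'lastname' => 'Lee', 'email' => 'ann@example.org']);
echo confirmation_html($d);
```

The captcha check from the original script needs the same treatment: compare `$_POST['captcha']` rather than a bare `$captcha`.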
