openpotion Posted September 14, 2011

So I built a form and if anyone puts // in the text area field named name="background" it won't work... it fails. This prevents users from entering website URLs, which is an issue since the form is related to website design. I think I have everything else working just fine. Any ideas how I can change this so it will work and allow // ? There may be other things that cannot be entered or maybe a security risk I am missing... here is the code...

<?php
// version 2.2
// All placeholders that are used such as {yourEmail@yourDomain.com}, {yourSolve360Token}, {ownership},
// {categoryId}, {templateId} should be replaced with real values without the {} brackets.

// REQUIRED Edit with the email address you login to Solve360 with
define('USER', 'me@me.com');
// REQUIRED Edit with token, Workspace > My Account > API Reference > API Token
define('TOKEN', 'itentionallydeleted');

// Get request data
$requestData = array();
parse_str($_SERVER['QUERY_STRING'], $requestData);

// Configure service gateway object
require 'Solve360Service.php';
$solve360Service = new Solve360Service(USER, TOKEN);

//
// Preparing the contact data
//
$contactFields = array(
    // field name in Solve360 => field name as specified in html form
    'firstname'     => 'firstname',
    'lastname'      => 'lastname',
    'businessemail' => 'businessemail',
    'cellularphone' => 'cellularphone',
    'background'    => 'background',
);

// kill form if spammers use the siteURL field
if ( $_GET['url'] != '' || $_GET['firstname'] == 'Your Name' || $_GET['businessemail'] == 'Email Address' ) {
    header("Location: http://www.openpotion.com/new/error");
} else {
    $contactData = array(
        // OPTION Apply category tag(s) and set the owner for the contact to a group
        // You will find a list of IDs for your tags, groups and users in Workspace > My Account > API Reference
        // To enable this option, uncomment the following:
        // Specify a different ownership i.e. share the item
        'ownership' => 18634876,
        // Add categories
        'categories' => array(
            'add' => array('category' => array(18660073))
        ),
    );

    // adding not empty fields
    foreach ($contactFields as $solve360FieldName => $requestFieldName) {
        if ($requestData[$requestFieldName]) {
            $contactData[$solve360FieldName] = $requestData[$requestFieldName];
        }
    }

    //
    // Saving the contact
    //
    // Check if the contact already exists by searching for a matching email address.
    // If a match is found update the existing contact, otherwise create a new one.
    //
    $contacts = $solve360Service->searchContacts(array(
        'filtermode'  => 'byemail',
        'filtervalue' => $contactData['businessemail'],
    ));

    if ((integer) $contacts->count > 0) {
        $contactId   = (integer) current($contacts->children())->id;
        $contactName = (string) current($contacts->children())->name;
        $contact     = $solve360Service->editContact($contactId, $contactData);
    } else {
        $contact     = $solve360Service->addContact($contactData);
        $contactName = (string) $contact->item->name;
        $contactId   = (integer) $contact->item->id;
    }

    if (isset($contact->errors)) {
        // Mail yourself if errors occur
        mail(
            USER,
            'Error while adding contact to Solve360',
            'Error: ' . $contact->errors->asXml()
        );
        die ('System error');
    } else {
        // Mail yourself the result
        mail(
            USER,
            'A new sales lead has been posted to Solve360',
            'Contact "' . $contactName . '" https://secure.solve360.com/contact/' . $contactId . ' was posted to Solve360',
            'From: noreply@openpotion.com' . PHP_EOL .
            'Reply-To: ' . $contactData['businessemail'] . PHP_EOL .
            'X-Mailer: PHP/' . phpversion()
        );
    }

    //
    // OPTION Adding a activity
    //
    /*
     * You can attach an activity to the contact you just posted
     * This example creates a Note, to enable this feature just uncomment the following request
     */
    /*
    // Preparing data for the note
    $noteData = array(
        'details' => nl2br($requestData['note'])
    );
    $note = $solve360Service->addActivity($contactId, 'note', $noteData);

    // Mail yourself the result
    mail(
        USER,
        'Note was added to "' . $contactName . '" contact in Solve360',
        'Note with id ' . $note->id . ' was added to the contact with id ' . $contactId
    );
    // End of adding note activity
    */

    //
    // OPTION Inserting a template of activities
    //
    /*
     * You can also insert a template directly into the contact you just posted
     * You will find a list of IDs for your templates in Workspace > My Account > API Reference
     * To enable this feature just uncomment the following request
     */
    /*
    // Start of template request
    $templateId = {templateId};
    $template = $solve360Service->addActivity($contactId, 'template', array('templateid' => $templateId));

    // Mail yourself the result
    mail(
        USER,
        'Template was added to "' . $contactName . '" contact in Solve360',
        'Template with id ' . $templateId . ' was added to the contact with id ' . $contactId
    );
    // End of template request
    */

    header("Location: http://www.website.com/thank-you");
}
?>

Thanks a ton in advance! Jason
Pandemikk Posted September 14, 2011

What do you mean it fails? Saving it into the database fails? You get a PHP error? Please shorten the code you posted to just the complete form and the part of the PHP that assigns the form values.
voip03 Posted September 14, 2011

Use URL validation.
voip03 Posted September 14, 2011

Make sure you exit after a PHP Header Location
http://techcosupport.com/press/make-sure-you-exit-after-a-php-header-location/

your code

// kill form if spammers use the siteURL field
if ( $_GET['url'] != '' || $_GET['firstname'] == 'Your Name' || $_GET['businessemail'] == 'Email Address' ) {
    header("Location: http://www.openpotion.com/new/error");
}
openpotion Posted September 14, 2011 (Author)

> Make sure you exit after a PHP Header Location
> http://techcosupport.com/press/make-sure-you-exit-after-a-php-header-location/
>
> your code
>
> // kill form if spammers use the siteURL field
> if ( $_GET['url'] != '' || $_GET['firstname'] == 'Your Name' || $_GET['businessemail'] == 'Email Address' ) {
>     header("Location: http://www.openpotion.com/new/error");
> }

Thanks! Updated this. I'm an absolute beginner, and have been customizing this API example from my CRM provider.
openpotion Posted September 14, 2011 (Author)

This is part of the form I am concerned about...

<form id="form-login" name="form-login" method="GET" action="submit">
<fieldset>
<dl>
<dt><label title="" class="hasTip required" for="jform_contact_message" id="jform_contact_message-lbl">Project Details<span class="star"> *</span></label></dt>
<dd><textarea class="required" rows="2" cols="30" id="jform_contact_message" name="background" aria-required="true" required="required"></textarea></dd>
</dl>

If someone enters two forward slashes they just get an error. How do I change the PHP to allow the slashes to work properly? I can enter a single slash or anything else I have tried, but not //.
Pandemikk Posted September 14, 2011

I'm a bit confused. You have a form for user submission, correct? Then why is the method GET? It should be POST. In your PHP code I don't see you accessing "background" from the GET superglobal (which should be accessed from the POST superglobal) so I'm not sure how you're sanitizing it. Nor am I sure where the code is "failing" since you haven't told me how like I asked.
voip03 Posted September 14, 2011

http://www.php.net/manual/en/function.htmlspecialchars.php
Pandemikk Posted September 14, 2011

> http://www.php.net/manual/en/function.htmlspecialchars.php

How is that going to help? Last I checked forward slashes aren't HTML entities.
voip03 Posted September 14, 2011

> http://www.php.net/manual/en/function.htmlspecialchars.php

Answered the wrong post.
voip03 Posted September 14, 2011

Remove forward slashes; you can use ltrim(), preg_replace() or substr().
voip03 Posted September 14, 2011

// Linkify http/https/ftp URLs in $text. preg_replace_callback() replaces the
// original /e modifier, which evaluated the replacement string as PHP code
// (deprecated in PHP 5.5, removed in PHP 7) and is unsafe with user-supplied text.
$text = preg_replace_callback(
    '#((http|https|ftp)://(\S*?\.\S*?))(\s|;|\)|\]|\[|\{|\}|,|"|\'|:|<|$|\.\s)#i',
    function ($m) {
        // $m[1] = full URL, $m[3] = URL without the scheme, $m[4] = terminating character
        return '<a href="' . $m[1] . '" target="_blank">' . $m[3] . '</a>' . $m[4];
    },
    $text
);
openpotion Posted September 14, 2011 (Author)

Wow... apparently it is now working... perhaps the exit on header suggestion. Thanks!
openpotion Posted September 14, 2011 (Author)

OK, not working...

Works in the text field:
http:// ebay.com // //ebay.com ://ebay.com test http://wwwebaycom is great.

Won't work:
http://ebay.com test http://www.ebay.com is great.

Here is the GET URL that won't work:
http://www.website.com/submit?firstname=aoeu&lastname=test&cellularphone=aaoeu&businessemail=aoeu%40aoeu.com&background=test+http%3A%2F%2Fwww.ebay.com+is+great&url=&Submit=Contact+Me!
openpotion Posted September 14, 2011 (Author)

Looks like this may not even be a PHP issue... how frustrating!!! ;-)
http://suhastech.com/blogger/solved-url-in-get-post-request-not-working-403-forbidden-http-urlencode/
Pikachu2000 Posted September 14, 2011

I can't find the part where you tell us what the error actually is.
Pandemikk Posted September 14, 2011

> I can't find the part where you tell us what the error actually is.

Maybe he no know. OP, maybe you should try telling us your error.
openpotion Posted September 14, 2011 (Author)

It stops at the submit.php page...

Forbidden
You don't have permission to access /submit on this server.
Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.domain.com Port 80
openpotion Posted September 14, 2011 (Author)

I'm now checking with my hosting... I think it is actually a security issue... Sorry if that is the case. I'm really new to PHP (just started reading up on it) and really appreciate the help.
Pandemikk Posted September 14, 2011

> It stops at the submit.php page...
>
> Forbidden
> You don't have permission to access /new/form-submit on this server.
> Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
> Apache mod_fcgid/2.3.6 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635 Server at www.openpotion.com Port 80

Okay, first of all that's a WEB HOST issue. Not a PHP one. Ask your WEB HOST to whitelist it for you (just like the link says you should).

Secondly, you can avoid this whole problem if you use the proper request method. If a user is submitting data to be processed by the server the form method should be POST (method="post"). Then you can access this data the same way you accessed it before but with $_POST instead of $_GET. Now you've solved your problem and are using proper HTTP protocol.
openpotion Posted September 14, 2011 (Author)

Well, the API provided by Solve360 gives a GET example that I modified... because I guess it connects to an existing user and updates it?
Pandemikk Posted September 14, 2011

GET should never be used except for retrieving data. Your form is submitting data to be processed by the server and updates the existing resource. This is exactly what POST is for. A form that submits information to the server should almost always be POST.
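A handler along the lines Pandemikk describes, as an added example that is not code from the thread or from Solve360's sample: the form is assumed to carry method="post", the handler reads $_POST instead of the query string (so a URL typed into "background" never reaches the host's request filter), the honeypot check uses isset() so missing fields cannot raise notices, businessemail is validated before it is reused in a mail header, and every redirect is followed by exit. Field names and redirect URLs are taken from the thread; the Solve360 call itself is left where the original script makes it.

```php
<?php
// Added example, not the thread's or Solve360's code. Field and URL names
// are the ones used in the thread.
$fields = array('firstname', 'lastname', 'businessemail', 'cellularphone', 'background');

// Redirect and stop: without exit the rest of the script keeps running after
// header(), so the "spam" branch would still go on to create the contact.
function redirect_and_exit($url)
{
    header('Location: ' . $url, true, 303);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // State-changing data belongs in the request body, not the query string,
    // which is what the host inspected when it answered 403 to "http://www." in the URL.
    header('Allow: POST');
    http_response_code(405);
    exit;
}

// Honeypot: the hidden "url" field must stay empty. isset() keeps an absent
// field from producing an undefined-index notice instead of a real check.
if ((isset($_POST['url']) && trim($_POST['url']) !== '')
    || (isset($_POST['firstname']) && $_POST['firstname'] === 'Your Name')
    || (isset($_POST['businessemail']) && $_POST['businessemail'] === 'Email Address')) {
    redirect_and_exit('http://www.openpotion.com/new/error');
}

// Copy only the allow-listed fields, trimmed. Free text such as "background"
// may legitimately contain "http://..." and is passed through untouched.
$contactData = array();
foreach ($fields as $name) {
    if (isset($_POST[$name]) && trim($_POST[$name]) !== '') {
        $contactData[$name] = trim($_POST[$name]);
    }
}

// The original script copies businessemail straight into a Reply-To: header.
// Validate it first so a value containing CR/LF cannot inject extra mail headers.
if (empty($contactData['businessemail'])
    || filter_var($contactData['businessemail'], FILTER_VALIDATE_EMAIL) === false) {
    redirect_and_exit('http://www.openpotion.com/new/error');
}

// $contactData is now safe to hand to the Solve360 client and to the
// notification mail() call exactly as in the original script.
redirect_and_exit('http://www.website.com/thank-you');
```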
Pikachu2000 Posted September 14, 2011

And this is precisely why, when you have an error, you should paste it into the first post.
openpotion Posted September 14, 2011 (Author)

Sorry... I was getting a blank page for a while... maybe a mess-up fixed by the suggestion here to put an exit after header?
Pandemikk Posted September 14, 2011

> Sorry... I was getting a blank page for a while... maybe a mess-up fixed by the suggestion here to put an exit after header?

No. Listen to what I've said. Change your form method to POST. It will fix the error and it will make your coding more correct. It will also make it slightly safer.