outdoorxtreme Posted April 22, 2014 Share Posted April 22, 2014 Hi, I'm a beginner to PHP scripting. I'm trying to get the error message to work correctly when the number field is left blank in this code. If you see anything else I may be doing wrong or a better way I would appreciate any input. basically what this script will do is that a person can enter their cell number and select their carrier then press submit. It will then send them a message to their moble. Thanks for your help. <?php echo"<form id=\"sms\" name=\"sms\" method=\"post\" action=\"".$_SERVER['PHP_SELF']."\"> <table width=\"400\"> <tr> <td align=\"right\" valign=\"top\">Cell number:</td> <td align=\"left\"><input name=\"number\" type=\"text\" id=\"number\" size=\"10\"> No dashes</td> </tr> <tr> <td align=\"right\" valign=\"top\">Carrier:</td> <td align=\"left\"><select name=\"carrier\" id=\"carrier\"> <option value=\"verizon\">Verizon</option> <option value=\"tmobile\">T-Mobile</option> <option value=\"sprint\">Sprint</option> <option value=\"att\">AT&T</option> <option value=\"virgin\">Virgin Mobile</option> </select></td> </tr> <tr> <td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"Submit\" value=\"Submit\"></td> </tr> </table> </form>"; $number = $_POST['number']; $carrier = $_POST['carrier']; $message = "test"; if( !empty($_POST['number'])) echo "You must enter a number to send to"; else if ($carrier == "verizon") { $formatted_number = $number."@vtext.com"; mail("$formatted_number", "", "$message", "From: john@gmail.com"); echo "Success"; } else if ($carrier == "tmobile") { $formatted_number = $number."@tomomail.net"; mail("$formatted_number", "", "$message", "From: john@gmail.com"); echo "Success"; } else if ($carrier == "sprint") { $formatted_number = $number."@messaging.sprintpcs.com"; mail("$formatted_number", "", "$message", "From: john@gmail.com"); } else if ($carrier == "att") { $formatted_number = $number."@txt.att.net"; mail("$formatted_number", "", "$message", "From: john@gmail.com"); echo "Success"; } else if ($carrier == "virgin") { $formatted_number = $number."@vmobl.com"; mail("$formatted_number", "", "$message", "From: john@gmail.com"); echo "Success"; } ?> Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted April 22, 2014 Share Posted April 22, 2014 The message is currently set to display when the number is not empty. Try removing the not operator (!): if( empty($_POST['number'])) echo "You must enter a number to send to"; Also, I would recommend checking out the following article which talks about the security risks with using PHP_SELF as a form action: http://seancoates.com/blogs/xss-woes Quote Link to comment Share on other sites More sharing options...
outdoorxtreme Posted April 22, 2014 Author Share Posted April 22, 2014 Currently, when a number is not entered and submit is pressed, it displays "Success" it should display "You must enter a number to send to". I only want the message displayed after the submit button is pressed. Quote Link to comment Share on other sites More sharing options...
outdoorxtreme Posted April 22, 2014 Author Share Posted April 22, 2014 I fixed the security risk with changing these lines $phpSelf = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL); echo"<form id=\"sms\" name=\"sms\" method=\"post\" action=\"".$phpSelf."\"> Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted April 22, 2014 Share Posted April 22, 2014 No, you didn't fix the vulnerability. And I don't think you understand the problem. Try calling your script with this URL: localhost/yourscript.php/%3Cscript%3Ealert(%27XSS%27)%3C/script%3E This is a perfectly valid URL. But if you open your page with it, you'll see a JavaScript popup saying "XSS". Oops. Your sanitzing stuff doesn't do anything. The problem is that you fail to escape the URL and allow the user to inject malicious JavaScript code into your page. That's what needs to be fixed. Whether or not the URL is valid is completely irrelevant for this. So you need to escape the URL like any other user input: <?php // if you don't use UTF-8, adjust the encoding function html_escape($raw_input) { return htmlspecialchars($raw_input, ENT_QUOTES, 'UTF-8'); } Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted April 22, 2014 Share Posted April 22, 2014 Currently, when a number is not entered and submit is pressed, it displays "Success" it should display "You must enter a number to send to". I only want the message displayed after the submit button is pressed. Before running the code to process the form, you could test to see of the form has been submitted. For example, you could do something like this: if(isset($_POST['Submit'])) { //code to process form here } I fixed the security risk with changing these lines $phpSelf = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL); echo"<form id=\"sms\" name=\"sms\" method=\"post\" action=\"".$phpSelf."\"> You could just leave the action attribute blank. echo"<form id=\"sms\" name=\"sms\" method=\"post\" action=''> Quote Link to comment Share on other sites More sharing options...
outdoorxtreme Posted April 22, 2014 Author Share Posted April 22, 2014 Ok, I have almost everything working but it doesnt echo "Success" if it was successfully submitted. <?php function html_escape($raw_input) { return htmlspecialchars($raw_input, ENT_QUOTES, 'UTF-8'); } echo"<form id=\"sms\" name=\"sms\" method=\"post\" action=\"\"> <table width=\"300\"> <tr> <td align=\"right\" valign=\"top\">Cell number:</td> <td align=\"left\"><input name=\"number\" type=\"text\" id=\"number\" size=\"10\"> No dashes</td> </tr> <tr> <td align=\"right\" valign=\"top\">Carrier:</td> <td align=\"left\"> <select name=\"carrier\" id=\"carrier\"> <option value=\"verizon\">Verizon</option> <option value=\"tmobile\">T-Mobile</option> <option value=\"sprint\">Sprint</option> <option value=\"att\">AT&T</option> <option value=\"virgin\">Virgin Mobile</option> </select> </td> </tr> <tr> <td colspan=\"2\" align=\"center\" ><input type=\"submit\" name=\"Submit\" value=\"Submit\"></td> </tr> </table> </form>"; if(isset($_POST['Submit'])) { $number = $_POST['number']; $carrier = $_POST['carrier']; $message = "test"; if( empty($_POST['number'])) echo "You must enter a number to send to"; else if ($carrier == "verizon") { $formatted_number = $number."@vtext.com"; mail("$formatted_number", "", "$message", "From: john@gmail.com"); echo "Success"; } else if ($carrier == "tmobile") { $formatted_number = $number."@tomomail.net"; mail("$formatted_number", "", "$message", "From: john@gmail.com"); echo "Success"; } else if ($carrier == "sprint") { $formatted_number = $number."@messaging.sprintpcs.com"; mail("$formatted_number", "", "$message", "From: john@gmail.com"); } else if ($carrier == "att") { $formatted_number = $number."@txt.att.net"; mail("$formatted_number", "", "$message", "From: john@gmail.com"); echo "Success"; } else if ($carrier == "virgin") { $formatted_number = $number."@vmobl.com"; mail("$formatted_number", "", "$message", "From: john@gmail.com"); echo "Success"; }} ?> Quote Link to comment Share on other sites More sharing options...
outdoorxtreme Posted April 22, 2014 Author Share Posted April 22, 2014 Ah, I figured it out. The one I was trying to use didn't have and echo. It is working now. Thank you for your help Quote Link to comment Share on other sites More sharing options...
Psycho Posted April 22, 2014 Share Posted April 22, 2014 <?php //Define default data $message = "test"; $fromEmail = "john@gmail.com"; $carriers = array( 'verizon' => 'Verizon', 'tmobile' => 'T-Mobile', 'sprint' => 'Sprint', 'att' => 'AT&T', 'virgin' => 'Virgin Mobile' ); //Parse post data - if sent //Remove any non-numeric characters from phone number $number = isset($_POST['number']) ? preg_replace('#[^\d]#', '', $_POST['number']) : false; //Define the carrier $carrier = isset($_POST['carrier']) ? $_POST['carrier'] : false; $responseMessage = false; if(isset($_POST['number'])) { //Test the length of the number if(strlen($number) != 10) { //Phone number is not 10 digits $responseMessage = "Error: You must enter a 10 digit number for the recipient."; } else { //Determine the phone number format switch($carrier) { case 'verizon': $formatted_number = $number."@vtext.com"; break; case 'tmobile': $formatted_number = $number."@tomomail.net"; break; case 'sprint': $formatted_number = $number."@messaging.sprintpcs.com"; break; case 'att': $formatted_number = $number."@txt.att.net"; break; case 'virgin': $formatted_number = $number."@vmobl.com"; break; default: $responseMessage = "Error: Invalid or no carrier selected."; } } //If formatted number is set, attempt to send message if(isset($formatted_number)) { if(!mail($formatted_number, "", $message, "From: {$fromEmail}")) { $responseMessage = "Error: There was a problem sending the message."; } else { $responseMessage = "Success: Message was sent."; } } } //Create the carrier options $options = ''; foreach($carriers as $carrierID => $carrierName) { $selected = ($carrierID==$carrier) ? ' selected="selected"' : ''; $options .= "<option value='{$carrierID}'{$selected}>{$carrierName}</option>"; } ?> <html> <head></head> <body> <?php echo $responseMessage; ?> <br><br> <form id="sms" name="sms" method="post" action=""> <table width="400"> <tr> <td align="right" valign="top">Cell number:</td> <td align="left"><input name="number" type="text" id="number" size="10" value="<?php echo $number; ?>"></td> </tr> <tr> <td align="right" valign="top">Carrier:</td> <td align="left"> <select name="carrier" id="carrier"> <?php echo $options; ?> </select> </td> </tr> <tr> <td colspan="2" align="right"><button type="submit">Submit</button></td> </tr> </table> </form> </body> </html> Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.