Hi, I'm a beginner to PHP scripting. I'm trying to get the error message to work correctly when the number field is left blank in this code. If you see anything else I may be doing wrong or a better way, I would appreciate any input. Basically, what this script will do is that a person can enter their cell number and select their carrier, then press submit. It will then send them a message to their mobile. Thanks for your help.

<?php

echo"<form id=\"sms\" name=\"sms\" method=\"post\"

action=\"".$_SERVER['PHP_SELF']."\">
<table width=\"400\">
<tr>
<td align=\"right\" valign=\"top\">Cell number:</td>
<td align=\"left\"><input name=\"number\" type=\"text\" id=\"number\"

size=\"10\"> No dashes</td>
</tr>
<tr>
<td align=\"right\" valign=\"top\">Carrier:</td>
<td align=\"left\"><select name=\"carrier\" id=\"carrier\">
<option value=\"verizon\">Verizon</option>
<option value=\"tmobile\">T-Mobile</option>
<option value=\"sprint\">Sprint</option>
<option value=\"att\">AT&T</option>
<option value=\"virgin\">Virgin Mobile</option>
</select></td>
</tr>
<tr>
<td colspan=\"2\" align=\"right\"><input type=\"submit\" name=\"Submit\"

value=\"Submit\"></td>
</tr>
</table>
</form>";


$number = $_POST['number'];
$carrier = $_POST['carrier'];
$message = "test";

if( !empty($_POST['number']))
echo "You must enter a number to send to";

else if ($carrier == "verizon") {
$formatted_number = $number."@vtext.com";
mail("$formatted_number", "", "$message", "From: john@gmail.com");

echo "Success";
}

else if ($carrier == "tmobile") {
$formatted_number = $number."@tomomail.net";
mail("$formatted_number", "", "$message", "From: john@gmail.com");

echo "Success";
}

else if ($carrier == "sprint") {
$formatted_number = $number."@messaging.sprintpcs.com";
mail("$formatted_number", "", "$message", "From: john@gmail.com");

}

else if ($carrier == "att") {
$formatted_number = $number."@txt.att.net";
mail("$formatted_number", "", "$message", "From: john@gmail.com");

echo "Success";
}

else if ($carrier == "virgin") {
$formatted_number = $number."@vmobl.com";
mail("$formatted_number", "", "$message", "From: john@gmail.com");

echo "Success";
}
?> 

The message is currently set to display when the number is not empty. Try removing the not operator (!):

if( empty($_POST['number']))
echo "You must enter a number to send to";

Also, I would recommend checking out the following article which talks about the security risks with using PHP_SELF as a form action:

http://seancoates.com/blogs/xss-woes

No, you didn't fix the vulnerability. And I don't think you understand the problem.

Try calling your script with this URL:

localhost/yourscript.php/%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

This is a perfectly valid URL. But if you open your page with it, you'll see a JavaScript popup saying "XSS". Oops.

Your sanitizing stuff doesn't do anything. The problem is that you fail to escape the URL and allow the user to inject malicious JavaScript code into your page. That's what needs to be fixed. Whether or not the URL is valid is completely irrelevant for this.

So you need to escape the URL like any other user input:

<?php

// if you don't use UTF-8, adjust the encoding
function html_escape($raw_input)
{
	return htmlspecialchars($raw_input, ENT_QUOTES, 'UTF-8');
}
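
Added example (not part of the original posts): it runs the URL quoted above through each form-action variant that appears in this thread and reports which ones leave markup characters unescaped in the `action` attribute. The `$phpSelf` value is constructed from that URL, `form_tag()` is a hypothetical helper, and `filter_var()` is used here to apply the same `FILTER_SANITIZE_URL` filter as the `filter_input()` call posted elsewhere in the thread.

```php
<?php
// Constructed sample: the value PHP_SELF holds when the script is requested
// with the URL quoted above (the server has already URL-decoded the path).
$phpSelf = "/yourscript.php/<script>alert('XSS')</script>";

// Same helper as in the post above.
function html_escape($raw_input)
{
    return htmlspecialchars($raw_input, ENT_QUOTES, 'UTF-8');
}

// Hypothetical helper: builds the opening form tag used throughout the thread.
function form_tag($action)
{
    return '<form id="sms" name="sms" method="post" action="' . $action . '">';
}

// The four ways of filling the action attribute that the thread discusses.
$variants = array(
    'raw PHP_SELF'        => $phpSelf,
    'FILTER_SANITIZE_URL' => filter_var($phpSelf, FILTER_SANITIZE_URL),
    'html_escape()'       => html_escape($phpSelf),
    'empty action'        => '',
);

foreach ($variants as $label => $action) {
    // Any of < > " ' surviving in the attribute value means request data
    // reaches the page as markup instead of text.
    $unsafe = preg_match('/[<>"\']/', $action) === 1;
    printf("%-20s %s\n  %s\n", $label, $unsafe ? 'UNESCAPED' : 'ok', form_tag($action));
}
```

`FILTER_SANITIZE_URL` only strips characters that are not allowed in a URL, and `<`, `>`, `"` and `'` are all on its allowed list, so the value passes through unchanged; `htmlspecialchars()` with `ENT_QUOTES` encodes all four.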

Currently, when a number is not entered and submit is pressed, it displays "Success"; it should display "You must enter a number to send to". I only want the message displayed after the submit button is pressed.

Before running the code to process the form, you could test to see if the form has been submitted. For example, you could do something like this:

if(isset($_POST['Submit'])) {
     //code to process form here
}
 
 

 

I fixed the security risk with changing these lines

$phpSelf = filter_input(INPUT_SERVER, 'PHP_SELF', FILTER_SANITIZE_URL);

echo"<form id=\"sms\" name=\"sms\" method=\"post\" action=\"".$phpSelf."\">

 

You could just leave the action attribute blank.

echo"<form id=\"sms\" name=\"sms\" method=\"post\" action=''>

Ok, I have almost everything working but it doesn't echo "Success" if it was successfully submitted.

<?php

function html_escape($raw_input)
{
	return htmlspecialchars($raw_input, ENT_QUOTES, 'UTF-8');
}

echo"<form id=\"sms\" name=\"sms\" method=\"post\" action=\"\">
<table width=\"300\">
  <tr>
    <td align=\"right\" valign=\"top\">Cell number:</td>
    <td align=\"left\"><input name=\"number\" type=\"text\" id=\"number\" 

size=\"10\"> No dashes</td>
  </tr>
  <tr>
    <td align=\"right\" valign=\"top\">Carrier:</td>
    <td align=\"left\">
      <select name=\"carrier\" id=\"carrier\">
        <option value=\"verizon\">Verizon</option>
        <option value=\"tmobile\">T-Mobile</option>
        <option value=\"sprint\">Sprint</option>
        <option value=\"att\">AT&T</option>
        <option value=\"virgin\">Virgin Mobile</option>
      </select>
    </td>
  </tr>
  <tr>
    <td colspan=\"2\" align=\"center\" ><input type=\"submit\" name=\"Submit\" 

value=\"Submit\"></td>
    </tr>
</table>
</form>";

if(isset($_POST['Submit'])) {
$number = $_POST['number'];
$carrier = $_POST['carrier'];
$message = "test";

if( empty($_POST['number']))
   echo "You must enter a number to send to";

else if ($carrier == "verizon") {
$formatted_number = $number."@vtext.com";
mail("$formatted_number", "", "$message", "From: john@gmail.com"); 

echo "Success";
}

else if ($carrier == "tmobile") {
$formatted_number = $number."@tomomail.net";
mail("$formatted_number", "", "$message", "From: john@gmail.com");

echo "Success";
}

else if ($carrier == "sprint") {
$formatted_number = $number."@messaging.sprintpcs.com";
mail("$formatted_number", "", "$message", "From: john@gmail.com");

}

else if ($carrier == "att") {
$formatted_number = $number."@txt.att.net";
mail("$formatted_number", "", "$message", "From: john@gmail.com");

echo "Success";
}

else if ($carrier == "virgin") {
$formatted_number = $number."@vmobl.com";
mail("$formatted_number", "", "$message", "From: john@gmail.com");

echo "Success";
}}
?>

 

<?php
 
//Define default data
$message = "test";
$fromEmail = "john@gmail.com";
$carriers = array(
    'verizon' => 'Verizon',
    'tmobile' => 'T-Mobile',
    'sprint'  => 'Sprint',
    'att'     => 'AT&T',
    'virgin'  => 'Virgin Mobile'
);
 
//Parse post data - if sent
//Remove any non-numeric characters from phone number
$number = isset($_POST['number']) ? preg_replace('#[^\d]#', '', $_POST['number']) : false;
//Define the carrier
$carrier = isset($_POST['carrier']) ? $_POST['carrier'] : false;
 
$responseMessage = false;
if(isset($_POST['number']))
{
    //Test the length of the number
    if(strlen($number) != 10)
    {
        //Phone number is not 10 digits
        $responseMessage = "Error: You must enter a 10 digit number for the recipient.";
    }
    else
    {
        //Determine the phone number format
        switch($carrier)
        {
            case 'verizon':
                $formatted_number = $number."@vtext.com";
                break;
            case 'tmobile':
                $formatted_number = $number."@tomomail.net";
                break;
            case 'sprint':
                $formatted_number = $number."@messaging.sprintpcs.com";
                break;
            case 'att':
                $formatted_number = $number."@txt.att.net";
                break;
            case 'virgin':
                $formatted_number = $number."@vmobl.com";
                break;
            default:
                $responseMessage = "Error: Invalid or no carrier selected.";
        }
    }
 
    //If formatted number is set, attempt to send message
    if(isset($formatted_number))
    {
        if(!mail($formatted_number, "", $message, "From: {$fromEmail}"))
        {
            $responseMessage = "Error: There was a problem sending the message.";
        }
        else
        {
            $responseMessage = "Success: Message was sent.";
        }
    }
}
 
//Create the carrier options
$options = '';
foreach($carriers as $carrierID => $carrierName)
{
    $selected = ($carrierID==$carrier) ? ' selected="selected"' : '';
    $options .= "<option value='{$carrierID}'{$selected}>{$carrierName}</option>";
}
 
?>
<html>
<head></head>
 
<body>
 
<?php echo $responseMessage; ?>
<br><br>
<form id="sms" name="sms" method="post" action="">
<table width="400">
        <tr>
            <td align="right" valign="top">Cell number:</td>
            <td align="left"><input name="number" type="text" id="number" size="10" value="<?php echo $number; ?>"></td>
    </tr>
    <tr>
        <td align="right" valign="top">Carrier:</td>
        <td align="left">
        <select name="carrier" id="carrier">
            <?php echo $options; ?>
        </select>
        </td>
    </tr>
    <tr>
        <td colspan="2" align="right"><button type="submit">Submit</button></td>
    </tr>
</table>
</form>
 
</body>
</html>