rjo98 Posted September 10, 2014 Share Posted September 10, 2014 Hello everyone. I'm trying to learn php here on the fly because i've been tasked with moving an existing internal website to a new server because the old one is failing fast. The failing server is very old and running a much older version of php. This form when submitted should send an email but the submit button doesn't even show when running the form on the new server. Also, right now all the text fields are showing the VALUE= value. I notice if I remove VALUE= from each part that removes the text but I'm not sure if that's the proper way to fix it. Also, after the "Please wait for confirmation..." message, there is one text box prepopulated with \"ds\", then one below it with \"Click, then it appears to dump the rest of the code after </FORM> up to the last ?> onto the webpage as text. I'm guessing some coding methods changed between php4 and whatever the newest version of php is that comes with a fresh linux server install. Can anyone offer any tips or fixes? Thanks in advance. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Update My Phone Number</title> </head> <body bgcolor="White" > <table width="640"> <tr><td><hr width="640" size="2" color="Red" align="left"></td></tr> <tr><td align="left"><font size="+3"><strong>Update Employee Telephone Numbers</strong></font></td></tr> <tr><td><hr width="640" size="2" color="gray" align="left"></td></tr> </table> <br> <? $form_block = " <FORM METHOD=\"post\" ACTION=\"$PHP_SELF\"> <p><strong>Employee name: <font size=\"-1\"><em>(Exactly as it should be listed)</em></font> <font color=\"#FF0000\">**Required</font></strong><br> <INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"$employee\" SIZE=\"75\" MAXLENGTH=\"100\"></p> <p><strong>Department: <font size=\"-1\"><em>(Exactly as it should be listed)</em></font> <font color=\"#FF0000\">**Required</font></strong><br> <INPUT TYPE=\"text\" NAME=\"department\" VALUE=\"$department\" SIZE=\"75\" MAXLENGTH=\"50\"></p> <p><strong>Work Phone Number <font color=\"#FF0000\">**Required</font></strong><br> <INPUT TYPE=\"text\" NAME=\"work\" VALUE=\"$work\" SIZE=\"15\" MAXLENGTH=\"15\"></p> <p><strong>Cell Phone Number <font color=\"#FF0000\">**Required -- enter \"na\" for not applicable</font></strong><br> <INPUT TYPE=\"text\" NAME=\"cell\" VALUE=\"$cell\" SIZE=\"15\" MAXLENGTH=\"15\"></p> <p><strong>Home Phone Number <font color=\"#FF0000\">**Required -- enter \"na\" for not applicable</font></strong><br> <INPUT type=\"text\" Name=\"home\" VALUE=\"$home\" SIZE=15 \" MAXLENGTH=\"15\"> </p> <p><strong>Pager Number <font color=\"#FF0000\">**Leave blank if you don't have a pager</font></strong><br> <INPUT type=\"text\" Name=\"pager\" VALUE=\"$pager\" SIZE=15 MAXLENGTH=\"15\"> </p> <p><strong>Comments:</strong><br> <TEXTAREA NAME=\"message\" ROWS=5 COLS=50 WRAP=virtual>$message</TEXTAREA></p> <br> <p><em>Please wait for confirmation - this may take a few seconds.</em></p> <INPUT type=\"hidden\" name=\"op\" value=\"ds\"> <p><INPUT TYPE=\"submit\" NAME=\"submit\" VALUE=\"Click here to send this report\"></p> <br> </FORM> "; if ($op != "ds") { //they need to see the form echo "$form_block"; } else if ($op == "ds") { if ($employee == "") { $employee_err = "<font color=red>Please enter employee name! **REQUIRED</font><br>"; $send = "no"; } if ($department == "") { $department_err = "<font color=red>Please enter your department! **REQUIRED</font><br>"; $send = "no"; } if ($work == "") { $work_err = "<font color=red>Please enter your work phone! **REQUIRED</font><br>"; $send = "no"; } if ($cell == "") { $cell_err = "<font color=red>Please enter your cell phone! ** REQUIRED, enter \"na\" for not applicable</font><br>"; $send = "no"; } if ($home == "") { $home_err = "<font color=red>Please enter your home phone! *REQUIRED, enter \"na\" for not applicable!</font><br>"; $send = "no"; } if ($send != "no") { // it's okay to send $msg = "Please update the following phone numbers for: \t$employee\n\n"; $msg .= "Employee name:\t$employee\n\n"; $msg .= "Department:\t$department\n\n"; $msg .= "Work:\t$work\n\n"; $msg .= "Cell:\t$cell\n\n"; $msg .= "Home:\t$home\n\n"; $msg .= "Pager:\t$pager\n\n"; $msg .= "Comments:\t$message\n\n"; $to = "me@me.com"; $subject = "Phone Update: \t$employee, - \t$department\n"; $mailheaders = "From: UpdateMyPhone\n\n"; mail($to, $subject, $msg, $mailheaders); echo "<h1><font color=blue>Thank you! Your phone update has been filed. </font></h1><br> $form_block "; } else if ($send == "no") { echo "$employee_err"; echo "$department_err"; echo "$work_err"; echo "$cell_err"; echo "$home_err"; echo "$pager_err"; echo "$message_err"; echo "$form_block"; } } ?> </body> </html> Quote Link to comment Share on other sites More sharing options...
gristoi Posted September 10, 2014 Share Posted September 10, 2014 your two main issues will be down to: 1: server configuration. for example, the script you have pasted above show short opening tags '<?' should be '<?php'. 2. you are correct, you cant port a php4 codebase onto a php5 server. you will have issues with deprecation amonst other things Quote Link to comment Share on other sites More sharing options...
mac_gyver Posted September 10, 2014 Share Posted September 10, 2014 a) change the short-opening php tag <? to a full <?php tag. the short one is not portable between server settings and was a waste of time just to save typing three characters. b) ALL of the program variables, based on form data or server data, don't exist. you will instead need to use the $_POST and $_SERVER variables to access them. setting php's error_reporting to E_ALL and display_errors to ON will help you find these since they will all produce undefined variable error messages. c) if you review the php.net documentation appendixes, there are migration sections that describe what has changed over time in php. Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted September 10, 2014 Share Posted September 10, 2014 (edited) Since you're updating the script, it's worth noted that using the raw value from PHP_SELF in the form's action attribute opens your website up to XSS attacks. More information can be found here: http://seancoates.com/blogs/xss-woes Also, the <font> tag was deprecated in HTML 4.01 and marked obsolete in HTML 5. If you haven't done so already, you'll want to look into using CSS instead. More information can be found here: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/font Edited September 10, 2014 by cyberRobot Quote Link to comment Share on other sites More sharing options...
rjo98 Posted September 10, 2014 Author Share Posted September 10, 2014 (edited) ugh. sounds like this is a real mess. OK, I changed the <? to <?php and that magically fixed the text fields are showing the VALUE= value problem! I'm not sure I understand how to fix the PHP_SELF and the other ones, but they are indeed throwing "undefined variable" in error_log that I just found. Could someone tell me how to fix the PHP_SELF and maybe one of the other ones, then I can try the others? I'm just not sure which parts to change exactly of which lines. Looking online, I see a sample php mail form that has <form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>"> in it, but to my untrained eye, that looks very different than what I have, so i'm not sure which parts or part I should use. Edited September 10, 2014 by rjo98 Quote Link to comment Share on other sites More sharing options...
rjo98 Posted September 10, 2014 Author Share Posted September 10, 2014 even the HTML isn't good good grief. Thanks for all the help so far guys. Quote Link to comment Share on other sites More sharing options...
CroNiX Posted September 10, 2014 Share Posted September 10, 2014 leave the action blank, action="" and the form will submit to the current url. Or use something like <?php echo htmlentities($_SERVER['PHP_SELF']); ?> Quote Link to comment Share on other sites More sharing options...
rjo98 Posted September 10, 2014 Author Share Posted September 10, 2014 so from the code in my original post, I would just make it <FORM METHOD=\"post\" ACTION=""> like that? or is even the METHOD= part not right? Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted September 10, 2014 Share Posted September 10, 2014 (edited) Could someone tell me how to fix the PHP_SELF and maybe one of the other ones, then I can try the others? I'm just not sure which parts to change exactly of which lines. For the others see point b) of mac_gyver's post. You might find reading the PHP documentation on how PHP deals with forms and the bit about GET and POST here helpful As for PHP_SELF remove it. There is no need for it. Set the form action to a blank to submit the form to itself. Basically your code is outdated. It was coded in PHP4.x era (when a setting called regsiter_globals was enabled). In year 2002 (over 10 years ago) this setting was turned off by default but lazy programmers back then opted to keep the setting enabled. Your host has recently upgraded their severs to PHP5.4 (or newer) a lot has changed since PHP4 this is why your code is not functioning correctly. Edited September 10, 2014 by Ch0cu3r Quote Link to comment Share on other sites More sharing options...
rjo98 Posted September 10, 2014 Author Share Posted September 10, 2014 ok, figure I better take this one thing at a time, and trying to tackle what I thought would be the easier one first. I changed that line to <FORM METHOD="post" ACTION=""> but when I do a php -l on the file, I get PHP Parse error: syntax error, unexpected T_STRING for that line. even if I leave the METHOD= part the same as my OP, I still get the error. Quote Link to comment Share on other sites More sharing options...
CroNiX Posted September 10, 2014 Share Posted September 10, 2014 You probably didn't escape the quotes, since the entire form is contained in a php variable as a string (which is stupid). Quote Link to comment Share on other sites More sharing options...
CroNiX Posted September 10, 2014 Share Posted September 10, 2014 Notice how the original (crap code) is <FORM METHOD=\"post\" ACTION=\"$PHP_SELF\"> So you'd need <FORM METHOD=\"post\" ACTION=\"\"> 1 Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted September 10, 2014 Share Posted September 10, 2014 You probably didn't escape the quotes... @rjo98 - You could also simplify the code by using single quotes: $form_block = " <FORM METHOD='post' ACTION=''> Or you could look into separating the HTML code from the PHP code. Of course, that's going to take a bit more work. Quote Link to comment Share on other sites More sharing options...
rjo98 Posted September 10, 2014 Author Share Posted September 10, 2014 I should have just referenced it as crap code from the start, that would have made all my posts cleaner hahaha Escaping them like post #12 said makes php -l happy. I'd love to simplify by using single quotes or not having to escape everything, but i'm afraid i'd mess up more than I'd fix. ok, error_log no longer complains about that PHP_SELF !!! Can someone dumb down the explanation of how I can define things like employee? Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted September 10, 2014 Share Posted September 10, 2014 It makes little sense to focus on one particular XSS vulnerability (the PHP_SELF stuff) when the entire script is full of them. The question is what exactly you're supposed to do. Is this just a quick hack to get the application up again, no matter how rotten it is on the inside? Or are you supposed to actually repair the code and maybe even modernize it? Those are two entirely different tasks. The former will be relatively quick, but of course all problems are still there and may pop up at any occasion. The latter will take much, much more time, because you'll have to rewrite large parts of the code. If you're not sure, ask the people in charge. Quote Link to comment Share on other sites More sharing options...
rjo98 Posted September 10, 2014 Author Share Posted September 10, 2014 Original intent was to move an internal website, which this form is a piece of, to a new server before the old server dies. So the most direct way, and truly the answer to your question, is quick hack to make it work again on the new server with current versions of everything. But for my personal knowledge I'd love to repair/modernize it after the quick hack, just from a purely educational perspective to learn more about php. But really, quick hack would suffice for this. Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted September 10, 2014 Share Posted September 10, 2014 (edited) For a quick hack, you just need to replace the variables which PHP used to define automatically due to the register_globals “feature”. If you're not using an IDE like Netbeans, install it now. This will mark all undefined variables. For each variable, you have to find out where it's supposed to come from and then replace the variable accordingly. Take $employee as an example: This obviously comes from the POST parameters after the form has been submitted. So you replace $employee with $_POST['employee']. But for my personal knowledge I'd love to repair/modernize it after the quick hack, just from a purely educational perspective to learn more about php. You cannot learn anything from this code – except how not to program. If you want to learn PHP, check out modern applications, not shitty amateur code from the late 90s. Edited September 10, 2014 by Jacques1 Quote Link to comment Share on other sites More sharing options...
rjo98 Posted September 11, 2014 Author Share Posted September 11, 2014 The way I've been doing it is vi'ing the file on the server, then php -l to see if it's ok, then refreshing the webpage to see what happens. I do see in error_log which lines it doesn't like when I load the page, which are all the INPUT ones, so does that mean I only need to make that one's VALUE=\"$_POST['employee']\" ? I'm going to give it a shot and will post back, maybe i'll get lucky and do something right the first time for once with this haha Quote Link to comment Share on other sites More sharing options...
rjo98 Posted September 11, 2014 Author Share Posted September 11, 2014 Tried <INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"$_POST['employee']\" SIZE=\"75\" MAXLENGTH=\"100\"></p> and <INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"$_POST["employee"]\" SIZE=\"75\" MAXLENGTH=\"100\"></p> and <INPUT TYPE=\"text\" NAME=\"employee\" VALUE=$_POST['employee'] SIZE=\"75\" MAXLENGTH=\"100\"></p> and they all errored in php -lbut I tried <INPUT TYPE=\"text\" NAME=\"employee\" VALUE=$_POST[employee] SIZE=\"75\" MAXLENGTH=\"100\"></p> and it makes php -l happy, but I still get Undefined variable in error_log Am I even getting warmer? Quote Link to comment Share on other sites More sharing options...
Jacques1 Posted September 11, 2014 Share Posted September 11, 2014 You need to actually submit the form. There are no POST parameters before that. If the notices bother you, then of course you might add all kinds of checks for the request method and the individual parameters. But the checks weren't there before, and they are not necessary to get the application up again. Quote Link to comment Share on other sites More sharing options...
rjo98 Posted September 11, 2014 Author Share Posted September 11, 2014 I thought I had to run php -l on the file to make sure the syntax was all correct before trying it, is that not the case? The notices in error_log don't bother me, I just thought that meant there was still a problem so I did something wrong. So was that last way that passed the php -l check the correct way to do it? If it was, I can do the other ones in the morning and see where that gets me. Quote Link to comment Share on other sites More sharing options...
jcbones Posted September 11, 2014 Share Posted September 11, 2014 I'm in a giving mood tonight, see if this helps. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>Update My Phone Number</title> </head> <body bgcolor="White" > <table width="640"> <tr><td><hr width="640" size="2" color="Red" align="left"></td></tr> <tr><td align="left"><font size="+3"><strong>Update Employee Telephone Numbers</strong></font></td></tr> <tr><td><hr width="640" size="2" color="gray" align="left"></td></tr> </table> <br> <?php $employee = (!empty($_POST['employee'])) ? htmlentities($_POST['employee'],ENT_QUOTES) : NULL; $department = (!empty($_POST['department'])) ? htmlentities($_POST['department'],ENT_QUOTES) : NULL; $work = (!empty($_POST['work'])) ? htmlentities($_POST['work'],ENT_QUOTES) : NULL; $cell = (!empty($_POST['cell'])) ? htmlentities($_POST['cell'],ENT_QUOTES) : NULL; $home = (!empty($_POST['home'])) ? htmlentities($_POST['home'],ENT_QUOTES) : NULL; $pager = (!empty($_POST['pager'])) ? htmlentities($_POST['pager'],ENT_QUOTES) : NULL; $message = (!empty($_POST['message'])) ? htmlentities($_POST['message'],ENT_QUOTES) : NULL; $form_block = " <FORM METHOD=\"post\" ACTION=\"\"> <p><strong>Employee name: <font size=\"-1\"><em>(Exactly as it should be listed)</em></font> <font color=\"#FF0000\">**Required</font></strong><br> <INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"$employee\" SIZE=\"75\" MAXLENGTH=\"100\"></p> <p><strong>Department: <font size=\"-1\"><em>(Exactly as it should be listed)</em></font> <font color=\"#FF0000\">**Required</font></strong><br> <INPUT TYPE=\"text\" NAME=\"department\" VALUE=\"$department\" SIZE=\"75\" MAXLENGTH=\"50\"></p> <p><strong>Work Phone Number <font color=\"#FF0000\">**Required</font></strong><br> <INPUT TYPE=\"text\" NAME=\"work\" VALUE=\"$work\" SIZE=\"15\" MAXLENGTH=\"15\"></p> <p><strong>Cell Phone Number <font color=\"#FF0000\">**Required -- enter \"na\" for not applicable</font></strong><br> <INPUT TYPE=\"text\" NAME=\"cell\" VALUE=\"$cell\" SIZE=\"15\" MAXLENGTH=\"15\"></p> <p><strong>Home Phone Number <font color=\"#FF0000\">**Required -- enter \"na\" for not applicable</font></strong><br> <INPUT type=\"text\" Name=\"home\" VALUE=\"$home\" SIZE=15 \" MAXLENGTH=\"15\"> </p> <p><strong>Pager Number <font color=\"#FF0000\">**Leave blank if you don't have a pager</font></strong><br> <INPUT type=\"text\" Name=\"pager\" VALUE=\"$pager\" SIZE=15 MAXLENGTH=\"15\"> </p> <p><strong>Comments:</strong><br> <TEXTAREA NAME=\"message\" ROWS=5 COLS=50 WRAP=virtual>$message</TEXTAREA></p> <br> <p><em>Please wait for confirmation - this may take a few seconds.</em></p> <INPUT type=\"hidden\" name=\"op\" value=\"ds\"> <p><INPUT TYPE=\"submit\" NAME=\"submit\" VALUE=\"Click here to send this report\"></p> <br> </FORM> "; $send = 'yes'; if (empty($_POST['op']) || $_POST['op'] != "ds") { //they need to see the form echo "$form_block"; } else if (!empty($_POST['op']) && $_POST['op'] == "ds") { if ($employee == "") { $err[] = "<font color=red>Please enter employee name! **REQUIRED</font><br>"; $send = "no"; } if ($department == "") { $err[] = "<font color=red>Please enter your department! **REQUIRED</font><br>"; $send = "no"; } if ($work == "") { $err[] = "<font color=red>Please enter your work phone! **REQUIRED</font><br>"; $send = "no"; } if ($cell == "") { $err[] = "<font color=red>Please enter your cell phone! ** REQUIRED, enter \"na\" for not applicable</font><br>"; $send = "no"; } if ($home == "") { $err[] = "<font color=red>Please enter your home phone! *REQUIRED, enter \"na\" for not applicable!</font><br>"; $send = "no"; } if ($send != "no") { // it's okay to send $msg = "Please update the following phone numbers for: \t$employee\n\n"; $msg .= "Employee name:\t$employee\n\n"; $msg .= "Department:\t$department\n\n"; $msg .= "Work:\t$work\n\n"; $msg .= "Cell:\t$cell\n\n"; $msg .= "Home:\t$home\n\n"; $msg .= "Pager:\t$pager\n\n"; $msg .= "Comments:\t$message\n\n"; $to = "me@me.com"; $subject = "Phone Update: \t$employee, - \t$department\n"; $mailheaders = "From: UpdateMyPhone\n\n"; mail($to, $subject, $msg, $mailheaders); echo "<h1><font color=blue>Thank you! Your phone update has been filed. </font></h1><br> $form_block "; } else if ($send == "no") { foreach($err as $error) { echo $error; } echo $form_block; } } ?> </body> </html> Like This PS. You should be checking for variable types (validation), as well as sanitation. Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted September 11, 2014 Share Posted September 11, 2014 and it makes php -l happy, but I still get Undefined variable in error_log For what it's worth, this <INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"$_POST['employee']\" SIZE=\"75\" MAXLENGTH=\"100\"></p> Should have been this <INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"{$_POST['employee']}\" SIZE=\"75\" MAXLENGTH=\"100\"></p> Note the curly brackets around the array variable. Of course, that still wouldn't fix the undefined variable. To fix that error, you could use a solution like the one suggested by jcbones You cannot learn anything from this code – except how not to program. I disagree. There is value in knowing how to take an outdated program and prepare it for today's standards. This likely won't be the last time rjo98 needs to upgrade someone else's script. The more experience rjo98 has in upgrading scripts, the faster the process will go. Quote Link to comment Share on other sites More sharing options...
rjo98 Posted September 11, 2014 Author Share Posted September 11, 2014 It works, and looks a LOT better than the old one did! jcbones, many many thanks for your giving spirit. And at least I now have something good to look at to try to figure out how all of this should work and what it does. Oh, so $_POST is actually an array and employee and stuff are the references rather than how other languages use numbers? that makes sense, and I wondered that since it looked like a c++ array kinda. Quote Link to comment Share on other sites More sharing options...
cyberRobot Posted September 11, 2014 Share Posted September 11, 2014 $_POST is an associative array; more information can be found here: http://php.net/manual/en/reserved.variables.post.php Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.