Jump to content

PHP form moved to new server, all kinds of weird issues


Recommended Posts

Hello everyone.  I'm trying to learn php here on the fly because i've been tasked with moving an existing internal website to a new server because the old one is failing fast.  The failing server is very old and running a much older version of php.  This form when submitted should send an email but the submit button doesn't even show when running the form on the new server.  Also, right now all the text fields are showing the VALUE= value.  I notice if I remove VALUE= from each part that removes the text but I'm not sure if that's the proper way to fix it.

 

Also, after the "Please wait for confirmation..." message, there is one text box prepopulated with \"ds\", then one below it with \"Click, then it appears to dump the rest of the code after </FORM> up to the last ?> onto the webpage as text.

 

I'm guessing some coding methods changed between php4 and whatever the newest version of php is that comes with a fresh linux server install.  Can anyone offer any tips or fixes?  Thanks in advance. 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
	<title>Update My Phone Number</title>
</head>


<body bgcolor="White" >

<table width="640">
<tr><td><hr width="640" size="2" color="Red" align="left"></td></tr>
<tr><td align="left"><font size="+3"><strong>Update Employee Telephone Numbers</strong></font></td></tr>
<tr><td><hr width="640" size="2" color="gray" align="left"></td></tr>
</table>
<br>



<? 

$form_block = "
<FORM METHOD=\"post\" ACTION=\"$PHP_SELF\">

<p><strong>Employee name: <font size=\"-1\"><em>(Exactly as it should be listed)</em></font>  <font color=\"#FF0000\">**Required</font></strong><br>
<INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"$employee\" SIZE=\"75\" MAXLENGTH=\"100\"></p>

<p><strong>Department: <font size=\"-1\"><em>(Exactly as it should be listed)</em></font>  <font color=\"#FF0000\">**Required</font></strong><br>
<INPUT TYPE=\"text\" NAME=\"department\" VALUE=\"$department\" SIZE=\"75\" MAXLENGTH=\"50\"></p>

<p><strong>Work Phone Number  <font color=\"#FF0000\">**Required</font></strong><br>
<INPUT TYPE=\"text\" NAME=\"work\" VALUE=\"$work\" SIZE=\"15\" MAXLENGTH=\"15\"></p>

<p><strong>Cell Phone Number <font color=\"#FF0000\">**Required -- enter \"na\" for not applicable</font></strong><br>
<INPUT TYPE=\"text\" NAME=\"cell\" VALUE=\"$cell\" SIZE=\"15\" MAXLENGTH=\"15\"></p>

<p><strong>Home Phone Number  <font color=\"#FF0000\">**Required -- enter \"na\" for not applicable</font></strong><br>
<INPUT type=\"text\" Name=\"home\" VALUE=\"$home\" SIZE=15 \" MAXLENGTH=\"15\"> </p>

<p><strong>Pager Number  <font color=\"#FF0000\">**Leave blank if you don't have a pager</font></strong><br>
<INPUT type=\"text\" Name=\"pager\" VALUE=\"$pager\" SIZE=15 MAXLENGTH=\"15\"> </p>

<p><strong>Comments:</strong><br>
<TEXTAREA NAME=\"message\" ROWS=5 COLS=50 WRAP=virtual>$message</TEXTAREA></p>
<br>

<p><em>Please wait for confirmation - this may take a few seconds.</em></p>


<INPUT type=\"hidden\" name=\"op\" value=\"ds\">

<p><INPUT TYPE=\"submit\" NAME=\"submit\" VALUE=\"Click here to send this report\"></p>


<br>

</FORM>
";


if ($op != "ds") {

	//they need to see the form
	echo "$form_block";

} else if ($op == "ds") {

	if ($employee == "") {
		$employee_err = "<font color=red>Please enter employee name!  **REQUIRED</font><br>";
		$send = "no";
	}

	if ($department == "") {
		$department_err = "<font color=red>Please enter your department!  **REQUIRED</font><br>";
		$send = "no";
	}

	if ($work == "") {
		$work_err = "<font color=red>Please enter your work phone!  **REQUIRED</font><br>";
		$send = "no";
	}

	if ($cell == "") {
		$cell_err = "<font color=red>Please enter your cell phone!  ** REQUIRED, enter \"na\" for not applicable</font><br>";
		$send = "no";
	}

	if ($home == "") {
		$home_err = "<font color=red>Please enter your home phone!  *REQUIRED, enter \"na\" for not applicable!</font><br>";
		$send = "no";
	}


	if ($send != "no") {
	// it's okay to send
	
		$msg = "Please update the following phone numbers for: \t$employee\n\n";

		$msg .= "Employee name:\t$employee\n\n";

		$msg .= "Department:\t$department\n\n";

		$msg .= "Work:\t$work\n\n";

		$msg .= "Cell:\t$cell\n\n";

		$msg .= "Home:\t$home\n\n";

		$msg .= "Pager:\t$pager\n\n";

		$msg .= "Comments:\t$message\n\n";

		$to = "me@me.com"; 

		$subject = "Phone Update: \t$employee, - \t$department\n";

		$mailheaders = "From: UpdateMyPhone\n\n";

		mail($to, $subject, $msg, $mailheaders);

		echo "<h1><font color=blue>Thank you! Your phone update has been filed. </font></h1><br> $form_block ";

	}  else if ($send == "no")  {

		echo "$employee_err";
		echo "$department_err";
		echo "$work_err";
		echo "$cell_err";
		echo "$home_err";
		echo "$pager_err";
		echo "$message_err";
		echo "$form_block";
	}
}

?>

</body>
</html>



your two main issues will be down to:

1: server configuration. for example, the script you have pasted above show short opening tags '<?' should be '<?php'.

2. you are correct, you cant port a php4 codebase onto a php5 server. you will have issues with deprecation amonst other things

a) change the short-opening php tag <? to a full <?php tag. the short one is not portable between server settings and was a waste of time just to save typing three characters.

 

b) ALL of the program variables, based on form data or server data, don't exist. you will instead need to use the $_POST and $_SERVER variables to access them. setting php's error_reporting to E_ALL and display_errors to ON will help you find these since they will all produce undefined variable error messages.

 

c) if you review the php.net documentation appendixes, there are migration sections that describe what has changed over time in php.

Since you're updating the script, it's worth noted that using the raw value from PHP_SELF in the form's action attribute opens your website up to XSS attacks. More information can be found here:

http://seancoates.com/blogs/xss-woes

 

Also, the <font> tag was deprecated in HTML 4.01 and marked obsolete in HTML 5. If you haven't done so already, you'll want to look into using CSS instead. More information can be found here:

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/font

Edited by cyberRobot
  • ugh.  sounds like this is a real mess.

 

OK, I changed the <? to <?php and that magically fixed the text fields are showing the VALUE= value problem!

 

I'm not sure I understand how to fix the PHP_SELF and the other ones, but they are indeed throwing "undefined variable" in error_log that I just found.

 

Could someone tell me how to fix the PHP_SELF and maybe one of the other ones, then I can try the others?  I'm just not sure which parts to change exactly of which lines.  Looking online, I see a sample php mail form that has <form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>"> in it, but to my untrained eye, that looks very different than what I have, so i'm not sure which parts or part I should use. 

Edited by rjo98

 

 

Could someone tell me how to fix the PHP_SELF and maybe one of the other ones, then I can try the others?  I'm just not sure which parts to change exactly of which lines.

For the others see point b) of mac_gyver's post. You might find reading the PHP documentation on how PHP deals with forms and the bit about GET and POST here helpful

 

As for PHP_SELF remove it. There is no need for it. Set the form action to a blank to submit the form to itself.

 

Basically your code is outdated. It was coded in PHP4.x era (when a setting called regsiter_globals was enabled). In year 2002 (over 10 years ago) this setting was turned off by default but lazy programmers back then opted to keep the setting enabled. Your host has recently upgraded their severs to PHP5.4 (or newer) a lot has changed since PHP4 this is why your code is not functioning correctly.

Edited by Ch0cu3r

ok, figure I better take this one thing at a time, and trying to tackle what I thought would be the easier one first.  I changed that line to

 

<FORM METHOD="post" ACTION="">

 

but when I do a php -l on the file, I get
 

PHP Parse error:  syntax error, unexpected T_STRING

 

for that line.  even if I leave the METHOD= part the same as my OP, I still get the error.

 

:-\

You probably didn't escape the quotes...

 

@rjo98 - You could also simplify the code by using single quotes:

$form_block = "
<FORM METHOD='post' ACTION=''>

Or you could look into separating the HTML code from the PHP code. Of course, that's going to take a bit more work.  :happy-04:

I should have just referenced it as crap code from the start, that would have made all my posts cleaner hahaha

 

Escaping them like post #12 said makes php -l happy.

 

I'd love to simplify by using single quotes or not having to escape everything, but i'm afraid i'd mess up more than I'd fix.

 

ok, error_log no longer complains about that PHP_SELF !!!

 

Can someone dumb down the explanation of how I can define things like employee?

It makes little sense to focus on one particular XSS vulnerability (the PHP_SELF stuff) when the entire script is full of them.

 

The question is what exactly you're supposed to do. Is this just a quick hack to get the application up again, no matter how rotten it is on the inside? Or are you supposed to actually repair the code and maybe even modernize it?

 

Those are two entirely different tasks. The former will be relatively quick, but of course all problems are still there and may pop up at any occasion. The latter will take much, much more time, because you'll have to rewrite large parts of the code. 

 

If you're not sure, ask the people in charge.

Original intent was to move an internal website, which this form is a piece of, to a new server before the old server dies. 

 

So the most direct way, and truly the answer to your question, is quick hack to make it work again on the new server with current versions of everything. 

 

But for my personal knowledge I'd love to repair/modernize it after the quick hack, just from a purely educational perspective to learn more about php.  But really, quick hack would suffice for this.

For a quick hack, you just need to replace the variables which PHP used to define automatically due to the register_globals “feature”. 

 

If you're not using an IDE like Netbeans, install it now. This will mark all undefined variables. For each variable, you have to find out where it's supposed to come from and then replace the variable accordingly. Take $employee as an example: This obviously comes from the POST parameters after the form has been submitted. So you replace $employee with $_POST['employee'].

 

 

 

But for my personal knowledge I'd love to repair/modernize it after the quick hack, just from a purely educational perspective to learn more about php.

 

You cannot learn anything from this code – except how not to program.

 

If you want to learn PHP, check out modern applications, not shitty amateur code from the late 90s.

Edited by Jacques1

The way I've been doing it is vi'ing the file on the server, then php -l to see if it's ok, then refreshing the webpage to see what happens.  I do see in error_log which lines it doesn't like when I load the page, which are all the INPUT ones, so does that mean I only need to make that one's VALUE=\"$_POST['employee']\"  ?   I'm going to give it a shot and will post back, maybe i'll get lucky and do something right the first time for once with this haha

Tried

<INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"$_POST['employee']\" SIZE=\"75\" MAXLENGTH=\"100\"></p>

and

<INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"$_POST["employee"]\" SIZE=\"75\" MAXLENGTH=\"100\"></p>

and

<INPUT TYPE=\"text\" NAME=\"employee\" VALUE=$_POST['employee'] SIZE=\"75\" MAXLENGTH=\"100\"></p>

and they all errored in php -l
but I tried

<INPUT TYPE=\"text\" NAME=\"employee\" VALUE=$_POST[employee] SIZE=\"75\" MAXLENGTH=\"100\"></p>

and it makes php -l happy, but I still get Undefined variable in error_log

 

Am I even getting warmer?
 

You need to actually submit the form. There are no POST parameters before that.

 

If the notices bother you, then of course you might add all kinds of checks for the request method and the individual parameters. But the checks weren't there before, and they are not necessary to get the application up again.

I thought I had to run php -l on the file to make sure the syntax was all correct before trying it, is that not the case?

 

The notices in error_log don't bother me, I just thought that meant there was still a problem so I did something wrong.

 

So was that last way that passed the php -l check the correct way to do it?  If it was, I can do the other ones in the morning and see where that gets me.

I'm in a giving mood tonight, see if this helps.

 

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">

<html>
<head>
    <title>Update My Phone Number</title>
</head>


<body bgcolor="White" >

<table width="640">
<tr><td><hr width="640" size="2" color="Red" align="left"></td></tr>
<tr><td align="left"><font size="+3"><strong>Update Employee Telephone Numbers</strong></font></td></tr>
<tr><td><hr width="640" size="2" color="gray" align="left"></td></tr>
</table>
<br>



<?php
$employee = (!empty($_POST['employee'])) ? htmlentities($_POST['employee'],ENT_QUOTES) : NULL;
$department = (!empty($_POST['department'])) ? htmlentities($_POST['department'],ENT_QUOTES) : NULL;
$work = (!empty($_POST['work'])) ? htmlentities($_POST['work'],ENT_QUOTES) : NULL;
$cell = (!empty($_POST['cell'])) ? htmlentities($_POST['cell'],ENT_QUOTES) : NULL;
$home = (!empty($_POST['home'])) ? htmlentities($_POST['home'],ENT_QUOTES) : NULL;
$pager = (!empty($_POST['pager'])) ? htmlentities($_POST['pager'],ENT_QUOTES) : NULL;
$message = (!empty($_POST['message'])) ? htmlentities($_POST['message'],ENT_QUOTES) : NULL;

$form_block = "
<FORM METHOD=\"post\" ACTION=\"\">

<p><strong>Employee name: <font size=\"-1\"><em>(Exactly as it should be listed)</em></font>  <font color=\"#FF0000\">**Required</font></strong><br>
<INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"$employee\" SIZE=\"75\" MAXLENGTH=\"100\"></p>

<p><strong>Department: <font size=\"-1\"><em>(Exactly as it should be listed)</em></font>  <font color=\"#FF0000\">**Required</font></strong><br>
<INPUT TYPE=\"text\" NAME=\"department\" VALUE=\"$department\" SIZE=\"75\" MAXLENGTH=\"50\"></p>

<p><strong>Work Phone Number  <font color=\"#FF0000\">**Required</font></strong><br>
<INPUT TYPE=\"text\" NAME=\"work\" VALUE=\"$work\" SIZE=\"15\" MAXLENGTH=\"15\"></p>

<p><strong>Cell Phone Number <font color=\"#FF0000\">**Required -- enter \"na\" for not applicable</font></strong><br>
<INPUT TYPE=\"text\" NAME=\"cell\" VALUE=\"$cell\" SIZE=\"15\" MAXLENGTH=\"15\"></p>

<p><strong>Home Phone Number  <font color=\"#FF0000\">**Required -- enter \"na\" for not applicable</font></strong><br>
<INPUT type=\"text\" Name=\"home\" VALUE=\"$home\" SIZE=15 \" MAXLENGTH=\"15\"> </p>

<p><strong>Pager Number  <font color=\"#FF0000\">**Leave blank if you don't have a pager</font></strong><br>
<INPUT type=\"text\" Name=\"pager\" VALUE=\"$pager\" SIZE=15 MAXLENGTH=\"15\"> </p>

<p><strong>Comments:</strong><br>
<TEXTAREA NAME=\"message\" ROWS=5 COLS=50 WRAP=virtual>$message</TEXTAREA></p>
<br>

<p><em>Please wait for confirmation - this may take a few seconds.</em></p>


<INPUT type=\"hidden\" name=\"op\" value=\"ds\">

<p><INPUT TYPE=\"submit\" NAME=\"submit\" VALUE=\"Click here to send this report\"></p>


<br>

</FORM>
";

$send = 'yes';
if (empty($_POST['op']) || $_POST['op'] != "ds") {

    //they need to see the form
    echo "$form_block";

} else if (!empty($_POST['op']) && $_POST['op'] == "ds") {

    if ($employee == "") {
        $err[] = "<font color=red>Please enter employee name!  **REQUIRED</font><br>";
        $send = "no";
    }

    if ($department == "") {
        $err[]  = "<font color=red>Please enter your department!  **REQUIRED</font><br>";
        $send = "no";
    }

    if ($work == "") {
        $err[]  = "<font color=red>Please enter your work phone!  **REQUIRED</font><br>";
        $send = "no";
    }

    if ($cell == "") {
        $err[]  = "<font color=red>Please enter your cell phone!  ** REQUIRED, enter \"na\" for not applicable</font><br>";
        $send = "no";
    }

    if ($home == "") {
        $err[]  = "<font color=red>Please enter your home phone!  *REQUIRED, enter \"na\" for not applicable!</font><br>";
        $send = "no";
    }


    if ($send != "no") {
    // it's okay to send
    
        $msg = "Please update the following phone numbers for: \t$employee\n\n";

        $msg .= "Employee name:\t$employee\n\n";

        $msg .= "Department:\t$department\n\n";

        $msg .= "Work:\t$work\n\n";

        $msg .= "Cell:\t$cell\n\n";

        $msg .= "Home:\t$home\n\n";

        $msg .= "Pager:\t$pager\n\n";

        $msg .= "Comments:\t$message\n\n";

        $to = "me@me.com";

        $subject = "Phone Update: \t$employee, - \t$department\n";

        $mailheaders = "From: UpdateMyPhone\n\n";

        mail($to, $subject, $msg, $mailheaders);

        echo "<h1><font color=blue>Thank you! Your phone update has been filed. </font></h1><br> $form_block ";

    }  else if ($send == "no")  {
        foreach($err as $error) {
            echo $error;
        }
        echo $form_block;    
    }
}

?>

</body>
</html>



    Like This

 

PS.  You should be checking for variable types (validation), as well as sanitation.

 and it makes php -l happy, but I still get Undefined variable in error_log

 

For what it's worth, this

<INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"$_POST['employee']\" SIZE=\"75\" MAXLENGTH=\"100\"></p>

Should have been this

<INPUT TYPE=\"text\" NAME=\"employee\" VALUE=\"{$_POST['employee']}\" SIZE=\"75\" MAXLENGTH=\"100\"></p>

Note the curly brackets around the array variable. Of course, that still wouldn't fix the undefined variable. To fix that error, you could use a solution like the one suggested by jcbones

 

 

 

You cannot learn anything from this code – except how not to program.

 

I disagree. There is value in knowing how to take an outdated program and prepare it for today's standards. This likely won't be the last time rjo98 needs to upgrade someone else's script. The more experience rjo98 has in upgrading scripts, the faster the process will go.

It works, and looks a LOT better than the old one did!  jcbones, many many thanks for your giving spirit.  And at least I now have something good to look at to try to figure out how all of this should work and what it does.

 

Oh, so $_POST is actually an array and employee and stuff are the references rather than how other languages use numbers?  that makes sense, and I wondered that since it looked like a c++ array kinda.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.