briand74 Posted January 7, 2008

I have some contact form scripts on a shared webhosting server that have worked fine until they upgraded the server. I'm not sure, but they may have upgraded the version of PHP (now 4.4.7, it may have been 4.3.x). They also upgraded cPanel to ver 11. ini_set and phpinfo have been disabled, but shouldn't affect scripts in question. No errors are being reported.

By the way, I'm not a programmer. I just have a website that has grown, and have taught myself enough to lift good stuff and make it work.

Anyway, after a day and a half I have narrowed it down to the $_POST array is empty. The form method is post. If I change to get, what I'm expecting shows up.

The web hosting tech support is useless. You can only contact them via 128 character limit online form, and in 12-24 hours you'll get back a one line answer, usually that everything is OK on their servers.

Here is the url of the contact form: http://waynealumni.org/contactme.php

I have some debug code in there right now. The variable $op should come back as ds after submitting. Because it's empty, the form block just keeps displaying.

Since I haven't changed the code, don't know if it will help to post it here, it worked fine last week and I didn't change it.

I made a small script using ini_get_all to see the php settings. Didn't see much except ini_set and phpinfo are disabled.

I do have a ticket in, but don't expect much help. Short of moving my website, I was wondering if anyone has experienced a similar situation of $_POST being empty when it shouldn't, or anything else that might point me to a solution.

Thanks

revraz Posted January 7, 2008

Post the Form code and the .php code (if they are separate) so we can see if there are any obvious errors. Chances are they turned off Register Globals and you may not be assigning variables.

briand74 Posted January 7, 2008

Here is the code, just changed my email and name:

```php
<?php
$page_title = 'Contact Webmaster';
include ('./includes/header_1.htm');
?>
<h2 class="clearleft"><a id="maincontent"></a></h2>
</div><div class="clear"></div>
<?php
//Start of the contact form
$email_address = "justme@myisp.com";
$sender_name = @$_POST['sender_name'];
$sender_email = @$_POST['sender_email'];
$subject = "Wayne Alumni Contact";
$message = @$_POST['message'];
$op = @$_POST['op'];

$form_block = "
<form method=\"POST\" action=\"$_SERVER[php_SELF]\">
<fieldset>
<legend>To: Fred Zeppelin</legend>
<label for=\"sender_name\">Name:</label>
<input id=\"sender_name\" type=\"text\" name=\"sender_name\" value=\"$sender_name\" size=\"30\" /><br />
<label for=\"sender_email\">Your E-Mail:</label>
<input id=\"sender_email\" type=\"text\" name=\"sender_email\" value=\"$sender_email\" size=\"30\" /><br />
<!-- <label for=\"subject\">Subject</label>
<input id=\"subject\" type=\"text\" name=\"subject\" value=\"$subject\" size=\"30\" /><br /> -->
<label for=\"message\">Message</label>
<textarea id=\"message\" name=\"message\" cols=\"40\" rows=\"15\">$message</textarea><br />
<input class=\"hidden\" type=\"hidden\" name=\"op\" value=\"ds\" /><br />
<input class=\"submitbutton\" type=\"submit\" name=\"submit\" value=\"Send E-Mail\" />
</fieldset>
</form>";

// First, make sure the form was posted from a browser.
// For basic web-forms, we don't care about anything
// other than requests from a browser:
if(!isset($_SERVER['HTTP_USER_AGENT'])){
    die("Forbidden - You are not authorized to view this page");
    exit;
}

// Make sure the form was indeed POST'ed:
// (requires your html form to use: action="post")
if(!$_SERVER['REQUEST_METHOD'] == "POST"){
    die("Forbidden - You are not authorized to view this page");
    exit;
}

// Host names from where the form is authorized
// to be posted from:
$authHosts = array("waynealumni.org", "basketball.waynealumni.org", "soccer.waynealumni.org");

// Where have we been posted from?
$fromArray = parse_url(strtolower($_SERVER['HTTP_REFERER']));

// Test to see if the $fromArray used www to get here.
$wwwUsed = strpos($fromArray['host'], "www.");

// Make sure the form was posted from an approved host name.
if(!in_array(($wwwUsed === false ? $fromArray['host'] : substr(stristr($fromArray['host'], '.'), 1)), $authHosts)){
    logBadRequest();
    header("HTTP/1.0 403 Forbidden");
    exit;
}

// Attempt to defend against header injections:
$badStrings = array("Content-Type:",
                    "MIME-Version:",
                    "Content-Transfer-Encoding:",
                    "bcc:",
                    "cc:");

// Loop through each POST'ed value and test if it contains
// one of the $badStrings:
foreach($_POST as $k => $v){
    foreach($badStrings as $v2){
        if(strpos($v, $v2) !== false){
            logBadRequest();
            header("HTTP/1.0 403 Forbidden");
            exit;
        }
    }
}

// Made it past spammer test, free up some memory
// and continue rest of script:
unset($k, $v, $v2, $badStrings, $authHosts, $fromArray, $wwwUsed);

// debug section 1/5/08 bwd
echo 'display_errors = ' . ini_get('display_errors') . "\n";
echo 'register_globals = ' . ini_get('register_globals') . "\n";
echo 'variables_order = ' . ini_get('variables_order') . "\n";
echo 'track_vars = ' . ini_get('track_vars') . "\n";
print "<pre>";
print_r($_POST);
print "</pre>";
echo "\$op = $op <br />\n"; //bwd 1/5/08 debugging

if ($op != "ds") { // they need to see the form
    echo "$form_block";
} else if ($op == "ds") {
    //This is the line of code stopping the email injection attack
    if(eregi("MIME-Version: ",$_POST['sender_name'].$_POST['sender_email'].$_POST['message'])){die('Connection problem, try later.');
    //end of code
    }

    if ($sender_name == "") { // check value of $_POST[sender_name]
        $name_err = "<p class=\"error\"> Please enter your name!</p>";
        $send = "no";
    }

    if ((!preg_match("/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/", $sender_email))) { // check value of $_POST[sender_email] is valid email address
        $email_err = "<p class=\"error\">Sorry you have entered an invalid email address, please check and try again</p>";
        $send = "no";
    }

    //if ($sender_email == "") { //check value of $_POST[sender_email];
    //$email_err = "<p class=\"error\">Please enter your e-mail address!</p>";
    //$send = "no";
    //}

    if ($message == "") { // check value of $_POST[message]
        $message_err = "<p class=\"error\">Please enter a message!</p>";
        $send = "no";
    }

    if (@$send != "no") { // it's ok to send so build the mail
        $to = "$email_address";
        $subject = "$subject";
        $mailheaders = "From: $sender_name\r\n";
        $mailheaders .= "Reply-To: $sender_email\r\n";
        $msg = "E-MAIL SENT FROM THE PAGE\r\n";
        $msg .= "Sender's Name: $sender_name\r\n";
        $msg .= "Sender's E-Mail: $sender_email\r\n";
        $msg .= "Message: $message\r\n";
        mail($to, $subject, $msg, $mailheaders);
        echo "<p>Thank you, $sender_name, your message has been sent. </p>";
    } else if ($send == "no") {
        echo "$name_err";
        echo "$email_err";
        echo "$message_err";
        echo "$form_block";
    }
}

// Include the HTML footer.
include ('./includes/footer_2.htm');
?>
```

btherl Posted January 7, 2008

Have you tried posting to a simple script like this:

```php
<?php var_dump($_POST); ?>
```

If that doesn't work, then it'll fit into the 128 character limit. If it does work, then you know that the problem is in the script rather than in the webserver.

PFMaBiSmAd Posted January 7, 2008

If your total post data exceeds post_max_size, then the $_POST array will be empty. Add the following and post what you get (exactly) -

```php
echo 'post_max_size = ' . ini_get('post_max_size') . "<br />\n";
```

briand74 Posted January 7, 2008

Here is the post_max_size ini setting:

post_max_size = 2M

redarrow Posted January 7, 2008

set it to 8m my opinion

cyber_ghost Posted January 7, 2008

ok .. please see if the php.ini settings > register_globals is set to "On".. this issue about the empty $_POST[] was already one of my headaches last time..... IIS/PHP...... and after setting.. then restart the machine... this thing works for me perfectly... I hope it works for you.... hoping this helps.....

briand74 Posted January 7, 2008

I tried a simple form and then used: <?php var_dump($_POST); ?>

It seems to work. I got back the fields that were posted.

register_globals is off.

The web host is running Linux - I can't control php.ini, maybe they can increase the local setting to 8M? ini_set is disabled. Is this my best course, or is something wrong in the script?

redarrow Posted January 7, 2008

register_globals is set to "On" << never have on unless you expect no trouble and the web site is not live

register_globals is a bad function in the php.ini to have set to on, never do so (hackers love it) trust me mate.........

just use the mysql_real_escape_string() when posting any variables.......

strip_slashes might help, looking quickly at your code.........

btherl Posted January 7, 2008

Ok, now that you've verified that var_dump($_POST) works in another script, try it in your contact script. Test it at the very top, and also further down. That should give you enough information.

What you should see is that it works at the very top, but suddenly the variables vanish further down. That means they were clobbered in between.

You might also want to try removing the "@" from the assignments. I don't know why that would make a difference but maybe it will.

You can use binary search to find where the variables are being clobbered.

redarrow Posted January 7, 2008

TRY A TEST MAIL SHOT.....

your php hosting company might have stopped users sending emails, this has become a problem for some time now

try this code to see if u are still allowed to send mail

```php
<?php
$to = 'bob@barnyard.com';
$subject = 'Wakeup bob!';
$message = '<b>yo</b>, whassup?';
$headers = "From: server@barnyard.com\r\n" .
    'X-Mailer: PHP/' . phpversion() . "\r\n" .
    "MIME-Version: 1.0\r\n" .
    "Content-Type: text/html; charset=utf-8\r\n" .
    "Content-Transfer-Encoding: 8bit\r\n\r\n";

// Send
mail($to, $subject, $message, $headers);
?>
```

it might not even be the code trust me!

briand74 Posted January 7, 2008

Adding <?php var_dump($_POST); ?> to my script at the top showed nothing coming back. Removing the @ from the assignments also didn't help.

redarrow Posted January 7, 2008

replace

```php
<form method=\"POST\" action=\"$_SERVER[php_SELF]\">
```

to this then try

```php
<form method=\"POST\" action=\" \">
```

briand74 Posted January 7, 2008

Great, some progress. Removing the

<form method=\"POST\" action=\"$_SERVER[php_SELF]\">

and replacing with

<form method=\"POST\" action=\" \">

seems to have worked. All my $_POST values come back, and the form block is replaced with the mail was sent message.

If the action is blank, does it default to self, or what? I will mark this solved, but would like to understand first if anyone would care to comment.

My mail is not being delivered, but it looks like a new problem. My send mail path looks wrong to me.

PFMaBiSmAd Posted January 7, 2008

That is pretty wild, because the way it was, without an echo statement would have resulted in an empty action="" statement, unless there was a php error actually being generated and inserted there (you could look at the view source of the page in your browser using the old code.)

An empty parameter on the action="" means the "same" page. Likewise, no action parameter at all means the same page.

briand74 Posted January 7, 2008

Interesting, must be that the previous version of PHP on the server treated it as empty, and for some reason now it doesn't. Oh well, thanks to redarrow and everyone else that helped.

Brian

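The contact script posted earlier in this thread puts `$sender_name` and `$sender_email` straight into `$mailheaders`, screening them only with a fixed list of header names and an e-mail pattern that has no anchors. The following is an added example, not code from any poster in the thread: the function names are hypothetical, it assumes a current PHP rather than the 4.4.7 mentioned above, and it rejects any CR or LF in header-bound fields and anchors the address check.

```php
<?php
// Added example, not the poster's code; function names are hypothetical.

// The e-mail pattern from the script in this thread (no anchors).
$thread_pattern = '/\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*/';

// A header-bound value must be one line: a CR or LF would start a new
// header line, whatever that header is called or however it is cased.
function is_single_line($value)
{
    return is_string($value) && !preg_match('/[\r\n]/', $value);
}

// \A and \z make the whole value be the address. "$" is not enough,
// because it also matches just before a trailing newline.
function is_plausible_email($value)
{
    return is_single_line($value)
        && preg_match('/\A[\w.+-]+@[\w-]+(\.[\w-]+)+\z/', $value) === 1;
}

// Same two headers the thread's script builds; null when a field is rejected.
function build_mail_headers($sender_name, $sender_email)
{
    if (!is_single_line($sender_name) || trim($sender_name) === '') {
        return null;
    }
    if (!is_plausible_email($sender_email)) {
        return null;
    }
    return "From: $sender_name\r\n" . "Reply-To: $sender_email\r\n";
}

// Constructed sample inputs (name, e-mail).
$samples = array(
    array('Alice', 'alice@example.org'),
    array('Alice', "alice@example.org\r\nX-Added: 1"),
    array("Alice\nX-Added: 1", 'alice@example.org'),
    array('Alice', "alice@example.org\n"),
);

foreach ($samples as $s) {
    list($name, $email) = $s;
    printf("%-40s unanchored=%d headers=%s\n", json_encode($email),
        preg_match($thread_pattern, $email),
        var_export(build_mail_headers($name, $email), true));
}
```

The `unanchored` column shows what the thread's pattern returns for the same value, so the multi-line samples can be compared against the line-based check. Values echoed back into the page, such as `$sender_name` in the form and the thank-you message, would additionally go through `htmlspecialchars()`.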