[RESOLVED] Form validates, inputs to DB, then variables go blank

W9FZ

I'm inheriting a website to run a conference. Using PHP and MySQL is all that I'm expecting.

The page loads with a blank form just fine. I fill out the blanks and submit. By tracing execution, I can tell that the form gets validated, and then input to the db. But then all the variables are blank and confirming emails don't send and the page doesn't reload--instead shows lots of errors for undefined variables.

It probably is something simple.

Right now I'm wondering if I have the form action correct.

What I inherited is:

<form id="reg_form" action="" method="post">

Will having it blank reload the page? I tried putting in the full URL and I get the same errors so maybe it's ok this way. I even tried $_SERVER[PHP_SELF] to no avail.

On the page there about 12 entries for the user to fill in. Each has, for example:

<input type="text" name="call_sign" value="<?php echo (isset($_POST['call_sign'])?$_POST['call_sign']:''); ?>" />

by each appropriate blanks. Should I be using id="call_sign" as well??

The file I'm working on is temporarily at: http://w9fz.com/theis2/mud_registration.php

Thanks in advance for suggestions.
Bruce

TeraTask

The code you've posted here is correct. The code posted on the URL you gave is correct. The id attribute doesn't play a role here, so that's not it. You could simplify this code

<input type="text" name="call_sign" value="<?php echo (isset($_POST['call_sign'])?$_POST['call_sign']:''); ?>" />

<input type="text" name="call_sign" value="<?php echo $_POST['call_sign']; ?>" />

But, that isn't your problem. We'd need to see the code after the database insert through the email code (but strip personal data, of course) to really help.

bradgrafelman

TeraTask wrote:
You could simplify this code

No, not really; the second code snippet in your post will cause warnings to be issued on the first page visit.

As TeraTask points out, you should show us some of the processing code that does/does not work. Do you redirect the user to any other page once the form is submitted, or is it all processed in one script?

W9FZ

Thanks for your help.

I'll try to bring in more of the code and try to explain what's going on. I may snip some to ease reading. I appreciate you wading through my code.

<form id="reg_form" action="" method="post">

Here's the first part of meat:

if(!db_connect($db, $error_array['db']))
{
    echo '<tr><td colspan="3" class="error">We are experiencing technical difficulties.  Please try again later.</td></tr>';
    mail_admin($self_file, $error_array['db']);
}
else
{
//First check for how many banquets remain to 
//decide what messages to feed to user
    if(count_banquet($db, $count, $error_message))
	{
        $max_banquet = 200;
        if($count < $max_banquet)
		{
            $price[1] = 79;
            $price[2] = 89;
            $price[3] = 99;
            $banquet_full = false;
            $registration_input_name = 'number_registrations';
            $banquet_remain = $max_banquet - $count;
            $registration_note = '<span class="note">Only '.$banquet_remain.' banquet seats left.  Register today!</span>';
        }
		else
		{
            $price[1] = 40;
            $price[2] = 50;
            $price[3] = 60;
            $banquet_full = true;
            $registration_input_name = 'number_registrations_no_banquet';
            $registration_note = '<span class="note">Banquet is full.  Registration includes sessions and proceedings only.</span>';
        }
    }
	else
	{
         trigger_error($error_message, E_USER_ERROR);
    }

//Here's where the form is validated

if(isset($_POST) && !empty($_POST)){
     if(!validate_data($db, $_POST, $cutoff, $price,'normal', $error_array))
	 {
         if(isset($error_array) && !empty($error_array))
		 {
             echo '<tr><td colspan="3" class="error">Please see error(s) below.</td></tr>';
         }
     }
	 else
	 {

// Here's where the data is then inserted to the db

         if(!insert_data($db, $_POST, $error_array['insert']))
		 {
             echo '<tr><td class="error" colspan="2">We are experiencing technical difficulties.  Please try again later.</td></tr>';
             mail_admin($self_file, $error_array['insert']);
         }
		 else
		 {
             $registration_successful = true;
			 unset($error_array['insert']);
             echo '<tr><td class="success">Your registration for the MUD conference has been accepted.</td></tr>';
             echo '<tr><td align="center">Print a copy for your records</td></tr>';
         }
     }

     if(!close_db($db, $error_array))
	 {
         mail_admin($self_file, $error_array['db']);
     }
	 else
	 {    
//I added this
			 echo '<tr><td class="success">The Database did, in fact, close.</td></tr>';
		 }
    }
}

//
//Here's where I get frustrated. It just successfully wrote to the db and closed it
//so $registration_successful has to be true
//Yet, here's where all the variables are unrecognized in this next stretch
//Not sure if the $registration_successful variable is unrecognized--don't recall
//

if($registration_successful)
{
//
//Message is built up for sending to the emailer routine
//
    $email_message = 'Dear '.$first_name.' '.$last_name.','."\n"; 
	$email_message.= 'Your registration has been accepted for the MUD 2007 conference.'."\n";
    $email_message.= 'The information you submitted is as follows:'."\n";
    $email_message.= $call_sign."\n".
    $first_name.' '.$last_name."\n".
    $street.
    $street_2."\n".
    $city.', '.$state.' '.$country.' '.$postal_code."\n".
    $phone."\n". 
    $email."\n".
    'Name Tag: '.$nametag."\n";
    //
//snip a bunch of checking deciding what 
//personalized message to send user about banquets
//

$email_message.='Total Due to Microwave Update $'.money_format('%n', $total)."\n".
'Payment for $'.money_format('%n',$_POST['total']).' will be accepted by."\n".
Microwave Update, via PayPal, at some weblink
 or by check, payable to:
            Microwave Update
            Send to: Someguy     
            Some address
            Some address'."\n\n".
'See you in Bloomington, MN in October!
    Your Microwave Update Hosts';

//
//Here a message is built up for display on the screen
//Admittedly, it could be these variables that are showing as undefined
//
    $message = '<tr><td>'.$call_sign.'</td></tr>
    <tr><td>'.$first_name.' '.$last_name.'</td></tr>
    <tr><td>'.$street.'</td></tr>
    <tr><td>'.$street_2.'</td></tr>
    <tr><td>'.$city.', '.$state.' '.$country.' '.$postal_code.'</td></tr>
    <tr><td>'.$phone.'</td></tr>
    <tr><td>'.$email.'</td></tr>
    <tr><td>Name Tag: '.$nametag.'</td></tr>';
//
//snip a bunch of checking deciding what 
//personalized message to send user about banquets
//
       $message.='<tr><td>Total Due to the Microwave Update  <strong>$'.money_format('%n', $total).'</strong></td></tr>
    <tr><td>You can pay $'.money_format('%n',$_POST['total']).' by PayPal, at <a href="http://www.microwaveupdate.org/index.php">MUD</a></td></tr>
    <tr><td>You can also pay by check, payable to:<br />
                Microwave Update<br /> 
                 Send to: Some guy<br /> 
                Some Address <br />
                Some address<br /></td></tr>
    <tr><td class="success">See you in Bloomington, MN in Oct!</td></tr>  

    <tr><td colspan="3" class="note">Note: Both registration and payment must be received(or post marked) by the date to recieve discounted price.</td></tr>';
    $message.= '<tr><td><a href="registered_attendees.php">See who is registered to come</a></td></tr>';
	// Is the next line the one that is dumping all the variables? 
	//I can see it dumping the post variables but haven't I read them 
	//out to my own variables?
        $_POST = array();

//Display the big message on the screen
    echo $message;  

//
//The following is always coming back failing mostly because the $email variable
//is empty or not defined at this point
//

if(send_success_email($email, $email_message))
{
    echo '<tr><td>A confirmation email has been sent to the email address you submitted</td></tr>';
}
else
{
    echo '<tr><td>Please print this page for your reference.  Sending of email failed.</td.</tr>';
    mail_admin($self_file, 'FAILED TO SEND EMAIL to registrant '.$callsign);
}
}
else
{
    if(isset($error_array['db']))
	{
        echo 'database problem';
        echo '<tr><td colspan="3">Database problem '.$error_array['db'].'</td></tr>';
    }
?>

This is followed by the HTML/PHP mix of the actual form with a sample:

    <tr><th colspan="3" align="center">Name and Call Sign</th></tr>
    <tr><td align="right"><span class="required">*</span> Call:</td><td colspan="2"><input type="text" name="call_sign" value="<?php echo (isset($_POST['call_sign'])?$_POST['call_sign']:''); ?>" /></td></tr>
<?php
         echo (isset($error_array['call_sign'])?'<tr><td colspan="3" class="error">'.$error_array['call_sign'].'</td></tr>':'');
?>
    <tr><td align="right"><span class="required">*</span> First Name:</td><td colspan="2"><input type="text" name="first_name" value="<?php echo (isset($_POST['first_name'])?$_POST['first_name']:''); ?>" /></td></tr>
<?php
         echo (isset($error_array['first_name'])?'<tr><td colspan="3" class="error">'.$error_array['first_name'].'</td></tr>':'');
?>
        <tr><td align="right"><span class="required">*</span> Last Name:</td><td colspan="2"><input type="text" name="last_name" value="<?php echo (isset($_POST['last_name'])?$_POST['last_name']:''); ?>" /></td></tr>
<?php
    echo (isset($error_array['last_name'])?'<tr><td colspan="3" class="error">'.$error_array['last_name'].'</td></tr>':'');
?>

Ya know, I'll admit to being hazy on where the $POST variables are really being read to my local variables. I'll have to look harder for that. I can see the validation routine is handed the entire $POST array.

I'll send along my functions if they would help.

Many thanks again for your time looking.
Bruce

TeraTask

bradgrafelman wrote:
No, not really; the second code snippet in your post will cause warnings to be issued on the first page visit.

If you have warnings set to show, then you're not on a properly configured live server.

W9FZ

Ok, let's see if this tidbit of info helps. The person who loaned/gave me the code still has last year's registration forms up on their website. They tell me that the files they sent me are identical to what they have on their site. I tried the one on their site again and it works perfectly. I'm requestioning them if they are SURE the files are identical--waiting on response.

Yet those same files, when adjusted for a new database user, database, and table, don't work on my webhost. Would printing out my phpinfo() data be of any help? I know my webhost and will be able to have his help when he returns on Monday.

THanks
Bruce

TeraTask

The code in the insert area uses the $_POST array, but the code below doesn't reference that array. It acts like they are all just variables. This probably means that the other dude has register globals on. Having them on is a bad thing.

To check, change


if($registration_successful)
{

extract($_POST);
if($registration_successful)
{

If it works, then you know that is the cause. You should sanitize those variables before just plugging them into an email. My little bit of code above should not be your only patch.

If it doesn't, then I'm not sure as that's the only thing that stands out to me.

W9FZ

Yes, what you suggested basically worked which does imply the other guy has "register globals" on. I looked around my php configuration on my webhost and saw "off".

With that said, two questions arise:

What is an example techique to avoid registered globals? In other words, there's a simple way to pull those $_POST variables into local variables isn't there?
You mention sanitization prior to emailing. Can you point me in the right direction? I have no problem enhancing and improving the code I've been given (even if it's tedious :-) ). Are you speaking here of the actual variables or having an email routine that's exploitable? Yes, making the emailing routine more robust is one of the things I'm searching for here in the phpbuilder forums.

That's why I'm here. Experienced folks get their "aha's" more easily/quickly. Thanks!

TeraTask

W9FZ wrote:
1. What is an example techique to avoid registered globals? In other words, there's a simple way to pull those $_POST variables into local variables isn't there?

The "simple" way is the way I've shown.

W9FZ wrote:
2. You mention sanitization prior to emailing. Can you point me in the right direction? I have no problem enhancing and improving the code I've been given (even if it's tedious :-) ). Are you speaking here of the actual variables or having an email routine that's exploitable? Yes, making the emailing routine more robust is one of the things I'm searching for here in the phpbuilder forums.

You would need to do something which ensures that the data contains only allowable characters. For example, sanitize the email address, one might use something like

//There are much better routines for email sanitization.  This is simply an example.
$email_address = preg_replace('/[^a-z0-9@\.]/i','',$_POST['email_address']);

//Something fairly standard
$first_name = preg_replace('/[^a-z]/i','',$_POST['first_name']);

Sanitization means removing data which doesn't belong. The rule for each field depends on what's appropriate for that field.

Hope that helps!

bradgrafelman

TeraTask wrote:
If you have warnings set to show, then you're not on a properly configured live server.

I don't have display_errors set to On, of course; I log all of my errors. That's why I can't upload sloppy coding - I don't want my PHP error logs filling up with warnings and notices.

@: As TeraTask points out, you shouldn't simply use [man]extract/man to pull all $_POST data into variables; this is exactly what register_globals does, and that directive has been disabled by default (and removed in PHP6 IIRC) because of the security exploits long ago discovered/recgonized.

W9FZ

Ok, I shouldn't just use extract() .

Should I write another step where all my post variables are pulled into variables of differing names? I need to validate the _post variables and I need to construct an email that includes info from many of the variables as well as display a screen response that shows many of the variables contents. Apparently with register_globals "on" it was easy for the original writer. Now I need to do it the right way.

I think I'm missing something here. I guess I'd better prowl around phpbuilder and see if I can see some other examples.

Thoughts?
Thanks
Bruce

bradgrafelman

Well, you could either create variables as TeraTask showed in his code snippet above, or simply reference the $_POST array throughout your code.

TeraTask

I wouldn't recommend using the POST array directly. You want to sanitize your variables first.

bradgrafelman

Well that depends. If you're going to use them in a query (or perhaps in an e-mail header), then you'd definitely want to do some sanitization.

If you're just displaying them... I guess it would depend on the implementation on whether you want to alter the data or not.

TeraTask

If you're just displaying them, I recently learned, you'll also want to sanitize. Why? Because by not sanitizing, one allows XSS attacks. I personally hadn't done that, but a client recently pointed out some hack results from some code where this very issue became an issue.

W9FZ

The nut was register_globals "on" on the machine used by the person who sent me this code. My server will keep "register_globals" "off". So, you've introduced me to the idea of sanitizing variables. I've searched phpbuilder forums for just those words and have learned a lot.

But you might see a question from me soon on the topic of "sanitzing variables" :-) .

THanks for your help recognizing my problem.
Bruce