I have a contact form. It works fine when hosted on my server, but when I uploaded it to my client's server I ran into problems. Please check out the page here: http://www.conceptonegfx.com/contact.php
I get the following errors at the top of the form:
Notice: Use of undefined constant ’PHP_SELF’ - assumed '’PHP_SELF’' in E:\Domains\c\conceptonegfx.com\user\htdocs\fns.php on line 42
Notice: Undefined index: ’PHP_SELF’ in E:\Domains\c\conceptonegfx.com\user\htdocs\fns.php on line 42" id="uploadform" enctype="multipart/form-data">
Here are the problem lines on fns.php:
<?php
//start session
if(!isset($_SESSION))
{
session_start();
}
// prints form
function print_form(){
?>
<form method="post" class="action="<?php echo $_SERVER[’PHP_SELF’];?>" id="uploadform" enctype="multipart/form-data">
<p><label for="namefrom">Name <span class="required">*</span></label>
<input name="namefrom" id="namefrom" type="text" class="field" value="<?= $_SESSION['myForm']['namefrom']; ?>" tabindex="1"/></p>
<p><label for="emailfrom">Email <span class="required">*</span></label>
<input name="emailfrom" id="emailfrom" type="text" class="field" value="<?= $_SESSION['myForm']['emailfrom']; ?>" tabindex="3"/></p>
<p><label for="phone">Phone</label>
<input name="phone" id="phone" type="text" class="field" value="<?= $_SESSION['myForm']['phone']; ?>" tabindex="4"/></p>
<p><label for="message">Message <span class="required">*</span></label>
<textarea name="comments" id="comments" rows="10" cols="35" align="left" class="field" tabindex="6"><?= $_SESSION['myForm']['comments']; ?></textarea></p>
<p><label for="attachment">File Upload<br /></label>
<input name="attachment" id="attachment" type="file" tabindex="7">
<p><input align="left" type="submit" name="submit" id="submit" value="Send Email" tabindex="8"/></p>
<p><input type="hidden" name="submitted" value="true" /></p>
</form>
Not sure if this is the problem or a copy paste thing but:
’PHP_SELF’
should really be
'PHP_SELF'
Have a look at the manual
Edit from rdlowrey's post:
You shouldn't use the $_SERVER['PHP_SELF'] as it's not very secure. Simply leave the action attribute empty like this: action="". An empty action will cause the form to POST to the address where it originated (same as using PHP_SELF, but without the security disadvantages).
You have a couple of issues that no one else has mentioned. In full, your problems are:
- First, you shouldn't use the $_SERVER['PHP_SELF'] as it's not very secure.
- Second, you're using backticks instead of single quotes: $_SERVER[’PHP_SELF’] should be $_SERVER['PHP_SELF']
- Third, your HTML is broken.
Consider the code you've specified:
class="action="<?php echo $_SERVER[’PHP_SELF’];?>" id="uploadform"
This specifies your form's class attribute as action= and leaves a random php snippet followed by an orphaned double quote character before the id attribute.
The correct <form> specification should be:
<form method="post" action="" id="uploadform" enctype="multipart/form-data">
UPDATE
As requested, here's some further explication of why $_SERVER['PHP_SELF'] is vulnerable to XSS attacks ...
First, understand that $_SERVER['PHP_SELF'] can be manipulated by the user. You might ask how this is possible. After all, for a script located at /mypage.php, shouldn't $_SERVER['PHP_SELF'] always equal /mypage.php?
Not necessarily.
Apache (and perhaps other servers I don't have experience with) utilizes a lookback feature with URLs that allows it to look "backwards" down the URL for file matches if the full URL doesn't match a specific resource. For example, the following address will find a match in the mypage.php file if mypage.php is an actual readable file in the webroot and not the name of a directory:
http://domain.com/mypage.php/pretty-url <<--- apache serves up /mypage.php
At this point you may be thinking, "that's nice but how is that vulnerable to XSS?"
I'm glad you asked. Consider the following scenario:
- You have a form at /mypage.php that uses $_SERVER['PHP_SELF'] in its action attribute.
- A malicious user decides to put the following in her address bar:
http://domain.com/mypage.php/%22%3E%3Cscript%3Ealert('pwned')%3C/script%3E
Suddenly, the html you specified as:
<form action="<?php echo $_SERVER['PHP_SELF']; ?>">
Now renders like this:
<form action="/mypage.php/"><script>alert('pwned')</script>
This is a fairly innocuous example because all it does is pop up an alert that says "pwned." However, a nefarious person could use JavaScript code like this to do much nastier things.
You could avoid this particular problem by using htmlentities on your $_SERVER['PHP_SELF'] variable; however, IMHO it's best just to avoid it altogether in this scenario.
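The options discussed in the answer above, side by side, as an added example that is not part of the original answers. The `$server` array is a constructed stand-in for `$_SERVER`, the function names are hypothetical, `htmlspecialchars` is used in place of the `htmlentities` call the answer mentions, and the `SCRIPT_NAME` variant is an addition not raised in the thread.

```php
<?php
// Added example. $server is a constructed stand-in for $_SERVER on a request to
// /mypage.php/%22%3E%3Cscript%3Ealert('pwned')%3C/script%3E (the URL from the answer).
$server = [
    'SCRIPT_NAME' => '/mypage.php',
    'PHP_SELF'    => '/mypage.php/"><script>alert(\'pwned\')</script>',
];

// Vulnerable: PHP_SELF carries the extra path segment straight into the markup.
function action_raw(array $server): string
{
    return '<form method="post" action="' . $server['PHP_SELF'] . '">';
}

// Mitigation from the answer: encode before output. ENT_QUOTES also encodes
// single quotes, so the value cannot close the attribute or open a tag.
function action_escaped(array $server): string
{
    $safe = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Not from the thread: SCRIPT_NAME omits the trailing path info; still encoded.
function action_script_name(array $server): string
{
    $safe = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Preferred in the answer: no request-derived data in the attribute at all.
function action_empty(): string
{
    return '<form method="post" action="">';
}

$variants = [
    'raw'         => action_raw($server),
    'escaped'     => action_escaped($server),
    'script_name' => action_script_name($server),
    'empty'       => action_empty(),
];
foreach ($variants as $label => $html) {
    // Regression check: request data must never appear as a live <script> tag.
    $status = strpos($html, '<script>') !== false ? 'INJECTED' : 'ok';
    printf("%-12s %-9s %s\n", $label, $status, $html);
}
```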
You seem to have copy-pasted the code.
Fix the ''. Notice you have used ’ instead of '.
Change $_SERVER[’PHP_SELF’] to $_SERVER['PHP_SELF']