I have a contact form, it works fine when hosted on my server, but when I uploaded it to my clients server I ran into problems. Please check out the page here: http://www.conceptonegfx.com/contact.php
I get the following errors at the top of the form
Notice: Use of undefined constant ’PHP_SELF’ - assumed '’PHP_SELF’' in E:\Domains\c\conceptonegfx.com\user\htdocs\fns.php on line 42
Notice: Undefined index: ’PHP_SELF’ in E:\Domains\c\conceptonegfx.com\user\htdocs\fns.php on line 42" id="uploadform" enctype="multipart/form-data">
Here are the problem lines on fns.php:
<?php
//start session
if(!isset($_SESSION))
{
session_start();
}
// prints form
function print_form(){
?>
<form method="post" class="action="<?php echo $_SERVER[’PHP_SELF’];?>" id="uploadform" enctype="multipart/form-data">
<p><label for="namefrom">Name <span class="required">*</span></label>
<input name="namefrom" id="namefrom" type="text" class="field" value="<?= $_SESSION['myForm']['namefrom']; ?>" tabindex="1"/></p>
<p><label for="emailfrom">Email <span class="required">*</span></label>
<input name="emailfrom" id="emailfrom" type="text" class="field" value="<?= $_SESSION['myForm']['emailfrom']; ?>" tabindex="3"/></p>
<p><label for="phone">Phone</label>
<input name="phone" id="phone" type="text" class="field" value="<?= $_SESSION['myForm']['phone']; ?>" tabindex="4"/></p>
<p><label for="message">Message <span class="required">*</span></label>
<textarea name="comments" id="comments" rows="10" cols="35" align="left" class="field" tabindex="6"><?= $_SESSION['myForm']['comments']; ?></textarea></p>
<p><label for="attachment">File Upload<br /></label>
<input name="attachment" id="attachment" type="file" tabindex="7" /></p>
<p><input align="left" type="submit" name="submit" id="submit" value="Send Email" tabindex="8"/></p>
<p><input type="hidden" name="submitted" value="true" /></p>
</form>
<?php } // end of print_form() ?>
You have a couple of issues that no one else has mentioned. In full, your problems are:

1. You shouldn't use $_SERVER['PHP_SELF'] as it's not very secure.
2. $_SERVER[’PHP_SELF’] should be $_SERVER['PHP_SELF']
3. Consider the code you've specified:

<form method="post" class="action="<?php echo $_SERVER[’PHP_SELF’];?>" id="uploadform" enctype="multipart/form-data">

This specifies your form's class attribute as action= and leaves a random php snippet followed by an orphaned double quote character before the id attribute. The correct <form> specification should be:

UPDATE

As requested, here's some further explication of why $_SERVER['PHP_SELF'] is vulnerable to XSS attacks ...

First, understand that $_SERVER['PHP_SELF'] can be manipulated by the user. You might ask how this is possible. After all, for a script located at /mypage.php, shouldn't $_SERVER['PHP_SELF'] always equal /mypage.php? Not necessarily.

Apache (and perhaps other servers I don't have experience with) utilize a lookback feature with URLs that allows it to look "backwards" down the URL for file matches if the full URL doesn't match a specific resource. For example, the following address will find a match in the mypage.php file if mypage.php is an actual readable file in the webroot and not the name of a directory:

At this point you may be thinking, "that's nice but how is that vulnerable to XSS?"

I'm glad you asked. Consider the following scenario:

1. /mypage.php that uses $_SERVER['PHP_SELF'] in its action attribute.

Suddenly, the html you specified as:

Now renders like this:

This is a fairly innocuous example because all it does is pop up an alert that says "pwned." However, a nefarious person could use javascript code like this to do much nastier things.

You could avoid this particular problem by using htmlentities on your $_SERVER['PHP_SELF'] variable, however, IMHO it's best just to avoid it altogether in this scenario.

Not sure if this is the problem or a copy paste thing but:
$_SERVER[’PHP_SELF’]

should really be

$_SERVER['PHP_SELF']

Have a look at the manual.

Edit from rdlowrey's post: You shouldn't use the $_SERVER['PHP_SELF'] as it's not very secure. Simply leave the action attribute empty like this: action="". An empty action will cause the form to POST to the address where it originated (same as using PHP_SELF, but without the security disadvantages).
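The following is an added example, not code from the question or from any of the answers above. It contrasts the unescaped $_SERVER['PHP_SELF'] form tag from fns.php with an HTML-encoded version and with the empty action="" that the answers recommend, so you can see why the raw value is a problem and what each fix changes. The sample PHP_SELF values (including one carrying extra path data with attribute-breaking characters), the helper names and the attribute_intact() check are all constructed for this demonstration; run it with the PHP CLI, no web server needed.

```php
<?php
declare(strict_types=1);

// Added example (not from the question or any answer): compare three ways of
// writing the <form> action, using constructed $_SERVER['PHP_SELF'] values
// in place of real requests.

// 1. The original pattern: the request path is echoed straight into the attribute.
function form_tag_unescaped(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '" id="uploadform">';
}

// 2. Same pattern, but the value is HTML-encoded first. ENT_QUOTES encodes both
//    quote characters, so the value can never terminate the action attribute;
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function form_tag_escaped(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form method="post" action="' . $safe . '" id="uploadform">';
}

// 3. The approach the answers recommend: an empty action posts back to the
//    URL the page was served from, so no request data reaches the markup at all.
function form_tag_empty_action(): string
{
    return '<form method="post" action="" id="uploadform">';
}

// Returns true when the rendered tag still has exactly the attributes we wrote,
// i.e. the path did not break out of the quoted action value.
function attribute_intact(string $html): bool
{
    return preg_match('/^<form method="post" action="[^"<>]*" id="uploadform">$/', $html) === 1;
}

// Constructed sample values. The second mimics a request where extra path data
// (the Apache "lookback" behaviour described in the answer above) follows the
// script name and contains a double quote and angle brackets.
$samples = [
    '/mypage.php',
    '/mypage.php/extra"<path>',
];

foreach ($samples as $phpSelf) {
    printf("PHP_SELF = %s\n", $phpSelf);
    $raw = form_tag_unescaped($phpSelf);
    $enc = form_tag_escaped($phpSelf);
    printf("  unescaped : %s  [attribute intact: %s]\n", $raw, attribute_intact($raw) ? 'yes' : 'NO');
    printf("  escaped   : %s  [attribute intact: %s]\n", $enc, attribute_intact($enc) ? 'yes' : 'NO');
    printf("  empty     : %s\n", form_tag_empty_action());
}
```

For the second sample the unescaped tag reports "attribute intact: NO" because the quote in the path closes the action attribute early, while the encoded version renders the same path as harmless text. The empty action avoids the question entirely, which is why the answers prefer it over escaping PHP_SELF.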
You seem to have copy-pasted the code. Fix the ''. Notice you have used ’ instead of '. Change $_SERVER[’PHP_SELF’] to $_SERVER['PHP_SELF'].
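As an added example (not from any answer on this page), here is a small PHP check for the copy-paste defect the answers describe: it scans source text for the typographic quotes U+2018, U+2019, U+201C and U+201D, reports where they occur, and rewrites them to their ASCII counterparts. The sample source string, the SMART_QUOTES table and the function names are constructed for this demonstration; point find_smart_quotes() at the contents of a real file to check an upload before deploying it.

```php
<?php
declare(strict_types=1);

// Added example: detect and repair typographic quotes in PHP source, the defect
// behind the "Use of undefined constant ’PHP_SELF’" notice in the question.

// Code points that word processors and web pages substitute for ' and ".
const SMART_QUOTES = [
    "\u{2018}" => "'",   // left single quotation mark
    "\u{2019}" => "'",   // right single quotation mark
    "\u{201C}" => '"',   // left double quotation mark
    "\u{201D}" => '"',   // right double quotation mark
];

// Returns one finding per offending character: line, column, the character
// found and the ASCII character it should be.
function find_smart_quotes(string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $i => $line) {
        // Walk the line by UTF-8 character so columns are character offsets.
        foreach (mb_str_split($line, 1, 'UTF-8') as $col => $ch) {
            if (isset(SMART_QUOTES[$ch])) {
                $findings[] = [
                    'line'    => $i + 1,
                    'col'     => $col + 1,
                    'found'   => $ch,
                    'replace' => SMART_QUOTES[$ch],
                ];
            }
        }
    }
    return $findings;
}

// Replaces every typographic quote with its ASCII counterpart.
function fix_smart_quotes(string $source): string
{
    return strtr($source, SMART_QUOTES);
}

// Constructed sample: one line pasted with curly quotes, one line that is fine.
$sample = "<?php\n"
    . "\$self = \$_SERVER[\u{2019}PHP_SELF\u{2019}];\n"
    . "\$method = \$_SERVER['REQUEST_METHOD'];\n";

$findings = find_smart_quotes($sample);
foreach ($findings as $f) {
    printf("line %d, col %d: U+%04X should be %s\n",
        $f['line'], $f['col'], mb_ord($f['found'], 'UTF-8'), $f['replace']);
}
if ($findings === []) {
    echo "no typographic quotes found\n";
}
echo "--- corrected source ---\n", fix_smart_quotes($sample);
```

The check only touches the four quote code points, so legitimate non-ASCII text in string literals or comments is left alone; review the reported lines rather than blindly rewriting a file, since a curly quote inside user-facing text may be intentional.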