Transfering form data to another page

#1

I am trying to input my name and email into a form and have it shown on another localhost page.
For some reason when I put my name and email into the first form it does not transfer into the the greeting.
It shows as: Hello Your mail is
When it should come out as Hello “my name” Your mail is “my email”

can anyone tell me why the things I am inputting are not showing up?

I am using this simple code

Title: index.php

<html>
<body>

<form action="site2.php" method="post">
Name: <input type="text" name="name">
Email: <input type="text" name="email">
<input type="submit">
</form>

</body>
</html>

and

Title: Site2.php

<html>
 <body>

 Hello <?php echo $_POST["name"]; ?>!<br>
 Your mail is <?php echo $_POST["mail"]; ?>.

 </body>
 </html>
#2

You called your email input “email”, but you look for the $_POST parameter “mail” - you’ve left the e out.

Other than that, this script seems ok - it runs fine on my computer.

#3

No, it is not OK. It is vulnerable to an XSS Attack.

NEVER EVER TRUST USER SUPPLIED DATA!

1 Like
#4

NEVER EVER TRUST USER SUPPLIED DATA!

Strictly speaking, the user can only XSS themselves in this script… But yeh, better to foster the habit.

The vulnerability @benanamen mentions is that you’re just printing out whatever data the user is providing; this could be malicious. To demonstrate this, try pasting <script>alert('hacked!')</script> into your name input and clicking submit; you’ll get a popup.

To prevent this, you should always escape variables before outputting them as part of a web page. The easiest way to do this for PHP is to pass the output through the function htmlspecialchars, as shown in an updated site2.php below:

<html>
    <body>
        Hello <?php echo htmlspecialchars($_POST["name"]) ?>!<br>
        Your mail is <?php echo htmlspecialchars($_POST["mail"]) ?>.
    </body>
</html>

Now when you attempt to submit the script tag above, it will just be shown on the page as normal text.

#5

Again, just not true.

#6

It’s not storing data. How are they going to attack anyone else?

Sponsor our Newsletter | Privacy Policy | Terms of Service