Use variable after button click

I am a total beginner and am trying to develop my first script for password recovery in PlayFab. I have been watching tutorials and have read quite a lot but am still not able to fix my problem.

The PlayFab process I am trying to create is: Using Email Templates to Send an Account Recovery Email - PlayFab | Microsoft Docs

…and the REST API I am trying to get working is: Account Management - Reset Password - REST API (PlayFab Admin) | Microsoft Docs

However, I do believe I was able to create a “working” script, except I had no payload. I am now rewriting the script to clean it up etc. and, most importantly, to solve my problem (which I need help with).

With the attached script I am trying to solve the problem with the token.

  1. When the website loads I am able to extract, read and display the token.
  2. After I have pressed the button, $token = null.

This is what I am not able to solve and need some help with, which I would really appreciate.

Here is the current test script I am working on:

<!DOCTYPE HTML>
<html>
  <head>
    <style>
      .error {color #FF0000;}
      .button {
        background-color: black;
        border: none;
        color: white;
        padding: 15px 32px;
        text-align: center;
        text-decoration: none;
        display: inline-block;
        margin: 4px 2px;
        cursor: pointer;
        font-size: 15px;
      }
    </style>
  </head>

  <body>

      <?php

          //error_reporting(E_ALL);
          error_reporting(E_NOTICE);


          ini_set('display_errors', 1);

          header("Content-Type: text/html");

          // Define variables and null them
          $url = "";
          $token = "";
          $actual_link = "";
          $emailErr = "";
          $email = "";
          $pw1Err = "";
          $pw2Err = "";
          $token = "";
          $myTest = "";
          $xTest = "";


          // Read actual link
          $actual_link = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";

          // Extract token from url
          $url_components = parse_url($actual_link);
          parse_str($url_components['query'], $token);

          //$myTest = $_POST['token'];
          //echo $myTest;

        

/*
          if ($_SERVER["REQUEST_METHOD"] == "POST")
          {

              // CHECK EMAIL INPUT
              if (empty($_POST["email"]))
              {
                  $emailErr = "Email is required";
              }
              else
              {
                  $email = test_input($_POST["email"]);

                  // check if e-mail address is well-formed
                  if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                      $emailErr = "Invalid email format";
                  }
              }
          }
*/
          // Test validity of the email address
          function test_input($data) {
              $data = trim($data);
              $data = stripslashes($data);
              $data = htmlspecialchars($data);
              return $data;
          }

          if (isset($_POST['submitBtn']))
          {
              echo "submitBtn 1 has been pressed";
              echo "<br>";
              echo $token['token']
          }
    ?>




    <h2>Password Recovery</h2>
    <p><span class="error">*required field</span></p>
    <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
        E-mail:<input type="text" name="email" value="<?php echo $email;?>">
        <span class="error">*<?php echo $emailErr;?></span>
        <br><br>

        New Password:<input type="text" name=pw1 value="";">
        <span class="error">*<?php echo $pw1Err;?></span>
        <br><br>

        Confirm Password:<input type="text" name=pw2 value="";">
        <span class="error">*<?php echo $pw2Err;?></span>
        <br><br><br>

        <input type="submit" class="button" name="submitBtn" value="Submit" if="myButton" />
    </form>

    <br><br><br>';
    <h3>PRINT VARIABLES</h3>

    <?php

        // Print values
        echo 'TOKEN: ' . $token['token'];
        echo "<br>";
        echo 'MYTEST: ' . $myTest[0];
        echo "<br>";
        echo 'FULL URL: ' . $actual_link;
        echo "<br>";
        echo 'EMAIL: ' . $email;
        echo "<br>";
        echo 'XTEST: ' . $xTest;

    ?>

  </body>
</html>

There is much wrong with the code. Whatever tutorial you have been using is no good. Looks like w3schools. Let's forget about PlayFab for a moment and deal with the PHP you presented.

  1. PHP code should be at the top of the page, HTML below that.
  2. The test_input function is an old relic from the 90’s and incorrectly uses htmlspecialchars which is an OUTPUT function, NOT an input function. Get rid of the function.
  3. The empty variables for nothing are not needed when you have proper code.
  4. You commented out the correct process of checking the REQUEST METHOD for POST. Put it back.
  5. Get rid of the isset button check. It will completely fail in certain cases. It is not needed with #4 implemented.
  6. Get rid of the form action completely.
  7. Your code is vulnerable to an XSS attack. Never ever trust user input. NOW is the time and place for htmlspecialchars.
  8. The submit button does not need a name.
  9. if is not valid for an input tag (Line 112)
  10. Get rid of the header content type.
  11. Error reporting should be set in the php.ini, not the code.
  12. You are missing a semi-colon on line 90.
  13. You need to trim the POST array before you check for empty in the commented error checks. The errors should be put into an errors array, not individual variables.
  14. Your CSS is messed up.
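As an added example (not benanamen's code and not the original script), here is the recovery form restructured along the lines of those points: PHP first, a REQUEST_METHOD check, an errors array, trimming before the empty checks, escaping on output only, no form action and no name on the submit button. It also addresses the original question: posting the form to PHP_SELF loses the ?token=... query string of the emailed link, so the token is read from the query string on first load and carried across the POST in a hidden field. Assumptions: the reset link ends in ?token=... as in the original script, the token is a hex string like the one in the later post, and the password inputs use type="password"; the HTTP call to PlayFab itself is outside this block.

```php
<?php
// Added example, not the original poster's code nor benanamen's.
// Assumption: the emailed reset link ends in ?token=..., as in the OP's script.
declare(strict_types=1);

// Escape on OUTPUT only: every value echoed into the HTML goes through h().
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$errors    = [];
$email     = '';
$validated = null;

// $_SERVER['PHP_SELF'] carries no query string, so posting the form to it
// drops ?token=... and leaves $token empty after the button click. Read the
// token from the query string on first load and carry it across the POST
// in a hidden field instead.
$token = (string) ($_POST['token'] ?? $_GET['token'] ?? '');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Trim every field once, before any emptiness checks (non-strings are dropped).
    $post  = array_map(static fn($v) => is_string($v) ? trim($v) : '', $_POST);
    $email = $post['email'] ?? '';
    $pw1   = $post['pw1'] ?? '';
    $pw2   = $post['pw2'] ?? '';

    if ($email === '') {
        $errors['email'] = 'Email is required';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email format';
    }
    if ($pw1 === '') {
        $errors['pw1'] = 'Password is required';
    } elseif (strlen($pw1) < 8) {
        $errors['pw1'] = 'Use at least 8 characters';
    }
    if ($pw2 !== $pw1) {
        $errors['pw2'] = 'Passwords do not match';
    }
    // Accept only the token shape we expect (assumed: a hex string, as in the OP's link).
    if (preg_match('/^[0-9A-Fa-f]{8,64}$/', $token) !== 1) {
        $errors['token'] = 'Reset link is invalid or incomplete';
    }

    if ($errors === []) {
        // These two values are what the Admin/ResetPassword request needs;
        // the request itself is outside this example.
        $validated = ['Password' => $pw1, 'Token' => $token];
    }
}
?>
<!DOCTYPE html>
<html>
<head><style>.error { color: #FF0000; }</style></head>
<body>
<h2>Password Recovery</h2>
<?php if ($validated !== null): ?>
  <p>Input validated; the new password can now be sent to PlayFab.</p>
<?php else: ?>
  <form method="post">
    <input type="hidden" name="token" value="<?= h($token) ?>">
    E-mail: <input type="text" name="email" value="<?= h($email) ?>">
    <span class="error"><?= h($errors['email'] ?? '') ?></span><br><br>
    New Password: <input type="password" name="pw1">
    <span class="error"><?= h($errors['pw1'] ?? '') ?></span><br><br>
    Confirm Password: <input type="password" name="pw2">
    <span class="error"><?= h($errors['pw2'] ?? '') ?></span><br><br>
    <span class="error"><?= h($errors['token'] ?? '') ?></span>
    <input type="submit" class="button" value="Submit">
  </form>
<?php endif; ?>
</body>
</html>
```

The passwords are never echoed back into the page, and every value that is (the token, the e-mail, the error strings) passes through htmlspecialchars at the point of output, which is the XSS fix the reply asks for. Because the token travels in a hidden field, the form works whether the page is reached from the emailed link or re-posted after a validation error.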

Wow, a BIG thank you, REALLY appreciate it. Will implement all of your recommendations and learn as I go. I have been watching a few tutorials on YouTube and am considering purchasing a class at Udemy.

Your #4 I have already put back in my test code.

However, I have been watching YouTube and testing A LOT during the weekend to get this working with PlayFab one way or another. Installed Postman today and tested the API and got it to work perfectly, but when I implement it in the code I receive the following error:

{"code":400,"status":"BadRequest","error":"InvalidContentType","errorCode":1144,"errorMessage":"Request HTTP header: \"Content-Type: application/x-www-form-urlencoded\" does not match required value: application/json"}

I am currently using this REST code:

      $data = array('Password' => $pw1, 'Token' => $params['token']);
      $hData = array('X-SecretKey' => 'xxxxxxxxx', 'Content-Type' => "application/json");

      $options = array(
          'http' => array(
              'method'  => 'POST',
              'content' => http_build_query($data),
              'header' => http_build_query($hData),
              'ignore_errors' => true
          )
      );

      $context  = stream_context_create($options);
      $resp = file_get_contents($url, false, $context);
      var_dump($resp);

In Postman there is a reference to Body and under that tab “x-www-url-encoded” is marked. My assumption is that I need to include Body and the “x-www-url-encoded” in my request and have been trying to find out how with no success.

Again, really appreciate your help!

I was able to solve this using Postman. The following is the code snippet for the actual ResetPassword.

I will now clean my code as recommended by @bennamen.

Thanks

        echo '>>>>>>>>>> TEST <<<<<<<<<<';

        $curl = curl_init();

        curl_setopt_array($curl, array(
            CURLOPT_URL => 'https://99999.playfabapi.com/Admin/ResetPassword?Password=pekapeka&Token=1B5A9C01EFD5DB69',
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_ENCODING => '',
            CURLOPT_MAXREDIRS => 10,
            CURLOPT_TIMEOUT => 0,
            CURLOPT_FOLLOWLOCATION => true,
            CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
            CURLOPT_CUSTOMREQUEST => 'POST',
            CURLOPT_HTTPHEADER => array(
                'X-SecretKey:xxxxxxxx',
                'Content-Type: application/json'
            ),
        ));

        $response = curl_exec($curl);

        curl_close($curl);
        echo $response;
        print_r($response);

        echo '<br>========== END ==========';
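The InvalidContentType error in the earlier post came from the body being built with http_build_query (form-encoded) while the header claimed JSON, and the header array itself was passed through http_build_query rather than as a "Name: value" line. As an added example (not the poster's code and not PlayFab's SDK), the same Admin/ResetPassword call with the two values sent as a JSON body instead of query parameters, the secret key read from the environment rather than written in the source, and the HTTP status checked before the reply is trusted. Assumptions: the title ID and secret key come from the environment variables PLAYFAB_TITLE_ID and PLAYFAB_SECRET_KEY (placeholders, not values from this thread), and the request field names Password and Token are taken from the posted snippet.

```php
<?php
// Added example, not the original poster's code nor PlayFab's own SDK.
// Assumptions: PLAYFAB_TITLE_ID / PLAYFAB_SECRET_KEY are set in the environment;
// field names follow the snippet posted in the thread.
declare(strict_types=1);

function playfab_reset_password(string $newPassword, string $token): array
{
    $titleId = getenv('PLAYFAB_TITLE_ID') ?: 'TITLEID_PLACEHOLDER';
    $secret  = getenv('PLAYFAB_SECRET_KEY');
    if ($secret === false || $secret === '') {
        throw new RuntimeException('PLAYFAB_SECRET_KEY is not set');
    }

    // Password and token go in the JSON body, not the URL: query strings end
    // up in web-server logs, proxies and browser history.
    $body = json_encode(['Password' => $newPassword, 'Token' => $token], JSON_THROW_ON_ERROR);

    $curl = curl_init("https://{$titleId}.playfabapi.com/Admin/ResetPassword");
    curl_setopt_array($curl, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 15,
        CURLOPT_HTTPHEADER     => [
            'Content-Type: application/json',   // the value the 400 InvalidContentType error asked for
            'X-SecretKey: ' . $secret,
        ],
        // Do not follow redirects: the secret header could otherwise be resent to another host.
        CURLOPT_FOLLOWLOCATION => false,
    ]);

    $raw = curl_exec($curl);
    if ($raw === false) {
        $err = curl_error($curl);
        curl_close($curl);
        throw new RuntimeException('transport error: ' . $err);
    }
    $status = (int) curl_getinfo($curl, CURLINFO_RESPONSE_CODE);
    curl_close($curl);

    $decoded = json_decode($raw, true);
    if (!is_array($decoded)) {
        throw new RuntimeException("non-JSON reply (HTTP {$status})");
    }
    // PlayFab errors arrive as {"code":400,"status":"BadRequest","error":...,"errorMessage":...}
    // as in the message quoted in the thread; surface the decoded body to the caller.
    return ['ok' => $status === 200, 'status' => $status, 'body' => $decoded];
}

// Usage (constructed sample values, not a real token):
// $result = playfab_reset_password('correct horse battery staple', 'TOKEN_FROM_EMAIL_LINK');
// if (!$result['ok']) {
//     error_log('reset failed: ' . ($result['body']['errorMessage'] ?? 'unknown error'));
// }
```

Logging only errorMessage, never the password or the secret key, keeps the application log safe to share when something goes wrong. The timeout replaces the posted CURLOPT_TIMEOUT of 0 (wait forever), so a stalled API call cannot hold a PHP worker indefinitely.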