why not submit

KARFER

hi all i try to develope feedback system by php and i make two pages the first is feedback.php and this is it's code //this is feedback.php <form name="feedback" method="post" action="FeedBackCheck.php"> <table width="550" border="0" align="center" cellpadding="1" cellspacing="2"> <tr> <td colspan="2"><div align="center"> </div></td> </tr> <tr> <td width="114">&nbsp;</td> <td width="426">&nbsp;</td> </tr> <tr> <td>Name</td> <td><label> <input name="txtName" type="text" id="txtName" tabindex="0" size="54" maxlength="254" /> </label></td> </tr> <tr> <td>Subject</td> <td><label> <input name="txtSubject" type="text" id="txtSubject" tabindex="1" size="54" maxlength="254" /> </label></td> </tr> <tr> <td>Email</td> <td><label> <input name="txtEmail" type="text" id="txtEmail" tabindex="2" size="54" maxlength="254" /> </label></td> </tr> <tr> <td>Message</td> <td><label> <textarea name="txtMessage" cols="41" rows="7" id="EDITOR" tabindex="3"></textarea> </label></td> </tr> <tr> <td colspan="2"><label> <div align="center"> <input name="btnSend" type="submit" id="btnSend" tabindex="4" value="send" /> </div> </label></td> </tr> </table> </form> and the second page name FeedBackCheck.php and it's code $txtName = trim($_POST['txtName']); $txtSubject = trim($_POST['txtSubject']); $txtEmail = trim($_POST['txtEmail']); $txtMessage = trim($_POST["txtMessage"]); $txtDate = date('d-m-Y'); if ($btnSend == "send") { $to = "jameil_hamzh@yahoo.com"; $insertFe

Marc Firth

because you are trying to get a value from a submit button. to see what data has been sent from a form try this:

<?php
if (!empty($_POST)){
foreach ($_POST as $key=>$value){
$info .= $key.": ".$value."<br />";
}
echo $info;
} else {
echo "no data";
}
?>

Portfolio | Surrey Web Design, Web Hosting & IT Support

KARFER

thanks a lot Mr.Marc Firth it's working now thank you again Regrads KARFER

-*-*-*-*-*-*-*-*-* To Be Or Not To Be (KARFER) -*-*-*-*-*-*-*-*-*

cjoki

I would not process a post like this....I would suspect an exploit is opened this way. Instead just change the $_POST to $_POST['form_elm_name'] where form_elm_name = the value of the forms name attribute. also do not trust the users input to be harmless. If the expected value of a form is a age, then check that the post only has numbers in it php is_numeric($_POST['form_elm_name']; if it is going to be text only then I usually include a custom function to remove all non-characters from the input. This funct only permits lowercase letters a dash and a space as valid. It alse swaps all spaces for a dash.

function clean_input($input)
{
$valid = array('a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z','0','1','2','3','4','5','6','7','8','9','-',' ');
$cnt = strlen($input);
$input = strtolower($input);
$output='';
for($i=0;$i<$cnt;$i++)
{
if(in_array($input[$i],$valid))
{
if($input[$i]==' ')
{
$output.='-';
}
else
{
$output.=$input[$i];
}
}
}
return $output;
}