Transferring form data to another page

I am trying to input my name and email into a form and have it shown on another localhost page.
For some reason when I put my name and email into the first form it does not transfer into the greeting.
It shows as: Hello Your mail is
When it should come out as Hello “my name” Your mail is “my email”

Can anyone tell me why the things I am inputting are not showing up?

I am using this simple code

Title: index.php

<html>
<body>

<form action="site2.php" method="post">
Name: <input type="text" name="name">
Email: <input type="text" name="email">
<input type="submit">
</form>

</body>
</html> 

and

Title: Site2.php

<html>
<body>

Hello <?php echo $_POST["name"]; ?>!<br>
Your mail is <?php echo $_POST["mail"]; ?>.

</body>
</html>

You called your email input “email”, but you look for the $_POST parameter “mail” - you’ve left the e out.

Other than that, this script seems ok - it runs fine on my computer.

No, it is not OK. It is vulnerable to an XSS Attack.

NEVER EVER TRUST USER SUPPLIED DATA!


NEVER EVER TRUST USER SUPPLIED DATA!

Strictly speaking, the user can only XSS themselves in this script… But yeah, better to foster the habit.

The vulnerability @benanamen mentions is that you’re just printing out whatever data the user is providing; this could be malicious. To demonstrate this, try pasting <script>alert('hacked!')</script> into your name input and clicking submit; you’ll get a popup.

To prevent this, you should always escape variables before outputting them as part of a web page. The easiest way to do this for PHP is to pass the output through the function htmlspecialchars, as shown in an updated site2.php below:

<html>
    <body>
        <?php
        // Escape both fields before they go into the page. ENT_QUOTES also
        // escapes single quotes (safe inside attributes too), ENT_SUBSTITUTE
        // keeps invalid UTF-8 from turning the output into an empty string,
        // and ?? '' avoids a warning when a field is missing from the POST.
        $name  = htmlspecialchars($_POST["name"]  ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $email = htmlspecialchars($_POST["email"] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); // key matches name="email" in the form
        ?>
        Hello <?php echo $name ?>!<br>
        Your mail is <?php echo $email ?>.
    </body>
</html>

Now when you attempt to submit the script tag above, it will just be shown on the page as normal text.
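As an added example (not code from the original thread), here is the same escaping pulled into a small helper and applied in the two places it matters: the text of the page and an attribute value when the submitted name is echoed back into the form. The `e()` helper, the `render_greeting()` function and the command-line payload loop are assumptions made for the demo; `htmlspecialchars`, `ENT_QUOTES` and `ENT_SUBSTITUTE` are standard PHP. It also handles the case the default flags in older PHP versions miss: a value placed inside a single-quoted attribute, where an unescaped `'` would let the input break out of the attribute.

```php
<?php
// Added example, not from the original thread: a reusable HTML escaper and a
// greeting page that uses it in both text context and attribute context.
declare(strict_types=1);

// Escape a string for insertion into an HTML document.
// ENT_QUOTES converts ' as well as " and <, so the result is also safe inside
// single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 sequences
// instead of making htmlspecialchars() return an empty string.
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the greeting page from the submitted form fields.
// Missing fields default to '' so opening the page directly does not warn.
function render_greeting(array $post): string
{
    $name  = e($post['name']  ?? '');
    $email = e($post['email'] ?? '');   // key matches name="email" in index.php

    return "<html>\n<body>\n"
         . "Hello {$name}!<br>\n"
         . "Your mail is {$email}.\n"
         // Echoing the value back into an input is attribute context;
         // the single-quoted attribute is deliberate to show ENT_QUOTES at work.
         . "<form action=\"site2.php\" method=\"post\">\n"
         . "Name: <input type=\"text\" name=\"name\" value='{$name}'>\n"
         . "<input type=\"submit\">\n"
         . "</form>\n"
         . "</body>\n</html>\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed payloads for a command-line run (php site2_demo.php), so the
    // escaped output can be inspected without a browser or web server.
    $payloads = [
        'Alice',
        "<script>alert('hacked!')</script>",       // the payload from the thread
        "' onfocus='alert(1)' autofocus='",        // attribute-breakout attempt
    ];
    foreach ($payloads as $p) {
        echo render_greeting(['name' => $p, 'email' => 'alice@example.com']);
        echo str_repeat('-', 40), "\n";
    }
} else {
    // Real request: render the submitted POST fields.
    echo render_greeting($_POST);
}
```

Run from the command line, every `<`, `>`, `"` and `'` in the three payloads comes out as `&lt;`, `&gt;`, `&quot;` and `&#039;`, so neither the script tag nor the attribute-breakout string is interpreted by a browser. On the question of who can be attacked: site2.php accepts a POST from any origin, so a page hosted elsewhere can contain an auto-submitting form that posts the payload to it on a visitor's behalf, which is how a reflected (non-stored) XSS is normally delivered; escaping at output closes that regardless of how the request arrives.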

Again, just not true.

It’s not storing data. How are they going to attack anyone else?
