DotDragnet
Author Topic: Simple content form not working  (Read 345 times)
familychoice
« on: November 02, 2011, 06:48:01 PM »

Years ago I set up a simple CMS based on some basic form scripts, but since updating my hosting account these are no longer working. Here's a sample of the form code which adds a website to the links page:

Code:
<?php
if ($submit) {
  // process form
  $db = mysql_connect("localhost", "username", "password");
  mysql_select_db("databasename", $db);
  $sql = "INSERT INTO mydatabase_links (link_details,title,link)
  VALUES ('$link_details','$title','$link')";
  $result = mysql_query($sql);
  echo "Thank you! Information entered.\n";
  echo "<a href='links_form.php'><br>
<br>
Add another entry</a><br>
<a href='main.php'>Home</a><br>";
} else {
  // display form
?>

<form method="post" action="<?php echo $PHP_SELF?>">
<p>Website Address (for example - http://www.example.com)</p>
<p><input name="link" type="Text" size="50" value="http://www."></p>
<p>Website title</p>
<p><input name="title" type="Text" size="50"></p>
<p>Link Details</p>
<textarea name="link_details" cols="40" rows="5"></textarea>
<p><input type="Submit" name="submit" value="Enter information"> </p>
</form>
<?php
} // end if
?>

 

I then have another form to remove items. All very basic, but it was written ten years ago. There are other parts to the form - image uploaders, password protection etc., but the basic script above appears to have stopped working.

Is there anything in the main part of the code that isn't working with PHP5, and if so is there an easy fix to get it working again? All it needs to do is to upload the data into the tables specified.

Thanks.

Just another shite talking, unemployable Walter Mitty character living in a blinkered brassed-off, ITV-drama-esque world...
sarahA
« Reply #1 on: November 02, 2011, 08:28:02 PM »

The issue is you've assumed registered globals are set to on (security risk, now defaults to off on PHP installation). You could override this with one line of code but really not a good idea. You'd be better calling $_POST['fieldname'] rather than just $submit, $title etc.

And an aside, you really should be escaping those inputs using something like addslashes() or mysql_real_escape_string() (personally I would use the latter)

familychoice
« Reply #2 on: November 03, 2011, 10:16:33 AM »

> The issue is you've assumed registered globals are set to on (security risk, now defaults to off on PHP installation). You could override this with one line of code but really not a good idea. You'd be better calling $_POST['fieldname'] rather than just $submit, $title etc.
>
> And an aside, you really should be escaping those inputs using something like addslashes() or mysql_real_escape_string() (personally I would use the latter)

Thanks Sarah, I'll have a go at updating the script using what you've suggested.
familychoice
« Reply #3 on: November 03, 2011, 11:29:02 AM »

This seems to do the job, using a separate form and script as the example here: http://www.w3schools.com/php/php_mysql_insert.asp

Jem
« Reply #4 on: November 03, 2011, 11:35:57 AM »

^ that's because that specifies the path to the PHP stuff directly, instead of $PHP_SELF which in this case is an undefined variable because, as Sarah said, reg globals is off. Replacing $PHP_SELF with $_SERVER['PHP_SELF'] would have achieved the same thing, but then you'd still have to change $link_details to $_POST['link_details'] and so on.

All that aside, the w3schools example still suffers from the same problems as the above because you're not escaping the input going into the database (and if I read your post correctly, it's probably only because it's password protected that has prevented it from being exploited..)

oi.
familychoice
« Reply #5 on: November 03, 2011, 11:44:45 AM »

> ^ that's because that specifies the path to the PHP stuff directly, instead of $PHP_SELF which in this case is an undefined variable because, as Sarah said, reg globals is off. Replacing $PHP_SELF with $_SERVER['PHP_SELF'] would have achieved the same thing, but then you'd still have to change $link_details to $_POST['link_details'] and so on.

I tried that first, couldn't get it to work though...probably my sausage fingers though typing the wrong things.

> All that aside, the w3schools example still suffers from the same problems as the above because you're not escaping the input going into the database (and if I read your post correctly, it's probably only because it's password protected that has prevented it from being exploited..)

Yeah, all the pages are password protected.

I wish the miserable buggers would update their sites or pay me to create a shiny new system for them though, the site I've just updated is 8 years old.

sarahA
« Reply #6 on: November 03, 2011, 03:22:31 PM »

Remember the TradingEye hack? It's because they didn't escape the username and password for the login. I rest my case ;)

Are you getting paid to update this script? If not then leave it. You were commissioned several years ago to create what you've done and, whilst it wasn't best practice even then, it was quite common to do. The site owners have to appreciate that technology updates and you can't predict the future. This is why you charge for fixing sites broken by the latest version of IE.

Your script should/could be

Code:
<?php
// Read the submit flag from $_POST explicitly; register_globals is off.
if (isset($_POST['submit'])) {
  // process form
  $db = mysql_connect("localhost", "username", "password");
  mysql_select_db("databasename", $db);
  // Escape every user-supplied value before it goes into the SQL string.
  $sql = "INSERT INTO mydatabase_links (link_details,title,link)
  VALUES ('"
    .mysql_real_escape_string($_POST['link_details'])."','"
    .mysql_real_escape_string($_POST['title'])."','"
    .mysql_real_escape_string($_POST['link'])."')";
  $result = mysql_query($sql);
  echo "Thank you! Information entered.\n";
  echo "<a href='links_form.php'><br>
<br>
Add another entry</a><br>
<a href='main.php'>Home</a><br>";
} else {
  // display form
  // PHP_SELF can carry user-supplied path info, so encode it for HTML output.
?>

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">
<p>Website Address (for example - http://www.example.com)</p>
<p><input name="link" type="Text" size="50" value="http://www."></p>
<p>Website title</p>
<p><input name="title" type="Text" size="50"></p>
<p>Link Details</p>
<textarea name="link_details" cols="40" rows="5"></textarea>
<p><input type="Submit" name="submit" value="Enter information"> </p>
</form>
<?php
} // end if
?>

Note, in theory I guess you should also upgrade to mysqli but I'm not sure if they are going to phase out mysql or not.
« Last Edit: November 03, 2011, 03:24:38 PM by sarahA » Logged
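
Added example, not part of sarahA's post or the original script: the same insert written with PDO bound parameters instead of string escaping, with the fields read explicitly from the request array and the link validated before it is stored. The mysql_* functions used in the thread were removed in PHP 7.0, which is why this sketch uses PDO. The `add_link` helper, the in-memory SQLite database (standing in for the thread's MySQL database) and the sample submissions are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. In-memory SQLite stands in for the
// MySQL database so this runs stand-alone; with MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mydatabase_links (link_details TEXT, title TEXT, link TEXT)');

// Hypothetical helper: validate the posted fields, then insert with bound parameters.
function add_link(PDO $pdo, array $post)
{
    // Read each field from the request array explicitly (no register_globals).
    $link    = isset($post['link']) ? trim($post['link']) : '';
    $title   = isset($post['title']) ? trim($post['title']) : '';
    $details = isset($post['link_details']) ? trim($post['link_details']) : '';

    // Accept only well-formed http(s) URLs and require a title.
    $scheme = parse_url($link, PHP_URL_SCHEME);
    if (filter_var($link, FILTER_VALIDATE_URL) === false
        || !in_array(strtolower((string) $scheme), array('http', 'https'), true)
        || $title === '') {
        return false;
    }

    // Placeholders keep the values out of the SQL text, so quotes in the
    // input cannot change the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO mydatabase_links (link_details, title, link) VALUES (?, ?, ?)'
    );
    return $stmt->execute(array($details, $title, $link));
}

// Constructed sample submissions, standing in for $_POST.
$samples = array(
    array('link' => 'http://www.example.com', 'title' => "Bob's Bikes", 'link_details' => 'Local "cycle" shop'),
    array('link' => 'www.example.com', 'title' => 'Missing scheme', 'link_details' => ''),
);
foreach ($samples as $post) {
    echo add_link($pdo, $post) ? "stored\n" : "rejected\n";
}

// Escape on output as well: stored text is data, not markup.
foreach ($pdo->query('SELECT title, link FROM mydatabase_links') as $row) {
    printf("<a href=\"%s\">%s</a>\n",
        htmlspecialchars($row['link'], ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'));
}
```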

familychoice
« Reply #7 on: November 03, 2011, 05:07:30 PM »

> Remember the TradingEye hack? It's because they didn't escape the username and password for the login. I rest my case ;)

Thanks Sarah, and thanks for the code, I'll update what I've used.

> Are you getting paid to update this script? If not then leave it. You were commissioned several years ago to create what you've done and, whilst it wasn't best practice even then, it was quite common to do. The site owners have to appreciate that technology updates and you can't predict the future. This is why you charge for fixing sites broken by the latest version of IE.

I put the script together nearly ten years ago based on tutorials I found on some of the most reputable sites around at the time and a big PHP/MySQL book I bought. I think it was the way to go in those days, and at the time commercial/open source systems were almost non-existent.

I'm not getting paid for it, no, and they probably only paid shirt buttons for the site in the first place. I'm also updating another 4 sites of similar vintage on the server.

I know theoretically I should be charging for it, but to be honest it's not worth the backlash. A few hours' work versus hours of emails and bad feeling. Three of the site owners have muttered about updating their systems recently and had rough quotes so I don't want to fall out with them at this stage, and it's nice having the hosting income too.

Of course if they go and have a new site built with someone else my cunning plan will have failed again but it's par for the course this year.





