xisto Community
darran

Submit Restrictions: Is there any way to bypass this on my localhost?


This can be considered my first php page after a long while, I did a little basic php years ago and I have totally forgotten most of it. But I have come up with a page; a simple calculator if you will with the essential add, subtract, multiply and divide functions. When I load the page on my localhost, I get this error

Posted Image

However when I upload it to Xisto, there is no problem, please take a look

http://forums.xisto.com/no_longer_exists/

I know this does not matter but I want to find out where I went wrong on my first php page.

The code listing for my calculator.php are as follows

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Calculator</title>
<style type="text/css">
<!--
.style1 {font-family: Georgia, "Times New Roman", Times, serif}
.style3 {font-family: Georgia, "Times New Roman", Times, serif; font-size: 36px; }
body,td,th {font-family: Georgia, Times New Roman, Times, serif;}
-->
</style>
</head>
<body>
<form id="frmCalculator" name="Calculator" method="POST" action="<?php echo $_SERVER['PHP_SELF']; ?>">
  <br /><br /><br /><br /><br /><br /><br /><br />
  <table width="200" border="1" align="center" cellpadding="50" cellspacing="0" bordercolor="#000000">
    <tr>
      <td>
        <table width="562" border="0" cellspacing="0" cellpadding="0">
          <tr>
            <td><div align="center"><span class="style3">Simple Calculator</span></div></td>
          </tr>
        </table>
        <br />
        <table width="546" border="0" align="center" cellpadding="5" cellspacing="0" bordercolor="#000000">
          <tr>
            <td width="101"><span class="style1">1st Number</span></td>
            <td width="151"><span class="style1"><label><input name="txt1stNumber" type="text" id="txt1stNumber" /></label></span></td>
            <td width="110"><span class="style1">2nd Number</span></td>
            <td width="144"><span class="style1"></span><input name="txt2ndNumber" type="text" id="txt2ndNumber" /></td>
          </tr>
          <tr>
            <td colspan="4">
              <div align="center">
                <label><span class="style1"><input type="radio" name="rad1" value="Add" /> Add</span></label>
                <span class="style1">
                  <input type="radio" name="rad1" value="Subtract" /> <label>Subtract</label>
                  <label><input type="radio" name="rad1" value="Multiply" /> Multiply</label>
                  <label><input type="radio" name="rad1" value="Divide" /> Divide</label>
                </span>
              </div>
            </td>
          </tr>
          <tr>
            <td colspan="4">
              <div align="center">
                <input name="btnSubmit" type="submit" class="style1" value="Submit" />
                <input name="btnReset" type="reset" class="style1" id="btnReset" value="Reset" />
              </div>
            </td>
          </tr>
          <tr>
            <td colspan="4"><strong>Result:</strong>
              <?php
                // Reads the fields straight from $_POST; on the first (GET) load
                // none of these keys exist, which is what produces the Notices.
                $rad1 = $_POST['rad1'];
                $_1stNumber = $_POST['txt1stNumber'];
                $_2ndNumber = $_POST['txt2ndNumber'];
                $result = "";
                if ($rad1 != null) {
                  switch ($rad1) {
                    case "Add": $result = $_1stNumber + $_2ndNumber; break;
                    case "Subtract": $result = $_1stNumber - $_2ndNumber; break;
                    case "Multiply": $result = $_1stNumber * $_2ndNumber; break;
                    case "Divide": $result = $_1stNumber / $_2ndNumber; break;
                  }
                  echo("<font color=#FF0000>$result</font>");
                }
              ?>
            </td>
          </tr>
        </table>
      </td>
    </tr>
  </table>
</form>
<p> </p>
</body>
</html>

I would appreciate it if any of you can guide me on this.


PHP does not work when opened in a browser. For instance, when I try to look at my web pages in a browser when they are not uploaded to a website, it will not show the PHP includes that I have in my web page. I don't know why, but it just won't show PHP functions like that.


I believe PHP works when opened in a browser; I mean I uploaded the PHP page to my Xisto host and it works fine. However, when I do it on a localhost, I get errors. I think when you upload it, for security reasons, Firefox or IE will simply format it. Anyway, do you know what is wrong with my page? They both have the same code, except one is previewed using my localhost and the other on the Xisto host.


He means he's got Apache and PHP installed on his local computer or a local server at his place for testing... or something along those lines, I believe... if not, there's the problem lol

Edited by tdktank59.


Typically, I would've handled this differently than you have done. Check the following code, which includes an input form for calculating the value of a purchase. Notice the difference in the logical structure?

The first thing this form does is check for a previously 'submitted' value and then handle the form, or else present the form and include the 'hidden' field, which is what is used in the first logic block above it.


<html>
<head>
<title>Widget Cost Calculator</title>
</head>
<body>
<?php
// Check if the form has been submitted.
if (isset($_POST['submitted'])) {

    // Cast all the variables to a specific type.
    $quantity = (int) $_POST['quantity'];
    $price = (float) $_POST['price'];
    $tax = (float) $_POST['tax'];

    // All variables should be positive!
    if (($quantity > 0) && ($price > 0) && ($tax > 0)) {

        // Calculate the total.
        $total = ($quantity * $price) * (($tax/100) + 1);

        // Print the result.
        echo '<p>The total cost of purchasing ' . $quantity . ' widget(s) at $' . number_format($price, 2) . ' each is $' . number_format($total, 2) . '.</p>';

    } else { // Invalid submitted values.
        echo '<p><font color="red">Please enter a valid quantity, price, and tax rate.</font></p>';
    }

} // End of main isset() IF.

// Leave the PHP section and create the HTML form.
?>
<h2>Widget Cost Calculator</h2>
<form action="calculator.php" method="post">
  <p>Quantity: <input type="text" name="quantity" size="5" maxlength="10" value="<?php if (isset($quantity)) echo $quantity; ?>" /></p>
  <p>Price: <input type="text" name="price" size="5" maxlength="10" value="<?php if (isset($price)) echo $price; ?>" /></p>
  <p>Tax (%): <input type="text" name="tax" size="5" maxlength="10" value="<?php if (isset($tax)) echo $tax; ?>" /> (optional)</p>
  <p><input type="submit" name="submit" value="Calculate!" /></p>
  <input type="hidden" name="submitted" value="TRUE" />
</form>
</body>
</html>

There is always 'another way' to do things, so check this page to see if you can recognize the difference in structure.

As to what is wrong with your form? I don't know. I had a terribly difficult time when I read it. Tables and divs all mashed in together? No hidden field to see if the form had been submitted? Multiple uses of the same 'name'. The best thing I can do about your problem is to show you a sample of code which I would've used, and perhaps you can learn from it and find the error. Besides, it is late at night and I need some sleep. Might have another look in the morning.

What version of PHP are you running on the XAMPP set-up? Might be a version problem. And the reset button doesn't clear a calculated value when I tried to use the page you posted.

Good effort for the first page, at least you got a result. Besides, the messages are 'Notices', not errors. Keep learning.





I have checked the structure of my code; based on the difference, I am missing a hidden input type and my PHP code is placed at the bottom. Based on my understanding of your code, the isset() method checks whether a variable is null or not, and this checks for the submission of the form. Correct? However, I am not too sure how the hidden field 'submitted' works; does the boolean value change after I submit? For e.g., will the value of the hidden field be false until I submit the form?

And also, the reason I put the PHP code at the bottom is that I want to print the error message in a particular td of the table. Is there a way I can do this while at the same time putting the PHP code at the very beginning of the body tag?

The issue with you seeing all the tables and divs mashed up is that I wanted to organise my simple calculator page in a table layout and do some centralising. The centralising was done using the GUI of Dreamweaver, and I am sure that there is no problem since I did not move the code. However, there is some redundant code in there; I will clear that up.

I do not recall installing PHP on my system. XAMPP only provides Apache and MySQL, and I am using easyPHP for the server. Clearing the result value? I am not too sure how to do that; I just need to reset the $result variable to null, right? But where is the place that allows me to do that? I am thinking along the lines of this, do look it through:

<?php if (isset($_POST['reset'])) { $result = null; } ?>

Am I right or is there a more appropriate way of doing it?

Thank you for the compliments, I will continue working on it to make it a perfect page, but I do need your help in certain areas.
Edited by darran.


I did some modifications to the code:

<?php
$result = "";
if (isset($_POST['submitted'])) {
    $_1stNumber = $_POST['txt1stNumber'];
    $_2ndNumber = $_POST['txt2ndNumber'];
    if (!is_numeric($_1stNumber) || !is_numeric($_2ndNumber)) {
        echo("<font color=#FF0000>Enter a number in the textbox</font>");
    } else {
        if (isset($_POST['rad1'])) {
            $rad1 = $_POST['rad1'];
            switch ($rad1) {
                case "Add": $result = $_1stNumber + $_2ndNumber; break;
                case "Subtract": $result = $_1stNumber - $_2ndNumber; break;
                case "Multiply": $result = $_1stNumber * $_2ndNumber; break;
                case "Divide": $result = $_1stNumber / $_2ndNumber; break;
            }
            echo("<font color=#FF0000>$result</font>");
        } else {
            exit("<font color=#FF0000>No operation selected</font>");
        }
    }
}
?>

However, I am still left with the placing of the PHP code as well as the reset button. I want to place the error message in a particular place, but at the same time I want the PHP code to be at the beginning of the <body> tag. And with the reset button, I want to reset $result as well.

I have done some validation, and you can preview this page at http://forums.xisto.com/no_longer_exists/


Nice clean code now.

Try setting $result = 0; in the line where you have $result = ''; at the top of the page. Also, watch for division by zero if rad1 = Divide.

XAMPP provides Apache, MySQL, Perl, PHP, Mercury Mail, an FTP client, phpMyAdmin and even more. It is very easy to install. A default install will handle most situations. It should NOT be used in a live web situation, though, due to security factors, without changes to its security. You need to know what settings to change on the server, etc.


Just try adding some simple checking of each element:

$rad1 = !empty($_POST['rad1']) ? $_POST['rad1'] : '';
$_1stNumber = !empty($_POST['txt1stNumber']) ? $_POST['txt1stNumber'] : 0;
$_2ndNumber = !empty($_POST['txt2ndNumber']) ? $_POST['txt2ndNumber'] : 0;
if ($rad1 == 'Divide') {
    if ($_2ndNumber == 0) {
        echo('<font color="#FF0000">Cannot divide by 0.</font>');
        $rad1 = '';
    }
}
$result = "";
if ($rad1 != null) {
    // ... the existing switch on $rad1 goes here ...
}

Edited by Spectre.


I am pretty new to testing PHP pages on a live server. Can you give me a guide as to which security changes must be made? And can all of these be done in cPanel? I believe my first PHP page is more or less complete, with the exception of some minor glitches and also the security regarding XAMPP.

PS: Changing the value of $result to 0 did not reset the value when I clicked the reset button.

Edited by darran.


Three rules of Security on php pages are as follows:

Never trust user input

Never trust user input

Never trust user input

A common method is to set the variables using the following technique:

... code to input the value from the User ...
$my_variable = stripslashes(trim($_POST['user_input']));
... rest of code uses $my_variable ...

trim() removes white-space before or after the data in $_POST['user_input']

and stripslashes() removes any backslashes found in $_POST['user_input']


Is that the security issue you are talking about? I thought it had something to do with Apache or the server side. Another PHP question from me: I want to create a button to handle the clearing of values, but from my understanding only JavaScript is able to do this. What if it was disabled by the user? How am I to interact with the button in a PHP page? How about the reset button? It does not reset the value to 0.


When you're just dealing with numeric values, you don't need to do any form of sanitization outside of is_numeric(): if the value is not numeric, then cancel. Additionally, unless you are passing the value to something outside of PHP, evaluating it as code, or treating it as a filename (as well as a few other exceptions), there isn't really a lot that can be manipulated by user input. The worst that could happen in this particular case is the operation failing, resulting in an error being displayed and revealing path information etc.

darran, set the initial value of the input fields to '0' and the reset action should result in them reverting to this (ie. <input type="text" name="field" value="0">).
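As an added example (not code posted by anyone in this thread), here are the points raised above pulled together into one page: the hidden 'submitted' field darran asked about, the isset()/is_numeric() checks, Spectre's divide-by-zero guard, the value="0" defaults that make the reset button work, and the PHP placed at the top of the page while the message still lands in a particular td. The form field names are darran's; the calculate() function and everything else here are assumptions made for the illustration. On the hidden field: it has no false state. A browser only sends it when the form is posted, so on the first GET request $_POST['submitted'] is simply absent and isset() returns false, while on every submit it is present with the value TRUE. The results are passed through htmlspecialchars() before being echoed, and the form's action is left empty rather than echoing $_SERVER['PHP_SELF'], whose value is taken from the request URL and would otherwise land in the page unescaped.

```php
<?php
// Added example, not from the thread. Field names follow darran's form;
// calculate() and the rest are assumptions made for this illustration.
declare(strict_types=1);

/**
 * Works out the calculator's answer from raw form data ($_POST on the
 * real page). Returns ['result' => string|null, 'error' => string|null],
 * so the page can print the message wherever it likes later on.
 */
function calculate(array $post): array
{
    // First visit (GET) or the hidden field missing: nothing to do, and no
    // Notices, because no key is read before being tested with isset().
    if (!isset($post['submitted'])) {
        return ['result' => null, 'error' => null];
    }

    $a  = isset($post['txt1stNumber']) ? trim((string) $post['txt1stNumber']) : '';
    $b  = isset($post['txt2ndNumber']) ? trim((string) $post['txt2ndNumber']) : '';
    $op = isset($post['rad1']) ? (string) $post['rad1'] : '';

    // is_numeric() is the only check the numbers need; anything else is
    // rejected instead of being silently coerced to 0 by the arithmetic.
    if (!is_numeric($a) || !is_numeric($b)) {
        return ['result' => null, 'error' => 'Enter a number in both textboxes'];
    }
    $x = (float) $a;
    $y = (float) $b;

    switch ($op) {
        case 'Add':      return ['result' => (string) ($x + $y), 'error' => null];
        case 'Subtract': return ['result' => (string) ($x - $y), 'error' => null];
        case 'Multiply': return ['result' => (string) ($x * $y), 'error' => null];
        case 'Divide':
            if ($y == 0.0) {   // the case Spectre's snippet guards against
                return ['result' => null, 'error' => 'Cannot divide by 0'];
            }
            return ['result' => (string) ($x / $y), 'error' => null];
        default:
            // No radio button chosen, or a value the form never offers
            return ['result' => null, 'error' => 'No operation selected'];
    }
}

// Runs at the top of the page; the output happens inside the table below.
$calc = calculate($_POST);
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8" /><title>Calculator</title></head>
<body>
<!-- An empty action posts the form back to the same URL without echoing
     $_SERVER['PHP_SELF'] into the markup. -->
<form method="post" action="">
  <table border="1" align="center" cellpadding="5">
    <tr>
      <td>1st Number</td>
      <td><input type="text" name="txt1stNumber" value="0" /></td>
      <td>2nd Number</td>
      <td><input type="text" name="txt2ndNumber" value="0" /></td>
    </tr>
    <tr><td colspan="4" align="center">
      <?php foreach (['Add', 'Subtract', 'Multiply', 'Divide'] as $name): ?>
        <label><input type="radio" name="rad1" value="<?php echo $name; ?>" /> <?php echo $name; ?></label>
      <?php endforeach; ?>
    </td></tr>
    <tr><td colspan="4" align="center">
      <input type="submit" name="btnSubmit" value="Submit" />
      <!-- reset puts the fields back to their value="0" defaults -->
      <input type="reset" value="Reset" />
    </td></tr>
    <tr><td colspan="4"><strong>Result:</strong>
      <?php if ($calc['error'] !== null): ?>
        <span style="color:#FF0000"><?php echo htmlspecialchars($calc['error'], ENT_QUOTES, 'UTF-8'); ?></span>
      <?php elseif ($calc['result'] !== null): ?>
        <span style="color:#FF0000"><?php echo htmlspecialchars($calc['result'], ENT_QUOTES, 'UTF-8'); ?></span>
      <?php endif; ?>
    </td></tr>
  </table>
  <!-- only present in $_POST when the form is actually submitted -->
  <input type="hidden" name="submitted" value="TRUE" />
</form>
</body>
</html>
```

Because calculate() only returns strings and never echoes, the same function can be exercised from the command line with a hand-built array (for example calculate(['submitted' => 'TRUE', 'txt1stNumber' => '6', 'txt2ndNumber' => '0', 'rad1' => 'Divide']) gives the divide-by-zero error), which is an easy way to check every branch before putting the page on a host.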

