How does the file receive the $_POST?

Question

How does the file receive the $_POST?

Asked 10 years, 1 month ago

Viewed 142 times

7

Good morning guys, I have to do a maintenance on an old form and I’m trying to understand how it works...

Below the form_proposta.php file

<?
$msg = "Mais informações de imóvel enviado em " . date("d/m/Y") . ", os dados seguem abaixo: " . chr(13) . chr(10) . chr(10); //nessa linha, estará impresso em que data e hora foi enviado o formulário
$msg .= "Código : " .$codigo . chr(13) . chr(10);
$msg .= "Nome : " . $nome . chr(13) . chr(10); //aqui o campo nome 
$msg .= "E-mail  : " . $email . chr(13) . chr(10); //campo email
$msg .= "Endereço : " . $endereco . chr(13) . chr(10); //campo endereco
$msg .= "Telefone : " . $telefone . chr(13) . chr(10); //campo telefone
$msg .= "Mensagem : " . $mensagem . chr(13) . chr(10); //campo mensagem

$Remetente = $email; //aqui, colocamos que o email digitado seja quem enviou o formulário, pode ser substituido por "Contato do Site", assim, sairá sempre que quem  enviou o email, seja Contato do Site

$para = $email_from;

mail($para, "Proposta do site",$msg,"From: $Remetente\n");
?>

Below follows the html of the page

<form action="../exec/form_proposta.php" method="post" >
                    <table align="center" border="0" cellpadding="0" cellspacing="1" >
                        <tr align="left">
                            <td align="left">C&oacute;digo:&nbsp;&nbsp; </td>
                            <td align="left">
                                <h1>{$imo_cod}</h1>
                            </td>
                        </tr>
                        <tr align="left">
                            <td >Nome:&nbsp;&nbsp;</td>
                            <td align="left"> <input type="text" name="nome" style="width:400px;" class="campo"> </td>
                        </tr>

                        <tr align="left">
                            <td>E-mail:&nbsp;&nbsp;</td>
                            <td align="left"> <input type="text" name="email" style="width:400px;" class="campo">  </td>
                        </tr>

                        <tr align="left">
                            <td>Telefone:&nbsp;&nbsp;</td>
                            <td align="left"> <input type="text" name="telefone" style="width:400px;" class="campo"> </td>
                        </tr>

                        <tr align="left">
                            <td>Endere&ccedil;o:&nbsp;&nbsp;</td>
                            <td align="left"> <input type="text" name="endereco" style="width:400px;" class="campo"> </td>
                        </tr>


                        <tr align="left">
                            <td align="left">Mensagem:&nbsp;&nbsp; </td>
                            <td align="left"> <textarea rows="6" name="mensagem" style="width:400px;" class="campo"></textarea> </td>
                        </tr>
                        <tr>
                          <td colspan="2" align="center"><br>
                            <input type="submit" name="submit" value="Enviar" style="width:100px;" class="campo" /> &nbsp;&nbsp;&nbsp;                  
                            <input type="reset" name="reset" value="Limpar" style="width:100px;" class="campo" />   
                            <input type="hidden" name="codigo" value="{$imo_cod}" />
                            <input type="hidden" name="email_from" value="{$alt_email}" />  
                          </td>
                        </tr>
                    </table>
                </form>

I’ve been looking at these codes for a long time and do not understand how this business can work, the php file is not included in nor is another file triggered directly by the form...

At no time did I find the location where $_POST is taken and $variables are assigned...

Basically my conclusion so far is that it works with magic kkk Could someone help me understand how this business works?

You are aver the wrong php file. Have a look at ../exec/form_proposta.php

– Sergio

2014/09/22 at 13:12
@Sergio am not (unfortunately). the php code I put in question is the code of this file

– RodrigoBorth

2014/09/22 at 13:13
2

Has no extract() lost there? or register_globals enabled(php.ini)?

– rray

2014/09/22 at 13:13
@lost register_globals is enabled... extract() I didn’t find any

– RodrigoBorth

2014/09/22 at 13:20
2

Now disable this bagasse! any parameter passed in a url becomes a variable when the register_globals is on.

– rray

2014/09/22 at 13:26
@lost gave a read about and it is really very dangerous to leave it active, the problem is that the old company sites were based on this "thing"... I can not disable, but at least I know how it is working now...

– RodrigoBorth

2014/09/22 at 13:32
2

@Rodrigoborth what is your company’s website? hahaha

– gmsantos

2014/09/22 at 13:40
@gmsantos is terra.com.br xD aushaushau

– RodrigoBorth

2014/09/22 at 13:45
I think I could take the example and change the question to "What are the most common problems and dangers to qualify register_globals?" what do you think?

– RodrigoBorth

2014/09/22 at 13:46
1

@Rodrigoborth I think it’s a good idea. This or a new question.

– Sergio

2014/09/22 at 13:47

Show 5 more comments

2 answers

7

When the Register Globals is enabled the querystrings passed in a variable url will come or it is a wide open port for attackers to inject malicious code. Na in php5.3 this feature was discontinued and php5.4 removed.

To solve the problem you will need to manually assign the variables the value of $_POST/$_GET and gradually migrate this because this feature is evil level 9999³³³³³³³.

with Register globals on

$msg = "Código : " .$codigo . chr(13) . chr(10);

As it should be

$msg = "Código : " . $_POST['codigo'] . chr(13) . chr(10);

Browser other questions tagged php form

You are not signed in. Login or sign up in order to post.

by Otto • **5,653** points · Answer 1 · 2014-09-22T14:14:56+00:00

0

Another thing that can be done not to need to move a lot is to use the extract().

Since you have a form with the names of the correctly defined fields, you could use extract($_POST), solving the problem;

3

it is interesting to negative a constructive explanation so we all evolved

– Otto

2014/09/22 at 14:20
3

Good to add in the response the risks of extract, how to overwrite variables in an unwanted way, because the flag default is EXTR_OVERWRITE, that "tramples" everything that had previously been defined. To put it well, in my humble opinion, the extract should only be used in highly controlled situations (and preferably replaced with the best as soon as possible).

– Bacco

2014/09/22 at 15:49
Agree @Bacco

– Otto

2014/09/22 at 16:04