
I am attempting to insert the $_POST inputs from a form into a PHP page. Is there any reason that this shouldn't work? I'm not getting any errors, but I am also not getting the intended result.

HTML

<form action="cross-domain-page.php" method="post">
<input type="text" name="phone" value="555555555">
<input type="text" name="fname" value="john">
<input type="text" name="lname" value="doe">
<input type="text" name="email" value="example@address.com">
<input type="text" name="attr" value="<xml>xml-value</xml>">
<input type="submit" name="submit" value="submit">
</form>

PHP

<?php
/*
$phone = $_POST['phone'];
$fname = $_POST['fname'];
$lname = $_POST['lname'];
$email = $_POST['email'];
$attr = $_POST['attr'];
*/
/**
 * Define POST URL and also payload
 */
define('XML_PAYLOAD', '<subscriptions><opt_in>invite</opt_in><user><mobile-phone>' . $_POST['phone'] . '</mobile-phone><first-name>' . $_POST['fname'] . '</first-name><last-name>' . $_POST['lname'] . '</last-name><email>' . $_POST['email'] . '</email>' . $_POST['attr'] . '</user></subscriptions>');
define('XML_POST_URL', $_POST['URL']);

/**
 * Initialize handle and set options
 */
$username = 'username';
$password = 'password';
$ch = curl_init();
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Content-Type: application/xml'));
curl_setopt($ch, CURLOPT_URL, XML_POST_URL);
curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_BASIC);
curl_setopt($ch, CURLOPT_USERPWD, $username . ":" . $password);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 4);
curl_setopt($ch, CURLOPT_POSTFIELDS, XML_PAYLOAD);
curl_setopt($ch, CURLOPT_VERBOSE, true);


/**
 * Execute the request and also time the transaction
 */
$start = array_sum(explode(' ', microtime()));
$result = curl_exec($ch);
$stop = array_sum(explode(' ', microtime()));
$totalTime = $stop - $start;

/**
 * Check for errors
 */
if ( curl_errno($ch) ) {
    $result = 'cURL ERROR -> ' . curl_errno($ch) . ': ' . curl_error($ch);
} else {
    $returnCode = (int)curl_getinfo($ch, CURLINFO_HTTP_CODE);
    switch($returnCode){
        case 200:
            break;
        default:
            $result = 'HTTP ERROR -> ' . $returnCode;
            break;
    }
}

/**
 * Close the handle
 */
curl_close($ch);

/**
 * Output the results and time
 */
echo 'Total time for request: ' . $totalTime . "\n";
echo $result;

/**
 * Exit the script
 */
exit(0);
?>
Joseph Casey
  • `define('XML_POST_URL', $_POST['URL']);` – John Conde Jun 12 '14 at 22:09
  • Other than that, there isn't anything wrong with this? – Joseph Casey Jun 12 '14 at 22:10
  • I don't think so. Are you getting errors? – bloodyKnuckles Jun 12 '14 at 22:14
  • I'm not getting any errors, but I'm also not getting the intended results. – Joseph Casey Jun 12 '14 at 22:19
  • @JosephCasey: Is this a real question? If so then please ask it, because so far this is hard to decipher. And also try to create some different example code that is provoking the same issue. I think you're intelligent enough to try a differentiating example (hint: the original code you re-used really was pretty bad, you have enough intellect to write your own code. There is no need to take over others' errors while you know better). – hakre Jun 12 '14 at 22:25
  • And don't use constants for variables. That's not what they are good for (even if you only read them once). – hakre Jun 12 '14 at 22:26
  • @hakre You're right. I'm costing myself time by trying to save time, and my last few problems were extremely small things like typos. As for XSS vulnerabilities, I'll have to read up on how to make sure that I have a secure form. As of now people can just read the admin username/password from the XHRRequest. – Joseph Casey Jun 12 '14 at 22:42

2 Answers

  1. What is the intended result? Assuming that the constant XML_PAYLOAD should contain the XML with the inserted values...
  2. What is the symptom?
  3. It may also help to post the html code of the form you are using to send the post data.
  4. Besides: all input should be XML encoded when embedded into an XML document. Think of XSS attacks that exploit potential vulnerabilities of the component reading the XML document - or input being sent that is simply not valid XML.
  • Thank you for telling me to post the code. It immediately helped me see that the test form I had created had a missing letter under the (sic) name="phon". I hate when I ask people to help me out, and I was careless enough to miss a typo. I'll be trying to write a script that isn't as vulnerable to XSS tomorrow. – Joseph Casey Jun 12 '14 at 22:44
  • Even though this is the accepted answer, it does not attempt to answer the question. It should possibly be a comment as it is a series of questions asking for further information/advice on how to improve the question/advice on good practice. All good, I hasten to add, but not an answer. – vascowhite Jun 14 '14 at 13:06
  • Got the point. At the time, I was not allowed to comment. Blame the System. – Sascha Wildgrube Jun 15 '14 at 20:48
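The answer's fourth point (XML-encode every value before embedding it) and the comments about taking the target URL from $_POST are the two security issues in the question's script. The script below is an added example, not code from the question or from either answer: it assumes a fixed server-side endpoint (the placeholder `https://api.example.invalid/subscriptions`), credentials in hypothetical environment variables `SUB_API_USER` and `SUB_API_PASS`, and the field names used by the question's form; the helper names `buildSubscriptionXml` and `sendSubscription` are assumed as well.

```php
<?php
// Added example, not code from the question or either answer.
// Assumptions: a fixed server-side endpoint (placeholder URL below), credentials
// in hypothetical environment variables SUB_API_USER / SUB_API_PASS, and the
// field names used by the question's form.
declare(strict_types=1);

// The endpoint is a real constant: fixed at deploy time, never taken from $_POST.
// Accepting the URL from the client would let anyone relay requests through
// this server and receive the Basic-auth credentials along with them.
const XML_POST_URL = 'https://api.example.invalid/subscriptions'; // placeholder

/**
 * Build the payload with DOMDocument. The serializer escapes every text node,
 * so a field containing markup (a stray "</email>" or a whole element) is sent
 * as text and cannot close or add elements the way string concatenation allows.
 */
function buildSubscriptionXml(array $post): string
{
    foreach (['phone', 'fname', 'lname', 'email'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("missing form field: $field");
        }
    }

    $doc  = new DOMDocument('1.0', 'UTF-8');
    $subs = $doc->appendChild($doc->createElement('subscriptions'));
    $subs->appendChild($doc->createElement('opt_in', 'invite')); // fixed literal
    $user = $subs->appendChild($doc->createElement('user'));

    // createElement($name, $value) does not escape $value; createTextNode() does.
    $fields = [
        'mobile-phone' => $post['phone'],
        'first-name'   => $post['fname'],
        'last-name'    => $post['lname'],
        'email'        => $post['email'],
        // The question spliced $_POST['attr'] in as raw XML; here it is plain text.
        'attr'         => isset($post['attr']) && is_string($post['attr']) ? $post['attr'] : '',
    ];
    foreach ($fields as $tag => $value) {
        $el = $doc->createElement($tag);
        $el->appendChild($doc->createTextNode($value));
        $user->appendChild($el);
    }
    return (string) $doc->saveXML();
}

/** POST the XML with Basic auth; returns status and body, never the raw cURL error. */
function sendSubscription(string $xml, string $username, string $password): array
{
    $ch = curl_init(XML_POST_URL);
    curl_setopt_array($ch, [
        CURLOPT_HTTPHEADER     => ['Content-Type: application/xml'],
        CURLOPT_HTTPAUTH       => CURLAUTH_BASIC,
        CURLOPT_USERPWD        => $username . ':' . $password,
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $xml,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 4,
        CURLOPT_SSL_VERIFYPEER => true,
        // CURLOPT_VERBOSE is left off: it writes the Authorization header to stderr.
    ]);
    $body  = curl_exec($ch);
    $errno = curl_errno($ch);
    $error = curl_error($ch);
    $code  = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);

    if ($errno !== 0) {
        error_log("subscription request failed: cURL $errno: $error"); // server log only
        return ['ok' => false, 'status' => 0, 'body' => ''];
    }
    return ['ok' => $code === 200, 'status' => $code, 'body' => (string) $body];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input (not from the page) with the same values as the
    // question's form: the attr markup is serialized as escaped text, not elements.
    echo buildSubscriptionXml([
        'phone' => '555555555', 'fname' => 'john', 'lname' => 'doe',
        'email' => 'example@address.com', 'attr' => '<xml>xml-value</xml>',
    ]);
} elseif (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        $xml = buildSubscriptionXml($_POST);
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        exit(htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
    }
    $res = sendSubscription($xml, (string) getenv('SUB_API_USER'), (string) getenv('SUB_API_PASS'));
    echo $res['ok'] ? 'Subscription sent' : 'Upstream returned HTTP ' . $res['status'];
}
```

Run from the command line it only builds and prints the document from the constructed sample, so the escaping can be inspected without sending anything; served as a page it handles the form POST. The three changes from the question's version are independent: a fixed endpoint removes the open relay and credential forwarding, DOM serialization removes XML injection through any field, and the missing-field check reports a typo such as name="phon" as a 400 instead of silently sending an empty element.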

Use this instead

 define('XML_POST_URL', $_POST['URL']);

Sidenote: it's very bad practice to be defining user input as constants.

David Xu