PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Posted: Tue Dec 02, 2014 9:50 pm
Forum Newbie

Joined: Tue Jan 04, 2005 9:13 pm
Posts: 9
Hi. I am a novice at PHP but I'm learning.

I created a form page that accepts some input and posts some variables to a PHP page. It is a text messaging API that runs via Twilio, which is an MMS service I signed up for. They supplied me with the parameters and the PHP page which gets called in my post page. My form is:

<form action="sendit.php" method="post" name="form1">
<table>
    <tr>
        <td align="right">Phone:</td>
        <td><input type="text" name="phone" value=""></td>
    </tr>
    <tr>
        <td align="right">Your Message:</td>
        <td><input type="text" name="mymessage" value=""></td>
    </tr>
    <tr>
        <td align="right"><input type="submit" value="Submit" name="submit"></td>
    </tr>
</table>
</form>


sendit.php looks like...

<?php
// this line loads the library
require('Services/Twilio.php');
 
$account_sid = 'xxxxx';
$auth_token = 'xxxxx';
$client = new Services_Twilio($account_sid, $auth_token);

$myto["phone"] = $_POST["phone"];
$mybody["mymessage"] = $_POST["mymessage"];

$client->account->messages->create(array(
        'To' => $myto,
        'From' => "+19145551212",
        'Body' => $mybody,  
));
 echo 'Sent ' .$_POST["mymessage"]. ' to '.$_POST["phone"];


This is working and it sends a text message to the number in $myto ... but I'm not sure if it is proper coding technique to use the $_POST["mymessage"] again down there. I originally tried ...

echo 'Sent ' .$mybody. ' to '.$myto;


but that resulted in an echo that looked like this: Sent Array to Array.

So my first question is - Why can't I use my variables in an echo?

My 2nd question which will just make my life easier is: How can I send the phone number I would like to send the text message to the form (<input type="text" name="phone" value="">) from a link in an email so that it automatically gets filled in?

Thanks!


Posted: Tue Dec 02, 2014 10:17 pm
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
The trouble is that you're trying to echo arrays. You're saving $_POST['phone'] in $myto['phone'], so you'd need to echo $myto['phone'] rather than just $myto.

Posted: Tue Dec 02, 2014 10:21 pm
Forum Newbie

Joined: Tue Jan 04, 2005 9:13 pm
Posts: 9
Thanks. Is it OK to leave it the way it is since it is working? Or is it better to use the variable instead of the POST?


Posted: Tue Dec 02, 2014 10:22 pm
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
Makes no difference. They contain the exact same value.

Posted: Tue Dec 02, 2014 10:27 pm
Forum Newbie

Joined: Tue Jan 04, 2005 9:13 pm
Posts: 9
Thanks for your help!


Posted: Wed Dec 03, 2014 10:34 am
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US
You need to validate and filter $_POST["phone"] and $_POST["mymessage"] before using them. And encode HTML characters in them before echoing them. This script is very hackable.

_________________
(#10850)


Posted: Wed Dec 03, 2014 10:42 am
Forum Newbie

Joined: Tue Jan 04, 2005 9:13 pm
Posts: 9
What do you mean? I'm not familiar with validation and encoding. Thanks.


Posted: Thu Dec 04, 2014 6:30 pm
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13592
Location: New York, NY, US
You accept a string of characters from the Internet and then echo them back verbatim. There are many exploits that inject JavaScript, etc. into your page. There may also be mail system exploits since you are putting the string into the email as well.

http://www.sitepoint.com/input-validati ... functions/

_________________
(#10850)
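
The validation and output encoding asked for in the reply above, as an added example that is not part of the thread or the original poster's code. The function names, the E.164-style phone pattern and the 160-character limit are assumptions made for illustration.

```php
<?php
// Added example: names below are hypothetical, not from the thread or Twilio's library.

// Phone: strip common formatting, then require "+" and 8 to 15 digits (assumed E.164 shape).
function validate_phone($raw): ?string
{
    if (!is_string($raw)) return null;   // rejects array input such as phone[]=...
    $digits = preg_replace('/[\s().-]+/', '', trim($raw));
    return preg_match('/^\+[1-9][0-9]{7,14}$/D', $digits) === 1 ? $digits : null;
}

// Message: valid UTF-8, 1..$max characters, no control characters (assumed limit of 160).
function validate_message($raw, int $max = 160): ?string
{
    if (!is_string($raw)) return null;
    $msg = trim($raw);
    return preg_match('/^[^\p{Cc}]{1,' . $max . '}$/Du', $msg) === 1 ? $msg : null;
}

// Encode for an HTML context so submitted markup is displayed, not interpreted.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function handle_send(array $post): string
{
    $to   = validate_phone($post['phone'] ?? null);
    $body = validate_message($post['mymessage'] ?? null);
    if ($to === null || $body === null) {
        return 'Invalid phone number or message.';
    }
    // The thread's Twilio call goes here, given plain validated strings:
    // $client->account->messages->create(array('To' => $to, 'From' => "+19145551212", 'Body' => $body));
    return 'Sent ' . h($body) . ' to ' . h($to);
}

// Constructed sample submissions (not taken from the thread).
$samples = [
    ['phone' => '+1 (914) 555-1212', 'mymessage' => 'Lunch at noon?'],
    ['phone' => '+19145551212',      'mymessage' => '<script>alert(1)</script>'],
    ['phone' => '914-555-1212 <b>',  'mymessage' => 'hi'],
    ['phone' => ['+19145551212'],    'mymessage' => 'hi'],
];
foreach ($samples as $s) {
    echo handle_send($s), PHP_EOL;
}
```

In sendit.php the loop would be replaced by `echo handle_send($_POST);`, so the same strings that passed validation are the ones sent and echoed.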


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 8 posts ] 

All times are UTC - 5 hours


Who is online

Users browsing this forum: Majestic-12 [Bot] and 26 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group