I am new to PHP. I have designed a form in HTML and its PHP part in a different file. Now I want to connect the files with each other. I have tried using
<form action="file.php" method="post">
but connecting in this way is not secure, and I cannot connect using
<form method="post" action="<?php echo $_SERVER["PHP_SELF"];?>">
as this will work only if the PHP code and HTML code are written in the same file. Please help me.
If I use
and if someone enters this URL as
http://www.variable.com/file.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
then it will show an alert box telling it is hacked.
As the Method is 'POST', it's Secure. No need to worry.
Or else..
Create a 'Session' on submitting the form. So no direct access to the PHP file would occur.
Thanks.
I can't understand you well, but connecting it this way is secure. If you have this form in an HTML file:
<form action="file.php" method="post">
<input type="password" name="password">
</form>
And you have a file called file.php in the same directory, it is perfectly fine. In the PHP file you should have:
<?php
$password = $_POST["password"];
To get your input. Ask me something else if you don't understand it :)
As you wrote in your comments, your field shows raw text without "escaping" HTML characters.
In your file.php put or edit with:
echo htmlspecialchars($_POST['yourfield']);
Then output will not be "hacked" by JavaScript.
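The escaping suggested in the last answer, applied both to the echoed field and to the `PHP_SELF` form action from the question. This is an added example, not code from the thread; `e()`, `render_form()` and `render_result()` are hypothetical helper names, and the sample values in the CLI branch are constructed.

```php
<?php
// Added example, not code from the original thread.
// e(), render_form() and render_result() are hypothetical helper names.

// Escape a value for an HTML text node or a quoted attribute.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Build the form. The action is escaped because PHP_SELF includes any
// path text the client appended after the script name.
function render_form(string $self): string
{
    return '<form method="post" action="' . e($self) . '">'
         . '<input type="text" name="yourfield">'
         . '<input type="submit">'
         . '</form>';
}

// Echo a submitted field back as text, never as markup.
function render_result(array $post): string
{
    $field = $post['yourfield'] ?? '';
    if (!is_string($field)) {   // yourfield[]=x arrives as an array
        $field = '';
    }
    return '<p>You entered: ' . e($field) . '</p>';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: the path from the URL in the question, decoded
    // the way PHP reports it in PHP_SELF, plus a constructed POST body.
    $self = "/file.php/\"><script>alert('hacked')</script>";
    $post = ['yourfield' => "<script>alert('hacked')</script>"];
    echo render_form($self), "\n", render_result($post), "\n";
} else {
    // Under a web server: use the real request values.
    echo render_form($_SERVER['PHP_SELF']);
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        echo render_result($_POST);
    }
}
```

Run from the command line, the output shows the quote and angle brackets as `&quot;`, `&lt;` and `&gt;`, so the browser renders them as text instead of closing the attribute or starting a script element.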