patternphpMinor
Script to upload CV with cookie control
Viewed 0 times
scriptcontrolwithuploadcookie
Problem
I have created a script which presents a popup on every 5th pageview.
I would like to try to use just PHP cookies. However, due to the requirement of setting them before any content is output, it has made it tricky.
I would also like to just include this script and have it run. At the moment I believe the breaks are stopping the rest of the page/content underneath rendering. Standalone, however, works great.
Anyway, it's pretty ugly, and I was wondering if I could have some feedback.
```
@media only screen and (min-width : 650px) {
h4{color: #FB7E12;font-size: 2em;}
#uploadCv{font-size: 20px;}
#uploadCv input{ padding: 2.5px; display: block; height: 30px; margin: 20px 0;}
#buttons{width: 264px; margin: 20px auto;}
#popup form label{ display: inline;float: left;width: 150px;}
#popupBlack{ height: 100%; width: 100%; position: fixed; background-color: rgba(0,0,0,0.7); z-index: 100; top: 0; left: 0;}
#buttons input{height: auto;margin: 0 10px;}
input[type="submit"]:hover, input[type="button"]:hover, button:hover, .button:hover {
background: ;
border: ;
}
input[type="submit"], input[type="button"], button, .button {
border: 1px solid #FB7E12;
background: #FB7E12;
padding: 5px 10px;
font-weight: bold;
color: #FFF;
cursor: pointer;
height: 35px;
font-size: 1em;
float: left;
min-width: 100px;
margin: 0 16px;
}
#popupWrap{position: fixed; top: 50%; margin-top: -200px;/ half of #popup height/
left: 0;
width: 100%;
z-index: 101;
}
#popup{
width: 500px;
margin-left: auto;
margin-right: auto;
height: 400px;
border:1px solid black;
padding:0 20px;
background-color: white;
I would like to try to use just PHP cookies. However, due to the requirement of setting them before any content is output, it has made it tricky.
I would also like to just include this script and have it run. At the moment I believe the breaks are stopping the rest of the page/content underneath rendering. Standalone, however, works great.
Anyway, it's pretty ugly, and I was wondering if I could have some feedback.
```
@media only screen and (min-width : 650px) {
h4{color: #FB7E12;font-size: 2em;}
#uploadCv{font-size: 20px;}
#uploadCv input{ padding: 2.5px; display: block; height: 30px; margin: 20px 0;}
#buttons{width: 264px; margin: 20px auto;}
#popup form label{ display: inline;float: left;width: 150px;}
#popupBlack{ height: 100%; width: 100%; position: fixed; background-color: rgba(0,0,0,0.7); z-index: 100; top: 0; left: 0;}
#buttons input{height: auto;margin: 0 10px;}
input[type="submit"]:hover, input[type="button"]:hover, button:hover, .button:hover {
background: ;
border: ;
}
input[type="submit"], input[type="button"], button, .button {
border: 1px solid #FB7E12;
background: #FB7E12;
padding: 5px 10px;
font-weight: bold;
color: #FFF;
cursor: pointer;
height: 35px;
font-size: 1em;
float: left;
min-width: 100px;
margin: 0 16px;
}
#popupWrap{position: fixed; top: 50%; margin-top: -200px;/ half of #popup height/
left: 0;
width: 100%;
z-index: 101;
}
#popup{
width: 500px;
margin-left: auto;
margin-right: auto;
height: 400px;
border:1px solid black;
padding:0 20px;
background-color: white;
Solution
Reflected XSS via POST
Echoing user input unsanitized is a really bad idea. XSS is also possible via POST, and thus an attacker could steal your cookies, display phishing forms on your website, log all keystrokes, and so on.
So when echoing user data, always protect against XSS.
Misc
Echoing user input unsanitized is a really bad idea. XSS is also possible via POST, and thus an attacker could steal your cookies, display phishing forms on your website, log all keystrokes, and so on.
So when echoing user data, always protect against XSS.
Misc
- you mix HTML and PHP too much. For example
mail_attachmentshould only mail the attachment. The success/error HTML should be somewhere else, along with all the other HTML.
- along that note: a function should only do one thing. Your
mail_attachmentfunction reads from a file, sends a mail, echoes something to the user and displays HTML.
$showPopupsisn't a good name, as it doesn't tell me what it does.
- your indentation is off, which makes your code hard to read (eg it looks as if
mail_attachmentwas called recursively).
- naming consistency: sometimes, you use camelCase, sometimes snake_case and sometimes alllowercase (which is really hard to read). It's better to choose one and stick with it.
- also, it's easier to read code if equal things have equal names. eg
$my_filevs$fileName,$my_pathvs$uploadedImagePath, etc.
- in theory, it might be possible to inject into the body of an email (I didn't test this).
Context
StackExchange Code Review Q#82757, answer score: 2
Revisions (0)
No revisions yet.