Asked  7 Months ago    Answers:  5   Viewed   39 times

I'm trying to test out if PHP works from my Firebase hosting using the following:


<form action="welcome.php" method="post">
   <input type="submit">



   $to = "";
   $subject = "My subject";
   $txt = "Hello world!";
   $headers = "From:";



Every time I try this the browser keeps on attempting to open the PHP file rather than processing it. Is simple PHP enabled on the Firebase server hosting to process a simple form like this? If I can get it to work this way, I will be building the form out correctly including validation etc.




From the Firebase Hosting site (emphasis mine):

We deliver all of your static content (html, js, images, etc.) over a secure SSL connection and serve it on a CDN.

Firebase Hosting is for hosting static assets. Firebase currently doesn't offer any way to execute your code on Firebase's servers.

Update (2018-08-08): You can now run Node.js/JavaScript code but connecting your Firebase Hosting project to Cloud Functions + Firebase Hosting. But that still won't allow you to run PHP code.

Wednesday, March 31, 2021
answered 7 Months ago

By using $_FILES['imageToUpload']['tmp_name'], you are using the temporary name of the uploaded image as the contents, not the actual image file.

The quickes way to solve this is to use:

        'name' => $_FILES['imageToUpload']['name']

The upload method accepts an array of options (including the target file name) as described in the method's PHPDoc:

Please keep in mind though that there are security implications when using the uploaded file name (not the tmp_name) directly, so please make sure to validate and sanitize the uploaded files before moving them to your cloud storage.

Saturday, May 29, 2021
answered 5 Months ago

First of all make sure that you've included the necessary JavaScript resource to render reCAPTCHA widget properly, like this:

    <title>reCAPTCHA demo: Simple page</title>
     <script src="" async defer></script>
    <form action="?" method="POST">
      <div class="g-recaptcha" data-sitekey="your_site_key"></div>
      <input type="submit" value="Submit">

Here's the reference:

  • Displaying the widget

Now comes to your user's response. The response from the user's captcha challenge can be fetched in three ways. It can be as,

Now comes to your user's response. The response from the user's captcha challenge can be fetched in three ways. It can be as,

  • g-recaptcha-response - a POST parameter in the submitted form
  • grecaptcha.getResponse(widget_id) - will provide the response after the user completes the captcha.
  • A string argument to the callback function specified in the config object passed to the render method.

Here's the reference:

  • Verifying the user's response

For your purpose use g-recaptcha-response to get the user's response. So your code should be like this:


<form method="POST" action="Form_Activation.php">
   <div class="form-group">
    <label for="name">Name:</label>
        <input type="text" class="form-control" id="name" name="name" placeholder="Full Name" value="" required/>
    <div class="form-group">
        <label for="email">Email:</label>
        <input type="email" class="form-control" id="email" name="email" value="" placeholder="" required/>
    <div class="form-group">
        <label for="number">Number:</label>
        <input class="form-control" name="number" id="number" value="" placeholder="Contact Number" required/>
    <div class="form-group">
        <label for="message">Message:</label>
        <textarea class="form-control" name="message" id="message" placeholder="Enter Message.." required></textarea>
    <div class="form-group">
        <input type="checkbox"/> <b> Subscribe to Newsletter</b>
    <div class="g-recaptcha" data-sitekey="6Le2SBQTAAAAADIOrUEPpcEVvR_c0vN9GzQpLg05"></div>
    <button type="submit" name="submit" class="btn btn-default sendbutton">SEND</button>

Add a name attribute in your submit button.




        //your site secret key
        $secret = 'XXXXXXX_Secret-key_XXXXXXX';

        if(isset($_POST['g-recaptcha-response']) && !empty($_POST['g-recaptcha-response'])){
            //get verified response data
            $param = "".$secret."&response=".$_POST['g-recaptcha-response'];
            $verifyResponse = file_get_contents($param);
            $responseData = json_decode($verifyResponse);

                // success

                $name = $_POST['name'];
                $email = $_POST['email'];
                $number = $_POST['number'];
                $message = $_POST['message'];

                // so on

                // failure




Don't forget to add your secret key in $secret variable.

Saturday, May 29, 2021
answered 5 Months ago

How can i know wich public key should i use if the kid is encoded and for decode it i need that public key?

KID header is not encoded. It is a string value that represents an array key, which points to valid public key. First, you have to get the public keys JSON from Then, decode it to an array and use your KID to get the proper public key.

The second trouble I'm having is that I'm using the firebase/php-jwt library, and I'm following the docs provided by them to decode the token and it does not work

What is the error you are getting? Are you using correct algorithm? Try changing RS256 to HS256.

Saturday, May 29, 2021
answered 5 Months ago

$sender_lname = filter_var($_POST["fname"], FILTER_SANITIZE_STRING); Should be, $sender_lname = filter_var($_POST["lname"], FILTER_SANITIZE_STRING);

If you are refreshing a browser, they tend to cache the last POST request. You may be asked if you want to re-submit form data. Try adding a hidden field with a hash value for a token.

<input type="hidden" name="token" value="someHashValue">

Implement sessions to compare the submitted token against the one stored in $_SESSION.

session_regenerate_id(); //Used properly, helps deter session fixation;
$_SESSION['token'] = "someHashValue"; //Must be unique for each page load.

Use a good hashing function to create the token. I would steer clear of md5 and sha1.


if($_SESSION['token'] === $_POST['token'])
    //Good. You want to filter, validate, and check this early on.
    //Whatever you do, just be consistent.

Also, be wary of using the file name ($file_name = $_FILES['file_upload']['name'];) supplied by the browser in your code. Most would say find a way not to use it, but if you do, you still need to filter and validate it in some way. Re-naming the file might be appropriate. Checking the file size is a good idea, too. Don't rely too heavily on the php.ini on the file size bit. If file type matters, you can even try to inspect the file before accepting it.

Lastly, when you get there, if you are going to use PHP filter functions, it may be a good idea to use filter_input_array() with INPUT_POST for your POST data. For the $_FILES superglobal, I made a separate routine just for validating it (but, you cannot use filter_input_array() for that). Good luck! You are on your way!

Saturday, May 29, 2021
answered 5 Months ago
Only authorized users can answer the question. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :