PHP - Cleaning User Supplied Input - 3 Situations
Just want to finalize what the best options/functions are when cleaning user supplied input in the following 3 situations:
1. Inserting data into a database 2. Sending data to an email (and displaying it as HTML) 3. Displaying data back to screen Similar Tutorialsi'm creating a small app for someone who wants to control the content of each page from a DB. effectively it'd be a template file with header, footer, etc all pre-built, and the content area supplied from a TEXT field in a MySQL table - basically the same idea wordpress uses. this is all fine, but a couple pages would require some php - e.g., a list of events or users or articles, whatever, that are managed in different tables. i can do this with eval - something like: Code: [Select] function render_content($string) { ob_start(); eval("?>$string<?php "); $returns = ob_get_contents(); ob_end_clean(); return $returns; } but i wonder if there's a better way. i can probably limit whatever code needs to be executed in include files, so i thought maybe include some arbitrary tag and use regexp to parse it out... maybe modeled after a conditional comment, e.g., Code: [Select] <!--[include]some-file.inc.php--> // or even... <include>some-file.inc.php</include> but, again, not thrilled with the approach, and wondered if anyone had a better idea. i should probably mention that it's not going to be a "content or include" setup - it probably won't be one or the other, exclusively, and is likely to be a mix on those pages that require it - the php might need to appear before, after, or in the middle of whatever arbitrary markup the user happens to supply, e.g. Code: [Select] <h1>This is a list of stuff</h1> <p>Some explanation lorem ipsum dolor sit ahmet.</p> <?php include('some-file.inc.php'); ?> <em>But this caveat applies to the above list.</em> <div> Something totally unrelated. <img src="pic.jpg" /> </div> not sure I explained that very well, but hopefully the concept comes across. TYIA For some reason the line commented // executes unexectedly does exactly that Any ideas why? if ($_POST['user'] == null){ $errors[] = 'An Interviewer ID is Required'; }elseif ($_POST['task'] != 'receipting' || $_POST['task'] != 'dataentry'){ $errors[] = 'Invalid Task'; // EXECUTES UNEXPECTEDLY } if (!empty($errors)){ print_LoginForm($errors); } Code: [Select] echo "</b><select name='task'>\n"; echo "<option value='receipting'>Receipting</option>\n"; echo "<option value='dataentry'>Data Entry</option>\n"; echo "</select>\n"; Hey guys! I'm pretty new to php and starting work on a project, the first part I'm working on is a html page with text fields like this: Quote URL: Dropdown box: Submit when the submit happens I want it to post to a php page, parse whatever is inside a set of <h2> tags and print it to to the php page, also the user selects four options from the dropdown box and I need to print the string contained in the selection to the next page as well, As I said I'm pretty new but here's what i threw together so far based on references I found, but it doesn't work correctly: parse.html: Code: [Select] <html> <body> <form action="parse.php" method="post"> URL: <input type="text" name="turl" /> <br> Option: <select name="selectskill"> <option value="1">Low</option> <option value="2">Mid</option> <option value="3">High</option> <option value="4">Known</option> </select> <br> <br> <input type="submit" /> </form> </body> </html> parse.php: Code: [Select] <html> <head></head> <body> <?php $lol = $_POST["turl"]; $str = file_get_contents($lol); $DOM = new DOMDocument; $DOM->loadHTML($str); // Grab text inside the heading 2 tags $items = $DOM->getElementsByTagName('h2'); echo "option: " . $lol; // Display the content inside the second set of H2 tags echo $items->item(1)->nodeValue . "<br/>"; ?> </body> </head> </html> Thanks for all the help in advance! Hi, what is they best way to validate user input of strings? A couple of examples would be : 1> If i wanted to check for the existance on the coma ',' character in a string and replace it with a dash '-' character? 2> To check wether a user has entered a valid ip address in the form of x.x.x.x where x can range from 0-255? I think i may need ereg/preg to do this but i have no idea about how to layout the syntax. Thanks for looking. Hello, Firstly I am only just learning php so please bear with me. What I want to be able to do is for a user to be able to enter a youtube url eg: Code: [Select] http://www.youtube.com/watch?v=8xz7ShMCWls I want the scrip to take the video ID (after watch?v=) and append it into a html embed code for our forums that do not have the feature to auto embed a youtube vid. Code: [Select] <p> <img height="350" width="425" class="fw_media_youtube fw-parse" alt="YouTube-AFTER WATCH?V=CODE" src="http://thumbs.webs.com/Platform/mediaPreview.jsp?type=YouTube&id=AFTER WATCH?V=CODE"/></p> Where you see AFTER WATCH?V=CODE is where I want it to place the video id and then return this completed code for the user to copy and paste: Code: [Select] <p> <img height="350" width="425" class="fw_media_youtube fw-parse" alt="YouTube-8xz7ShMCWls" src="http://thumbs.webs.com/Platform/mediaPreview.jsp?type=YouTube&id=8xz7ShMCWls"/></p> How would I be able to get this done. I do not expect to be spoon fed but just a litlle help please. Thank you so much if you do help. I appreciate your help guys. I was able to do something to the code. Now it looks like this: <?php include "include/dbc.php"; include "include/header.inc"; ?> <script type="text/javascript"> <!--Hide Code // Function Statements //Function to confirm submit function confirmSubmit() { var submitform = window.confirm("Are you sure you want to submit the activities?"); if (submitform == true) return validateForm(); return false; } // End Hide--> </script> <style type="text/css"> .mydate{ color:#00F; text-decoration:underline; cursor:pointer; } </style> <script type="text/javascript"> function displayDate(d){ var date=new Date(); var D=date.getDate(); date.setDate(D+d); var YYYY=date.getFullYear(); var MM=date.getMonth()+1; MM<10?MM='0'+MM:null; var DD=date.getDate(); DD<10?DD='0'+DD:null; var span=document.getElementById('date'); span.innerHTML= 'Entries for '+MM+'/'+DD+'/'+YYYY; } onload=function(){displayDate(0)}; </script> <h1>Food Diary</h1> <div class="full"> <center><div><span class="mydate" onclick="displayDate(-1)"><img src="images/left_arrow.png" border="0">Yesterday</span> <span id="date" style="font-size:2em;"></span> <span class="mydate" onclick="displayDate(1)">Tomorrow<img src="images/right_arrow.png" border="0"></span></div><br /> <a href="#" onclick="displayDate(0);return false;">Today</a> </center> <div class="full"> <form name="exercise" id="exercise" method="GET" action=""> <center><table> <tr> <td><h3>Add an Activity</h3></td> </tr> <tr> <td><input name="NewSearchString" style="width: 100px" type="text"/> <input type="submit" value="Search" /> </td> </tr> <tr> <td> <select name="activity"> <option value="_">Activity Browse...</option> <option value="all">All Activities</option> <option value="biking">Biking</option> <option value="condition">Conditioning</option> <option value="dancing">Dancing</option> <option value="fish">Fishing & Hunting</option> <option value="Home">Home Activities</option> <option value="misc">Miscellaneous</option> <option value="music">Music Playing</option> <option value="occupation">Occupation</option> <option value="running">Running</option> <option value="sports">Sports</option> <option value="walking">Walking</option> <option value="water">Water Activities</option> <option value="winter">Winter Activities</option> </select> <input type="submit" value="Submit" /></td></tr></table></center></form> </td> </tr> </table> </center> <table width="100%"> <tr bgcolor="#66CC33"> <td><div>Activity</div></td> <td><div>Specific Activity</div></td> <td><div>Time (hh:mm)</div></td> <td><div>Distance</div></td> <td><div>Units</div></td> </tr> <tr bgcolor="#66CC33"> <td><div></div></td> <td><div></div></td> <td><div></div></td> <td><div class="Float"></div></td> <td class="cp_Distance"><div></div></td> </tr> <?php if(isset($_GET[activity])) { $category=$_GET[activity]; $result = mysql_query("SELECT * FROM exercise WHERE type='$category'"); ?> <form action="add_activity.php" method="POST"> <?php while($row = mysql_fetch_array($result)) { echo '<tr><td><div>'.$row[Type].'</div></td>'; echo '<td><div>'.$row[Name].'<input type="hidden" name="exerciseid" value="'.$row[Name].'"></div></td>'; echo '<td><div><input type="text" name="duration['.$row['Name'].']"></div></td>'; echo '<td><div><input type="text" name="distance['.$row['Name'].']"></div></td>'; echo '<td><div><select> <option value="mile" name="mile">mile</option> <option value="Km" name="Km">km</option> <option value="M" name="M">m</option> <option value="Yard" name="yard">yrd</option> <option value="Feet" name="feet">ft</option> </select></div></td></tr>'; } mysql_close(); ?> <tr><td colspan="6" align="center"><input type="submit" name="submit" value="Add Activities"></td></tr> </form> <?php } ?> <tr bgcolor="#66CC33"> <td><div></div></td> <td><div></div></td> <td><div></div></td> <td><div class="Float"></div></td> <td class="cp_Distance"><div></div></td> </tr></table> This somewhat works. The problem is that this code passes all the activities to the second page, where the output looks like this: Array ( [exerciseid] => Hunting, general [duration] => Array ( [Fishing from boat, sitting] => 20 [Fishing from river bank, standing] => [Fishing in stream, in waders] => [Fishing, general] => [Fishing, ice, sitting] => [Hunting, general] => ) [distance] => Array ( [Fishing from boat, sitting] => 25 [Fishing from river bank, standing] => [Fishing in stream, in waders] => [Fishing, general] => [Fishing, ice, sitting] => [Hunting, general] => ) [submit] => Add Activities ) Is there a way I can pass what the user input instead of passing everything (form validation maybe?) OK so i have a textfield and i have everything going to the database and then displaying on the page. Now is there a way to display code on the page but disable it from executing? There are some break tags in there so i would still like them to be executed on the page. Hi, I'm using the form data type 'date', and trying to verify it. It seems a little too complicated to check that it's in the correct format (with "/" between day/month/year), unless I use regular expression, which I don't know much about and seems feels like there's an alternate solution or it's not necessary. Currently, the script accepts DD*MM*YYYY, where * is any character, since it just strips the 3rd and 6th character and checks the day/month/year using checkdate(). I'm not even sure if this is a problem. I am giving the user a "verify" page, where I could put it in the correct format (DD/MM/YYYY), but is that enough? Feel like I'm missing something here, so any feedback would be great I manage a simple website for a small business - nothin fancy. I'm interested using some php to enhance the site a bit. I'm looking to accept some user input and put it into a database then display it back to them on another page. What php functions would be best to use to accomplish this? Thanks for the input! I have a page that has roughly 100 text input fields. Once the user is done, I need to put the data in my mysql db. How do I get the data from the user input page to the php page that will process the data (e.g. process.php)? I've done some searching and found a few possibilities use a ajax style call back to load a seperate asp page (e.g. createsession.asp) and that page set session variables that can then be read by process.php write everything to a cookie using some sort of a delimiter so that it can handle multiple variables (e.g. cookie data => var1/var2/var3/var4... write all the data to a text file and then have process.php load that file Which should I pursue? Is there a better option? Ok so I got BB Code working. Now I want to prevent Users from inserting HTML into Posts. I have the following: $PostText = mysql_escape_string($_POST['replytext']); $Replace = Array ('/(<)(.+)(>)/','/(<\/)(.+)(>)/'); $ReplaceWith = Array ('<\\2>','</\\2>'); $PostText = preg_replace($Replace, $ReplaceWith, $PostText); Now If I were to input Code: [Select] <a href=http://phpfreaks.net>Php Freaks</a>Into a forum reply it would return: Code: [Select] <a href=http://phpfreaks.net>Php Freaks When Checking the database it has: Code: [Select] <a href=http://phpfreaks.net>Php Freaks</a> Any help on solving this? I have a family site with a member list and a forum that both run on MySql. One of the items in the member list is the birthday. What I like to achieve is that a day or 2 before a member's birthday, a post wil be automaticly inserted in the forum, (a post that contains that this persons birthday is comming up in a few days) without any user input. I like to have this done automaticly because I don't feel like setting up a cron job for every member seperatly. There are just too many members. What I need is a script that will create a cron job or something simular the moment a new member registers and updates his profile and sets his birthday. hello all, i have a php form with multiple submits (one calculates price, one checks date and one submits the form and the data to mysql database) when i hit calculate price, for example, the function works fine but all the fields are cleared and i would like for all the input to remain as the user sent. here is part of the code (the form): Code: [Select] <form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post"> <fieldset> <legend ><span><a>video</span></a></legend> <ol> <li> <label for="hover_camera">hover camera</label> <input id="hover_camera" type="radio" name="hover_camera" value="yes" /><b>yes</b> <input id="hover_camera" type="radio" name="hover_camera" value="no" /><b>no</b> </li> <li> <label for="video_photographers">video photographers</label> <input id="video_photographers" type="text" name="video_photographers" maxlength="1" size="1"/> </li> <li> <label for="video_edit">video edit</label> <input id="video_edit" type="radio" name="video_edit" value="short" /><b>short</b> <input id="video_edit" type="radio" name="video_edit" value="long" /><b>long</b> </li> <li> <label for="video_clip">video clip</label> <select name="video_clip"> <option value="no">no</option> <option value="regular">regular</option> <option value="staged">staged</option> </select> </li> </ol> </fieldset><br /> <fieldset align="right"> <legend><span><a>stills</span></a></legend> <ol> <li> <label for="stills">stills</label> <input id="stills" type="text" name="stills" maxlength="1" size="1" /> </li> <li> <label for="increase">increase amount</label> <input id="increase" type="text" name="increase" maxlength="4" size="1" /> </li> <li> <label for="magnets">magnets</label> <input id="magnets" type="text" name="magnets" maxlength="4" size="1" /> </ol> </fieldset><br /> <fieldset align="right"> <legend><span><a>albums</span></a></legend> <ol> <li> <label for="digital_album">digital album</label> <input id="digital_album" type="radio" name="digital_album" value="yes" /><b>yes</b> <input id="digital_album" type="radio" name="digital_album" value="no" /><b>no</b> </li> <li> <label for="photo_album">photo album</label> <input id="photo_album" type="radio" name="photo_album" value="yes" /><b>yes</b> <input id="photo_album" type="radio" name="photo_album" value="no" /><b>no</b> </li> <li> <label for="small_digital_album">small digital album</label> <input id="small_digital_album" type="radio" name="small_digital_album" value="yes" /><b>yes</b> <input id="small_digital_album" type="radio" name="small_digital_album" value="no" /><b>no</b> </li> </ol> </fieldset><br /> <fieldset align="right"> <ol> <li> <label for="comments">comments</label> <textarea id="comments" name="comments"></textarea><br /><br /> </li> <li> <label for="price">price</label> <td><input type="submit" id = "price" name="price" value="calculate price" /></td> </li> </ol> </fieldset><br /> <fieldset align="right"> <legend><span><a>choose date</span></a></legend> <ol> <li> <input type="submit" id="isavailable" name="isavailable" value="isavailable" /> </li> </ol> </fieldset> <fieldset class="submit"> <ol> <li> <input class="submit" type="submit" id="submit" name="submit" value="done!" /> <input class="submit" type="reset" id="reset" name="reset" value="reset" /> </li> </ol> </fieldset> </form> thanks for the help The code below is a function that checks to see if an email address exists in a database, if so it alerts the user. The db has one table and one field. It works fine when there is ONE record! However, if there are > 1 it doesn't work. How can I step through each record and compare it to what the user entered? Of course, $_POST is the user's value and the db record is the $myAddy value. <?php function emailLookup() { include ('file:///Library/WebServer/Documents/re_connect_scripts/emailLookup.php'); while ($row = mysqli_fetch_array($result)) { extract ($row); $myAddy = $addy; } if ($_POST["add_email"] == $myAddy) { global $lookupError; $lookupError = 'This email address is already on the list.'; global $counter; $counter++; } else { return; } } ?> Well this may sound confusing. I tried to findways to allow users to input an integer value and then assign it to a variable called $quantity, but all I could find from the internet was the usage of forms. Do I have to use forms, or can I just try this this simple syntax: $quantity = "<input name='quantity' type='text' id='quantity' size='3' maxlength='3'>"; If I do have to use forms, then how can I ever assign user's input value to a variable? Please help. Hi, How do I generate a Google Map from user registration form? For example, user enters username, password, and address. I want to show the username, address + corresponding map on following confirmation page. I have already used static API to render the map as an image, but this is hard-coded. I don't know how to pass the address into the address param. Any help would be much appreciated. Thanks! I have a form a user may submit which has a text area. If the user enters "Today is the first day of the week" it will be stored in the database like that (note the carriage returns etc). If I then get that data from the table and echo it, it will print as 'Today is the first day of the week'. How can I print it so that it will retain the user's input formatting/the formatting shown stored in the table? Hello, I'm creating an application where a user can input there own CSS. The problem I'm having is understanding if this will open security holes if... 1. Users input is saved to a file called style.css 2. Each user is on their own a sub-domain from my reseller hosting plan. 3. The style.css file will be included in the page code like so: Code: [Select] <link type='text/css' rel='stylesheet' href='style.css' /> Any advice? Hi there, I found a Javascript with what I want, but I want it to be in PHP because if people don't have Javascript enabled, they won't see the login. Here is what I have, but I need it to be converted to PHP: Code: [Select] function loginArea() { val = document.loginForm.password.value; switch(val) { case "password1": document.location = 'http://www.google.com/password1-page/'; break; case "password2": document.location = 'http://www.google.com/password2-page/'; break; default: document.location ='http://www.google.com/sorry/'; break; } } Code: [Select] <form name="loginForm" id="loginForm" method="post" action=""> <input name="password" type="text" id="password" maxlength="5" /> <input name="login" type="button" id="login" value="Check" onclick="loginArea()" /> </form> Help? - Steph |