PHP - Apply Mysql_real_escape_string To All Post Variables?

Code:
<?php
if (isset($_POST['submit'])) {
    $drop     = mysql_real_escape_string($_POST['drop_1']);
    $tier_two = mysql_real_escape_string($_POST['Subtype']);
    $Name     = mysql_real_escape_string($_POST["Name"]);
    $Phone    = mysql_real_escape_string($_POST["Phone"]);
    $Email    = mysql_real_escape_string($_POST["Email"]);
    $Postcode = mysql_real_escape_string($_POST["Postcode"]);
    $Website  = mysql_real_escape_string($_POST["Website"]);
    if ($Name == '') {
        .......
?>

Could I remove this code and use the below code and still have the same effect?

Code:
<?php
if (isset($_POST['submit'])) {
    foreach ($_POST as $key => $value) {
        $_POST[$key] = mysql_real_escape_string($value);
    }
}
?>

Similar Tutorials

Hello dear friends, say I've a form with 2 variables which I want to post to another file.

file 1

Code:
<script type="text/javascript">
// <![CDATA[
$(document).ready(function () {
    $('#loader').hide();
    $('#inner').children().click(function () {
        var a = $(this).attr("name");
        $.post("rating.php?value=" + a, {}, function (response) {
            $('#inner').fadeOut();
            $('#inner').html(unescape(response));
            $('#inner').fadeIn();
            setTimeout("hideMesg();", 2000);
        });
    });
});

function hideMesg() {
    $('.rating_message').fadeOut();
    $.post("rating.php?show=1", {}, function (response) {
        $('#inner').html(unescape(response));
        $('#inner').fadeIn('slow');
    });
}
// ]]>
</script>

this will post the following (the value of name)

Code:
<div class="rating_dis" name="<?php echo $k?>" id="<?=$id?>"> </div>

but I want it also to post the value of the (id). Here is the second file which should get the name

Code:
if ($_REQUEST['value']) {
    $name = $_REQUEST['value'];
    $query = "insert into rating (rated, channelid) values ('$name', '$idz')";
    mysql_query($query);
}

so the problem is how to send from file 1 to file 2 both the (name) and (id). How to double this?
Code:
var a = $(this).attr("name");
$.post("rating.php?value=" + a, {},

to be also

Code:
var a = $(this).attr("id");
$.post("rating.php?any=" + a, {},

then I can get it from file 2 easily, get both. Thank you.

I have a form that is producing the following:

Array
(
    [formID] => 3154008308
    [q1_applicationDate] => Array
        (
            [month] => 11
            [day] => 15
            [year] => 2010
        )
    [q4_fullName4] => Array
        (
            [first] => TOM
            [last] => STONE
        )
    [q5_email] => TSTONE@YAHOO.COM
    [q6_address6] => Array
        (
            [addr_line1] => 325 E LINCOLN
            [addr_line2] =>
            [city] => GENESEE
            [state] => NY
            [postal] => 33256
            [country] => United States
        )
    [q38_selectProvider38] => Sprint
    [q39_selectPlan] => Individual
    [website] =>
    [simple_spc] => 3154008308-3154008308
)

HOW do I automatically get each item above into its own PHP variable? The page that receives this Array is the second page of a 3 or 4 page form. I need to send the above information on through the remainder of the form?? Would appreciate any help! Thanks!

I have sort of an odd request. I wish to make a POST to roblox.com with the Xsrf token; let me give you what code might help, then I'll explain more.
So, I need to parse the page http://www.roblox.co...spx?gid=1039951 to get the token, which is between the (' ') below (this is taken from the site as an example; the token changes each time the page refreshes/changes).

Code:
<script type="text/javascript">Roblox.XsrfToken.setToken('IVzHt8XOUJpy');</script>

After you get the token, I need to make a post with that token to http://www.roblox.co...nge-member-rank with the variables:

groupId=
newRoleSetId=
targetUserId=
X-CSRF-TOKEN: IVzHt8XOUJpy
X-Requested-With: XMLHttpRequest

I also might need to log in? which I think is done like so:

POST https://m.roblox.com/Login HTTP/1.1
Host: m.roblox.com
Content-Length: 29
Content-Type: application/json

{"username":"","password":""}

but I am not sure, that is just something I found during my research. I know this is possible, I have seen it done multiple times in the past, and I think I have something going... Just not sure how to put it all together...

All of my form POST data (from multiple forms) is managed through a file called formdata.php. formdata.php and check_input() perform trim/stripslashes/htmlspecialchars etc. on the posted variables (it also indirectly calls relevant database functions such as insert or select). What is the correct way to add all of the variables to an array so that I can pass the array (of variables) to a function?
i.e. the checked variables (only a few of them):

Code:
$subject      = check_input($_POST['subject']);
$repphone     = check_input($_POST['repphone']);
$repfirstname = check_input($_POST['repfirstname']);
$replastname  = check_input($_POST['replastname']);
$streetnum    = check_input($_POST['streetnum']);
$streetname   = check_input($_POST['streetname']);
$suburb       = check_input($_POST['suburb']);
$postcode     = check_input($_POST['postcode']);

There will be many subjects and many more variables, so instead of listing the variables such as:

Code:
function post_to_table() {
    // variables
    global $subject, $streetnum, $streetname, $suburb, $postcode;
    global $repphone, $repfirstname, $replastname;
    if ($subject === "specifiedsubject") {
        post_to_appropriate_table($streetnum, $streetname, $suburb, $postcode,
                                  $repphone, $repfirstname, $replastname);
    }
}

I would rather use an array instead of passing each variable individually:

Code:
function post_to_appropriate_table($streetnum, $streetname, $suburb, $postcode,
                                   $repphone, $repfirstname, $replastname) {
    global $database;
    $sql  = "INSERT INTO incident (";
    $sql .= "streetnum, ";
    $sql .= "streetname, ";
    $sql .= "suburb, ";
    $sql .= "postcode, ";
    $sql .= "repphone, ";
    $sql .= "repfirstname, ";
    $sql .= "replastname";
    $sql .= ") ";
    $sql .= "VALUES (";
    $sql .= "'{$streetnum}', ";
    $sql .= "'{$streetname}', ";
    $sql .= "'{$suburb}', ";
    $sql .= "'{$postcode}', ";
    $sql .= "'{$repphone}', ";   // was missing: seven columns need seven values
    $sql .= "'{$repfirstname}', ";
    $sql .= "'{$replastname}'";
    $sql .= ") ";
    // echo $sql; // for debugging if required
    return $database->query($sql);
}

how can I ditch the ever growing list of variables and use an array? Thanks.

This works:

Code:
$result = mysql_query("SELECT * FROM mydatabase WHERE username = 'billybob'");

This does not:

Code:
$user = "billybob";
$result = mysql_query("SELECT * FROM mydatabase WHERE username = $user");

Shouldn't these be identical? If I echo $user, I get, of course, "billybob", so does anyone know why the variable isn't working in the query itself?
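The two questions above (building the INSERT from a list of fields, and the unquoted `$user` in the query) both come down to how values get into the SQL. The following is an added example, not code from either poster: it builds the INSERT column list from a fixed whitelist and binds every value as a parameter with PDO, so neither the array of fields nor the username is ever spliced into the SQL text. The `incident` and `users` tables and the in-memory SQLite database are assumptions for this demo; the posts use MySQL, where only the DSN would change.

```php
<?php
// Added example (not from the original posts): build an INSERT from an
// associative array of form fields, allowing only known columns and
// binding every value as a parameter. Table/column names and the SQLite
// in-memory database are assumptions made for this demo.
declare(strict_types=1);

// Columns the incident table accepts; anything else in $_POST is ignored.
const INCIDENT_COLUMNS = [
    'streetnum', 'streetname', 'suburb', 'postcode',
    'repphone', 'repfirstname', 'replastname',
];

function insert_incident(PDO $db, array $fields): int
{
    // Keep only whitelisted keys, in a fixed order, so the column list in
    // the SQL never comes from user input.
    $cols = array_values(array_intersect(INCIDENT_COLUMNS, array_keys($fields)));
    if ($cols === []) {
        throw new InvalidArgumentException('no insertable fields supplied');
    }
    $placeholders = implode(', ', array_map(static function ($c) {
        return ':' . $c;
    }, $cols));
    $sql = sprintf('INSERT INTO incident (%s) VALUES (%s)',
        implode(', ', $cols), $placeholders);

    $stmt = $db->prepare($sql);
    foreach ($cols as $c) {
        // Values travel as parameters, not as SQL text: quotes in the data
        // are stored literally, never interpreted.
        $stmt->bindValue(':' . $c, (string) $fields[$c], PDO::PARAM_STR);
    }
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function find_user_by_name(PDO $db, string $username): ?array
{
    // The "billybob" question: a bound parameter is quoted by the driver,
    // so "username = :u" works for any value, including one with quotes.
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo on an in-memory SQLite database (assumption; the posts use MySQL).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE incident (id INTEGER PRIMARY KEY, streetnum TEXT,
    streetname TEXT, suburb TEXT, postcode TEXT, repphone TEXT,
    repfirstname TEXT, replastname TEXT)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('billybob')");

// Constructed sample POST, including a stray field and a value with a quote.
$post = [
    'subject'      => 'specifiedsubject',   // not a column: dropped
    'streetnum'    => '12',
    'streetname'   => "O'Connell St",
    'suburb'       => 'Fitzroy',
    'postcode'     => '3065',
    'repphone'     => '0400000000',
    'repfirstname' => 'Tom',
    'replastname'  => 'Stone',
];
$id = insert_incident($db, $post);
$saved = $db->query('SELECT streetname FROM incident WHERE id = ' . (int) $id)->fetchColumn();
printf("row %d saved streetname=%s\n", $id, $saved);

var_dump(find_user_by_name($db, 'billybob'));
var_dump(find_user_by_name($db, "billybob' OR '1'='1"));   // null: no such user
```

Because the column list is taken from the whitelist rather than from the keys the client sent, a form that posts an extra `subject` or `id` field cannot widen the INSERT, and the order of fields in `$_POST` no longer matters.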
I'm stuck at trying to figure out how to complete the 3 Step scripts to accomplish passing $variables between 2 different servers. Since there will actually be 12 Non-POST $variables involved in the SERVER #1 to SERVER #2 transfer, it doesn't appear that trying to put these all in a URL string and going the 'GET' route is practical.

I'm just using 3 short test variables in the examples. My eyeballs started rolling when I ran across something about 'CURL' that might be a necessary part of the solution?

The code I have been able to hammer out so far is below as STEP 1, STEP 2 and STEP 3.

STEP 1

Code:
<?php
// submit.php
// STEP 1
// On (LOCAL) SERVER #1 TO relay $variables to 'process.php' on (REMOTE) SERVER #2
// To submit $variables directly to another destination server script
// NOTE: The $variables are NOT the result of Form Input !!!
// For login Authentication ALL 3 must match db entries on SERVER #2
$userid = "adam";
$passwd = "eve";
$pscode = "peterpan";
// These $variables are needed for the MySQL db INSERT on the destination URL server
// For testing simplicity (actual data will be 12 $variables)
$a = "apple";
$b = "banana";
$u = "1234567";
//
// Not sure if something called 'CURL' is needed here ???
//
$submit_to_url = "http://www.blahblah.com/process.php";
?>

STEP 2

Code:
<?php
// processor.php
// STEP 2
// ON SERVER #2 TO RECEIVE DATA DIRECTLY FROM SERVER #1 'submit.php'
// To receive and process the $variables into a MySQL db on SERVER #2
// NOTE: The $variables are NOT the result of Form Input !!!
// First validate $userid, $passwd & $pscode against `verify` table MySQL records
require '/SERVER_2_securelocation_for_database_connection/secret_mysqli.php';
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
//
// Not sure if something called 'CURL' is needed here ???
//
// These login $variables are from submit.php on SERVER #1:
// $userid, $passwd, $pscode
$sql = "SELECT `userid`, `passwd`, `pscode` FROM `verify`
        WHERE `userid` = '$userid' AND `passwd` = '$passwd' AND `pscode` = '$pscode'";
$result = mysqli_query($con, $sql);
if (!$result) {
    die('Error: ' . mysqli_error($con));
}
//
// Then some Authentication code if ALL 3 components match
//
// If Authentication = true then $passed = "YES" must be sent
// back to the 'finalstep.php' script on SERVER #1
// If Authentication (or connection) = false ...
$passed = "NO";
$return_to_url = "http://www.blahblah.com/finalstep.php";
// These $variables are from submit.php on SERVER #1
$a = "apple";
$b = "banana";
$u = "1234567";
$sql = "INSERT INTO `data` (`a`, `b`, `u`) VALUES ('$a', '$b', '$u')";
if (!mysqli_query($con, $sql)) {
    die('Error: ' . mysqli_error($con));
}
// If the SQL INSERT into `data` on SERVER #2 works ...
// $status = "Pending" must be sent back to the 'finalstep.php'
// script on SERVER #1 for MySQL db Table insertion
// If the SQL INSERT into `data` = false, then $status = "Error"
// NOTE: The '$u' $variable also needs to be sent back to finalstep.php !!!
$return_to_url = "http://www.blahblah.com/finalstep.php";
mysqli_close($con);
?>

STEP 3

Code:
<?php
// finalstep.php
// STEP 3
// ON SERVER #1 TO RECEIVE DATA DIRECTLY BACK FROM SERVER #2 process.php
// To receive the $passed, $status and $u $variables for final step action
// NOTE: The $variables are NOT the result of Form Input !!!
require '/SERVER_1_securelocation_for_database_connection/secret_mysqli.php';
if (mysqli_connect_errno()) {
    echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
// These $variables are from process.php on SERVER #2:
// $passed, $status, $u
$sql = "UPDATE `tracking` SET `passed` = '$passed', `status` = '$status' WHERE `uniqueid` = '$u'";
$result = mysqli_query($con, $sql);
if (!$result) {
    die('Error: ' . mysqli_error($con));
}
mysqli_close($con);
?>

Thanks very much for any assistance and guidance.
-freakingOUT

Hi all, Thanks for reading. I'm developing my first website with user registration, login, and account settings, and I was wondering what the best way would be to prevent the site from security flaws, SQL injection, etc. I've read up on it, but, as an example, would the following be suitable?

Code:
$username = trim(stripslashes(mysql_real_escape_string($_POST['username'])));

I guess what I'm asking is, is the above normal? Is there a simpler way to make input from the user secure? Thank you.
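For the three-step relay above, an added example (not the poster's scripts) of the part cURL plays and of how SERVER #2 can tell the request really came from SERVER #1. Instead of sending `$userid`/`$passwd`/`$pscode` and checking them in SQL, the sender signs the whole field set with an HMAC over a shared secret plus a timestamp, and the receiver verifies it with `hash_equals` before anything touches the database; `$passed`, `$status` and `$u` go back to SERVER #1 in the HTTP response body rather than through a second request. The secret, the field names and the URL are assumptions; `relay_to_server2()` is the only part that needs a network and is not called by the demo.

```php
<?php
// Added example (not the poster's scripts): relay a set of non-form values
// from SERVER #1 to SERVER #2 as an HMAC-signed POST body, and verify it on
// SERVER #2 before touching the database. The shared secret, field names and
// URL are assumptions for the demo; the curl call is only made if you run
// relay_to_server2() yourself.
declare(strict_types=1);

const SHARED_SECRET   = 'replace-with-a-long-random-secret-kept-on-both-servers';
const MAX_AGE_SECONDS = 300;

// SERVER #1: canonicalise the fields, add a timestamp, sign with HMAC-SHA256.
function sign_payload(array $fields, string $secret, ?int $now = null): array
{
    $fields['ts'] = (string) ($now ?? time());
    ksort($fields);                          // fixed order so both sides hash the same bytes
    $canonical = http_build_query($fields);  // application/x-www-form-urlencoded
    $fields['sig'] = hash_hmac('sha256', $canonical, $secret);
    return $fields;
}

// SERVER #2: recompute the MAC over everything except the signature and
// compare in constant time; reject requests older than MAX_AGE_SECONDS.
function verify_payload(array $received, string $secret, ?int $now = null): bool
{
    if (!isset($received['sig'], $received['ts'])) {
        return false;
    }
    $sig = (string) $received['sig'];
    unset($received['sig']);
    ksort($received);
    $expected = hash_hmac('sha256', http_build_query($received), $secret);
    if (!hash_equals($expected, $sig)) {
        return false;
    }
    $age = ($now ?? time()) - (int) $received['ts'];
    return $age >= 0 && $age <= MAX_AGE_SECONDS;
}

// SERVER #1: send the signed fields with cURL. Hypothetical URL; use HTTPS and
// leave certificate verification on so the secret-signed body cannot be
// redirected to a look-alike host.
function relay_to_server2(array $fields, string $url): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(sign_payload($fields, SHARED_SECRET)),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException('relay failed: ' . $err);
    }
    curl_close($ch);
    return $body;   // SERVER #2's answer: passed/status/u for finalstep.php
}

// SERVER #2 entry point (process.php): only signed, fresh requests reach the
// database; the result is what SERVER #1 receives as the response body.
function handle_relay(array $post): array
{
    if (!verify_payload($post, SHARED_SECRET)) {
        return ['passed' => 'NO', 'status' => 'Error', 'u' => $post['u'] ?? ''];
    }
    // A prepared-statement INSERT of a, b, u into `data` would go here.
    return ['passed' => 'YES', 'status' => 'Pending', 'u' => $post['u']];
}

// Offline demo with constructed values.
$signed = sign_payload(['a' => 'apple', 'b' => 'banana', 'u' => '1234567'], SHARED_SECRET);
var_dump(verify_payload($signed, SHARED_SECRET));                 // bool(true)
$tampered = $signed;
$tampered['a'] = 'pear';
var_dump(verify_payload($tampered, SHARED_SECRET));               // bool(false): modified
var_dump(verify_payload($signed, SHARED_SECRET, time() + 1000));  // bool(false): stale
print_r(handle_relay($signed));
```

On SERVER #2 the script would call `handle_relay($_POST)` and emit the array (for example as JSON); SERVER #1 reads it from the return value of `relay_to_server2()` and performs the `tracking` UPDATE with bound parameters. The timestamp check limits replay of a captured request; it needs the two servers' clocks to agree within the window.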
Hello, I need to do the following: I have 2 forms on two different pages:

Form 1: Name, Email, Phone
Form 2: Name, Email, Phone, Address, etc.

1. User fills out Form 1, presses submit
2. Form 1 gets processed and I receive an email with the visitor's Name, Email, Phone
3. After the Form has been processed I need to redirect the visitor to a new page (Form 2)
4. When Form 2 loads, fill in the form with the posted variables (Name, Email, Phone) from the previous process

Here is my code:

Form 1

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
</head>
<body>
<form method="post" action="process_form.php">
    <input type="text" name="name" />
    <input type="text" name="email" />
    <input type="text" name="phone" />
    <input type="submit" name="submit" value="submit" />
</form>
</body>
</html>

process_form.php

Code:
<?php
$name  = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];
$to      = 'email@provider.com';
$subject = "Contact Form";
$message = "Contact Information\r\n"
         . "$name\r\n"
         . "$email\r\n"
         . "$phone\r\n";
$headers = "From: $email\r\n";
mail($to, $subject, $message, $headers);
// Redirect
header("Location: http://www.domain.com/form2/");
exit;
?>

Form 2

Code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
</head>
<body>
<form method="post" action="process_form_2.php">
    <input type="text" name="name" />
    <input type="text" name="email" />
    <input type="text" name="phone" />
    <input type="text" name="address" />
    <input type="text" name="city" />
    <input type="text" name="state" />
    . . .
    <input type="submit" name="submit" value="submit" />
</form>
</body>
</html>

The form does get processed and I do get an email with the visitor's info. But I'm not able to pass on the variables from Form 1 to Form 2. Thank you in advance.
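An added example (not the poster's code) of carrying the step-1 values into Form 2: `process_form.php` validates them and stores them in the session, the redirect itself carries nothing, and Form 2 renders its inputs pre-filled and HTML-escaped from the session. Field names follow the post; the length rule and the way the two pages are wired up are assumptions. The demo runs offline against a plain array standing in for `$_SESSION`.

```php
<?php
// Added example (not the poster's code): carry the step-1 fields to the
// step-2 form through the server-side session instead of re-posting them.
// Field names follow the post; the length rule and the page wiring are
// assumptions for this demo.
declare(strict_types=1);

const STEP1_FIELDS = ['name', 'email', 'phone'];

// process_form.php: validate step 1, keep the values server-side, redirect.
// Returns a list of error messages; empty means the data was stored.
function store_step1(array &$session, array $post): array
{
    $errors = [];
    $clean  = [];
    foreach (STEP1_FIELDS as $f) {
        $v = trim((string) ($post[$f] ?? ''));
        if ($v === '' || strlen($v) > 200) {
            $errors[] = "$f is required (max 200 chars)";
        }
        $clean[$f] = $v;
    }
    // FILTER_VALIDATE_EMAIL also rejects line breaks, so the address can be
    // placed in the mail() "From:" header without header injection.
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    if ($errors === []) {
        $session['form'] = $clean;   // only validated data is kept
    }
    return $errors;
}

// form2 page: render each input pre-filled from the session, HTML-escaped
// so a value like <script> is shown as text, not executed.
function render_step2_inputs(array $session): string
{
    $saved = $session['form'] ?? [];
    $html  = '';
    foreach (STEP1_FIELDS as $f) {
        $value = htmlspecialchars((string) ($saved[$f] ?? ''), ENT_QUOTES, 'UTF-8');
        $html .= sprintf('<input type="text" name="%s" value="%s" />' . "\n", $f, $value);
    }
    return $html;
}

// Offline demo with a constructed session array and constructed POST data.
$session = [];
$errors  = store_step1($session, [
    'name'  => 'Tom <b>Stone</b>',
    'email' => 'tstone@example.com',
    'phone' => '555-0100',
]);
var_dump($errors);                 // array(0) {}
echo render_step2_inputs($session);

// Rejected input never reaches the session.
$bad = [];
print_r(store_step1($bad, ['name' => 'x', 'email' => "a@b.c\r\nBcc: evil@example.com", 'phone' => '']));
var_dump(isset($bad['form']));     // bool(false)

// Real pages (assumed wiring): process_form.php calls session_start(), then
// $errors = store_step1($_SESSION, $_POST); on success header('Location: /form2/');
// exit; form2 calls session_start() and echoes render_step2_inputs($_SESSION)
// inside its <form>.
```

Keeping the data in the session rather than in hidden fields or the URL means the visitor cannot alter the values between steps, and step 3 can read the same `$_SESSION['form']` without the fields having to be re-validated on every page.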
What I am trying to accomplish is for the user to select the state they wish, hit submit. At this point another form should show asking which county based on the state they picked, then hit search. At this point, I'm having an issue having the state variable being passed to the 2nd form, and also having the state they selected stay selected.

Code:
<?php
$default = "Step 1. Pick Your State";
$select = "<option name='statebox'>$default</option>";
echo "<br/><form method='POST' action=" . $_SERVER['PHP_SELF'] . " >";
echo "<select name='search'>";
echo "$select";
///////////////////////////////////////////////////////////////
// Connect to the database
include_once 'phpforms/connect.php';
$sql = mysql_query("SELECT * FROM states");
while ($row = mysql_fetch_array($sql)) {
    $state = $row['states'];
    echo "<option name='statebox'>$state</option>";
} // End While
///////////////////////////////////////////////////////////////
echo "</select>";
echo "<input align='left' type='submit' name='stateboxbutton' value='Ok'> ";
echo "</form>";
echo "</td>";
echo "<td>";
if (isset($_POST['stateboxbutton'])) {
    $statesearch = $_POST['statebox'];
    $selected = $_POST['statebox'];
    $select = "<option name='statebox'>$selected</option>";
    echo "<br/><form action='../search-results.php' method='POST'>";
    echo "<select name='search'>";
    echo "<option name='default'>Step 2. Pick Your County</option>";
    ///////////////////////////////////////////////////////////////
    // Connect to the database
    include_once 'phpforms/connect.php';
    $sql = mysql_query("SELECT * FROM counties WHERE state LIKE '$statesearch'");
    while ($row = mysql_fetch_array($sql)) {
        $co = $row['counties'];
        echo "<option name='county'>$co</option>";
    } // End While
    ///////////////////////////////////////////////////////////////
    echo "</select>";
    echo "<input align='left' type='submit' name='button' value='Search'> ";
    echo "</form>";
} else {
} // End Else
?>
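An added example, not the poster's code, of the two-step picker. It gives the `<select>` the name that step 2 reads back, puts the state in each option's `value`, marks the chosen state `selected`, checks the submitted state against the `states` table before using it, and looks up counties with a bound parameter and an exact match instead of `LIKE '$statesearch'`. Everything echoed into HTML goes through `htmlspecialchars`. The tables, their rows and the in-memory SQLite database are assumptions for the demo.

```php
<?php
// Added example (not the poster's code): the two-step state/county picker
// with the state carried into step 2 and kept selected. Tables and the
// in-memory SQLite database are assumptions for this demo.
declare(strict_types=1);

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Step 1: the <select> needs a name (the key $_POST will contain) and each
// <option> needs a value; "selected" keeps the previous choice.
function render_state_select(array $states, ?string $selected): string
{
    $html  = "<form method='post'>\n<select name='state'>\n";
    $html .= "<option value=''>Step 1. Pick Your State</option>\n";
    foreach ($states as $s) {
        $sel   = ($s === $selected) ? ' selected' : '';
        $html .= sprintf("<option value='%s'%s>%s</option>\n", h($s), $sel, h($s));
    }
    return $html . "</select>\n<input type='submit' name='stateboxbutton' value='Ok'>\n</form>\n";
}

// Step 2: only proceed for a state that exists in the database, then fetch
// its counties with a bound parameter (exact match, not LIKE). Returns null
// for an unknown or tampered state.
function render_county_select(PDO $db, string $state): ?string
{
    $chk = $db->prepare('SELECT 1 FROM states WHERE states = :s');
    $chk->execute([':s' => $state]);
    if ($chk->fetchColumn() === false) {
        return null;
    }
    $q = $db->prepare('SELECT counties FROM counties WHERE state = :s ORDER BY counties');
    $q->execute([':s' => $state]);

    $html  = "<form method='post' action='../search-results.php'>\n";
    $html .= sprintf("<input type='hidden' name='state' value='%s'>\n", h($state));
    $html .= "<select name='county'>\n<option value=''>Step 2. Pick Your County</option>\n";
    foreach ($q->fetchAll(PDO::FETCH_COLUMN) as $c) {
        $html .= sprintf("<option value='%s'>%s</option>\n", h($c), h($c));
    }
    return $html . "</select>\n<input type='submit' name='button' value='Search'>\n</form>\n";
}

// Offline demo with constructed tables and a constructed POST.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE states (states TEXT)');
$db->exec('CREATE TABLE counties (state TEXT, counties TEXT)');
$db->exec("INSERT INTO states VALUES ('New York'), ('Ohio')");
$db->exec("INSERT INTO counties VALUES ('New York', 'Genesee'), ('New York', 'Erie'), ('Ohio', 'Summit')");

$post     = ['stateboxbutton' => 'Ok', 'state' => 'New York'];   // constructed
$selected = isset($post['stateboxbutton']) ? (string) ($post['state'] ?? '') : null;

$states = $db->query('SELECT states FROM states ORDER BY states')->fetchAll(PDO::FETCH_COLUMN);
echo render_state_select($states, $selected);
if ($selected !== null) {
    echo render_county_select($db, $selected) ?? "<p>Unknown state.</p>\n";
}

// A state that is not in the table (for instance one edited into the option
// list in the browser) produces no county form at all.
var_dump(render_county_select($db, "Ohio' OR '1'='1"));   // NULL
```

The hidden `state` input is what carries the choice on to `search-results.php`; that page should run the same existence check before trusting it, since hidden fields are as editable as option values.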
Is it correct to use the mysql_real_escape_string() function on every query that I want to insert or search? I have fields like TEXT (description of article), VARCHAR (name of article) and more like that, and is it correct to use mysql_real_escape_string for all fields when the query is INSERT?

Hello All, Wondering if someone can help. I have a piece of code which I use on all data I post to my database, which uses mysql_real_escape_string on all my forms for security purposes, that I found on t'internet:

Code:
if (!get_magic_quotes_gpc()) {
    $_GET     = array_map('mysql_real_escape_string', $_GET);
    $_POST    = array_map('mysql_real_escape_string', $_POST);
    $_REQUEST = array_map('mysql_real_escape_string', $_REQUEST);
    $_COOKIE  = array_map('mysql_real_escape_string', $_COOKIE);
}

However, ever since I've installed this I'm having problems with other elements, such as deleting records from a MySQL database like so:

Code:
<?php
$msg = "";
if (isset($_POST['Submit'])) {
    $total    = $_POST['total'];
    $news_ids = $_POST['nws_id'];
    foreach ($news_ids as $id) {
        mysql_query("DELETE FROM news WHERE news_id='$id'");
    }
    $msg = count($news_ids) . " News Item(s) deleted!";
}
$result = mysql_query("SELECT *, DATE_FORMAT(published, '%d-%m-%Y') as formatted_date from news order by news_id desc;");
$num = mysql_num_rows($result);
$n = 0;
?>

Yet if I delete the piece of code above, it works fine, but I don't understand why the above code affects this? Anyone please help me understand? Thanks

Good morning,
I am trying to implement a simple sanitization of data before inserting in my database and am having a little trouble due to the fact that I am using a third party script that is accessing posted variables in a way that is unfamiliar to me... here's the data. The problem area is red. The form simply hangs up when submitted. I have used this method in the past, but not with an object operator.

Code:
// insert into database
$update = "UPDATE model SET name = '$name', age = '$age', height = '" . mysql_real_escape_string($height) . "', hair = '$hair', bust = '$bust', waist = '$waist', hips = '$hips' ......... WHERE id = '$id' ";
$rsUpdate = mysql_query($update);

After reading the manual at php.net on this function, I should be inserting the mysql_real_escape_string for each variable, correct? Right now I just have it for $height. The reason I'm asking is because I have 28 columns in this table and want to make sure I'm using this function properly, as it seems like a tedious process and messy code.

Hello and thanks in advance for the input. I have a fully functioning form. I am validating the input and successfully inserting the input into the MySQL database. Now I am trying to escape the data by adding the basic line of code:

Code:
$name = mysql_real_escape_string($_POST['name']);

The input is successful but the MySQL database name field is empty. If I remove the above line of code and just input the value for $name (without escape) the update works great. So the question is obvious for the above. Why?

This code gives an error. Please help fix.

Code:
$mydb = mysql_connect("localhost", "my_un", "my_pw");
mysql_select_db("my_db");
$query = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND authority = 'Banned'",
                 mysql_real_escape_string($userNm));
if (mysql_num_rows($query)) {
    $login = "&err=Not allowed.";
    echo($login);
} else {
    $result = sprintf("SELECT * FROM idb1 WHERE username = '%s' AND password ='%s'",
                      mysql_real_escape_string($userNm), mysql_real_escape_string($passWd));
    if (mysql_num_rows($result) == 0) {
        $login = "&err=Retry!!";
        echo($login);
    } else {
        $row = mysql_fetch_array($result);
        $userNm = $row['username'];
        $passWd = $row['password'];
        $login = "$userNm=" . $userNm . "$passWd=" . $passWd . "&err=Successful.";
        echo($login);
    }
}

Hi, just wondering, do I need to use mysql_real_escape_string() on login information (username and password)?
I use it as shown below but get an error when connecting.

Code:
if (isset($_POST['submit'])) {
    if (empty($_POST['uname']) && (empty($_POST['upass']))) {
        header("Location:Messages.php?msg=1");
        exit();
    }
    $n = mysql_real_escape_string($_POST['uname']);
    $p = mysql_real_escape_string($_POST['upass']);
    include('config.php');
    $query  = "select * from country where uname='$n' and pw='$p'";
    $result = mysql_query($query);
}

I have a form that allows users to submit to a database, and for security reasons I am using mysql_real_escape_string on all of their input values. However, this means that if the user puts something in speech marks such as "hello", it will then show up in the database as \"hello\". This means that whenever I fetch anything from the database it will have slashes in, which doesn't look good. How do other people get round this problem? When I fetch something from my database should I do a string replace and just delete these slashes, or is there a better method? Thanks for any help.

Hey guys, just wondering, is it advisable to use mysql_real_escape_string() with <select> boxes? I know the web designer will always set the values for options within select boxes, therefore there shouldn't be any danger, but then I found such JS code as:

Code:
javascript:document.body.contentEditable='true'; document.designMode='on'; void 0

(this allows the user of any site to edit content on the user's end) so with something like the above, is it at all possible for a user to alter the option values within a select box and successfully submit the altered form? Thanks
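The last four questions (escaping login fields, backslashes showing up in stored text, and whether `<select>` values can be trusted) share one answer in practice, and the same answer applies to the `foreach`/`array_map` escaping at the top of the page. Added example, not code from any of the posts: each posted field is checked against a server-side rule, a select box against the exact list the server rendered (the option values in the browser can be edited, so that list has to live on the server), and the login query carries only a placeholder while the password is checked with `password_verify()`. Values bound as parameters are stored exactly as typed, so no backslashes end up in the table. The field names, the rule set and the in-memory SQLite `users` table are assumptions.

```php
<?php
// Added example (not from the posts): validate every posted field against a
// server-side rule before it is used, then look the user up with a bound
// parameter and check the password hash. Field names, the rule set and the
// in-memory SQLite table are assumptions for this demo.
declare(strict_types=1);

// Rules: a select box is checked against the exact list the server rendered
// (the browser's copy can be edited, so the list must live here); free text
// gets a length/charset rule. Nothing is escaped for SQL at this stage.
const RULES = [
    'uname'   => ['type' => 'text',   'pattern' => '/^[A-Za-z0-9_.-]{1,32}$/'],
    'upass'   => ['type' => 'text',   'pattern' => '/^.{8,128}$/s'],
    'country' => ['type' => 'choice', 'allowed' => ['AU', 'NZ', 'UK']],
];

// Returns [clean fields, errors]; a field appears in exactly one of the two.
function validate_post(array $post): array
{
    $clean  = [];
    $errors = [];
    foreach (RULES as $field => $rule) {
        $value = $post[$field] ?? null;
        if (!is_string($value)) {            // missing, or an array where a string was expected
            $errors[$field] = 'missing';
            continue;
        }
        $ok = $rule['type'] === 'choice'
            ? in_array($value, $rule['allowed'], true)   // strict: no type juggling
            : preg_match($rule['pattern'], $value) === 1;
        if ($ok) {
            $clean[$field] = $value;
        } else {
            $errors[$field] = 'invalid';
        }
    }
    return [$clean, $errors];
}

// Login: the query carries only a placeholder; the password is never compared
// in SQL but verified against the stored password_hash() value.
function login(PDO $db, string $uname, string $upass): ?int
{
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE uname = :u');
    $stmt->execute([':u' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($upass, $row['pw_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Offline demo with a constructed users table and constructed POST bodies.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, uname TEXT UNIQUE, pw_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (uname, pw_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'billybob', ':h' => password_hash('correct horse battery', PASSWORD_DEFAULT)]);

[$clean, $errors] = validate_post(['uname' => 'billybob', 'upass' => 'correct horse battery', 'country' => 'AU']);
var_dump($errors === [] ? login($db, $clean['uname'], $clean['upass']) : null);   // int(1)

// Tampered select box (value not in the rendered list) and an injection attempt
// in the username: both are rejected before any query runs.
[$clean, $errors] = validate_post(['uname' => "' OR '1'='1", 'upass' => 'whatever!', 'country' => 'XX']);
print_r($errors);   // uname => invalid, country => invalid

// A value with quotes is stored and read back unchanged, with no backslashes.
$ins->execute([':u' => 'quoted.user', ':h' => password_hash('say "hello" there', PASSWORD_DEFAULT)]);
var_dump(login($db, 'quoted.user', 'say "hello" there') !== null);   // bool(true)
```

Validation runs on the raw `$_POST` and produces a new array; the superglobal itself is never rewritten, so the "delete by id" style code from the `array_map` question keeps receiving the arrays it expects, and any field without a rule simply never reaches the database.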