PHP - PHP Code Protection
I need to know what I need to care about while I'm coding, and how someone can hack my PHP code. Some tricks for protection, please?

Similar Tutorials

I want to password protect my entire website. How would I go about doing this? There is a website that has this already (www.printerdev.co.uk). I want to do the exact same thing but am not sure how to. Can someone please help me?

Hello. I'm trying to password protect my pages in a simple way like this:
http://www.scottconn...ord_protection/
but for some reason it doesn't check the login file, so it doesn't work:

<?php require_once 'login.php'; ?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
<style type="text/css">
#form1 table tr td label { }
#form1 table { text-align: left; }
#wrapper { margin: 20px auto; text-align: center; font-size: 20px; }
#wrapper2 { margin: 20px auto; text-align: center; font-size: 20px; }
</style>
</head>
<body>
<div id="wrapper">
--<a href="tilfojer.html">Tilføj Aktivitet</a>--<br>
--<a href="tilfojtilvalg.html">Tilføj Tilvalg</a>--<br>
--<a href="tilfojrestaurant.html">Tilføj Restaurant</a>--<br>
--<a href="tilfojmenu.html">Tilføj Menu</a>--
</div>
<div id="wrapper2">
--<a href="seaktivitet.php">Se Aktiviteter</a>--<br>
--<a href="setilvalg.php">Se Tilvalg</a>--<br>
--<a href="serestaurant.php">Se Restauranter</a>--<br>
--<a href="semenu.php">Se Menuer</a>--
</div>
<a href="?logout=1">Logout</a>
</body>
</html>

That is how I implemented it. I made the file a PHP file. Can someone tell me why it doesn't work, and maybe how to make it work, and why that works? Many thanks.

I have been getting a lot more client requests to protect files. What is the easiest way to do this? Basically, I have tried doing it outside the public directory. There are too many things that cause issues with this. I haven't been able to get a successful implementation of this since I started working with it. So I was thinking instead about password protecting a directory that is inside public view, but still getting files via PHP. Is there a way to set up a password protected directory, then retrieve stuff from that directory using PHP? Or a good way to put them outside the public folder? Everything I have tried to do to get a file to save outside of public view has not worked. It always says uploaded, but the file is never there. Also, I have verified correct permissions for this as well.

How would this code work?

Code:
if ($_POST['username'] == "[, ., ,, _, -" ){ die('Invalid characters.'); }

I want it to mean: if there are any characters like " [ . - _ ' or anything like that in the username, then die('Invalid characters.'), for extra safety.

How can you protect against MySQL injection (from inserting different statements into the input field)? Thanks.

I have a contact form, and I want to make sure it doesn't send a bunch of duplicates if the page is refreshed after being submitted. The simple way is to make sure this record isn't identical to the one before it:

select * from `contacts` where `Name`='$name' and `Phone`='$phone' and `Message`='$message' and `Subject`='$subject' and `Email`='$email'

But that checks against all records. While not likely, this could cause problems if the same customer came back a month later and put in the exact same contact. Is there any way I can check it only against the very last record in the database? Something like: and `id`=XX, where XX is one less than the current auto-increment id?

I'm having some robots injecting gibberish. I want to deny any links in the request text of the form. For some reason I tested it and it accepted an http link:

Code:
if (preg_match("/http/i","$RequestText")){ exit(); }

Thanks.

<?php
include ("database.php");
// show comments
$result = mysql_query("SELECT * FROM gamecomments");
while($row = mysql_fetch_array($result)) {
    echo $row['username'] . ": <Br> " . $row['comment'];
    echo "<p>";
}
ini_set ("display_errors", "1");
error_reporting(E_ALL);
if (isset($_POST['submit'])) {
    // now we insert it into the database
    $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')";
    $add_comment = mysql_query($insert);
    echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">";
}

I haven't had a problem with SQL injection yet, but I'm scared to death. I didn't do any form data validation as I was building my site. I'm just now starting to learn how. Magic_quotes is turned on at my host. I know about htmlspecialchars and mysql_real_escape_string and stripslashes and htmlentities. In testing each of these, it seems they all miss one thing or another. So I created an array of words and characters that I can't for the life of me imagine anyone would ever need on any form in my site, that I THINK addresses most if not all of the really bad things. But hey... I'm new to this. So here is my array, and using print_r() it looks pretty good.

Code:
$badstuff = array('select','delete','update','insert','drop','=',';','"','\'','<','>','/');

Code:
Array ( [0] => select [1] => delete [2] => update [3] => insert [4] => drop [5] => select [6] => delete [7] => update [8] => insert [9] => drop [10] => = [11] => ; [12] => " [13] => ' [14] => < [15] => > [16] => / )

My str_ireplace() function works fine within the code, but I'd like to create a function using str_ireplace(). I am failing miserably. Here is my function that doesn't work...

Code:
function strip($string){ return str_ireplace($badstuff,"",$string); }

Here below, the first line, which uses the function, does NOT work. The second line, which just uses the str_ireplace() function, works fine.

Code:
echo strip($string).'<br>';
echo str_ireplace($badstuff,"",$string);

Can anyone tell me why my function does not work? I've read and watched 20 tutorials and just can't see the problem. Thanks for any input.

Hey, wondering if this would work. It is based on the idea that everyone who is a real visitor will be using a browser; is that correct? Do robots use browsers too? If so, it won't work! Haha.

<?php
$browser = mb_substr($_SERVER['HTTP_USER_AGENT'], 0, 31);
if (!empty($browser)){ echo '<form action="send.php" method="post">'; }
?>

Just thought it was nice and simple, and couldn't see anywhere if it would work or not...

I have never looked into sanitizing before. Is using htmlentities() good enough to protect against SQL injection? Thanks.
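The gamecomments insert and display above, rewritten as an added example (not code from any of the posters): parameter binding replaces both the mysql_* string concatenation and the $badstuff keyword blacklist, and htmlspecialchars() is applied at output time, which is a separate layer from SQL injection defence rather than a substitute for it. The PDO DSN, credentials, session key and a logged-in username are assumptions standing in for the poster's database.php and cookie.

```php
<?php
// Added example, not from the original posts. Assumes a MySQL database and the
// gamecomments (username, comment) table described above; the DSN and
// credentials below are placeholders.
session_start();
$pdo = new PDO(
    'mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'YOUR_USER', 'YOUR_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// Insert a comment. The values travel separately from the SQL text, so quotes,
// semicolons or SQL keywords in $comment cannot alter the statement.
function addComment(PDO $pdo, string $username, string $comment): void {
    if (trim($comment) === '' || mb_strlen($comment) > 2000) {
        throw new InvalidArgumentException('comment empty or too long');
    }
    $stmt = $pdo->prepare(
        'INSERT INTO gamecomments (username, comment) VALUES (:username, :comment)'
    );
    $stmt->execute([':username' => $username, ':comment' => $comment]);
}

// Render stored comments. Escaping on output stops stored XSS: a comment such as
// <script>alert(1)</script> is displayed as text instead of being executed.
function renderComments(PDO $pdo): string {
    $html = '';
    foreach ($pdo->query('SELECT username, comment FROM gamecomments') as $row) {
        $html .= '<p>' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8')
               . ':<br>' . htmlspecialchars($row['comment'], ENT_QUOTES, 'UTF-8')
               . '</p>';
    }
    return $html;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['submit'], $_POST['comment'])) {
    // The username comes from the server-side session of the logged-in user
    // (assumed key), never from a form field the client controls.
    addComment($pdo, $_SESSION['username'] ?? 'anonymous', $_POST['comment']);
    header('Location: games.php'); // redirect after POST so a refresh does not re-insert
    exit;
}
echo renderComments($pdo);
```

The redirect after a successful POST also addresses the duplicate-submission question raised for the contact form above, without comparing against the previous row.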
'[$username]' is using a variable from a cookie verifying that you are logged in. This code works, except I need to put in real escape strings and protection from MySQL injection, and I don't really know where to put them.

Code:
if (isset($_POST['submit'])) {
    // now we insert it into the database
    $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')";
    $add_comment = mysql_query($insert);
    echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">";
}

I have a comment section that is secure against everything except spam. Is there any way to do something like a 10 second minimum wait time between posts?

Hi, I have some code which displays my blog posts in a foreach loop, and I want to add some social sharing code (FB like button, share on Twitter, etc.), but the problem is that the way I have my code now creates 3 instances of the sharing buttons, and if you like one post, all three are liked, and anything you do affects all of the blog posts. How can I fix this?

<?php
include ("includes/includes.php");
$blogPosts = GetBlogPosts();
foreach ($blogPosts as $post) {
    echo "<div class='post'>";
    echo "<h2>" . $post->title . "</h2>";
    echo "<p class='postnote'>" . $post->post . "</p>";
    echo "<span class='footer'>Posted By: " . $post->author . "</span>";
    echo "<span class='footer'>Posted On: " . $post->datePosted . "</span>";
    echo "<span class='footer'>Tags: " . $post->tags . "</span>";
    echo '
    <div class="addthis_toolbox addthis_default_style ">
    <a class="addthis_button_facebook_like" fb:like:layout="button_count"></a>
    <a class="addthis_button_tweet"></a>
    <a class="addthis_counter addthis_pill_style"></a>
    </div>
    <script type="text/javascript">var addthis_config = {"data_track_clickback":true};</script>
    <script type="text/javascript" src="http://s7.addthis.com/js/250/addthis_widget.js#username=webguync"></script>';
    echo "</div>";
}
?>

I have the following code in HTML:

<html>
<head>
<script type="text/javascript">
<!--
function delayer(){
    window.location = "http://VARIABLEVALUE.mysite.com"
}
//-->
</script>
<title>Redirecting ...</title>
</head>
<body onLoad="setTimeout('delayer()', 1000)">
<script type="text/javascript">
var sc_project=71304545;
var sc_invisible=1;
var sc_security="9c433fretre";
</script>
<script type="text/javascript" src="http://www.statcounter.com/counter/counter.js"></script>
<noscript>
<div class="statcounter"><a title="vBulletin statistics" href="http://statcounter.com/vbulletin/" target="_blank"><img class="statcounter" src="http://c.statcounter.com/71304545/0/9c433fretre/1/" alt="vBulletin statistics" ></a></div>
</noscript>
</body>
</html>

It is a basic HTML webpage with a timer redirect script and a StatCounter code. I know a bit about HTML and JavaScript, but almost nothing about PHP. My question is: how can I convert this HTML code into a PHP file, in order to send a variable value using the GET method and display this variable value inside the JavaScript code where it says VARIABLEVALUE? Thanks in advance for your help.

Hi, I need to insert some code into my current form code which will check to see if a username exists and, if so, will display an echo message. If it does not exist, it will post the form (assuming everything else is filled in correctly). I have tried some code in a few places, but it doesn't work correctly, as I get the "username exists" message no matter what. I think I am inserting the code into the wrong area, so I need assistance as to how to incorporate the username check code.

$sql="select * from Profile where username = '$username'";
$result = mysql_query( $sql, $conn ) or die( "ERR: SQL 1" );
if(mysql_num_rows($result)!=0) {
    process form
} else {
    echo "That username already exist!";
}

The current code of the form:

<?PHP
//session_start();
require_once "formvalidator.php";
$show_form=true;
if (!isset($_POST['Submit'])) {
    $human_number1 = rand(1, 12);
    $human_number2 = rand(1, 38);
    $human_answer = $human_number1 + $human_number2;
    $_SESSION['check_answer'] = $human_answer;
}
if(isset($_POST['Submit'])) {
    if (!isset($_SESSION['check_answer'])) {
        echo "<p>Error: Answer session not set</p>";
    }
    if($_POST['math'] != $_SESSION['check_answer']) {
        echo "<p>You did not pass the human check.</p>";
        exit();
    }
    $validator = new FormValidator();
    $validator->addValidation("FirstName","req","Please fill in FirstName");
    $validator->addValidation("LastName","req","Please fill in LastName");
    $validator->addValidation("UserName","req","Please fill in UserName");
    $validator->addValidation("Password","req","Please fill in a Password");
    $validator->addValidation("Password2","req","Please re-enter your password");
    $validator->addValidation("Password2","eqelmnt=Password","Your passwords do not match!");
    $validator->addValidation("email","email","The input for Email should be a valid email value");
    $validator->addValidation("email","req","Please fill in Email");
    $validator->addValidation("Zip","req","Please fill in your Zip Code");
    $validator->addValidation("Security","req","Please fill in your Security Question");
    $validator->addValidation("Security2","req","Please fill in your Security Answer");
    if($validator->ValidateForm()) {
        $con = mysql_connect("localhost","uname","pw") or die('Could not connect: ' . mysql_error());
        mysql_select_db("beatthis_beatthis") or die(mysql_error());
        $FirstName=mysql_real_escape_string($_POST['FirstName']); //This value has to be the same as in the HTML form file
        $LastName=mysql_real_escape_string($_POST['LastName']); //This value has to be the same as in the HTML form file
        $UserName=mysql_real_escape_string($_POST['UserName']); //This value has to be the same as in the HTML form file
        $Password= md5($_POST['Password']); //This value has to be the same as in the HTML form file
        $Password2= md5($_POST['Password2']); //This value has to be the same as in the HTML form file
        $email=mysql_real_escape_string($_POST['email']); //This value has to be the same as in the HTML form file
        $Zip=mysql_real_escape_string($_POST['Zip']); //This value has to be the same as in the HTML form file
        $Birthday=mysql_real_escape_string($_POST['Birthday']); //This value has to be the same as in the HTML form file
        $Security=mysql_real_escape_string($_POST['Security']); //This value has to be the same as in the HTML form file
        $Security2=mysql_real_escape_string($_POST['Security2']); //This value has to be the same as in the HTML form file
        $sql="INSERT INTO Profile (`FirstName`,`LastName`,`Username`,`Password`,`Password2`,`email`,`Zip`,`Birthday`,`Security`,`Security2`) VALUES ('$FirstName','$LastName','$UserName','$Password','$Password2','$email','$Zip','$Birthday','$Security','$Security2')";
        //echo $sql;
        if (!mysql_query($sql,$con)) {
            die('Error: ' . mysql_error());
        } else {
            mail('email@gmail.com','A profile has been submitted!',$FirstName.' has submitted their profile',$body);
            echo "<h3>Your profile information has been submitted successfully.</h3>";
        }
        mysql_close($con);
        $show_form=false;
    } else {
        echo "<h3 class='ErrorTitle'>Validation Errors:</h3>";
        $error_hash = $validator->GetErrors();
        foreach($error_hash as $inpname => $inp_err) {
            echo "<p class='errors'>$inpname : $inp_err</p>\n";
        }
    }
}
if(true == $show_form) {
?>

Thank you in advance. Can you help, please?
The error:

Warning: mysql_fetch_assoc() expects parameter 1 to be resource, string given in C:\wamp\www\test_dabase.php on line 24

The code:

Code:
<?php
//database connection.
$DB = mysql_connect("localhost","root") or die(mysql_error());
if($DB){
    //database name.
    $DB_NAME="mysql";
    //select database and name.
    $CON=mysql_select_db($DB_NAME,$DB) or die(mysql_error()."\nPlease change database name");
    // if connection.
}
if($CON){
    //show tables.
    $mysql_show="SHOW TABLES";
    //select show and show.
    $mysql_select2="mysql_query(".$mysql_show.") or die(mysql_error())";
}
//if allowed to show.
if($mysql_select2){
    //while it and
    while($data=mysql_fetch_assoc($mysql_select2)){
        //show it.
        echo $data;
    }
}
?>

Hey gurus, I am a newbie PHP coder. I am learning by example. What I am trying to do is write a piece of code which will alter 3 tables (user, bonus_credit, bonus_credit_usage).

The table structure that will be used is as follows:
user.bonus_credit
user.ID
bonus_credit.bonusCode
bonus_credit.qty
bonus_credit.value
bonus_credit_usage.bonusCode
bonus_credit_usage.usedBy

So let's say in bonus_credit I have the following:
bonusCode = 'facebook' (this is the code they have to type to redeem the bonus)
qty = '10' (number of times the bonusCode can be redeemed, but the same person can't redeem it more than once)
value = '5' (this is the amount of bonus_credit for each qty)

Now, I need to write code that checks to see if the code has been redeemed in the bonus_credit_usage table. If the user.ID exists in this table as bonus_code_usage.usedBy, then give an error that it has already been used; if it hasn't been used, then subtract 1 from qty, add the ID to usedBy, and then add the value to bonus_credit.

I have started the steps just to create a simple textbox and enter a numeric value into bonus_credit, and that works, but now I have to use JOIN and IF and ELSE, which is a little too advanced for me, so I'd appreciate a guide as I write the code.

if(isset($_REQUEST['btnBonus'])) {
    $bonus_credit = addslashes($_REQUEST['bonusCode']);
    $query = "update user set bonus_credit=bonus_credit+'".$bonus_credit."' where id='".$_SESSION['SESS_USERID']."'";
    echo "<script>window.location='myreferrals.php?msgs=2';</script>";
    mysql_query($query) or die(mysql_error());
}

I use this type of code to send automatic emails from my website:

Code:
$headers = ;
$headers .= ;
$to = ;
Click here to go to Google. ", $headers);

I am having a hard time figuring out how to do a hyperlink on words (like "here"). If I do something like this:

Code:
<a href='http://www.google.com'>here</a>

it spits out that exact thing. Thank you for your input.