|
PHP - Security, Escape String And Moving My Connection Details To Adjacent Folder!
I think ive finished the piece of code below, after using escape string for the first time.
Ive also put my connection details in a different folder on my hosting account root (worried that this would of been displayed in the event of a parsing eror), is there anything else I can do to make my site secure? Code: [Select] <?php include('func.php'); include($_SERVER['DOCUMENT_ROOT'].'/include/db.php'); ?> <!--$INC_DIR = $_SERVER["DOCUMENT_ROOT"]. "/include/";--> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Chained Select Boxes using PHP, MySQL and jQuery</title> <script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1.3/jquery.min.js"></script> <script type="text/javascript"> $(document).ready(function() { $('#wait_1').hide(); $('#drop_1').change(function(){ $('#wait_1').show(); $('#result_1').hide(); $.get("func.php", { func: "drop_1", drop_var: $('#drop_1').val() }, function(response){ $('#result_1').fadeOut(); setTimeout("finishAjax('result_1', '"+escape(response)+"')", 400); }); return false; }); }); function finishAjax(id, response) { $('#wait_1').hide(); $('#'+id).html(unescape(response)); $('#'+id).fadeIn(); } </script> </head> <body> <p> <form action="" method="post"> Name: <input type="text" name="Name" /><br /> Phone: <input type="text" name="Phone" /><br /> Email: <input type="text" name="Email" /><br /> Postcode: <input type="text" name="Postcode" /><br /> Web Address: <input type="text" name="Website" /><br /><br /> <select name="drop_1" id="drop_1"> <option value="" selected="selected" disabled="disabled">Select a Category</option> <?php getTierOne(); ?> </select> <span id="wait_1" style="display: none;"> <img alt="Please Wait" src="ajax-loader.gif"/> </span> <span id="result_1" style="display: none;"></span> <br /> </form> </p> <p> <?php if(isset($_POST['submit'])){ $drop = mysql_real_escape_string($_POST['drop_1']); $tier_two = mysql_real_escape_string($_POST['Subtype']); echo "You selected "; echo $drop." & ".$tier_two; } $Name = mysql_real_escape_string($_POST["Name"]); $Phone = mysql_real_escape_string($_POST["Phone"]); $Email = mysql_real_escape_string($_POST["Email"]); $Postcode = mysql_real_escape_string($_POST["Postcode"]); $Website = mysql_real_escape_string($_POST["Website"]); echo "<br>"; echo $Name; echo "<br>"; echo $Website; $query = ("INSERT INTO business (`id`, `Name`, `Type`, `Subtype`, `Phone`, `Email`, `Postcode`, `Web Address`) VALUES ('NULL', '$Name', '$drop', '$tier_two' , '$Phone', '$Email', '$Postcode', '$Website')"); mysql_query($query) or die ( "<br>Query: $query<br>Error: " .mysql_error()); ?> </body> </html> Similar TutorialsPerhaps this is a rather lay question, but, is there a way to gather specific connection details about an open MySQL connection in php? Example: <?php $connect = mysql_connect('localhost', 'username', 'password'); ?> Using the $connect variable, could I run a command that dumps the host, and username to a log file?? Thanks in advance, I'm still searching. E Hi Chaps, this is really getting my back up as its never happened before...im doing a site on a server im not familiar with and its causing me problems Code: [Select] <? if(isset($_POST['upload'])) { include 'dbconnection.php'; $ttitle = mysql_real_escape_string($_POST['ttitle']); $ttitle2 = mysql_real_escape_string($_POST['ttitle2']); $query = "INSERT INTO test ( ttitle, ttitle2) ". "VALUES ('$ttitle', '$ttitle2' )"; mysql_query($query) or die('Error, query failed : ' . mysql_error()); echo "<br>File uploaded<br>"; } ?> The database table is showing that it includes the backslash in the record, whereas i understood mysql_real_escape_string was oinly used to carry the data, and the backslash wouldn't be uncluded. From the server: PHP.ini file: (ver 5.2.17) magic_quotes_gpc Off Off magic_quotes_runtime Off Off magic_quotes_sybase Off Off Is there something i can do to get this sorted, as i dont want to add stripslashes() throught the site. As with the above, i have some forms with loads of fields, so if there is someway of adding a function that would be great.... thanks in advance I upload an image and put every information inside $_SESSION['tmp'] and $_SESSION['path'] then once user click on button then i use move_uploaded_file($_SESSION['tmp'],$_SESSION['path']) but file uploaded not appeared in my upload folder, and again i try to echo everything but all information still kept well in $_SESSION is there something missing here? thanks I have never used real escape string so want to make sure I did it correctly. Also, if I can place it anywhere else to make it even more secure please let me know. This is just the action of a just a simple POST html form. Here it is. Code: [Select] <?php require ('staffarea/sql.php'); $showform="false"; $mcid = mysql_real_escape_string($_POST['mcid']); $age = mysql_real_escape_string($_POST['age']); $description = mysql_real_escape_string($_POST['description']); if(!mysql_query("INSERT INTO `somedatabase`.`appsubmissions` (`id`, `username`, `age`, `description`, `status`) VALUES (NULL, '$mcid', '$age', '$description', 'Pending');")) { echo '<div class=blockrow><b><font size=4>Submission Error</font><br /><br />Something went wrong. Contact Staff in the Support Forums and give them this information:<br /><br /></b><font color=red>'; echo mysql_error(); echo "</font>"; echo '<br /><br /><a href="/forumdisplay.php?f=14">Support Forums</a></div>'; } else { $lastID=mysql_insert_id(); echo "<div class=blockrow><font size=3><b>$mcid, Thank You for your Building Application!</b></font><br /><br />"; echo "Your Unique Application ID: <b>", $lastID; echo "</b> (save this so you can check the application status later)<br /><br /> Your application was submitted successfully. Please allow Staff 24 hours to accept or deny your application. If after 48 hours you still do not have building rights, assume the application was denied and re-submit with different information. DO NOT submit an application more than every 48 hours, doing so will get your account banned for spamming.<br /><br /> While waiting, you might check out the <a href=/index.php?pageid=mcguide>Ultimate Guide</a>.</div>"; } mysql_close($con); ?> on the first column do I need to escape that? "pm_id" if so how do i do that with the right syntax is it like this? pm_id = '.mysql_real_escape_string.' Code: [Select] <?php $mail2 = "INSERT INTO pm SET pm_id = '', sendto = '".mysql_real_escape_string($to)."', sentfrom = '".mysql_real_escape_string($from)."' ?> Also when you create a new row with a id having auto increment. do i have to do id ="" so there isnt ever two rows matching the same id? i have made function of prepare or check the mysql real escapte string but when i run this code it gives two warnings msg Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'SYSTEM'@'localhost' (using password: NO) in C:\wamp\www\cart\include\db.php on line 42 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\cart\include\db.php on line 42 kindly tell me what is this msg about how to solve it my code is 37 public function mysql_prep($value){ 38 $magic_quotes_active=get_magic_quotes_gpc(); 39v$new_enough_php=function_exists("mysql_real_escape_string"); 40 if($new_enough_php){ 41if($magic_quotes_active){ $value=stripslashes($value);} 42 $value= mysql_real_escape_string($value);} 43 else { 44 if($magic_quotes_active){$value=addslashes($value);} 45} 46 return $value; 48 } Hi, I have successfully implemented a master details page with the results aligned in columns linking to a details page. I wish to maintain the recordID passed from the master details page and make the dynamic text, which reads Shade A tree that is capable of..... in the attached screen shot a link to another details page referencing the same recordID. The detailspage2.php would look the same as the screenshot except the Shade text and description below will be highlighted, which I can do, there will be a new image and a new image description. All other dynmaic elements on the page will remain the same. I tried to simply save as my detailspage.php to detailspage2.php and create a link to detailspage2.php. It linked to detailspage2.php but none of the record info showed up in their respective table cells. I have all the names desc's, images, etc setup in a table in my database. Please let me know what code and other info you need to help me out with this procedure. Thanks. I am pretty new to PHP and am trying to create a simple (so I assumed) page to takes data from one html page(works fine) and updates a MYSQL Database. I am getting no error message, but the connect string down to the end of the body section is showing up as plain text in my browser window. I do not know how to correct this. I have tried using two different types of connect strings and have verified my names from the HTML page are the same as listed within the php page. Suggestions on what I need to look for to correct would be great. I have looked online, but so far all I am getting is how to connect, or how to create a comment, so I thought I would try here. Thank you for any assistance I may get!! - Amy - Code: [Select] <body><font color="006600"> <div style="background-color:#f9f9dd;"> <fieldset> <h1>Asset Entry Results</h1> <?php // create short variable names $tag=$_POST['tag']; $serial=$_POST['serial']; $category=$_POST['category']; $status=$_POST['status']; $branch=$_POST['branch']; $comments=$_POST['comments']; if (!$tag || !$serial || !$category || !$status || !$branch) { echo "You have not entered all the required details.<br />" ."Please go back and try again."; exit; } if (!get_magic_quotes_gpc()) { $tag = addslashes($tag); $serial = addslashes($serial); $category = addslashes($category); $status = addslashes($status); $branch = addslashes($branch); $comments = addslashes($comments); } //@ $db = new mysqli('localhost', 'id', 'pw', 'inventory'); $db = DBI->connect("dbi:mysql:inventory:localhost","id","pw") or die("couldnt connect to database"); $query = "insert into assets values ('".$serial."', '".$tag."', '".$branch."', '".$status."', '".$category."', '".$comments."')"; $result = $db->query($query); if ($result) { echo $db->affected_rows." asset inserted into Inventory."; } else { echo "An error has occurred. The item was not added."; } $db->close(); ?> </fieldset> </div> </body> I got this script: But it give me error, file_get_contents cannot open stream. I need to add the FTP connection with user/pass paramaters. then look in set http url, to get the file contents(images) and transfer to ftp server location. Can Anyone take alook and tell me if I am going down the right path and how to get there. Please Code: [Select] function postToHost($host, $port, $path, $postdata = array(), $filedata = array()) { $data = ""; $boundary = "---------------------".substr(md5(rand(0,32000)),0,10); $fp = fsockopen($host, $port); fputs($fp, "POST $path HTTP/1.0\n"); fputs($fp, "Host: $host\n"); fputs($fp, "Content-type: multipart/form-data; boundary=".$boundary."\n"); // Ab dieser Stelle sammeln wir erstmal alle Daten in einem String // Sammeln der POST Daten foreach($postdata as $key => $val){ $data .= "--$boundary\n"; $data .= "Content-Disposition: form-data; name=\"".$key."\"\n\n".$val."\n"; } // Sammeln der FILE Daten if($filedata) { $data .= "--$boundary\n"; $data .= "Content-Disposition: form-data; name=\"".$filedata['name']."\"; filename=\"".$filedata['name']."\"\n"; $data .= "Content-Type: ".$filedata['type']."\n"; $data .= "Content-Transfer-Encoding: binary\n\n"; $data .= $filedata['data']."\n"; $data .= "--$boundary--\n"; } // Senden aller Informationen fputs($fp, "Content-length: ".strlen($data)."\n\n"); fputs($fp, $data); // Auslesen der Antwort while(!feof($fp)) { $res .= fread($fp, 1); } fclose($fp); return $res; } $postdata = array('var1'=>'today', 'var2'=>'yesterday'); $filedata = array( 'type' => 'image/png', 'data' => file_get_contents('http://xxx/tdr-images/images/mapping/dynamic/deals/spot_map') ); echo '<pre>'.postToHost ("localhost", 80, "/test3.php", $postdata, $filedata).'</pre>'; Hello; I would like to do the following operation; Count duplicate (adjacent) my code
<?php
$Array = array("test", "test", "hello", "test", "world", "world", "world", "hello", "test");
for( $i= 0 ; $i <= 6 ;$i++ ) {
$j=1;
if ($Array[$i] === $Array[$i+1]) {
$j+=$j;
echo $j;
}
?>
and showing something like 2,1,1,3,1,1 Thanks Hey! Code: [Select] echo "<ol type=\"a"\>";This gives an error, how am I supposed to escape the " " correctly? Hi guys, I think escaping is the correct term, apologies if its not. Could anyone show me how I can escape this so it works? Thanks Code: [Select] echo "[ - <a href="/$dir/game_play.php">Play</a> - ]"; I haven't coded HTML or PHP in several years and am trying to get back into it. Seems to me that there were some nifty tricks so that when you were conctenating HTML and PHP you didn't get a birds nest. Maybe it was using something like { } but I don;t recall. I also seem to recall that wisely choosing where to use single (') and double (") quote was key! For example, how could this code be cleaner?
echo '<table id="membershipPlans"> <!-- Column Groups --> <colgroup> <col id="feature">'."\r"; foreach ($plan_names as $p_id => $p_name): echo '<col id="option0'.$p_id.'">'."\r"; endforeach; echo '</colgroup>";
I have front page and page for news, and i wonna to set, on front page to show news but only 100 characters, and on news page to be all text, i done that with substr($news, 0, 100); but i have proble, when i have in $news text like this: Code: [Select] Hi everyone. <b>Bold</b>now, subsrt count <b> and </b> like characters, how can i escape that <b> </b>, <u> </u> and other? Hello, I was wondering if I need to escape all get values. I often use a $_GET variable as in mypage.php?id=variable to selecting records to view etc. I usually convert this to a variable to be used in a WHERE statement. Code: [Select] IF ($_GET['id']){ $id=$_GET['id']; } But what if someone tried to view all records Quote http://www.mypage.com/page.php?id=0';SELECT%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulted in all content page data being displayed somehow. Or better yet, if visiting Quote http://www.mypage.com/page.php?id=0';DELETE%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulted in all content being deleted. Is that even possible in the in the context of a MySQL WHERE statement? Seems like the MySQL statement wouldn't be structured correctly and wouldn't work. I use mysqli_real_escape_string" on posted content but should I also escape all GET input? I am having problems understanding how to sanitize my form data so it is safe to INSERT. If I use this code... Quote $trimmed = array_map('trim', $_POST); $body = mysqli_real_escape_string($dbc, $trimmed['body']); And I enter into my form... Quote O'Reilly's book Then I see this in phpMyAdmin... Quote O\'Reilly\'s book --------- If I use this code... Quote $trimmed = array_map('trim', $_POST); $body = $trimmed['body']; And I enter into my form... Quote O'Reilly's book Then I see this in phpMyAdmin... Quote O'Reilly's book Why the strange behavior?? Debbie Hi, I have a site where users can register etc. I was wondering should I use mysql_real_escape_string() for the elements on my registration form example email, name and so on or is it no necessary? One more question could some one tell is this the proper way to use it before inserting into the database. $name=$_POST['name']; mysql_real_escape_string($name) ? Hello. My client and I are trying to figure out a strange issue with exporting blobs. We are trying to sync a WAMP based databse and local MySQL database. The problem is with blob columns.
The issue: When exporting a blob, the local MySQL dump command inserts an escape character "\" before characters such as NUL, TAB and LF, and I am assuming a lot more. My PHP export function (opens a file, SELECT * FROM tbl, writes to the file) does not do this. The main issue is that my client cannot import my PHP dump files when there are blobs, which I suppose is because they are missing these escape characters. He can however re-import his own MySQL dumps. I know I could remedy by using PHP string replace functions to find each character and insert a '\' before it, but I don't know which characters will need to be escaped. I also feel like there is a more simple solution. For example this is what I have and it worked for a tiny 1 pixel image, but not for something complex:
$val = str_replace(chr('NUL'), '\0', $val);
$val = str_replace(chr(0x9), chr(0x5c).chr(0x9), $val);
$val = str_replace(chr(0xa), chr(0x5c).chr(0xa), $val);
Thanks
Hello I am having a problem trying to write to a database using mysql real escape so there wont be any injection attacks. I trying using myrealescape and it returns errors: Code: [Select] Notice: Use of undefined constant messageTo - assumed 'messageTo' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 Notice: Use of undefined constant messageSubject - assumed 'messageSubject' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 Notice: Use of undefined constant messageBody - assumed 'messageBody' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 I add in the single quotes and it doesn't write either. Dreamweaver says that either single quotes or not there is no syntax errors. What going on? I have used it like this befo ('$ID','" . mysql_real_escape_string($_POST[post_content]) . "') and no problems.. ~AJ <?php require_once('connect.php'); if(isset($_COOKIE['user'])){}else{ header( 'Location: members.php'); } if (isset($_POST['sendBtn'])){ $messageFrom = $_COOKIE['user']; $messageTo = $_POST['messageTo']; $hash = $messageTo.$messageFrom.time(); $hash = md5($hash); mysql_select_db("majik"); $sql="INSERT INTO messagesystem(ID, hash, messageTo, messageFrom, messageSubject, messageBody, messageDate, messageRead, messageDelete) VALUES ('','$hash','" . mysql_real_escape_string($_POST['messageTo']) . "','$messageFrom','" . mysql_real_escape_string($_POST['messageSubject']) . "','" . mysql_real_escape_string($_POST['messageBody']) . "','0','0')"; echo '<center>Your message was sent to: '.$messageTo.'</center>'; } ?> My hosts version of php just seems to automatically add the backslashes. Adding the escape string just seems to add like 3 of them rather than 1 Is this command out-of-date? |
|||||||