|
PHP - Comment Protection Against Sql Injection Help Need To Be Secure!
<?php
include ("database.php"); // show comments $result = mysql_query("SELECT * FROM gamecomments"); while($row = mysql_fetch_array($result)) { echo $row['username'] . ": <Br> " . $row['comment']; echo "<p>"; } ini_set ("display_errors", "1"); error_reporting(E_ALL); if (isset($_POST['submit'])) { // now we insert it into the database $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')"; $add_comment = mysql_query($insert); { echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">"; } } Similar Tutorials'[$username]' is using a variable from a cookie varifying that you are logged in, this code works except i need to put real escape strings and protection from mysql injection and dont really know where to put them. Code: [Select] if (isset($_POST['submit'])) { // now we insert it into the database $insert = "INSERT INTO gamecomments (username, comment) VALUES ('[$username]', '$_POST[comment]')"; $add_comment = mysql_query($insert); { echo "<META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=games.php\">"; } } [CODE] How can you protect mysql injection? (from inserting different statements into the input field) Thanks im having some robots injecting gibberish i wnat to deny amy links in the requesttext of the form for some reason i tested it and it accepted a http link Code: [Select] if (preg_match("/http/i","$RequestText")){ exit();} thanks I haven't had a problem with sql injection yet, but I'm scarred to death. I didn't do any form data validation as I was building my site. I'm just now starting to learn how. Magic_quotes is turned on at my host. I know about htmlspecialchars and mysql_real_escape_string and stripslashes and htmlentities. In testing each of these, it seems they all miss one thing or another. so, I created an array of words and characters that I can't for the life of me imagine anyone would ever need on any form in my site, that I THINK addresses most if not all of the really bad things. But hey... I'm new to this. So here is my array and using print_r() it looks pretty good. Code: [Select] $badstuff = array('select','delete','update','insert','drop','=',';','"','\'','<','>','/'); Code: [Select] Array ( [0] => select [1] => delete [2] => update [3] => insert [4] => drop [5] => select [6] => delete [7] => update [8] => insert [9] => drop [10] => = [11] => ; [12] => " [13] => ' [14] => < [15] => > [16] => / ) My str_ireplace() function works fine within the code, but I'd like to create a function using str_ireplace(). I am failing miserably. Here is my function that doesn't work... Code: [Select] function strip($string){ return str_ireplace($badstuff,"",$string); } Here below..... the first line, that uses the function does NOT work. The second line that just uses str_replace() function works fine. Code: [Select] echo strip($string).'<br>'; echo str_ireplace($badstuff,"",$string) Can anyone tell me why my function does not work? I've read and watched 20 tutorials and just can't see the problem. Thanks for any input.
<?php
if(isset($_POST['submit'])){
$uname = $_POST['username'];
$pword = $_POST['password'];
/*** mysql hostname ***/
$hostname = 'localhost';
/*** mysql username ***/
$username = 'root';
/*** mysql password ***/
$password = 'anty90';
try {
$link = new PDO("mysql:host=$hostname;dbname=gambling", $username, $password);
/*** echo a message saying we have connected ***/
echo 'Connected to database<br />';
/*** INSERT data ***/
$stmt = $link->prepare("INSERT INTO gamb(username, password) VALUES (?, ?)");
try{
$stmt->execute(array("$uname", "$pword"));
} catch(PDOException $e){
echo "Exception caught: $e";
}
/*** echo the number of affected rows ***/
//echo $count;
/*** close the database connection ***/
$link = null;
}
catch(PDOException $e)
{
echo $e->getMessage();
}
}
?>
<html>
<form action='home.php' method='post'>
<input type="text" name="username" >
<input type="password" name="password" >
<input type="submit" name="submit" value="submit">
</form>
</html>
I'm new to databse programming so I was just wondering if this was vulnerable to sql injection or not.
I have a comment section that is secure against everything except spam.. Is there anyway to do like a 10second minimum wait time between posts? CREATE TABLE posts ( postId INT(11) NOT NULL UNIQUE AUTO_INCREMENT, title VARCHAR(255) NOT NULL, author VARCHAR(24) NOT NULL, description TEXT NOT NULL, createdAt TIMESTAMP, PRIMARY KEY (postId) ); CREATE TABLE comments( commentId INT(11) NOT NULL UNIQUE AUTO_INCREMENT, comment TEXT NOT NULL, postId INT(11), userId INT(11), createdAt TIMESTAMP, PRIMARY KEY (commentId), FOREIGN KEY (userId) REFERENCES users(userId), FOREIGN KEY (postId) REFERENCES posts(postId) ); CREATE TABLE replies ( repId INT(11) NOT NULL UNIQUE AUTO_INCREMENT, reply TEXT NOT NULL, userId INT(11), commentId INT(11), createdAt TIMESTAMP, PRIMARY KEY (repId), FOREIGN KEY (userId) REFERENCES users(userId), FOREIGN KEY (commentId) REFERENCES comments(commentId) ); CREATE TABLE users ( userId INT(11) NOT NULL UNIQUE AUTO_INCREMENT, userName VARCHAR(100) NOT NULL,, email VARCHAR(100) NOT NULL, PRIMARY KEY (userId) ); how to retrive userName,comment, and createdAt from users and comments table while I have used userId as a Foreign key on the comment table if it isn't correct, correct me please This topic has been moved to Ajax Help. http://www.phpfreaks.com/forums/index.php?topic=322815.0 how would this code work? Code: [Select] if ($_POST['username'] == "[, ., ,, _, -" ){ die('Invalid characters.'); i want it to mean if there are any characters like ", [ . - _ ' " or anything in the username then die('invalid characters.'); for extra safety I want to password protect my entire website. How would I go on to doing this. There is a website that has this already (www.printerdev.co.uk). I want to do the exact same thing but not sure how to. Can someone please help me I need to know, what i need to care about while im coding, how someone can hack my php code. Some tricks for protection pls? I have been getting a lot more client requests to protect files. What is the easiest way to do this. So, basically I have tried doing it outside the public directory. There are too many things that cause issues with this. I haven't been able to get a successfull implementation of this since I started working with this. So I was thinking instead about password protecting a directory that is inside public view, but still get files via PHP. Is there a way to setup a password protected directory, then retreive stuff from that directory using PHP. Or, a good way to put them outside the public folder. Everything I have tried to do to get a file to save outside of public view, has not worked. It always says uploaded but the file is never there. Also, I have verified correct permission for this as well. hello.
im trying to password protect my pages in a simple way like this:
http://www.scottconn...ord_protection/
but for some reason it doesnt chek the login file, so it doesnt work:
<?php require_once 'login.php'; ?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
<style type="text/css">
#form1 table tr td label {
}
#form1 table {
text-align: left;
}
#wrapper {
margin: 20px auto;
text-align: center;
font-size: 20px;
}
#wrapper2 {
margin: 20px auto;
text-align: center;
font-size: 20px;
}
</style>
</head>
<body>
<div id="wrapper">
--<a href="tilfojer.html">Tilføj Aktivitet</a>--<br>
--<a href="tilfojtilvalg.html">Tilføj Tilvalg</a>--<br>
--<a href="tilfojrestaurant.html">Tilføj Restaurant</a>--<br>
--<a href="tilfojmenu.html">Tilføj Menu</a>--
</div>
<div id="wrapper2">
--<a href="seaktivitet.php">Se Aktiviteter</a>--<br>
--<a href="setilvalg.php">Se Tilvalg</a>--<br>
--<a href="serestaurant.php">Se Restauranter</a>--<br>
--<a href="semenu.php">Se Menuer</a>--
</div>
</body>
<a href="?logout=1">Logout</a>
</html>
that is how i implemented it. made the file an php file
can somone tell me why it doesnt work. and maybe how to make it work, and why that works
many thanks
I have a contact form, and I want to make sure it doesn't send a bunch of duplicates if the page is refreshed after being submitted. Simple way is to make sure this record isn't identical to the one before it: select * from `contacts` where `Name`='$name' and `Phone`='$phone' and `Message`='$message' and `Subject`='$subject' and `Email`='$email' But, that checks against all records. While not likely, this could cause problems, if the same customer came back a month later and put in the same exact contact. Any way I can check it only against the very last record in the database? Something like: and `id`=XX , where XX is one less than the current auto inc id? Code: [Select] <form name="commentbox" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post"> <table border="0"> <textarea name="comment" cols="20" rows="2" onclick="document.commentbox.comment.value='';" onfocus="this.style.borderColor='yellow';" onblur="this.style.borderColor='blue';" />Comment...</textarea> </td></tr> $commentcheck = $_POST['comment']; if ($commentcheck == "Comment...") { die(' <META HTTP-EQUIV=\"Refresh\" CONTENT=\"1; URL=index.php\"> '); }else why does this not refresh if i comment "Comment..." it just dies and doesnt echo anything Hey, Wondering if this would work, it is based on the idea that everyone who is a real visitor will be using a browser, is that correct? Do robots use browsers too? if so, it wont work! haha. <? $browser = mb_substr($_SERVER['HTTP_USER_AGENT'], 0, 31); if (!empty($browser)){echo '<form action="send.php" method="post">';} ?> Just thought it was nice and simple, and couldnt see anywhere if it would work or not... I have never looked into sanitizing before, Is using htmlentities() good enough to protect against sql injection ? Thanks. I'm confused, can this result in css/sql injection? Code: [Select] if(isset($_GET['action'])){ if($_GET['action'] == 'details'){ $cupID = $_GET['cupID']; $ergebnis = safe_query("SELECT gameaccID, name, start, ende, typ, game, `desc`, status, checkin, maxclan, gewinn1, gewinn2, gewinn3 FROM ".PREFIX."cups WHERE ID = '".$cupID."'"); $ds=mysql_fetch_array($ergebnis); ... Some german fellow was explaining, translate to English briefly: "$ CupID is not escaped. NEN here I could just "; DROP TABLE` cups `Paste and your table is no longer available eez. Or I could inject javascript, your current session read out, accept it and act as an admin ... " I am trying to understand what he means by this... is this query vulnerable to an injection and why/how? |
|||||||