PHP - Safest & Secure Way For Handling Post Variables

I have sort of an odd request. I wish make a POST to roblox.com with the Xsrf token, let me give you what code might help then ill explain more.   So, I need to parse the page http://www.roblox.co...spx?gid=1039951 to get the token, which is between the (' ') below (this is taken from the site, as an example and the token changes each time the page refreshes/changes.

 <script type="text/javascript">Roblox.XsrfToken.setToken('IVzHt8XOUJpy');</script>

After you get the token, I need to make a post with that token to http://www.roblox.co...nge-member-rank with the variables: groupId= newRoleSetId= , targetUserId= , X-CSRF-TOKEN: IVzHt8XOUJpy, X-Requested-With: XMLHttpRequest   I also might need to log in?   which I think is done like so:

POST https://m.roblox.com/Login HTTP/1.1
Host: m.roblox.com
Content-Length: 29
Content-Type: application/json

{"username":"","password":""}

but I am not sure, that is just something I found during my research. I know this is possible, I have seen it done multiple times in the past, and I think I have something going... Just not sure how to put it all together...   

Good day all

Busy working on some code to allow users to upload images.

Now, I know not to trust anything sent from a user (and to specifically check image type, etc.)
And it's never a good idea to allow anyone, or anything to upload something to a directory below your web root.

But, how bad would it be to check for the correct file size, and type, and then use PHP to FTP that file to a directory that happens to be below your web root?

This would be on a shared hosting platform, where temp_upload is not set, and is running Apache and PHP 5.2

Just checking some additional options, and haven't seen that much regarding how secure the FTP method would be.

Thanks in advance

This works:
$result = mysql_query("SELECT * FROM mydatabase WHERE username = 'billybob'");

This does not:
$user = "billybob"
$result = mysql_query("SELECT * FROM mydatabase WHERE username = $user");

Shouldn't these be identical?  If I echo $user, I get, of course, "billybob", so does anyone know why the variable isn't working in the query itself?

Code: [Select]
<?php

if(isset($_POST['submit']))
{
$drop = mysql_real_escape_string($_POST['drop_1']);
$tier_two = mysql_real_escape_string($_POST['Subtype']);
$Name = mysql_real_escape_string($_POST["Name"]);
$Phone = mysql_real_escape_string($_POST["Phone"]);
$Email = mysql_real_escape_string($_POST["Email"]);
$Postcode = mysql_real_escape_string($_POST["Postcode"]);
$Website = mysql_real_escape_string($_POST["Website"]);
if($Name == '')
{ 
                 .......

?>
Could I remove this code and use the below code and still have the same effect?
      
Code: [Select]

<?php 
if(isset($_POST['submit']))
{
foreach ($_POST as $key => $value) { 
    $_POST[$key] = mysql_real_escape_string($value); 
  } 
?>

what I am trying to accomplish is for the user to select the state they wish, hit submit. At this point another form should show asking which county based on the state they picked, then hit search.

At this point, I'm having an issue having the state variable being passed to the 2nd form also having the state they selected stay selected.


<?php
$default = "Step 1. Pick Your State";
$select = "<option name='statebox'>$default</option>";
  echo "<br/><form method='POST' action=".$_SERVER['PHP_SELF']." >";
   echo "<select name='search'>";
echo "$select";
///////////////////////////////////////////////////////////////
//Connect to the database
include_once 'phpforms/connect.php';

$sql = mysql_query("SELECT * FROM states");
while($row = mysql_fetch_array($sql)){
$state = $row['states'];
echo "<option name='statebox'>$state</option>";
}//End While
///////////////////////////////////////////////////////////////
        echo "</select>";
        echo "<input align='left' type='submit' name='stateboxbutton' value='Ok'> ";
  echo "</form>";
  
echo "</td>";
     echo "<td>";

if(isset($_POST['stateboxbutton'])){
$statesearch = $_POST['statebox'];
$selected = $_POST['statebox'];
$select = "<option name='statebox'>$selected</option>";

  echo "<br/><form action='../search-results.php' method='POST'>";
   echo "<select name='search'>";
echo "<option name='default'>Step 2. Pick Your County</option>";

///////////////////////////////////////////////////////////////
//Connect to the database
include_once 'phpforms/connect.php';
$sql = mysql_query("SELECT * FROM counties WHERE state LIKE '$statesearch'");
while($row = mysql_fetch_array($sql)){
$co = $row['counties'];
            echo "<option name='county'>$co</option>";
}//End While
///////////////////////////////////////////////////////////////

        echo "</select>";
        echo "<input align='left' type='submit' name='button' value='Search'> ";
  echo "</form>";

}else{
}//End Else
  
?>

Hello,
I need to do the following:

I have 2 forms on two different pages:
Form 1: Name, Email, Phone
Form 2: Name, Email, Phone, Address, etc.

1. User fills out Form 1, presses submit
2. Form 1 gets processed and I receive an email with the visitors Name, Email, Phone
3. After the Form has been processed I need to redirect the visitor to a new page (Form 2)
4. When Form 2 loads, fill in the form with the posted variables (Name, Email, Phone) from the previous process

Here is my code:

Form 1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
</head>
<body>
<form method="post" action="process_form.php">
<input type="text" name="name" />
<input type="text" name="email" />
<input type="text" name="phone" />
<input type="submit" name="submit" value="submit" />
</form>
</div>
</body>
</html>


process_form.php
<?php
$name = $_POST['name'];
$email = $_POST['email'];
$phone = $_POST['phone'];

$to = 'email@provider.com';
$subject = "Contact Form";

$message = 
"Contact Information\r\n"
."$name\r\n"
."$email\r\n"
."$phone\r\n\";

$headers = "From: $email\r\n";

mail($to, $subject, $message, $headers);

// Redirect
header("Location: http://www.domain.com/form2/");
?>


Form 2

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
</head>
<body>
<form method="post" action="process_form_2.php">
<input type="text" name="name" />
<input type="text" name="email" />
<input type="text" name="phone" />
<input type="text" name="address" />
<input type="text" name="city" />
<input type="text" name="state" />
.
.
.
<input type="submit" name="submit" value="submit" />
</form>
</div>
</body>
</html>


The form does get processed and I do get an email with the visitor's info. But I'm not able to pass on the variables from From1 to Form2.

Thank you in advance.

I'm stuck at trying to figure out out to complete the 3 Step scripts to accomplish passing $variables between 2 different servers.  Since there will actually be 12 Non-POST $variables involved in the SERVER #1 to SERVER #2 transfer , it doesn't appear that trying to put these all in a URL string and going the 'GET' route is practical.    I'm just using 3 short test variables in the examples.  My eyeballs started rolling within I ran across something about 'CURL' that might be a necessary part of the solution?   The code I have been able to hammer out so far is below as STEP 1, STEP 2 and STEP 3.    STEP 1

<?php

// submit.php 

// STEP 1

// On (LOCAL) SERVER #1 TO relay $variables to 'process.php' on (REMOTE) SERVER #2

// To submit $variables to directly another destination server script
// NOTE: The $variable are NOT the result of Form Input !!!

// For login Authenticaion ALL 3 must match db entries on SERVER #2 
// NOTE: (Again) The $variables are NOT the result of Form Input !!! 

$userid = "adam";
$passwd = "eve";
$pscode = "peterpan";

// NOTE: (Again) The $variable are NOT the result of Form Input !!! 
// These $variables are needed for MySQL db INSERT on the destination URL server
// For testing simplicity (actual data will be 12 $variables)

$a = "apple";
$b = "banana";
$u = "1234567;

//
// Not sure if something called 'CURL' is needed here ???
//

$submit_to_url = http://www.blahblah.com/process.php";

?>

STEP 2

<?php

// processor.php

// STEP 2

// ON SERVER #2 TO RECEIVE DATA DIRECTLY FROM SERVER #1 'submit.php'

// To receive and process the $variables into a MySQL db on SERVER #2
// NOTE: The $variables are NOT the result of Form Input !!!

// First validate $userid, $passwd & $pscode against `verify` table MySQL records

require '/SERVER_2_securelocation_for_database_connection/secret_mysqli.php';

if (mysqli_connect_errno()) {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

//
// Not sure if something called 'CURL' is needed here ???
//

// These login $variables are from submit.php on SERVER #1

$userid 
$passwd 
$pscode

$sql="SELECT `userid`, `passwd`, `pscode` FROM `verify` 
WHERE `userid` = '$userid'" AND `passwd` = '$passwd` AND `pscode` = '$pscode';

$result = mysqli_query($con,$sql);

if (!mysqli_query($con,$sql)) {
  die('Error: ' . mysqli_error($con));
}

//
// Then some Authentication code if ALL 3 components match
//

// If Authentication = true then $passed = "YES" must sent
// be sent back to the 'finalstep.php' script on SERVER #1
// If Authentication (or connection) = false ... $passed = "NO" 

$return_to_url = http://www.blahblah.com/finalstep.php";

// These $variables are from submit.php on SERVER #1

$a = "apple";
$b = "banana";
$u = "1234567";

$sql="INSERT INTO `data` (`a`, `b`, `u`) 
VALUES ('$a', '$b', '$u')"; 

if (!mysqli_query($con,$sql)) {
  die('Error: ' . mysqli_error($con));
}

// If $SQL INSERT into `data` on SERVER #2 works ...
// $status = "Pending" must be sent back to the 'finalstep.php' 
// script on SERVER #1 for MySQL db Table insertion
// If $SQL INSERT into `data` = false, then $status = "Error"
// NOTE: The '$u' $variable also needs send back to finalstep.php !!!

$return_to_url = http://www.blahblah.com/finalstep.php";

mysqli_close($con);

?>

STEP 3

<?php

// finalstep.php 

// STEP 3

// ON SERVER #1 TO RECEIVE DATA DIRECTLY BACK FROM SERVER #2 process.php

// To receive the $passed, $status and $u $variables for final step action
// NOTE: The $variable are NOT the result of Form Input !!!

require '/SERVER_1_securelocation_for_database_connection/secret_mysqli.php';

if (mysqli_connect_errno()) {
  echo "Failed to connect to MySQL: " . mysqli_connect_error();
}

// These $variables are from process.php on SERVER #2

$passed
$status
$u

$sql="UPDATE `tracking` 
SET `passed` = '$passed',
    `status` = '$status' 
WHERE `uniqueid` = '$u' ";

$result = mysqli_query($con,$sql);

if (!mysqli_query($con,$sql)) {
  die('Error: ' . mysqli_error($con));
}

mysqli_close($con);

?>

Thanks very much for any assistance and guidance.   -freakingOUT  

This topic has been moved to Third Party PHP Scripts.

http://www.phpfreaks.com/forums/index.php?topic=315683.0

This topic has been moved to JavaScript Help.

http://www.phpfreaks.com/forums/index.php?topic=347360.0

Hey Guys. I am working with a form that shows the grand total on the checkout page. The value of the grand total is inside a hidden field. When click on  submit, the _POST array doesn't get back the last value of the grand total. I need to hit the button twice to get the last value. The weird thing is when I  echo the value of the grand total it display the latest value, but not with the POST array   For example. If the grand total is $10.00 and I click on submit. It will show the POST['grand_total'] as empty. If I click on submit again it will show the grand total of $10.00. Below is my code that I am working with. Any help would be really appreciated.

if(isset($_POST['submit'])) {
/* Doesn't show if i put it after if($_POST['submit'] */
if(isset($_POST['grand_total'])) {
echo $_POST['grand_total'];
}

}

//A bunch of other html/php code. Another class calculates the subtotal assigns it the variable $subtotal



$cart_totals = new cartTotals($subtotal, $discounted_amount,$post_values->tip); // Cart class is shown below

/* Doesn't show if i put it before if($_POST['submit'] */
if(isset($_POST['grand_total'])) {
echo $_POST['grand_total'];
}
echo  "<input name='grand_total' type='hidden' value='$cart_totals->grand_total'  />"; // Shows the grand total after second from submission
echo "$cart_totals->grand_total"; // Shows grand total after the first submission

Cart Totals Class

class cartTotals  {

	public $subtotal;
	public $sales_tax;
        public $tip;
	public $grand_total;
        public $discount_amount;
	public $href_page;
	public $invalidCouponMessage;
	const  TEST_ENVIORMENT = FALSE;


	/**
	 * [ Function gets constructed in the order summary where the [$discount_amount= ""]  arg does need to be passed.
     * But does get passed in when called on the checkout.php page. Therefore we set the default value to an empty string.]
	 * @param [float] $subtotal   [subtotal get passed in from the parent class coreCartFunction]
	 * @param string $discount_amount [The class checkCouponCode calculates this discount amount based on the
     * subtotal and the discount amount. It gets instantiated on the clients side and passed is this construction function.
     * This is all done on the checkout page.]
	 */

    /*The way the construct function works is by invoking all the methods the passed arguments
    When the methods get invoked the do all the work and set the properties its values. The properties then get echoed out
    on the client side.  */
	
    function __construct($subtotal="", $discount_amount= "", $tip=""){
    
    $this->subTotal($subtotal, $discount_amount);//SubTotal method takes the discount amount and subtracts it from the subtotal.
    $this->salesTax($subtotal, $discount_amount);
    $this->tip = $tip;
    $this->grandTotal();
	}

    private function subTotal($subtotal,$discount_amount) {

            $rounded_subtotal = round($subtotal-$discount_amount,2);
            $money_format_subtotal =  money_format('%i',$rounded_subtotal);
            $this->subtotal = $money_format_subtotal;
    }


    private function salesTax($subtotal, $discount_amount =""){
	$sales_tax = (STORE_SALES_TAX)?(float)STORE_SALES_TAX:8.875;
	$sales_tax =(($this->subtotal)*$sales_tax)/100;
	$sales_tax = round($sales_tax,2);
	$this->sales_tax = $sales_tax;
	}


	public function Tip() {
    //global $post_values;
    //$last_tip_selected = $post_values->tip > 0 ? $post_values->tip : "" ;
	$tip_output = "<select id='tip' name='tip'>";
 	for($tip=0.00; $tip<=11.75; $tip+=0.25){
 	if( $tip == "2") {$selected = " selected";} else {$selected ="";}
       $formatted_tip =  money_format('%i',$tip);

	$tip_output .= "<option {$selected} id='selected_tip' value='$formatted_tip'>"."$".$formatted_tip ."</option>".PHP_EOL;
		}

		$tip_output .= "</select>";
		return $tip_output;

    }

    private function grandTotal(){
        $grand_total = round($this->sales_tax+$this->subtotal+$this->tip,2);
        $grand_total_formatted =  money_format('%i',$grand_total);
        $this->grand_total = $grand_total_formatted;

    }

The code below allows me to insert articles into my website without having to hard-code them in the home page.

Is this code secure?  (Someone told me I should use a switch statement instead?!)

Code: [Select]
<?php
if (isset($_GET['article'])) {
$articleFile = preg_replace('#[^A-z0-9_\-]#', '', $_GET['article']).'.php';

if(file_exists($articleFile)) {
include($articleFile);
}else{
$title = 'Article Not Found';
$content = '';
}
}else{
include('default.php');
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>
<title>Dynamic Content Example</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link type="text/css" rel="stylesheet" href="css/pagelayout.css">
<link type="text/css" rel="stylesheet" href="css/dropdown.css">
</head>

<body>
<div id="wrapper" class="clearfix">
<div id="inner">
<div id="header">
<!-- DROP-DOWN MENU -->
<ul id="topMenu">
<li class="current"><a href="?article=article1">Article 1</a></li>
<li><a href="?article=article2">Article 2</a></li>
<li><a href="?article=article3">Article 3</a></li>
<!-- and so on... -->
</ul><!-- End of TOPMENU -->

</div>
<div id="left">
<p>
Other content goes here : Other content goes here : Other content goes here :
</p>
</div>
<div id="middle">
<div id="content">
<h2>MAIN CONTENT</h2>
<p>
<!-- Dynamically insert Article here using PHP include!! -->
<?php echo $content; ?>
</p>
</div>
</div>
<div id="right">
<p>
Adverting goes here : Adverting goes here : Adverting goes here :
</p>
</div>
</div>
<div id="l"></div>
<div id="r"></div>
</div>
<div id="footer">
<p>footer</p>
</div>
</body>

</html>

If there is a better way to accomplish the same thing, and/or a more secure way, I would be interested in hearing about it.   

Thanks,



Debbie

OK so I have a page that a user can not access unless they are logged in works great. On that page I have links to documents, if you direct link to those docs they work. They should not unless you are logged in. How can I implement this?

I wrote an update script, how secure do you think it is?
By the way, this is an include. The page it is included on stop attacks by making sure the user is logged in.

function update_file($url, $file)
{
        //Get URL content
$ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
            $data = curl_exec($ch);
            curl_close($ch);
            $new_content = $data;

//Replace with content from URL
file_put_contents($file, $new_content);
echo $new_content;
}

function get_url($file)
{

$domain = 'http://www.mysite.com/';
$folder = 'update/'; 
$ver = '2.0.1';
$full_url = ''.$domain.''.$folder.'/'.$ver.'/';
$fileu = array
(
"functions/update.php" => "".$full_url."functions/update.txt"
);

return $fileu[$file];
}

$files = array
(
'functions/update.php'
);

foreach($files as $file)
{
update_file(get_url($file),$file);
}

I'm not amazing with PhP, so excuse me if it looks terrible xD I've taken tutorials, edited them to fit my wanting and tried it out, it seems to deny anything other than an image type, but could it be abused?

<div id="image-upload">
<h2>Upload your image</h2>
<form action="upload.php" method="post" enctype="multipart/form-data"> 
Upload:<br><br> 
<input type="file" name="image"><br><br>
Image Title:<br><br> 
<input type="text" name="image_title"><br><br> 
<input type="submit" name="submit" value="Upload"> 
</form>
	
	
<?php
include("upload_file.php");

function GetImageExtension($imagetype)
{
if(empty($imagetype)) return false;
switch($imagetype)
{
case 'image/bmp': return '.bmp';
case 'image/jpeg': return '.jpg';
case 'image/png': return '.png';
default: return false;
}
}
		 
			 
if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
die();
}

$extension = getimagesize($_FILES['image']['tmp_name']);
if ($extension === FALSE) {
die("<br><font color='#8B0000'>Unable to determine image typeof uploaded file</font>");
}

if (($extension[2] !== IMAGETYPE_GIF) && ($extension[2] !== IMAGETYPE_JPEG) && ($extension[2] !== IMAGETYPE_PNG)) {
die("<br><font color='#8B0000'>Only images are allowed!</font>");
}
			 
			 
			 			 
if (!empty($_FILES["image"]["name"])) {

$file_name=$_FILES["image"]["name"];
$temp_name=$_FILES["image"]["tmp_name"];
$imgtype=$_FILES["image"]["type"];
$ext= GetImageExtension($imgtype);
$imagename=$_FILES["image"]["name"];
$target_path = "../../images/upload/".$imagename;
$title = $_POST["image_title"];

		
if(move_uploaded_file($temp_name, $target_path)) {
$query_upload="INSERT into `images_tbl` (`images_path`,`submission_date`,`image_title`) VALUES 
('".$target_path."','".date("Y-m-d")."','".$title."')";

mysql_query($query_upload) or die("error in $query_upload == ----> ".mysql_error()); 
echo '<br>Image uploaded!';
}else{
echo '<br><font color="#8B0000">Only images are allowed!</font>';
} 
}
?>