|
PHP - Sanitizing Input
What is the best way to santize a user input
What covers it all without leaving the text with slashes Do i just need to escape my variables, or no i need to sanitize my queries as well? Whats the whole kitten kaboodle, anyone? Similar TutorialsI'm researching ways that my server can be vulnerable. So far, I've strongly relied on regex to sanitize anything susceptible to user input/manipulation. Should I be trying other methods? Should I be changing input to html entities, even though they're bypassed w/ regex? Any recommendations on other methods to secure my server besides securing user input? I have been reading this: http://www.phpro.org/tutorials/Filtering-Data-with-PHP.html#11 I am curious, how does one actually sanitize a php script? I know the site shows how to do it, but it really doesn't show in real world how to do it. Let me give you an example: Code: [Select] <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>PDI NCMR Admin Panel</title> <!--[if IE]><link rel="stylesheet" type="text/css" href="../CSS/ie.css" /><![endif]--> <!--[if !IE]> <--><link rel="stylesheet" type="text/css" href="../CSS/pdi.css" /><!--> <![endif]--></head> <body> <?php echo '<div id="admin">'; //Show the navagation menu require_once('../hf/nav.php'); echo '<hr id="line">'; echo '<h2 id="title">Latest NCMRs </h2>'; // Connect to the database require_once('../connectvars.php'); $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); // Retrieve the data from MySQL $query = "SELECT * FROM ncmr"; $data = mysqli_query($dbc, $query); echo '<table>'; echo '<tr><th>NCMR ID  </th><th>Part  </th><th>Date  </th><th>Actions  </th></tr>'; while ($row = mysqli_fetch_array($data)) { // Display the data echo '<tr class="ncmrdata">'; echo '<td>' . $row['NCMR_ID'] .'    </td>'; echo '<td>' . $row['Nexx_Part_Description'] .'  </td>'; echo '<td>' . date("M d,Y",strtotime($row['Added_By_Date'])) . '&  </td>'; echo '<td><a href="viewncmr.php?id=' . $row['id'] . '">Comment</a></strong>  <strong><a href="editncmr.php?id=' . $row['id'] . '">Edit</a>  <a href="printncmr.php?id=' . $row['id'] . '">Print</a>'; echo '</td></tr>'; } echo '</table>'; mysqli_close($dbc); require_once('../hf/footer.php') ?> </body> </html> How do I sanitize this? Or is it for inputs only? In lieu of prepared statements, will this work effectively? Is it overkill? $username = mysqli_real_escape_string($conn,$_POST["username"]); $username = strip_tags(trim($username)); Can I write it this way: $username = mysqli_real_escape_string($conn,strip_tags(trim($_POST["username"]))); Are prepared statements a guarantee for defeating an injection attack? Or should they be used in conjunction with the above (or other) coding to bolster a database's defenses? I'm attempting to thoroughly sanitize my PHP app to avoid common exploits, and am working on guarding from SQL injections and such. I'm using mysql_real_escape_string for data that comes from the user. I have a number of instances of the following: $ip = $_SERVER['REMOTE_ADDR']; $page = $_SERVER['PHP_SELF']; And then using those values to query or update SQL. Is it a best practice to also sanitize this sort of data? I hope I can explain what is happening. I have created two forms in PHP. The first 'almost' works, i.e. it shows the data. But I have two problems - 1) the second pulldown menu is always empty and 2) $value from the first pulldown menu ALWAYS equals the last entry thus the last 'if' in the function subdomains ($domains) is always called (but still empty). The code may explain this better than me:
<!DOCTYPE html>
<html>
<body>
<!-- processDomains.php is this file - it calls itself (for testing purposes so I can see what is happening) -->
<form action="processDomains.php" method="post">
<?php
// create the domains array (there are actually several entries in the array but I cut it down for testing)
$domains = array (1 => 'Decommission', 'Migration');
echo "Select Domain:";
echo "<br>";
// Make the domain pull-down menu - this displays correctly
echo '<select name="domain">';
foreach ($domains as $key => $value) {
echo "<option value=\"$key\">$value</option>\n";
}
echo '</select>';
// input doesn't matter what is 'submitted', always goes to last $value
echo '<input type="submit" name="submit" value="Submit">';
// call function subdomains
subdomains ($value);
function subdomains ($domains) {
// define values for each array - each array contains available choices for the subdomain pulldown menu
$migration = array (1 => 'Application Migration', 'Application Patch', 'Application Upgrade');
$decommission = array (1 => 'Applications', 'Servers', 'Storage');
if ($domains === 'Migration') {
echo "Select subdomain:";
echo "<br>";
// Make the Migration pull-down menu
echo '<select name="migration">';
foreach ($migration as $key => $value) {
echo "<option value=\"$key\">$value</option>\n";
}
echo '</select>';
} else if ($domains === 'Decommission') {
/* ===
* since 'Decommission' is the last entry in the 'Domains' pulldown list, $value ALWAYS equals
* 'Decommission' and $domains equals $value. So this menu SHOULD work but is always
* empty. Thus, two problems - the pulldown menu is always empty and $value isn't based
* upon user input.
*/
echo "Select subdomain:"; // this prints so I know I'm in 'Decommission (I eliminated the echo "$domain" to show I'm always coming here)'
echo "<br>";
// Make the 'Decommission' pull-down menu
echo '<select name="decommission">';
foreach ($decommission as $key => $value) {
echo "<option value=\"$key\">$value</option>\n";
}
echo '</select>';
echo '<input type="submit" name="submit" value="Submit">'
) // end of 'if-else'
} // end of function 'subdomain'
?>
</form>
</body>
</html>
Let me say thank you in advance and I appreciate the help! I know I'm doing something (or more than one thing) wrong and I hope someone can tell me what it is.
Best Regards!
Edited by mac_gyver, 19 January 2015 - 09:37 PM. code tags around posted code please I am writing a script that will parse my PHP classes and check for things like coupling, visualize my objects and connections, dependencies, check for convention usage, etc.
So, I have a simple file upload. I'm never saving the files, just get contents and dump the file and work with the string version.
I'm writing it for me, but I figure I might want to open it for others to use in the future, so I may as well write it that way to begin with -- so I need to validate user input. Problem is, the user input is supposed to be valid PHP code. I'm thinking that, as long as I'm careful, I shouldn't be executing any code contained in strings, but I'm no security expert and I want a warm fuzzy that my thought on this is correct. What kinds of things do I need to look out for? Is it possible to inject when working with strings?
My initial thought is to regex the entire file and replace key portions with known replacements. So ( and ) would become !* and !^ or $ would become @~ (combinations that -- I think -- don't make sense to php?) But that may be completely unnecessary processing time if I'm not in any danger, here. Thanks ahead of time for any help.
PS - as a side question -- what's the best way to verify a file is a php file? I know of getimagesize for images, but should I just check for <? to verify it's php? That seems like it would be too easy to fool -- then again, it might not matter much.
-Adam
I have a calendar select date function for my form that returns the date in the calendar format for USA: 02/16/2012. I need to have this appear as is for the form and in the db for the 'record_date' column, but I need to format this date in mysql DATE format (2012-02-16) and submit it at the same time with another column name 'new_date' in the database in a hidden input field. Is there a way to do this possibly with a temporary table or something? Any ideas would be welcome. Doug Hi people, I really hope you guys can help me out today. I'm just a newbe at php and i'm having real trouble. Bassically all I want to do is have a user type in a company name in a html form. If what the user types in the form matches the company name in my php script i want the user to be sent to another page on my site. If what the user types in the form doesnt match the company name in my php script i want the user to be sent to a differnt page like an error page for example. this is my html form: Code: [Select] <form id="form1" name="form1" method="post" action="form_test.php"> <p>company name: <input type="text" name="company_name" id="company_name" /> </p> <p> <input type="submit" name="button" id="button" value="Submit" /> </p> </form> And this is the php code I'm trying to process the information on: Code: [Select] <?php $comp_name = abc; if(isset ($_POST["company_name"])){ if($_POST["company_name"] == $comp_name){ header("Location: http://www.hotmail.com"); exit(); } else{ header("Location: http://www.yahoo.com"); exit(); } } ?> The thing is i'm getting this error when i test it: Warning: Cannot modify header information - headers already sent by (output started at D:\Sites\killerphp.com\form_test.php:10) in D:\Sites\killerphp.com\form_test.php on line 17 Please can some one help me out, i'm sure this is just basic stuff but i just cant get it to work Cheers. i'm not sure how to ask this question on google, so i'm going to ask for your help. here's the code that i have the question about <form action='findMovie.php' method='post'> <table> <?php $result = mysql_query ("SELECT genre FROM genres ORDER BY genre"); while ($row = mysql_fetch_array($result)) { $genre = $row['genre']; echo "<tr><td>" .$genre ."</td><td><input type='hidden' name='" .$genre ."' value='" .$genre ."'><input type='submit' name='listMovies'></td></tr>"; } ?> </table> </form> so i have this form that creates a list of submits from a table that i have created. the form works perfectly fine (i realize the design is not that great... i'm just going for functionality now) what i need is to turn the value of the hidden field (which is dynamically created by a variable) into a variable in the handler so that I can search my movie table and get the movies by genre. does this make sense? and any help is greatly appreciated. i'm not a great programmer, but i do it in my spare time as a hobby. so go easy on my coding, it works and that's the most i'm concerned with at the moment. thanks ahead of time Ok, I am trying to make it so that the field itself shows a N/A in it instead of being blank. So that a field does not remain blank. The original code is: Code: [Select] echo '<div id="ncmrsr"><tr><td><span class="b">NCMR Supplier Response:<br /></span></td><textarea name="ncmrsr" rows="6" cols="85"></textarea></tr></div><br />'; I figured this would show the "N/A" in the field. Code: [Select] echo '<div id="ncmrsr"><tr><td><span class="b">NCMR Supplier Response:<br /></span></td><textarea name="ncmrsr" rows="6" cols="85" value="N/A"></textarea></tr></div><br />'; Since this doesn't seem to work, is there a way to make it so that if a field is left empty that "N/A" is the response in said field? So basically I have a site, and on that site, I have a page that submits a form and updates a database. I have it set up so that someone can enter in Multiple values into a textarea, one on each line, and it will submit each of those values as a new row in the database, but for the life of me, I cannot figure out how to check those values against the actual users. It is basically a point system, where the staff can award points users of the site. But at the moment, a Staff member could enter in Jibberish, and it would insert that into the database, but I want it to check my users table to make sure the user exists before it inserts it into the database. here is my code: <?php include 'global.php'; echo $headersidebar; if ($_COOKIE['access'] == $accessstaff) { if(count($_POST)) { $array = preg_split('/(\r?\n)+/', $_POST['studentname']); foreach($array as $students) { $statusmsg = '<center><span style="background: #A6FF9E;">You have successfully submitted points to the database.</span></center>'; mysql_query("INSERT INTO points (giver, receiver, points, category, reason, date, status) VALUES ('{$_COOKIE['username']}', '{$students}', '{$_POST['pointamt']}', '{$_POST['pointcat']}', '{$_POST['pointreason']}', '{$date}', 'Validating')"); } } $addpointspage = $statusmsg . ' <form action="submit_points.php" method="post"> <table class="table" > <tr> <td colspan="10"> <h1><strong><center>Submit Points</center></strong></h1> </td> </tr> <tr> <td colspan="10" rowspan="100"> <center>Please remember to follow the house point limits when submitting house points.</center> </td> </tr> </table> <table class="table"> <tr> <td style="width: 15%;" valign="top"> Student Name:<br> <span style="font-size: 60%;">(List as many as you want; One per Line)</span> </td> <td colspan="10"> <center><textarea name="studentname" cols="60" rows="10"></textarea></center> </td> </tr> <tr> <td style="width: 15%;" valign="top"> Amount of Points: </td> <td> <input style="position: relative; left: 16px;" type="text" size="15" name="pointamt" /> </td> <td> Do not put anything that is not a number into this box. </td> </tr> <tr> <td style="width: 15%;" valign="top"> Point Category: </td> <td colspan="10"> <select name="pointcat" style="position: relative; left: 16px;"> <option SELECTED value="">-------</option> <option>Class Work</option> <option>Class Exam</option> <option>Extra Work</option> <option>Contests</option> <option>Teacher\'s Assistant</option> <option>Negative Points</option> </select> </td> </tr> <tr> <td style="width: 15%;" valign="top"> Reason: </td> <td colspan="10"> <input style="position: relative; left: 16px;" name="pointreason" type="text" size="80" /> </td> </tr> <tr> <td> </td> <td colspan="10"> <input style="position: relative; left: 16px;" type="submit" value="Submit Points" /> </td> </tr> </table </form> '; } elseif (1==1) { $addpointspage = $accessdenied; } echo ' <!-- start content --> <div id="content"> <div class="post"> <div class="entry"> <p><strong>' . $addpointspage . '</p> <p class="links">' . $addpointslink . '</p> </div> </div> </div> <!-- end content --> <div style="clear: both;"> </div> </div> <!-- end page --> </div>'; echo $footer; ?> I am fairly new to PHP, so I would appreciate any help someone could give me; I am not too good with arrays and such, so this one has got me stumped. Hi, everyone. I need help with a PHP project on which I'm currently working. I need to create a form which does the following: 1) When you insert a negative number, it echoes: "Please insert a positive number." 2) When you insert a number greater than 1000, it echoes: "Please insert a number less than 1000." 3) When you insert anything else that's not a number (ie: a letter), it echoes: "Please insert a valid number." 4) If it doesn't do any of the above, it'll take the number that you entered and loop "Hello World" as many times as that number. The code that I have so far looks something like below. (I had to type it from the top of my head.) <?php <form action="hwpositive.php" method="post"> Enter number: <input type="text" name="number" /> </form> $input = $_POST["number"]; if ($input<0) { echo "Please insert a positive number."; } else if ($input>1000) { echo "Please insert a number less than 1000."; } else if ($input!=is_numeric) { echo "Please insert a valid number."; } else { for {$i; $i<=$_POST["number"]; $i++;} } ?> I can get this code to do the first three tasks listed above, but not the last. I'm a high school Programming 12 student, and this is my first year of learning PHP coding. Please help me out. Would it be better to use the case-switch option? I'm not too familiar on how to use it. Thank you in advance! I appreciate your help greatly. need to add Code: [Select] $ibforums->input['[u'] != "") something like that i need to add $_GET['']; but it's not working when i use &= do ineed to use html entities? I have something like this on one of my pages: $name = 'Bob'; Code: [Select] if ((isset($_POST['name'])) || ($_POST['name'] == '')) { $name = $_POST['name']; //update database } echo '<form action='' method='POST'>'; echo '<table><tr><td width="125">Name: </td><td><input type="text" name="signature" style="width: 270px;" value="' . $name . '" /></td></tr></table>'; echo '</form>'; Here's the problem: Initially, because the form data has not been sent the input box says: 'Bob'. If I remove the name Bob from the input box by manually clicking in it and deleting the name, and I submit the form, it keeps showing 'Bob', whereas I would like it to be empty. What am I doing wrong? am I missing anymore input attacks to pass not having 2 of the same balls? Code: [Select] $numbers = "19|20|19"; $numArray = explode("|", $numbers); if ($numArray['0'] == $numArray['1'] OR $numArray['0'] == $numArray['2'] ){ $std->Error2("You cannot pick 2 numbers with the same ticket"); } The if function will see if 19 = 20, or 19 = 20 then I would it need to do $numArray['1'] == $numArray['2'] and so on right to get all possible ways? If so, is there a easier way instead of just using all OR Statements and not manually thinking about what possible way, isn't there just a way to check if 2 arrays are the same? (or 3) Whit my code it only appear a list of 1 or 0 and the id but I don't know how to get to show only the id Like so: submit 0 60/ 0 59/ 0 58/ 0 57/ 0 56/ 0 45/ 0 38/ 1 37/ on my first page: Code: [Select] <table border="2"> <tr> <th>Id</th> <th>User</th> <th>Comment</th> <th>Yes</th> <th>No</th> </tr> <form method="post" action="admincommentdelete.php" id="formc"> <?php $vv = array(); $st = Comment::test($result['article']->id,0,999); $vv['comment'] = $st['comment']; $i = 0; foreach($vv['comment'] as $p) { $i++; echo "<tr>"; echo "<td>".$p->id."</td>"; echo "<td>".$p->usern."</td>"; echo "<td>".$p->com."</td>"; echo "<td><input name=$i type=radio value='1'/></td>"; echo "<td><input name=$i type=radio value='0'/></td>"; echo "<input type=hidden name=h".$i." value=$p->id/>"; echo "</tr>"; } ?> <input type="submit" value="submit" name="submit"> </form> </table> second: Code: [Select] <?php $id = array(); if(isset($_POST['submit'])) { $data = array(); $data = $_POST; foreach($data as $key) { echo $key."</br>"; } } ?> Good day, I have 2 questions about that. Here is the context. I have a list of items that i query from a database and insert in a table. The last field of the table is a input box to typpe in the quantity ("qty"). My first question, how can I associate the inputbox to product_id from the database for that item. Code: [Select] //database connecting is working <? while($row = mysql_fetch_array($result)) { echo "<tr><td>" . $row['product_code'] . "</td><td>" . $row['product_name'] . "</td><td><input type='text' maxlength = '3' value='0'></td></tr>"; } And my second question (any tutorial reference) about how to select only the items that the qty is not = 0 and pass it to another page either by sessions or other means. Thank you Hey guys! I'm pretty new to php and starting work on a project, the first part I'm working on is a html page with text fields like this: Quote URL: Dropdown box: Submit when the submit happens I want it to post to a php page, parse whatever is inside a set of <h2> tags and print it to to the php page, also the user selects four options from the dropdown box and I need to print the string contained in the selection to the next page as well, As I said I'm pretty new but here's what i threw together so far based on references I found, but it doesn't work correctly: parse.html: Code: [Select] <html> <body> <form action="parse.php" method="post"> URL: <input type="text" name="turl" /> <br> Option: <select name="selectskill"> <option value="1">Low</option> <option value="2">Mid</option> <option value="3">High</option> <option value="4">Known</option> </select> <br> <br> <input type="submit" /> </form> </body> </html> parse.php: Code: [Select] <html> <head></head> <body> <?php $lol = $_POST["turl"]; $str = file_get_contents($lol); $DOM = new DOMDocument; $DOM->loadHTML($str); // Grab text inside the heading 2 tags $items = $DOM->getElementsByTagName('h2'); echo "option: " . $lol; // Display the content inside the second set of H2 tags echo $items->item(1)->nodeValue . "<br/>"; ?> </body> </head> </html> Thanks for all the help in advance! Hi, I'm inserting data into database. which is going fine. but i want to make sure how to insert secure data into database to avoid sql injection. what function should i use to insert secure data into database. can any one guide me please??? Thanks Hello
I have a PHP page that sends text entered by a user to our database which we use to display news. This system supports various languages but occasionally we get issues with odd characters being entered...
For example, the premade glyph for ellipsis which is normally represented by 3 .'s broke our system today
How can I check that each character is valid and within range?
These are our character ranges
ExtendedLatin_c_iLowerAlphaChar = 0x00C0;
ExtendedLatin_c_iUpperAlphaChar = 0x01FF;
Arabic_c_iLowerChar = 0x600;
Arabic_c_iUpperChar = 0x6FF;
Arabic_c_iLowerAlphaChar = 0x621;
Arabic_c_iUpperAlphaChar = 0x64A;
Arabic_c_iLowerNumericChar = 0x660;
Arabic_c_iUpperNumericChar = 0x669;
So each character must fall within one of these ranges... but I have no idea how to get the hex value of a character in PHP
Thanks
|
|||||||