PHP - Prevent Other People From Making Php Pages That Post To Your Forms?
Let's say I have an HTML page with a form that submits data via POST. A user can click on "View source" and see the variables used.
What's to stop them from making their own page that POSTs to the same destination using the same variables? Any way to prevent this?

Similar Tutorials

Hi All, not sure if this is a PHP Q but maybe someone has experience with this. I use a form for people to add an item to the bulletin board. Sometimes the loading of the page takes very long and people think it didn't work, so they click reload and post the item twice. I thought of adding a loading.gif so people know they have to wait. Anyone know how and where to put that in?

```php
<?php
if (isset($_POST['submit'])) {
    if ($_POST['type'] <> "") {
        $poster_id = $_SESSION['id'];
        $ID = $_GET['ID'];
        $short = $_POST['short'];
        $location = $_POST['location'];
        if (isset($_POST['type'])) {
            $type = $_POST['type'];
        }
        $starthour = $_POST['starthour'];
        $startmin = $_POST['startmin'];
        $endhour = $_POST['endhour'];
        $endmin = $_POST['endmin'];
        $reminders = $_POST['reminders'];
        $reminders = addslashes($reminders);
        if (isset($_POST['view'])) {
            $view = $_POST['view'];
        }
        if (isset($_POST['val'])) {
            $val = $_POST['val'];
        }
        $sql = mysql_query("SELECT * from bl_calender where dateclass='$ID' AND viewable='1'");
        $numrows = mysql_num_rows($sql);
        // if the event exists then we want to edit it
        if ($numrows > 0) {
            // only the owner can edit an event
            while ($row = mysql_fetch_array($sql)) {
                if ($row['poster_id'] == $logOptions_id || $account_type == 'c') {
                    $editcal = "update bl_calender set datecotent='$reminders', location='$location', type='$type', starthour='$starthour', startmin='$startmin', endhour='$endhour', endmin='$endmin', short='$short', viewable='$view' where dateclass='$ID'";
                    mysql_query($editcal) or die("Could not edit calendar");
                    $msgToUser = '<br /><br /><font color="#FF0000">Your event has been updated. Close this window.</font><p></p>';
                    include_once 'msgToUser2.php';
                } else {
                    // you are not the owner
                    $msgToUser = '<br /><br /><font color="#FF0000">Sorry but only the owner can change the event details.<br> Close this window.</font><p></p>';
                    include_once 'msgToUser2.php';
                }
            }
        } else {
            // it's a new event we want to add
            $createevent = "Insert into bl_calender (poster_id, dateclass, starthour, startmin, endhour, endmin, location, type, short, datecotent, viewable ) values ('$poster_id', '$ID', '$starthour', '$startmin', '$endhour', '$endmin', '$location', '$type', '$short', '$reminders', '1')";
            mysql_query($createevent) or die(mysql_error());
            // query the members who want an email
            $sql2 = mysql_query("SELECT * FROM myMembers WHERE notification_calendar='1'");
            $numrows = mysql_num_rows($sql2);
            if ($numrows > 0) {
                while ($row = mysql_fetch_array($sql2)) {
                    if ($row['email'] == "") {
                        $to = $row['email_work'];
                    } else {
                        $to = $row['email'];
                    }
                    $your_firstname = $row['firstname'];
                    $your_lastname = $row['lastname'];
                    // send an email to everyone who wants it
                    $webmaster = "KAI-DEFAT@minbuza.nl";
                    $headers = "From: MAAC Webmaster<$webmaster>";
                    $subject = "A new message has been posted in the MAAC Calendar.";
                    $message = "Hello $your_firstname $your_lastname, a new event has been posted in the MAAC Calendar.\n";
                    $message .= "Goto the MAAC website to get the details.\n";
                    $message .= "Click here to view the Calendar $dyn_www/Web_Intersect/calen.php\n";
                    // send email
                    mail($to, $subject, $message, $headers);
                }
            }
        }
        $msgToUser = '<br /><br /><font color="#FF0000">Your event has been created, Close this window.</font><p></p>';
        include_once 'msgToUser2.php';
    }
} // closing brace for the isset($_POST['submit']) check was missing in the posted snippet
?>
```

Hi All, I was wondering if someone maybe knows a nice way to prevent double posting, or posting within a certain time, without using JavaScript. Or maybe even echoing an error if someone posts the exact same as the previous post.
I found this little snippet:

```html
onClick="disabled=true;this.form.submit();return true;"
```

Which prevents double clicking. But it's JavaScript and I'd rather have something besides that to cover all situations. Would love to hear what you guys use or recommend. Thanks!

Hi, I'm trying to make pages switch. Read data from the database and put every 10 data in 1 page. I got my way of making pages by using PHP, but my way is not efficient. Please teach me and tell me the correct way or concept to do it. Or is there any website teaching this? Appreciate the help, thanks.

I've tried asking a lot of people and have had no luck resolving this issue, so I will try here. I have created a form which gathers its information from a database. The first form is a dropdown option, which when submitted takes you to another page. The new page is supposed to use the value from the dropdown to search the database and return the proper rows to populate a few text areas to edit the values. This is where I am stuck. Compared to what most of you create this is probably sloppy and not too well structured, but I am new to this. Anyways, I will provide more information below now.

The following is the initial page with the first form. This is where you would select what page you wish to edit. (I believe this may be where the issue resides.) (I included the 'num' value before the 'name' value so that I could see it is getting the value from the database, which it is.)

```php
<form method="post" action="pageedit.php"><br />
<?php
include "config.php";
echo "<select name=\"page\">\n";
$conn = mysql_connect("localhost", "$username", "$password");
if (!$conn) {
    echo "Unable to connect to DB: " . mysql_error();
    exit;
}
if (!mysql_select_db("$database")) {
    echo "Unable to select $database: " . mysql_error();
    exit;
}
$sql = "SELECT * FROM sitePages";
$result = mysql_query($sql);
if (!$result) {
    echo "Could not successfully run query ($sql) from DB: " . mysql_error();
    exit;
}
if (mysql_num_rows($result) == 0) {
    echo "No rows found, nothing to print so am exiting";
    exit;
}
while ($row = mysql_fetch_assoc($result)) {
    echo "<option value='";
    echo $row['num'];
    echo "'>";
    echo $row['num'];
    echo " - ";
    echo $row['name'];
    echo "</option>";
}
echo "</select>";
?>
<br />
<input type="submit" />
</form>
```

And then the following is the page that the form is sent to when submitted. (I have attempted to echo the 'num' value sent so that I could verify that it is indeed sent, but it is not. I will post the message I receive after the PHP snippet.)

```php
<form method="post" action="pageeditinsert.php"><br />
<?php
include "config.php";
echo $_POST['num'];
$num = $_POST['num'];
$conn = mysql_connect("localhost", "$username", "$password");
if (!$conn) {
    echo "Unable to connect to DB: " . mysql_error();
    exit;
}
if (!mysql_select_db("$database")) {
    echo "Unable to select $database: " . mysql_error();
    exit;
}
$sql = "SELECT * FROM sitepages WHERE num = '$num'";
$result = mysql_query($sql);
if (!$result) {
    echo "Could not successfully run query ($sql) from DB: " . mysql_error();
    exit;
}
if (mysql_num_rows($result) == 0) {
    echo "No rows found, nothing to print so am exiting";
    exit;
}
while ($row = mysql_fetch_assoc($result)) {
    echo "<input name='num' type='hidden' class='form1' value='";
    echo $num;
    echo "' maxlength='10' id='cat' /><br /><br /><br />";
    echo "<input name='name' type='text' class='form1' value='";
    echo $row['name'];
    echo "' maxlength='20' id='name' /><br /><br />";
    echo "<input name='desc' type='text' class='form1' value='";
    echo $row['desc'];
    echo "' maxlength='100' id='desc' /><br /><br /><br />";
    echo "<input name='title' type='text' class='form1' value='";
    echo $row['title'];
    echo "' maxlength='100' id='title' /><br /><br /><br />";
    echo "<input name='cat' type='hidden' class='form1' value='cat' maxlength='3' id='cat' /><br /><br /><br />";
}
?>
<br /><br /><br />
<center><input type="submit" /><input type="reset" /></center>
</form>
```

Below is the message I receive when attempting to echo the POSTed 'num' value:

```text
Notice: Undefined index: num in C:\wamp\www\gondieCOM\editor\edit\pageedit.php on line 16
Call Stack
#  Time    Memory  Function   Location
1  0.0025  687600  {main}( )  ..\pageedit.php:0
```

(I am running the latest WAMP release on my personal PC for testing purposes until I have finished this and upload it to my hosting server.) Anyways, thanks for your time. Hopefully someone has an idea for me. Any help would be GREAT!

This post is about sticky forms and how to get them working. I would like to record the user's input after processing it. I have the processing page redirecting back to the form page. I have been trying and trying and trying some more to re-display the user's input, so they don't have to keep entering the same crap ova & ova. I would imagine this must be done using sessions given I am not using the PHP Self function. Here's what I have that does not work at all :-) This first code is on the process page.
```php
<?php
ob_start();
session_start();
$itemDescription = $_POST['itemDescription'];
$itemPrice = $_POST['itemPrice'];
$itemQty = $_POST['itemQty'];
$bidderId = $_POST['bidderId'];
$totalPrice = $_POST['totalPrice'];
mysql_connect("$host", "$db_user", "$db_password") or die("cannot connect to server");
mysql_select_db("$db_name") or die("cannot select DB");
if (isset($bidderId)) {
    $totalPrice = $itemQty * $itemPrice;
    mysql_query("INSERT INTO transactions (itemDescription, itemPrice, itemQty, bidderId, totalPrice) VALUES('$itemDescription', '$itemPrice', '$itemQty', '$bidderId', '$totalPrice')") or die(mysql_error());
    $_SESSION['itemDescription'] = '$itemDescription';
    header("Location: attendance.php");
    exit();
} else
    echo "<font face= \"calibri\" size= \"3\" color= \"red\">You have left a field blank, please press your browsers back button. </font>";
exit();
ob_end_flush();
?>
```

Now how do I display the user's input back to the form?

```php
<?php
session_start();
$itemDescription = ""; //item description, default as blank
?>
<form action="record_trans.php" method="post">
<font face= "calibri" size= "4">
<table>
<tr>
<td><b>Item Description:</b></td>
<td><input type= "text" name= "itemDescription" size= "30" value="<?php echo $itemDescription;?>"></td>
</tr>
<tr>
<td><b>Item Price:</b></td>
<td><input type= "text" name= "itemPrice" size= "5" value="<?php echo $itemPrice;?>"> </td>
</tr>
<tr>
<td><b>Winning Bidders:</b></td>
<td><input type="text" name= "bidderId" size= "5" /> </td>
</tr>
<tr>
<td><b>How many deals?:</b></td>
<td><input type="text" name= "itemQty" size= "3" value= "1" /></td>
</tr>
</table>
<br/>
<center><input type="submit" name="submit" value= "Save & Cont." /></center>
<center><input type="reset" value="Reset Form"></center>
</form></font>
```

ALL SUGGESTIONS WELCOME. Before you leave give me ur take (if you have even a faint idea :-) Thanks Guys!

I have multiple PHP forms set up.
Most of them have a few fields that, if not filled in, the form will not be submitted. And one question that, if you answer wrong, you will not get through either. With this I have eliminated most "hgdgfgdhsj" style form submissions by spam bots. But every now and then I get a ghost or empty form submission. In the database I get records (only one at a time) that are fully blank (every now and then). This confuses me. How and why does it happen, and mainly how do I prevent it? Thanks

I am having problems being able to find the data that needs to be posted on various translation websites. I think this is because the translation tools they have are using some kind of Flash script to translate? So the new page isn't being loaded using the post data string?? I am not completely sure, anyways... I am using Live HTTP Headers on Firefox to try and get the content for the post data string. The sites I have tried to get the post data from are these: http://www.freetranslation.com/ http://www.free-translator.com/ I can get cURL to visit the page and do everything, I just can't find the post data string. Or maybe I am way off here... Thanks for any help

Hello everyone!
I'm a web design student who's trying to learn some PHP, JavaScript and stuff! You'll probably find me asking more questions than helping people, apologies in advance!
I'm a developer, I don't know how to think like the consumer? What do they know? What do they want? It's hard in a way to explain something complex in layman's terms. I mean yes it is easy, you take files, put them on the internet, others can view them. Fine. But when they want a website, what should I expect? I mean, it seems like I can't ask them to even "draw a design on paper" for me to translate into a website, which I prefer. Wireframes are nice, like drag and drop; I'm looking to build one of those with automatic database creation/pointing with injection protection. Anyway, it does depend on what their business is about; I think their mission statement or goal as a business is what determines the functionality and presentation of the website. If you want a website, what do you want? What are you looking for?

I have a script where you add an entry into a DB. I want to take everyone from another table in this DB and send the newly added content to them. My problem is displaying all of the contacts into the $to= location. This is what I currently have:

```php
<?php
error_reporting(-1);
//-------------email section----------------//
$title = $_POST['title'];
$story = $_POST['story'];
$date = $_POST['date'];
//do {
//$to = $row_Fake['fake_email'];
//}
//while($row_Fake = mysql_fetch_assoc($Fake));
while ($row_Fake = mysql_fetch_assoc($Fake)) {
    $to = $row_Fake['fake_email'];
}
//$to = "colinrblambert@gmail.com";
$subject = "New Halnor Update!";
$message = "
<html>
<head>
<title>New Update!</title>
</head>
<body>
<div align='center'>";
//do{ echo $row_Fake['fake_email'].", "; } while($row_Fake = mysql_fetch_assoc($Fake));
//$row['fake_email'];
"We have a new update from ".$date." to share with you !<br /><br />
<table border='0'>
<tr>
<td valign='top' width='200'><b>".$title."</b></td>
<td>".nl2br($story)."</td>
</tr>
</table>
</div>
</body>
</html>
";
$x = 1;
$str = "test";
do {
    $str .= $x;
    $x++;
} while ($x < 10);
// Always set content-type when sending HTML email
$headers = "MIME-Version: 1.0" . "\r\n";
$headers .= "Content-type:text/html;charset=iso-8859-1" . "\r\n";
// More headers
$headers .= 'From: <admin@website.com>' . "\r\n";
//$headers .= 'Cc: myboss@example.com' . "\r\n";
mail($to, $subject, $message, $headers);
}
header(sprintf("Location: %s", $insertGoTo));
}
?>
```

Kind of lost right now. Can someone help?

and doing SQL injections. I have enabled MySQL logging and I can find where they did the query, but it only shows the query; it doesn't show what location or what URL or how they did it, so how can I fix it? Thanks. Also, lighttpd logs don't show... this sucks

Hey all, I've been coding a thing for my website which allows users to apply for a crew via the Crew Profile Page. The code all works, just when the user applies I want the Crew Staff to get a message just to let them know. I've tried things which I thought could work but none of them did. I also tried with a function, which didn't work, but I'm not too sure on functions at the moment. My code so far:

```php
<?php
session_start();
include "includes/config.php";
include "includes/functions.php";
include "includes/bb-codes.php";
logincheck();
$username = $_SESSION['username'];
$viewcrew = $_GET['viewcrew'];
$fetch = mysql_fetch_object(mysql_query("SELECT * FROM crews WHERE name='$viewcrew'"));
$mysql1 = mysql_query("SELECT * FROM `users` WHERE username = '$username'") or die ("Error, Line 13 " . mysql_error()); // Doing User Query
$userfetch = mysql_fetch_object($mysql1); // Getting User Object
$needcrewstaff = mysql_query("SELECT * FROM crews WHERE name='$viewcrew'");
$pleasework = mysql_fetch_object($needcrewstaff);

// Start Send Staff Message Function
function sendstaffmessage() {
    $message = "You have an Crew Application. Click <a href='crewapp.php' target='mainFrame'>here</a> to Accept or Decline it!";
    if ($pleasework->owner == $username) {
        mysql_query("INSERT INTO `inbox` ( `id` , `to` , `from` , `message` , `date` , `read` , `saved` , `event_id` ) VALUES ( '', '$pleasework->owner', '$username', '$message', '$date', '0', '0', '0' )");
    }
    if ($pleasework->coowner == $username) {
        mysql_query("INSERT INTO `inbox` ( `id` , `to` , `from` , `message` , `date` , `read` , `saved` , `event_id` ) VALUES ( '', '$pleasework->owner', '$username', '$message', '$date', '0', '0', '0' )");
    }
    if ($pleasework->underboss == $username) {
        mysql_query("INSERT INTO `inbox` ( `id` , `to` , `from` , `message` , `date` , `read` , `saved` , `event_id` ) VALUES ( '', '$pleasework->underboss', '$username', '$message', '$date', '0', '0', '0' )");
    }
    if ($pleasework->recruiter == $username) {
        mysql_query("INSERT INTO `inbox` ( `id` , `to` , `from` , `message` , `date` , `read` , `saved` , `event_id` ) VALUES ( '', '$pleasework->recruiter', '$username', '$message', '$date', '0', '0', '0' )");
    }
    if ($pleasework->recruiterone == $username) {
        mysql_query("INSERT INTO `inbox` ( `id` , `to` , `from` , `message` , `date` , `read` , `saved` , `event_id` ) VALUES ( '', '$pleasework->recruiterone', '$username', '$message', '$date', '0', '0', '0' )");
    }
}
// End the Function!

if (strip_tags($_POST['apply'])) {
    if ($userfetch->crew != "0") {
        echo ("You can not Apply for <strong>$viewcrew</strong> when already being in <strong>$get->crew</strong>!");
    } else {
        sendstaffmessage();
        mysql_query("UPDATE users SET crewapp='$viewcrew' WHERE username='$username'");
        echo ("$viewcrew Applied for! - Note: If you Apply for a different Crew this App will be Deleted.");
    }
}
?>
```

Is there any way to change my code which will send the Crew Boss etc. a message when somebody has applied? Thanks for any help.

I don't even know if this is physically possible due to latency, mechanical, etc...
But, the way my website is planned at the moment, a person submits basic info, hits "Create account" and then is taken to a new page with that basic information and an incremented unique id, based on last unique id entry read from database.
My concern is that if two people or more were making accounts within the same time frame and one person hits "Create account" before another person does, what if the wrong data is pulled? The unique ID I guess is the only thing being pulled; if 0, start at 1, whatever. But I wonder if I can temporarily hold data between two web pages before it is stored in the database finally when all fields have been filled. Thanks for any help / ideas

Hi, guys. I want to present different ads to visitors in different countries. For example, if a visitor is in Australia, I want him/her to see a different ad from, say, a visitor from the UK. Can this kind of thing be done with PHP? If so, will installing such code slow down my site? Any help will be appreciated very much.

My apologies if this shouldn't be here since this involves SQL. My user can register himself (just an email) to a mail list. He will get a mail after that, but the message in the mail should differ: if there are under 100 people in the DB he should get something like "you are one of the 100 first people"; if there are more than 100 people it should say "sorry, too late". I can't seem to get it to work, so help would be awesome (ps, I kinda need an answer fast :s)

```php
$sqlInsert = "INSERT INTO j5_maillist (email) VALUES('$email')";
$sql = "SELECT COUNT(email) FROM j5_maillist AS aantalEmails";
$result = mysql_query($sql);
if (mysql_num_rows($result) <= "3") {
    $message = 'you are one of the 100 first people ';
} else {
    $message = 'sorry, to late ';
}
$to = $email;
$subject = 'Nihonto Appreciation Day';
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";
// Additional headers
$headers .= 'To: ' . $email . '' . "\r\n";
$headers .= 'From: Nihonto Appreciation Day' . "\r\n";
mail($to, $subject, $message, $headers);
return mysql_query($sql);
```

```php
if ($indovina != $indovinata) {
    if ($tentativi >= 6) {
        echo ("\n<p>Sorry, you hanged yourself. The word you had to guess was: " . $indovina . "</p>\n");
    } else {
        $scelt = preg_split('//', $scelte, -1, PREG_SPLIT_NO_EMPTY);
        echo ("\n<p>\n");
        foreach ($alfabeto as $lettalf) {
            $contrl = false;
            foreach ($scelt as $lett) {
                if (!strcasecmp($lettalf, $lett)) {
                    $contrl = true;
                }
            }
            if ($contrl) {
                print (' <img src="images/lr_' . $lettalf . '.gif" style="border:0;width:20px;height:20px" alt="' . $lettalf . '" />');
            } else {
                print (' <a href="' . $_SERVER['PHP_SELF'] . '?letter=' . $lettalf . '"><img src="images/lb_' . $lettalf . '.gif" style="border:0;width:20px;height:20px" alt="' . $lettalf . '" /></a>');
            }
            if ($lettalf == 'm') echo ("\n <br />");
            echo ("\n");
        }
        echo ("</p>\n");
    }
} else if ($indovinata) {
    echo ("\n<p>Congratulations! You guessed the word.</p>\n");
    $DB->query("UPDATE ibf_members set gold=gold+5 WHERE id = {$ibforums->member['id']}");
}
```

Look at the bottom. OK, so if the person wins the hangman game it will show "Congrats", but then people will just be able to refresh the page, and that query will run again and again and that person will gain +5 gold each time... we need to fix this!! Any help?

I've had this concept for something I've been wanting to do for a while, but I need to know if it's even possible in PHP. I've been seriously playing with PHP for a few months now and here's what I was wanting to do. On this website there is a list of players currently online: http://www.tibia.com/community/?subtopic=worlds&world=Solera Is there any way I could grab that list of players and store their names into a .txt file? This is just for fun. My actual goal is to create something that's grabbing that list of players every 5 minutes and showing me who has logged off and who has logged on.

Hi, how much bandwidth is used for 1000 downloads per day, or for each download? Is it safe to have no download limits? Thanks
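The opening question (anyone can build a page that POSTs the same field names), the double-posting question further up, and the hangman "refresh to earn gold again" problem all have the same server-side answer: a secret, per-form, one-time token kept in the session. This added example is not from any post on this page; the helper names are its own, and a plain array stands in for `$_SESSION` so it runs from the command line.

```php
<?php
// Added example (not from any post on this page): a per-form one-time token
// stored in the session. A forged page cannot read the session, so it cannot
// supply the token; and because the token is consumed on first successful use,
// a second submit of the same form (double click, reload, Back + resubmit)
// is rejected as well. Helper names are this example's own.

declare(strict_types=1);

// Issue a fresh token for a named form and remember it server-side.
function issue_token(array &$session, string $form): string {
    $token = bin2hex(random_bytes(32));          // 256 bits from a CSPRNG
    $session['tokens'][$form] = $token;
    return $token;
}

// The hidden field to echo inside the <form>: echo token_field($_SESSION, 'add_event');
function token_field(array &$session, string $form): string {
    $token = issue_token($session, $form);
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submission. Returns true at most once per issued token; on a match
// the token is deleted so the identical POST cannot be accepted a second time.
function consume_token(array &$session, string $form, array $post): bool {
    $expected = $session['tokens'][$form] ?? null;
    $given = $post['token'] ?? null;
    if ($expected === null || !is_string($given)) {
        return false;
    }
    // hash_equals compares in constant time; string length is not leaked either.
    if (!hash_equals($expected, $given)) {
        return false;
    }
    unset($session['tokens'][$form]);            // one use only
    return true;
}

// --- Demonstration with a constructed session array and constructed POSTs ---
// In a real handler call session_start() and pass $_SESSION and $_POST.
$session = [];
$field = token_field($session, 'add_event');     // rendering the form issues the token
preg_match('/value="([0-9a-f]{64})"/', $field, $m);
$genuine = ['short' => 'Team meeting', 'token' => $m[1]];

// 1. A page that copied the field names but cannot see the session token.
$forged = ['short' => 'Spam', 'token' => str_repeat('0', 64)];
printf("forged page:   %s\n", consume_token($session, 'add_event', $forged) ? 'accepted' : 'rejected');

// 2. The genuine form, submitted once.
printf("first submit:  %s\n", consume_token($session, 'add_event', $genuine) ? 'accepted' : 'rejected');

// 3. The identical POST again (reload / double click): the token is gone.
printf("resubmit:      %s\n", consume_token($session, 'add_event', $genuine) ? 'accepted' : 'rejected');
```

Run the gold-awarding UPDATE (or the calendar INSERT) only inside the branch where consume_token returned true, and render a new token_field each time the form is shown.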
My data input form is not working with the first few people who have tried to use it. I think it is because they are putting ' or " or some other character that is not allowed into the database. Any ideas how I can fix it?
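The broken-by-quotes form above, the mailing-list insert-then-count snippet, and the post about being hit with SQL injection all come from the same pattern used throughout this page: building SQL by pasting user input into the string. This added example (not from any post here) rewrites the mailing-list logic with PDO prepared statements; it uses an in-memory SQLite database so it runs offline, and for MySQL only the DSN and credentials would change. Function names are this example's own.

```php
<?php
// Added example (not from any post on this page): insert-then-count with PDO
// prepared statements. Values are bound separately from the SQL text, so an
// apostrophe or double quote in the input can neither break the query nor
// change what it does. SQLite in memory stands in for MySQL so this runs
// offline; the statements are the same for MySQL. Names are this example's own.

declare(strict_types=1);

const FIRST_N = 100;   // size of the "first N subscribers" group

function open_db(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // errors throw instead of returning false
    ]);
    $db->exec('CREATE TABLE j5_maillist (email TEXT NOT NULL)');
    return $db;
}

// Insert one address and return the message the subscriber should receive.
function register_email(PDO $db, string $email): string {
    $insert = $db->prepare('INSERT INTO j5_maillist (email) VALUES (:email)');
    $insert->execute([':email' => $email]);       // bound parameter, never interpolated

    // COUNT(*) yields one row with one column: read that value with fetchColumn().
    // (Counting result rows of a COUNT query always gives 1, which is why the
    // original mysql_num_rows comparison could never work.)
    $count = (int) $db->query('SELECT COUNT(*) FROM j5_maillist')->fetchColumn();
    return $count <= FIRST_N
        ? 'you are one of the ' . FIRST_N . ' first people'
        : 'sorry, too late';
}

// Read back exactly what was stored for one address (used by the demonstration).
function lookup(PDO $db, string $email): ?string {
    $stmt = $db->prepare('SELECT email FROM j5_maillist WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

// --- Demonstration with constructed input ---
$db = open_db();
// Addresses containing the characters that broke the string-built queries.
$tricky = ["o'connor@example.com", '"quoted"@example.com'];
foreach ($tricky as $email) {
    echo register_email($db, $email), "\n";
    // The value is stored verbatim: the quotes were data, not SQL.
    echo lookup($db, $email) === $email ? "stored intact\n" : "mangled\n";
}
```

With MySQL, also pass PDO::ATTR_EMULATE_PREPARES => false in the options so the server, not the driver, performs the binding.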