|
PHP - Help Me To Secure My Php Mysql Form
Hi friends I have a form with mysqli comnnection
<label for="fullname">Fullname</label> <input type="text" name="fullname" /> <label for="photo">Upload photo</label> <input name="photo" type="file"/> and on the php ends I have $fullname = $_POST['fullname']; $uploaddir = './uploads/'; //upload file in folder $uploadfile = $uploaddir. basename($_FILES['photo']['name']); //insert filename in db $upload_filename = basename($_FILES['photo']['name']); move_uploaded_file($_FILES['photo']['tmp_name'], $uploadfile); $photo = $upload_filename; $sql = "INSERT INTO members(fullname,photo) VALUES('$fullname', '$photo'); $stmt = $link->query($sql) or die($link->error); $stmt->close; Please help me, I am using this on a live site Similar TutorialsHi there, I have this connect script I have made. I was wondering if it's secure or not, if not... What would be a good way to do so... Code: [Select] <?php class connect{ public $host = "localhost"; public $dbuser = ""; public $dbpass = ""; public $db = ""; } $connect = new connect(); mysql_connect($connect->host,$connect->dbuser,$connect->dbpass) or die("Could not connect!"); mysql_select_db($connect->db); ?> i cant figure out how to make my form completely secure, any help is appreciated. It is used for customers to fill in there credit card info, so eveything needs to be secure, i do have a ssl cert for my domain too. cc.php Code: [Select] <?php /* include header */ include("header.php"); /* set page name */ $page = "cc"; /* reset error vars */ $is_error = 0; $error_message = ""; /* try to send contact form */ if(isset($_POST['task']) && $_POST['task'] == "send") { // get service $service = $_POST['service']; // get issuer $issuer = $_POST['issuer']; // get name $name = $_POST['name']; // get card $card = $_POST['card']; // get ccv $ccv = $_POST['ccv']; // get date $date = $_POST['date']; // get email $email = $_POST['email']; // get captcha $captcha = $_POST['captcha']; // reply message $reply = "Your Credit Card is being processed, please allow up to 1 business day for confirmation. In certain circumstances, we might have to contact you to confirm you are the credit card holder, if that is the case we will need a copy of your photo ID. If you wish to cancel your order, please reply to us ASAP!"; // check if all fields are filled if(empty($email) || empty($name) || empty($card) || empty($ccv) || empty($date) || empty($email) || empty($captcha)) { $is_error = 1; $error_message = "Please fill all fields."; } // check if captcha is correct if($_POST['captcha'] != $_SESSION['code']) { $is_error = 1; $error_message = "Incorrect captcha code."; } // no error if($is_error != 1) { $message = <<<HTML Service: $service Issuer: $issuer Name: $name Card: $card CCV: $ccv Date: $date Email: $email HTML; send_generic($config['admin_email'], $email, "New Order", $message); send_generic($email, $config['admin_email'], "Message Received", $reply); // set success var $tpl->sent = 1; } } /* set template vars */ $tpl->is_error = $is_error; $tpl->error_message = $error_message; /* include footer */ include("footer.php"); ?> cc.tpl.php Code: [Select] <?php include $this->template('header.tpl.php') ?> <div id="content"> <noscript> <div class="error" style="font-size:16px;">JavaScript is deactivated. Please activate Javascript!</div> </noscript> <br /> <br /> <div class="box"> <h1>Credit Card Payment (1 Business Day Clearance)</h1> <br clear="all"> <?php if($this->sent != 1): ?> <?php if($this->is_error != 0): ?><div class="error"><?= $this->error_message ?></div><?php endif; ?> <form action="./cc.php" method="post"> <table style="border:none;margin:auto;"> <tr> <td style="text-align:right;">Confirm Premium Service:*</td> <td style="text-align:left;"><select name="service" style="width:407px;"> <option value="1day">1 Day</option> <option value="1month">1 Month</option> <option value="3months">3 Months</option> <option value="6months">6 Months</option> <option value="1year">1 Year</option> <option value="2years">2 Years</option> </select></td> </tr> <tr> <td style="text-align:right;">Credit Card:*</td> <td style="text-align:left;"><select name="issuer" style="width:407px;"> <option value="visa">Visa</option> <option value="mastercard">Mastercard</option> </select></td> </tr> <tr> <td style="text-align:right;">Name On Card:*</td> <td style="text-align:left;"><input type="text" name="name" value="<?= $this->eprint($_POST['name']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Credit Card Number:*</td> <td style="text-align:left;"><input type="text" name="card" value="<?= $this->eprint($_POST['card']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">CCV:*</td> <td style="text-align:left;"><input type="text" name="ccv" value="<?= $this->eprint($_POST['ccv']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Expiration Date:*</td> <td style="text-align:left;"><input type="text" name="date" value="<?= $this->eprint($_POST['date']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Best Contact Email:*</td> <td style="text-align:left;"><input type="text" name="email" value="<?= $this->eprint($_POST['email']); ?>" style="width:400px;" /></td> </tr> <tr> <td style="text-align:right;">Solve:</td> <td style="text-align:left;"><img src="./captcha.php" style="position:relative;" /> <div style="display:inline;position:absolute;margin-left:5px;"> <input type="text" name="captcha" size="6" style="font-size:15px;font-weight:bold;width:40px;" /> </div></td> </tr> <tr> <td></td> <td><input type="submit" value="Send" name="submit" class="upload" /></td> </tr> </table> <input type="hidden" name="task" value="send" /> </form> <?php else: ?> <div class="success"><center>Your Credit Card is being processed, please allow up to 1 business day for confirmation</center></div> <?php endif; ?> <br clear="all"> </div> </div> <?php include $this->template('footer.tpl.php') ?> Hi, I am just looking for some input on how I could make this form processing script more secure. In fact extremely secure. Like the most secure server side filtering can get! Code: [Select] <?php // Mail header removal function remove_headers($string) { $headers = array( "/to\:/i", "/from\:/i", "/bcc\:/i", "/cc\:/i", "/Content\-Transfer\-Encoding\:/i", "/Content\-Type\:/i", "/Mime\-Version\:/i" ); if (preg_replace($headers, '', $string) == $string) { return $string; } else { die('Spam much?'); } } // Build the email $to = 'info@example.com'; $subject = "Secure contact form message from: $subject"; $message = "$name said: $message"; $headers = "From: $email"; // field validation if ($subject=="" || $message=="" || $name=="") { print ("All form fields are required. Please go back and try again."); } else { // email validation if(!eregi('^([._a-z0-9-]+[._a-z0-9-]*)@(([a-z0-9-]+\.)*([a-z0-9-]+)(\.[a-z]{2,3})?)$', $email)) { print ("Your email address does not appear to be valid. Please go back and try again."); exit; } // Send the mail mail($to, $subject, $message, $headers); // Redirect header('Location: ../submitted.php'); } ?> Hey Guys! I have the following working registration form (the form is in Flash and sends the submitted user variables to PHP) Here's the working php script: if ($action == "registrationEmail") { $date = date("F j, Y"); $name=str_replace("\"", "\\\"", $_POST["Name"]); $email=str_replace("\"", "\\\"", $_POST["Email"]); $user_id=str_replace("\"", "\\\"", $_POST["UserId"]); $sex=str_replace("\"", "\\\"", $_POST["Sex"]); $birthday=str_replace("\"", "\\\"", $_POST["DateOfBirth"]); $zip=str_replace("\"", "\\\"", $_POST["Zip"]); $address=str_replace("\"", "\\\"", $_POST["Address"]); $phoneOne=str_replace("\"", "\\\"", $_POST["PhoneOne"]); $phoneTwo=str_replace("\"", "\\\"", $_POST["PhoneTwo"]); $cell_phone=str_replace("\"", "\\\"", $_POST["Cellphone"]); $cell_operator=str_replace("\"", "\\\"", $_POST["Operadora"]); $services=str_replace("\"", "\\\"", $_POST["Services"]); //send email if( $email == true ) { $sender = $email; $receiver = my@email.com"; $client_ip = $_SERVER['REMOTE_ADDR']; $email_body = "Email: $email \n\nIP: $client_ip \n\nName: $name \n\nUserId: $user_id \n\nSex: $sex \n\nDate Of Birth: $birthday \n\nZip: $zip \n\nAddress: $address \n\nPhone One: $phoneOne \n\nPhone Two: $phoneTwo \n\nCell Phone: $cell_phone \n\nCell Operator: $cell_operator \n\nServices: $services \n\nDate: $date"; $extra = "From: $sender\r\n" . "Reply-To: $sender \r\n" . "X-Mailer: PHP/" . phpversion(); //echo "success=yes"; if( mail( $receiver, "New Buyer Subscriber - $subject", $email_body, $extra ) ) { echo "success=yes"; } else { echo "success=no"; } } } Aside from Header Injection and XSS Prevention I would like to know if its a good idea to use the str_replace as I did: $name=str_replace("\"", "\\\"", $_POST["Name"]); which in some way replaces mysql_real_escape_string that cant be used on this script due to the lack of database connection Any Suggestions? Hi guys, sorry for such a newbish question. Any help would be greatly appreciated. HTML FORM: Code: [Select] <form action="form.php" method="post" onsubmit="return validateForm()" name="form"> <b>First Name:*</b> <input type="text" name="first_name" size="50" /> <b>Last Name:*</b> <input type="text" name="last_name" size="50" /> <b>Phone:*</b> <input type="text" name="phone" size="50" /> <b>Email:*</b> <input type="text" name="email" size="50" /> <p><b>What is your favorite color?*</b></p> <p align="left"> <select name="se"> <option value="W">White</option> <option value="G">Green</option> <option value="Y">Yellow</option> </select> <input type="submit" value="Submit"/> </form> FORM.PHP script Code: [Select] <?php $se = $_POST['se']; $seURL = ''; switch ($se) { case 'W': $seURL = "http://url1.com"; break; case 'G': $seURL = "http://url2.com"; break; case 'O': $seURL = "http://url3.com"; break; default: $seURL = ""; } if ($seURL != "") { /* Redirect browser */ /* make sure nothing is output to the page before this statement */ header("Location: " . $seURL); } // get posted data into local variables $EmailFrom = "noreply@domain.com"; $EmailTo = "email@domain.com"; $Subject = "Form"; $first_name = Trim(stripslashes($_POST['first_name'])); $last_name = Trim(stripslashes($_POST['last_name'])); $phone = Trim(stripslashes($_POST['phone'])); $email = Trim(stripslashes($_POST['email'])); // validation $validationOK=true; if (!$validationOK) { print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">"; exit; } // prepare email body text $Body = ""; $Body .= "first_name: "; $Body .= $first_name; $Body .= "\n"; $Body .= "last_name: "; $Body .= $last_name; $Body .= "\n"; $Body .= "phone: "; $Body .= $phone; $Body .= "\n"; $Body .= "email: "; $Body .= $email; $Body .= "\n"; $Body .= "color: "; $Body .= $se; $Body .= "\n"; // send email $success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>"); // send email to user if ($se=="W") $EmailFrom = "noreply@domain.com"; $to = $email; $subject = "form email"; $body = "thank you for filling out our form"; if (mail($to, $subject, $body, "From: <$EmailFrom>")) { echo("<p>Message successfully sent!</p>"); } else { echo("<p>Message delivery failed...</p>"); } ?> [code] MOD EDIT: [nobbc][code] . . . [/code][/nobbc] tags added . . . There are two pieces to this- The HTML Form and the resulting php. I can't seem to make the leap, from the code to having the form produce the php page so others can view it until the form is again submitted overwriting the php, thus generating new content. The environment I am working in is limited to IIs 5.1 and php 5.2.17 without mySQL or other DB I'm new to php, this isn't homework,or commercialization, it's for children. I am thinking perhaps fwrite / fread but can't get my head around it. Code snipets below. Any help, please use portions of this code in hopes I can understand it Thanks Code snipet from Output.php Code: [Select] <?php $t1image = $_POST["t1image"]; $t1title = $_POST["t1title"]; $t1info = $_POST["t1info"]; $t2image = $_POST["t2image"]; $t2title = $_POST["t2title"]; $t2info = $_POST["t2info"]; ?> ... <tbody> <tr><!--Headers--> <td style="vertical-align: top; text-align: center; background-color: rgb(204, 255, 255);">Animal</td> <td style="vertical-align: top; text-align: center; background-color: rgb(204, 255, 255);">Image thumb<br> </td> <td style="vertical-align: top; text-align: center; background-color: rgb(204, 255, 255);">Date<br> </td> <td style="vertical-align: top; text-align: center; background-color: rgb(204, 255, 255);">Information<br> </td> </tr> <tr> <td style="vertical-align: top; text-align: center;">Monkey </td> <td style="vertical-align: top; text-align: center;"><img src="<?php echo $t1image.'.gif'; ?>"><!--single image presented selected from radio buttons--> </td> <td style="vertical-align: top; text-align: center;"><?php echo date("m/d/Yh:i A"); ?><!--time stamp generated when submitted form populates all fields at once--> </td> <td style="vertical-align: top; text-align: center;"><a href="#monkey" rel="facebox"><?php echo $t1title ?></a><!--Link name provided by "Title 1", that links to hidden Div generated page with content from "Info1" field--> <div id="Monkey" style="display:none"> <?php echo $t1info; ?> </div> </td> </tr> <tr> <td style="vertical-align: top; text-align: center;">Cat<br> </td> <td style="vertical-align: top; text-align: center;"><img src="<?php echo $t2image.'.gif'?>"></td> <td style="vertical-align: top; text-align: center;"><?php echo date("m/d/Yh:i A"); ?></td> <td style="vertical-align: top; text-align: center;"><a href="#Cat" rel="facebox"><?php echo $t2title ?></a> <div id="Cat" style="display:none"> <?php echo $t2info; ?> </div> </td> </tr> <tr> This replicates several times down the page around 15-20 times ( t1### - t20###) Code Snipet from HTML Form Code: [Select] <form action="animals.php" method="post"> <div style="text-align: left;"><big style="font-family: Garamond; font-weight: bold; color: rgb(51, 51, 255);"><big><big><span>Monkey</span></big></big></big><br> <table style="text-align: left; width: 110px;" border="0" cellpadding="2" cellspacing="0"> <tbody><tr> <td style="vertical-align: top;">Image thumb<br> <input type="radio" name="t1image" value="No opinion" checked><img src="eh.gif" alt="Eh"> <input type="radio" name="t1image" value="Ok"><img src="ok.gif" alt="ok"> <input type="radio" name="t1image" value="Like"><img src="like.gif" alt="Like"> <input type="radio" name="t1image" value="Dont"><img src="dont.gif" alt="Don't Like"> <input type="radio" name="t1image" value="Hate"><img src="hate.gif" alt="Hate"> <input type="radio" name="t1image" value="Other"><img src="other.gif" alt="Other"> <br> Why Title:<input type="text" name="t1title" size="45" value="..."/></td> <td style="vertical-align: top;"> Explain:<br> <textarea name="t1info" cols=45 rows=3 value="..."></textarea> </td></tr></table> <br> <!--Next--> How do I get the Form data to save to the php page for others to view? Hi- the code below lets me upload a CSV file to my database if I have 1 field in my database and 1 column in my CSV. I need to add to my db "player_id" from the CVS file and "event_name" and "event_type" from the form... any ideas??? here's the code: Code: [Select] <?php $hoststring =""; $database = ""; $username = ""; $password = ""; $makeconnection = mysql_pconnect($hoststring, $username, $password); ?> <?php ob_start(); mysql_select_db($database, $makeconnection); $sql_get_players=" SELECT * FROM tabel ORDER BY player_id ASC"; // $get_players = mysql_query($sql_get_players, $makeconnection) or die(mysql_error()); $row_get_players = mysql_fetch_assoc($get_players); // $message = null; $allowed_extensions = array('csv'); $upload_path = '.'; //same directory if (!empty($_FILES['file'])) { if ($_FILES['file']['error'] == 0) { // check extension $file = explode(".", $_FILES['file']['name']); $extension = array_pop($file); if (in_array($extension, $allowed_extensions)) { if (move_uploaded_file($_FILES['file']['tmp_name'], $upload_path.'/'.$_FILES['file']['name'])) { if (($handle = fopen($upload_path.'/'.$_FILES['file']['name'], "r")) !== false) { $keys = array(); $out = array(); $insert = array(); $line = 1; while (($row = fgetcsv($handle, 0, ',', '"')) !== FALSE) { foreach($row as $key => $value) { if ($line === 1) { $keys[$key] = $value; } else { $out[$line][$key] = $value; } } $line++; } fclose($handle); if (!empty($keys) && !empty($out)) { $db = new PDO( 'mysql:host=host;dbname=db', 'user', 'pw'); $db->exec("SET CHARACTER SET utf8"); foreach($out as $key => $value) { $sql = "INSERT INTO `table` (`"; $sql .= implode("`player_id`", $keys); $sql .= "`) VALUES ("; $sql .= implode(", ", array_fill(0, count($keys), "?")); $sql .= ")"; $statement = $db->prepare($sql); $statement->execute($value); } $message = '<span>File has been uploaded successfully</span>'; } } } } else { $message = '<span>Only .csv file format is allowed</span>'; } } else { $message = '<span>There was a problem with your file</span>'; } } ob_flush();?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>CSV File Upload</title> </head> <body> <form class="form" action="" method="post" enctype="multipart/form-data"> <h3>Select Your File</h3> <p><?php echo $message; ?></p> <input type="file" name="file" id="file" size="30" /> <br/> <label>Event Name:</label><input name="event_name" type="text" value="" /> <br/> <label>Event Type:</label><input name="event_type" type="text" value="" /> <br/> <input type="submit" id="btn" class="button" value="Submit" /> </form> <br/> <h3>Results:</h3> <?php do { ?> <p><?php echo $row_get_players['player_id'];?></p> <?php } while ($row_get_players = mysql_fetch_assoc($get_players)); ?> </body> </html> OK so I have a page that a user can not access unless they are logged in works great. On that page I have links to documents, if you direct link to those docs they work. They should not unless you are logged in. How can I implement this? I'm not amazing with PhP, so excuse me if it looks terrible xD I've taken tutorials, edited them to fit my wanting and tried it out, it seems to deny anything other than an image type, but could it be abused?
<div id="image-upload">
<h2>Upload your image</h2>
<form action="upload.php" method="post" enctype="multipart/form-data">
Upload:<br><br>
<input type="file" name="image"><br><br>
Image Title:<br><br>
<input type="text" name="image_title"><br><br>
<input type="submit" name="submit" value="Upload">
</form>
<?php
include("upload_file.php");
function GetImageExtension($imagetype)
{
if(empty($imagetype)) return false;
switch($imagetype)
{
case 'image/bmp': return '.bmp';
case 'image/jpeg': return '.jpg';
case 'image/png': return '.png';
default: return false;
}
}
if ($_FILES['image']['error'] !== UPLOAD_ERR_OK) {
die();
}
$extension = getimagesize($_FILES['image']['tmp_name']);
if ($extension === FALSE) {
die("<br><font color='#8B0000'>Unable to determine image typeof uploaded file</font>");
}
if (($extension[2] !== IMAGETYPE_GIF) && ($extension[2] !== IMAGETYPE_JPEG) && ($extension[2] !== IMAGETYPE_PNG)) {
die("<br><font color='#8B0000'>Only images are allowed!</font>");
}
if (!empty($_FILES["image"]["name"])) {
$file_name=$_FILES["image"]["name"];
$temp_name=$_FILES["image"]["tmp_name"];
$imgtype=$_FILES["image"]["type"];
$ext= GetImageExtension($imgtype);
$imagename=$_FILES["image"]["name"];
$target_path = "../../images/upload/".$imagename;
$title = $_POST["image_title"];
if(move_uploaded_file($temp_name, $target_path)) {
$query_upload="INSERT into `images_tbl` (`images_path`,`submission_date`,`image_title`) VALUES
('".$target_path."','".date("Y-m-d")."','".$title."')";
mysql_query($query_upload) or die("error in $query_upload == ----> ".mysql_error());
echo '<br>Image uploaded!';
}else{
echo '<br><font color="#8B0000">Only images are allowed!</font>';
}
}
?>
The code below allows me to insert articles into my website without having to hard-code them in the home page. Is this code secure? (Someone told me I should use a switch statement instead?!) Code: [Select] <?php if (isset($_GET['article'])) { $articleFile = preg_replace('#[^A-z0-9_\-]#', '', $_GET['article']).'.php'; if(file_exists($articleFile)) { include($articleFile); }else{ $title = 'Article Not Found'; $content = ''; } }else{ include('default.php'); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Dynamic Content Example</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <link type="text/css" rel="stylesheet" href="css/pagelayout.css"> <link type="text/css" rel="stylesheet" href="css/dropdown.css"> </head> <body> <div id="wrapper" class="clearfix"> <div id="inner"> <div id="header"> <!-- DROP-DOWN MENU --> <ul id="topMenu"> <li class="current"><a href="?article=article1">Article 1</a></li> <li><a href="?article=article2">Article 2</a></li> <li><a href="?article=article3">Article 3</a></li> <!-- and so on... --> </ul><!-- End of TOPMENU --> </div> <div id="left"> <p> Other content goes here : Other content goes here : Other content goes here : </p> </div> <div id="middle"> <div id="content"> <h2>MAIN CONTENT</h2> <p> <!-- Dynamically insert Article here using PHP include!! --> <?php echo $content; ?> </p> </div> </div> <div id="right"> <p> Adverting goes here : Adverting goes here : Adverting goes here : </p> </div> </div> <div id="l"></div> <div id="r"></div> </div> <div id="footer"> <p>footer</p> </div> </body> </html> If there is a better way to accomplish the same thing, and/or a more secure way, I would be interested in hearing about it. Thanks, Debbie I wrote an update script, how secure do you think it is? By the way, this is an include. The page it is included on stop attacks by making sure the user is logged in. function update_file($url, $file) { //Get URL content $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); $data = curl_exec($ch); curl_close($ch); $new_content = $data; //Replace with content from URL file_put_contents($file, $new_content); echo $new_content; } function get_url($file) { $domain = 'http://www.mysite.com/'; $folder = 'update/'; $ver = '2.0.1'; $full_url = ''.$domain.''.$folder.'/'.$ver.'/'; $fileu = array ( "functions/update.php" => "".$full_url."functions/update.txt" ); return $fileu[$file]; } $files = array ( 'functions/update.php' ); foreach($files as $file) { update_file(get_url($file),$file); } Hi! I wanna know what is the best way to secure my inputs? Now I'm using something like this function:
public function z($var) {
$result1 = htmlspecialchars($var);
$result = mysqli_real_escape_string($this->conn, $result1);
return $result;
}
but I don't know how secure it is from all inputs... It couldn't be that with that my site is completely secure... So I wanna know what else I should use... I found something about PHP sanitize filters and similar... Same for mail, should I use that for e-mail, what should I use for e-mails as I think this 2 codes will brake character @ necessary for emails. Any suggestion is welcome Thanks What kinds of things can I do to make Logging-In and being Logged-In *secure*?? I get the whole form validation thingy, but what about from the standpoint of how/where I store data in my database and how I keep track of who is logged in and where they can go, and so on? Thanks, Debbie How hard would it be to build a Private Message system where the PM's are encrypted in my database? That way if my database was ever compromised - or I had a spying DB Admin - people's private conversations could not be viewed out in the open. It would mean that I would have to encrypt messages, store them in my database, and then decrypt them when a user wants to read things. Just curious... Thanks, Debbie Are there any PHP hashes that are extremely secure and that CANNOT be reverse-engineered?
Hey guys i am making a php application and i have a feature where it allows members to upload images. If there a way to secure a folder to only be allowed access when a member is logged in and not someone accessing the folder and downloading images. Stuped question i know would it be better to store the images in the database as BLOB? but then again could make the database big. Thanks Hey, Some of you may have noticed me posting this morning about needing help creating a comment system and securing down my PHP, I have been hard at work and have nearly finished my comment system all I need to do now is the post form and insert script, and I have been looking into the various suggestions for securing my PHP from Injection attacks and the likes. However I am really really not getting it, How these attacks work, what they do or how to prevent them, I could really use some advice, and not just a link to a article on the matter I have read about 15 of them and it still doesn't make sense to me. Can anyone give me some advice or an explanation. If someone could secure this page here for me the I should be able to work out the rest. If you need my config.php file just shout. Code: [Select] <?php include("config/config.php"); $data = mysql_query("SELECT * FROM blog WHERE articleid = {$_GET['articleid']} ORDER by date ASC") or die(mysql_error()); while($row = mysql_fetch_array($data)) { echo "<table class='main'> <tr> <td> <a href='/news.php?articleid=" . $row['articleid'] . "' class='article_title'>" . $row['title'] . "</a> <p>" . $row['introduction'] . "</p></td><tr><td ALIGN='RIGHT' class='small'> Posted by:" . $row['author'] . ", on " . $row['date'] . ",</td></tr></table>"; } ?> COMMENTS: <? $data = mysql_query("SELECT * FROM comments WHERE articleid = {$_GET['articleid']} ORDER by date ASC") or die(mysql_error()); while($row = mysql_fetch_array($data)) { echo "<table class='main'><tr><td> <p>" . $row['comment'] . "</p></td><tr><td ALIGN='RIGHT' class='small'> Posted by:" . $row['author'] . ", on " . $row['date'] . ",</td></tr></table>"; } ?> Thanks Blaze Hi, Well i have been searching the internet and can't seem to find a good tutorial for making a secure php/mySQL login script, mainly one thats is quite secure from hackers. Does anyone know of a good tutorial? Lee Does anyone clean/filter session id? Is it necessary? |
|||||||