PHP - Concerns About Handling Social Security Numbers With Html Forms
My employer asked if I could change an existing contact form on their website to allow clients to enter their Social Security Number along with the normal contact information, if the client decides to do so, instead of going through the motions of physically sending in the form via snail mail, fax, or in person (as it is currently handled).

But since this piece of information is of such a delicate nature, I wonder how I should approach this from both a legal standpoint and a programming standpoint. The form currently sends the information entered by the user to an inbox with mail(), so my initial thought was to somehow encrypt the information, limiting the risk of someone getting hold of it once the user clicks "Send". But is full-blown SSL really necessary for this? Are there easier options? And what should I think about before enabling this?

Similar Tutorials

---

Hi friends,
Another security issue, but this time it's regarding outputting data from a DB to a browser. Please have a look at the code below, which displays some output fetched from a DB and sends it to a browser.

1. If I just wish to display this output on a screen and not provide the user with any buttons or hyperlinks to interact with the information, would I still need to sanitize the output before echoing it to the screen?
2. If I was to make at least one of the fields a hyperlink, so that I could then display some related information on another webpage, what security concerns would I need to address in my code?
3. If I was to add a button against each of these records, on each row, and then select some related information on another webpage after processing the button handler, what would be the security concerns that I should address for the code below?

Thanks very much.

```php
<table>
  <tr>
    <th>S.No.</th> <th>Name</th> <th>Age</th> <th>City</th> <th>Cell</th> <th>Email</th>
  </tr>
<?php
$cnt = 1;
// each fetched row becomes one table row; values are echoed as they come from the DB
while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC)) {
    echo "<tr>";
    echo "<td>" . $cnt++ . "</td>";
    echo "<td>" . $row['Name'] . "</td>";
    echo "<td>" . $row['Age'] . "</td>";
    echo "<td>" . $row['City'] . "</td>";
    echo "<td>" . $row['Cell'] . "</td>";
    echo "<td>" . $row['Email'] . "</td>";
    echo "</tr>";
}
?>
</table>
```

---

Hi, I am new to PHP and am using it to solve some mathematical problems which require extensive computation. Following is code to solve a problem:

```php
<?php
$num = 1;
$n = 0;
$temp = 0;
$count = 0;
$Final = 0;
while ($num < 1000000) {
    $n = $num;
    // count the steps until the sequence reaches 1
    while ($n > 1) {
        if (($n % 2) == 0) {
            $n = $n / 2;
            $temp++;
        } else {
            $n = 3 * $n + 1;
            $temp++;
        }
    }
    // remember the starting number with the longest sequence so far
    if ($temp > $count) {
        $count = $temp;
        $Final = $num;
    }
    $num++;
    $temp = 0;
}
echo $Final;
echo "<BR>";
echo $count;
?>
```

I am running into a "Maximum execution time of 30 seconds exceeded" error. It's happening because of the number 1 million; the code works fine for 100, 1000, 10000 and 100000, but breaks down at 1000000. Is there any way to solve this situation, or is PHP not capable of handling huge numbers? Please help; I am stuck with this even though I am so close to solving the problem.

Thanks,
Abhijeet

---

Hello,

On my site I am allowing users to post HTML and I'm in the planning phase. I've already written regex to get rid of <script> and <frame> tags, but I have run into a problem regarding <embed>: it seems as though in browsers such as Chrome, <embed> acts like an <iframe> tag. The problem is that with this sort of behavior users may link to potentially harmful sites, like infinite alert boxes etc. How will I be able to make sure users don't embed websites instead of Flash?

Alternate question: Also, if I do allow users to include websites, how could I disable alert boxes?

---

Hi, I have an HTML form created using Dreamweaver and now I need a script to handle the form processing.
Basically what I need is for the form data received from the webpage to be organized in an email and then sent to me. I would also like to display a thank-you message in the browser so the user knows it was received. I was planning to do this using CGI, but a colleague suggested that CGI is old school and nowadays a developer would use PHP for this task. Is PHP the right solution for this project? The examples I have found so far always include the HTML for the form and the script needed to handle it in one file. In my case, I have an HTML form already in place and need it to work with a script to perform the email function. I know I need to set "Action=" on my webpage to point to the PHP script, but what would the code look like if no HTML is needed? I hope this makes sense...

Thanks for your help!
Rob

---

Hey all,

This question is coming forth from another topic, but since that topic is not really about this issue, I posted this new topic. Okay, so I made a table, and each row is generated with a WHILE loop. In this while loop, there's also a form generated for each row/record, for updating them separately. I'm having trouble with naming those forms to process them separately. I could name them like name="form20110001", with the number being the record's id. But since there can be gaps between ids, how can I retrieve them efficiently? And I want them all to be processed on a single process page, obviously. How can I do this easily? Can someone give me a concise example? Would appreciate it a lot.

Thanks

---

I have a form that, after it is filled out and submitted, redirects the user to another page where the form is displayed. The way I'm doing this is by inserting the values into the database first and then pulling them out from the database to display the array on the redirected page.

So that no one else sees another user's information, I am using a unique and encrypted token and storing it in both a SESSION value and in the database; I create this token and assign it to the session variable only if there are no errors in the form. In addition, I'm picking up the insert ID and also storing it as a session value. Before displaying anything on the next page, where the user is redirected to, it checks for the SESSION token, else the user is redirected to the previous page. On the next page, when I need to select the values from the database, I include in my select query something such as "SELECT * FROM table WHERE (token='_SESSION['token'] TOKEN AND form_id='$_SESSION['form_id']) LIMIT 1" (please note that this might not be the right syntax for the query; it is just the gist of it).

Now, my questions! Is this secure enough to prevent anyone from trying to see someone else's information? I'm afraid that with the current method it might be vulnerable to SQL injection, even though I'm using a prepared MySQL statement, which sanitizes all the input. Or should I use method 2, which is to store all the information of the user from the form into the SESSION array and display the values of the session, instead of fetching the values from the database? Or is there a different way of doing this? Any comments will be greatly appreciated.

Thank you in advance for your time and help.

---

I have a PHP page that processes a form. How do I prevent someone from making their own form on their own domain and then saying <form method=post action="www.hackerdomain.com/bad.php"> and then passing their own variables? Do I set up a $session variable on my form page and assign it to $_SERVER["PHP_SELF"]?

---

Hey again guys! I'm back already today. XD

Okay, so... I'm building a script, right. I have a form that is a simple text field. I do NOT want to use JavaScript. I want to be able to use PHP to do this.
Here is the form exactly as it is now:

```php
<form action="<?php echo "$PHP_SELF"; ?>" method="POST">
<input type="text" name="price">
```

How would I only allow a number, and up to 5 digits long, like, for example, a zip code? I know I can always limit the char space, but they might be able to "inject" it? On another note for forms, what would I have to do to get rid of people being able to run a script through a form; is it the strip_tags() function?

Thanks for your help in advance, guys!

---

Not sure why the PHP variables in the code below aren't interpreting the values that they should be receiving from the HTML form.

HTML form:

```html
<form action="handle_form.php" method="post">
  <fieldset><legend>Enter your information in the form below</legend>
    <p><b>Name:</b> <input type="text" name="name" size="20" maxlength="40" /></p>
    <p><b>Email Address:</b> <input type="text" name="email" size="40" maxlength="60" /></p>
    <p><b>Gender:</b>
      <input type="radio" name="gender" value="M" /> Male
      <input type="radio" name="gender" value="F" /> Female</p>
    <p><b>Age:</b>
      <select name="age">
        <option value="0-29">Under 30</option>
        <option value="30-60">Between 30 and 60</option>
        <option value="60+">Over 60</option>
      </select>
    </p>
    <p><b>Comments:</b> <textarea name="comments" rows="3" cols="40"></textarea></p>
  </fieldset>
  <div align="center"><input type="submit" name="submit" value="Submit My Information" /></div>
</form>
```

PHP handle_form:

```php
<?php
# Script 2.2 handle_form.php
// read the submitted fields (GET, POST or cookie, whichever carries them)
$name = $_REQUEST['name'];
$email = $_REQUEST['email'];
$comments = $_REQUEST['comments'];
echo "<p>Thank you, <b>$name</b>, for the following comments:<br />
<tt>$comments</tt></p>
<p>We will reply to you at <i>$email</i>.</p>";
?>
```

---

I am learning how to use PHP to handle input in a contact form on my website. Using PHP I can send the form data to my email client. However, I cannot achieve the outcome of sending a copy to the email address of the submitter.

I have searched the Internet, particularly Stack Overflow, and have found code that I am told will achieve this outcome. Here is the code:

```php
<?php
if (isset($_POST['submit'])) {
    $to = "email@example.com";        // this is your Email address
    $from = $_POST['email'];          // this is the sender's Email address
    $first_name = $_POST['first_name'];
    $last_name = $_POST['last_name'];
    $subject = "Form submission";
    $subject2 = "Copy of your form submission";
    $message = $first_name . " " . $last_name . " wrote the following:" . "\n\n" . $_POST['message'];
    $message2 = "Here is a copy of your message " . $first_name . "\n\n" . $_POST['message'];
    $headers = "From:" . $from;
    $headers2 = "From:" . $to;
    mail($to, $subject, $message, $headers);
    mail($from, $subject2, $message2, $headers2); // sends a copy of the message to the sender
    // echo "Mail Sent. Thank you " . $first_name . ", we will contact you shortly.";
    // OR you can also use header('Location: thank_you.php'); to redirect to another page.
}
?>
```

Adjusting it for my own circumstances and settings, it will still send the information in the form to me but will not send the information to the submitter's email address. What is particularly confusing is, if I modify the code by taking out this line of code, mail($to,$subject,$message,$headers); which includes my email address ($to), it still works and the information including ($subject) is still sent to my email address. I would appreciate any assistance that anyone would offer.

---

I have a file on my server that I will stream to the browser:

```php
header("Content-Description: File Transfer");
header("Content-Type: application/force-download");
header("Content-Length: " . filesize($filename));
header("Content-Disposition: attachment; filename=$filename");
readfile($filename);
```

$filename is going to be in a location that's not publicly available (there's no URL to it, as it's on the server, and not within public_html or subdirectories). Any safety concerns here?
Basically, I'm just curious if a user has any way to steal the file or otherwise access the directory. I don't think so, but I'm just tossing this out here as a general discussion. Thanks!

---

This topic has been moved to JavaScript Help. http://www.phpfreaks.com/forums/index.php?topic=318062.0

---

Is it worthwhile to create an object to generate my HTML forms? Starting out it would appear to be worthwhile, but I'm not sure how things might change later down the line when I'm doing more with my forms and introducing JavaScript to it. It's a bunch of coding to change all my forms now, so I wanted to hear some input before I started. Would this be just a complete waste of server-side processing? TIA!

---

Hi, I am very new to PHP and am having trouble understanding how HTML, PHP and JavaScript work together. What I have to do is: I have a 'Choose File' option, where I select the file. Then I transfer this file to the server and read the contents into an array. This is done in one form. In the other form I send the contents read from the file to a different *.php for some database querying. Following is what I have. I don't know how to transfer data between different files.

```html
<form name="INPUT" method="POST" enctype="multipart/form-data" action="readInput.php">
  <p id="upload_text"><br/>
    <textarea name="queryList" id="queryList" cols="35" rows="10" wrap="physical" value='' onclick="document.INPUT.queryList.value='';">
Enter input here...
    </textarea><br/>
  </p>
  <p>
    <!-- <input name=INPUTS type=hidden value=$entries[]/> -->
  </p>
  <p id="upload_button"><br/>
    File: <input name="uploadedfile" type="file" size="30" onchange='fillTextArea(<?php echo $entries; ?>)'/><br/>
  </p>
  <iframe id="upload_target" name="upload_target" src="#" style="width:0;height:0;border:0px solid #fff;"></iframe>
  <a href="javascript: submitReadForm()"></a>
</form>
<script type="text/javascript">
function submitReadForm() {
  document.INPUT.submit();
}
</script>
<script language="javascript" type="text/javascript">
//var inData = new Array();
function fillTextArea(inData) {
  if (inData == "") {
    document.getElementById('queryList').textContent = "No Input";
    alert("No Input Data Returned");
  } else {
    document.getElementById('queryList').textContent = inData;
  }
}
</script>
<form name="GETPDB" action="viewPDBs.php" method="POST" enctype="multipart/form-data">
  <p id="submit_upload">
    <input type="submit" name="submit" value="Submit" /><br/>
  </p>
  <p>
    <!--
    #<#?php echo $entries; ?>
    #<#php foreach ($entries as $k => $e) : ?>
      <input type="hidden" name="entries[<#?php echo $k ?>]" value="<#?php echo addslashes($e) ?>">
    #<#?php endforeach; ?>
    -->
    <input name=IDS type=hidden value="<?php echo $input; ?>"/>
  </p>
  <a href="javascript: submitPDBForm()"></a>
</form>
```

Please help me with this. Thanks.

---

Hi, I have found myself in a bit of a cul-de-sac. Hope you can help, as it is driving me crazy.

The scenario: I have an HTML form (_post) whose contents I would like to write to one XML file using PHP. The problem is: the HTML page has three/four forms in it.

Form a = (submit a writes/updates only to section a)
Form b = (submit b writes/updates only to section b)
Form c = (submit c writes/updates only to section c)
Form d = (submit a, b, c writes/updates all sections)

The XML page has three sections a, b & c. To conclude, I want to be able to update the XML file in sections or update them all as a whole. How can I go about achieving this?

Thanks

---

Hi, I am having a major problem with trying to get the HTML value attribute to display a value stored in an array from an SQL query. So I have done an SQL query, then output it all to the screen, but I can't set the value attribute on my HTML form to the variable $Name. Can anyone please tell me where I am going wrong?

Thanks, Nick

```php
while ($nt = mysql_fetch_array($result)) {
    // name, class and mark will be printed with one line break at the end
    echo "$nt[photo_url] $nt[Name] $nt[Education] $nt[Skills] $nt[Aboutme] <br>";
}
$Photo_url = $_POST["photo_url"];
$Name = $_POST["Name"];
$Education = $_POST["Education"];
$Skills = $_POST["Skills"];
$Aboutme = $_POST["Aboutme"];
?>
<form method="post" action="updateaboutme.php">
Photo Url:<input type="text" size="12" maxlength="12" name="Photo_url" value="<?php echo $nt['Name'] ?>"><br />
<input type="submit" value="submit" name="submit">
</form>
```

---

Hi there,

Is there any way that when a user submits a form, but places a link inside, for example "It is located at this location: http://mylink.com", PHP can pick up the fact that there is a link there and tag it correctly so it is clickable?

Cheers, Matt

---

Hello friends, if I have a textarea form or even an input, how do I prevent visitors from writing HTML code inside it? Thanks

---

Hi, I need to sort variables into groups of up to 15 and put them in an array. For example:

```php
$exstract['center_tabOpBody_0'] = 5;
$exstract['center_tabOpBody_1'] = 6;
$exstract['center_tabOpBody_2'] = 8;
$exstract['center_tabOpBody_3'] = 1;
```

Should yield:

```
ARRAY(
  [0] = center_tabOpBody_1,center_tabOpBody_2,center_tabOpBody_3 // <----- 15
  [1] = center_tabOpBody_0                                       // <----- 5
)
```

Is there some simple function to do the "efficiency" sort?

Thanks, Vadim

---

I make a PHP application; it has a lot of forms. I want to avoid someone posting things like ?> or </html>. How can I make it do that?
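For the Social Security Number question at the top of the page, here is an added example (my code, not from the original post) of a handler that validates the optional SSN, encrypts it with libsodium before it is stored, and emails only a masked form. It assumes PHP 7.2+ with the sodium extension, a 32-byte key file kept outside the web root, and hypothetical names for the key path, form field and mailbox.

```php
<?php
// Added example, not code from the original post. Assumes PHP >= 7.2 with the
// sodium extension and a 32-byte key file kept outside the web root; the key
// path, field name and mailbox below are hypothetical.
const SSN_KEY_FILE = '/etc/myapp/ssn.key';   // hypothetical, readable only by the web user

// Accept only a 9-digit SSN; reject anything else rather than "cleaning" it.
function normalize_ssn(string $raw): ?string {
    $digits = preg_replace('/\D/', '', $raw);
    return preg_match('/^\d{9}$/', $digits) === 1 ? $digits : null;
}

// Authenticated encryption with a fresh nonce; nonce||box is stored as one base64 blob.
function encrypt_ssn(string $ssn, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox($ssn, $nonce, $key));
}

// Returns null if the blob was truncated, tampered with, or sealed under another key.
function decrypt_ssn(string $blob, string $key): ?string {
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;
}

// Only the last four digits ever go into the notification email or onto a screen.
function mask_ssn(string $ssn): string {
    return '***-**-' . substr($ssn, -4);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $raw = $_POST['ssn'] ?? '';
    $ssn = $raw === '' ? null : normalize_ssn($raw);      // the field is optional
    if ($raw !== '' && $ssn === null) {
        http_response_code(400);
        exit('SSN must be exactly 9 digits.');
    }
    if ($ssn !== null) {
        $key  = file_get_contents(SSN_KEY_FILE);           // must be exactly 32 bytes
        $blob = encrypt_ssn($ssn, $key);                   // persist $blob, e.g. in the DB row
        $note = 'Contact form received; SSN on file: ' . mask_ssn($ssn);
        mail('intake@example.com', 'Contact form', $note); // clear text never goes by email
    }
}
```

Encryption at rest does not replace TLS for the form page itself: the browser still sends the digits in clear text unless the page is served over HTTPS.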
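For the table-output post (its three questions), the "form on their own domain" post and the "prevent visitors writing HTML" post, here is one added example (my code, not from any of the posts) that escapes every value on output, carries only an integer id in the hyperlink, and ties the per-row buttons to a session CSRF token. The row data is constructed, and view.php/detail.php are hypothetical targets.

```php
<?php
// Added example, not code from any post above. Assumes sessions are available;
// the rows are constructed sample data standing in for the mysqli result set.
session_start();

// One escaping helper for every value that lands in HTML text or an attribute.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Per-session CSRF token: a form hosted on another domain cannot know it.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// The handler on detail.php calls this before trusting anything else in $_POST.
function csrf_check(string $submitted): bool {
    return isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $submitted);
}

// Constructed rows; the first Name shows why question 1 still needs escaping.
$rows = [
    ['id' => 7, 'Name' => 'Alice <script>alert(1)</script>', 'Age' => '34',
     'City' => 'Austin', 'Cell' => '555-0100', 'Email' => 'alice@example.com'],
    ['id' => 9, 'Name' => 'Bob "Bobby" O\'Neil', 'Age' => '41',
     'City' => 'Boise', 'Cell' => '555-0101', 'Email' => 'bob@example.com'],
];

function render_row(int $n, array $row): string {
    $id   = (int) $row['id'];                 // question 2: the link carries only a cast integer
    $link = '<a href="view.php?id=' . $id . '">' . h($row['Name']) . '</a>';
    $btn  = '<form method="post" action="detail.php">'               // question 3
          . '<input type="hidden" name="id" value="' . $id . '">'
          . '<input type="hidden" name="csrf" value="' . h(csrf_token()) . '">'
          . '<button type="submit">Details</button></form>';
    return '<tr><td>' . $n . '</td><td>' . $link . '</td><td>' . h($row['Age']) . '</td><td>'
         . h($row['City']) . '</td><td>' . h($row['Cell']) . '</td><td>' . h($row['Email'])
         . '</td><td>' . $btn . '</td></tr>';
}

$cnt = 1;
foreach ($rows as $row) {
    echo render_row($cnt++, $row), "\n";      // the <script> in Alice's name renders as text
}
// On detail.php: if (!csrf_check($_POST['csrf'] ?? '')) { http_response_code(403); exit; }
```

Escaping on output is what makes stored HTML harmless, so the textarea post's goal is met without refusing the input; strip_tags() on input is not a substitute.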
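For the session-token post, here is an added example (my code, not the poster's) of the same lookup done with a mysqli prepared statement, so both session values are bound as data instead of being spliced into the SQL string. The table name "submissions" and the redirect target are hypothetical; $db is assumed to be an open mysqli connection.

```php
<?php
// Added example, not the poster's code. Assumes session_start() has run and
// $db is an open mysqli connection; "submissions" and "form.php" are hypothetical.

// Issued once, after the form validates; 32 random bytes is what makes it unguessable.
function issue_token(): string {
    $_SESSION['token'] = bin2hex(random_bytes(32));
    return $_SESSION['token'];
}

function load_submission(mysqli $db): ?array {
    if (empty($_SESSION['token']) || empty($_SESSION['form_id'])) {
        header('Location: form.php');          // no token in this session: back to the form
        exit;
    }
    // Placeholders mean the token and id are never parsed as SQL, whatever they contain.
    $stmt = $db->prepare('SELECT * FROM submissions WHERE token = ? AND form_id = ? LIMIT 1');
    $stmt->bind_param('si', $_SESSION['token'], $_SESSION['form_id']);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    // Requiring both columns to match means a guessed form_id without the token yields nothing.
    return $row ?: null;
}
```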