PHP - How To Make A Secure E-commerce Website?
Hey guys, a while ago I created a script for my friend where you can buy points and then redeem stuff with those points. I'm looking for ways to keep my site secure. Currently, what I have done:
- protected all MySQL queries with mysql_real_escape_string, strip_tags, and addslashes
- have a valid SSL certificate on my website
- checked if emails are valid for account creation

What else can I do? Thank you.

Similar Tutorials

Hi, I got problems on my website http://www.tranceprofile.com/ When I want to go to my Storeadmin page (http://www.tranceprofile.com/storeadmin/) I get this:

Warning: session_start() [function.session-start]: open(/public/tmp/sess_64fb1b28e78195d89731106458023ab4, O_RDWR) failed: No such file or directory (2) in /public/sites/www.tranceprofile.com/storeadmin/index.php on line 5
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /public/sites/www.tranceprofile.com/storeadmin/index.php:5) in /public/sites/www.tranceprofile.com/storeadmin/index.php on line 5
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /public/sites/www.tranceprofile.com/storeadmin/index.php:5) in /public/sites/www.tranceprofile.com/storeadmin/index.php on line 5
Warning: Cannot modify header information - headers already sent by (output started at /public/sites/www.tranceprofile.com/storeadmin/index.php:5) in /public/sites/www.tranceprofile.com/storeadmin/index.php on line 7
Warning: Unknown: open(/public/tmp/sess_64fb1b28e78195d89731106458023ab4, O_RDWR) failed: No such file or directory (2) in Unknown on line 0
Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/public/tmp) in Unknown on line 0

Can someone help me?
Here is my code:

Code:
<?php
// Nothing (not even a byte-order mark or whitespace) may be output before session_start(),
// otherwise the session cookie headers cannot be sent.
session_start();
if (!isset($_SESSION["manager"])) {
    header("location: admin_login.php");
    exit();
}
// Be sure to check that this manager SESSION value is in fact in the database
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); // filter everything but numbers
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]); // filter everything but numbers and letters
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); // filter everything but numbers and letters
// Run MySQL query to be sure that this person is an admin and that their password session var equals the database information
// Connect to the MySQL database
include "../storescripts/connect_to_mysql.php";
$sql = mysql_query("SELECT * FROM admin WHERE id='$managerID' AND username='$manager' AND password='$password' LIMIT 1"); // query the person
// ------- MAKE SURE PERSON EXISTS IN DATABASE ---------
$existCount = mysql_num_rows($sql); // count the row nums
if ($existCount == 0) { // evaluate the count
    echo "Your login session data is not on record in the database.";
    exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Store Admin Area</title>
<link rel="stylesheet" href="../style/style.css" type="text/css" media="screen" />
</head>
<body>
<div align="center" id="mainWrapper">
<?php include_once("../template_header.php");?>
<div id="pageContent"><br />
<div align="left" style="margin-left:24px;">
<h2>Hello store manager, what would you like to do today?</h2>
<p><a href="inventory_list.php">Manage Inventory</a><br />
<a href="#">Manage Blah Blah </a></p>
</div>
<br /> <br /> <br />
</div>
<?php include_once("../template_footer.php");?>
</div>
</body>
</html>

The more I look at this code the more I think to myself that there is some kind of security hole in it, but at other times I say that it'll do.
Here's the code in question:

Part of my jQuery script:

Code:
if ( proceed ) {
    //console.log('All the conditions have been met.');
    var data = $('#registerForm input').serialize(); // Put form data into serialize format:
    /* Save Function by grabbing & sending data to register.php */
    $.post($('#registerForm').attr('action'), data, function(info) {
        console.log(info);
        //$('#result').text(info); // Display the result back when saved:
    }); // End of Save:
} else {
    console.log('There is a problem somewhere.');
}

and my PHP file that the data is sent to:

Code:
if (isset($_POST['username'])) {
    $userType = 'public';
    $username = $_POST['username'];
    $realname = $_POST['realname'];
    $email = $_POST['email'];
    $password = password_hash(trim($_POST['password']), PASSWORD_BCRYPT, array("cost" => 15));
    $query = 'INSERT INTO users (userType, username, realname, email, password, dateAdded) VALUES (:userType, :username, :realname, :email, :password, NOW())';
    $stmt = $pdo->prepare($query); // $pdo is the PDO connection opened elsewhere (with PDO::ERRMODE_EXCEPTION, so that the catch below fires)
    try {
        $result = $stmt->execute(array(':userType' => $userType, ':username' => $username, ':realname' => $realname, ':email' => $email, ':password' => $password));
        if ($result) {
            echo 'Data Successfully Inserted!';
        }
    } catch(PDOException $error) {
        // SQL_CONSTRAINT_VIOLATION is assumed to be defined elsewhere as '23' (SQLSTATE class 23 = integrity constraint violation)
        if (substr($error->getCode(), 0, 2) == SQL_CONSTRAINT_VIOLATION) {
            $errorMsg = 'The username already exists.';
        } else {
            throw $error; // some other error happened; just pass it on.
        }
    }
}

Basically it takes the data from the registration form, validates it and then sends it to the register.php file to insert the data in the database table. It will be a long time before I go live with this, but I want to make this as secure as I can. Any suggestions or help will be greatly appreciated. Best Regards, John

Hiya, what's the best and most secure way of structuring a website? I have looked at various forum packages (e.g. phpBB, myBB, and SMF), and they each seem to use a switch statement in the index.php file.
When you go to a section of the website, a "GET" variable is passed, and the relevant area of the website is loaded through the switch statement. Is this the best and only way? I would appreciate anybody's thoughts on this topic. Thanks, FishSword

Hi guys, it's my first post here. I'm not looking to leech, I'm simply here to learn and develop my skills, and any contributions will be greatly appreciated! Anyway, I have made a simple login script; however, I would like to make it more secure. But before that, can you please explain to me why it is not secure in the first place? A basic explanation so I can understand would be great. Then after that, could you please give help as to how I would make this login code more secure? Thank you very much.

Code:
<?php
$rowsfound=false;
if (isset($_GET['frmStudentId'])) {
    // functions to make performQuery() work correctly
    require_once("dbfunctions.inc.php");
    $query = "SELECT dbStudentId, dbStudentName " .
             " FROM student " .
             " WHERE dbStudentId = '".$_GET['frmStudentId']."'" .
             " AND dbPassword = '".$_GET['frmPassword']."'";
    $result = performQuery($query);
    if(count($result) > 0) {
        $rowsfound=true; // allow login
    }
}
// code continues by generating appropriate response ...

Hi, a little help needed. I have created a new website. In the index.php file I want to show records from the database. Now, here is how the problem arises: I want to import code from GitHub instead of hosting those files on my server, because I want to keep it open source. Below is the code I am using:

Code:
<?php
// connect to the database
include('connect-db.php');
// get results from database
$sql = "SELECT id, upadhi, name FROM munishri";
$result = $conn->query($sql);
if ($result->num_rows > 0) {
    // output data of each row
    while($row = $result->fetch_assoc()) {
        echo "id: " . $row["id"]. " - Name: " . $row["upadhi"]. " " . $row["name"]. "<br>";
    }
} else {
    echo "0 results";
}
// close connection
$conn->close();
?>

Can I host the code that shows the result in another file and use something like:

Code:
<?php
// connect to the database
include('connect-db.php');
// get results from database
include('http://rawgit.com/th...database.php');
?>

Hello everyone. This is my first post, so be nice! I am building a website that will have a lot of content, similar to a newspaper. I have some pretty good HTML/CSS pages written, but the problem is that I need a way to make things more dynamic. One of my templates has a Header, Left Column, Middle Column, Right Column, and Footer. Everything stays the same from page to page except for the Middle Column (which holds each article). As it stands now, if I had 12 articles, I would have to have 12 nearly duplicate HTML pages, which isn't good! I started studying PHP a while ago, but put that on hold to learn HTML/CSS, so I've kinda forgotten how PHP can help me out! Can someone help me figure out how to use PHP to my benefit? Thanks, Debbie

How can I make/add a Facebook Like button on my website or blog? Can anyone post sample example code?

Hi all, I'm a bit of a newbie to this type of website and would be extremely grateful for any help on this, as it's causing considerable headaches! I've been working on an e-commerce (Online Shop) website based on the site found here: http://www.phpwebcommerce.com/ I have been building it into a template from the original shop, which was essentially a static website with links to PayPal for the cart etc. Now I am trying to add an extra function to the site but can't get my head around the logic to making this work, and I know it can be done! The shop is to sell mainly shoes with some accessories. So I understand that shoes obviously come in a variety of sizes, and each size needs to have its own product ID in the MySQL DB so I can show whether it is in stock etc.

What I can't figure out is, firstly, how to make an easy way of adding the shoes' different sizes (e.g. 10 shoes of the same type in sizes 40-49) to the DB in one hit instead of filling in the same form 10 times but with different sizes. I have the simple form already made and working successfully. My thoughts are to add a check box in the form to say I'm adding multiple shoes, which tells the process to look for values in text areas for the starting shoe size and last shoe size. The process then subtracts the start size from the end size, giving the number of times to loop the process. It then loops the process for each size using the same information... Logically this works, but I'm not sure how to code this on what I have. I have attached the files used directly in this.

Secondly, how do I group the shoes on the front end? Now each product on the front end currently will display a simple message instead of "Add to cart" when the stock = 0, or the product has been marked as available on request. I would like to group the shoes of the same type to have a drop-down menu showing the available sizes. When a size is selected it needs to query the DB for available stock and either show the 'Add to cart' or 'Call to order' options. Anything else you might need to help with this, let me know. I'm keen to get this bit done so I can get the site live! Thanks in advance

Hey everyone. I am making a site for my brother's band and having some trouble with the checkout to PayPal. Unfortunately in the layout I missed a pretty important variable, the size on shirts. I am trying to add it in as a drop-down option just before submitting to PayPal, but I can't get it to show up on PayPal and thus will have no idea what size they are ordering. The site is pretty basic and primitive, but I really need this info on the checkout.
Here is a link to the temporary site where I'm trying to get this to work: http://www.theblack44s.com/t/index3.php and this is what is up and running now: http://www.theblack44s.com/Merchant%20pages/apparel/index3.php This is the code I'm working on in cart.php:

Code:
<?php
require "dbconcart.php";
session_start();
//session_destroy();
$page = 'index.php';
// shirt size chosen in the size form (only present on the request that submits that form)
$value2 = isset($_POST['size']) ? $_POST['size'] : '';

//add to cart function
if (isset($_GET['add'])) {
    $quantity = mysql_query('SELECT id, quantity, imageurl FROM apparel WHERE id='.mysql_real_escape_string((int)$_GET['add']));
    while ($quantity_row = mysql_fetch_assoc($quantity)) {
        if ($quantity_row['quantity']!=$_SESSION['cart_'.(int)$_GET['add']]) {
            $_SESSION['cart_'.(int)$_GET['add']]+='1';
        }
    }
    header('Location: '.$page);
}
//remove from cart
if (isset($_GET['remove'])) {
    $_SESSION['cart_'.(int)$_GET['remove']]--;
    header('Location: '.$page);
}
//delete from cart
if (isset($_GET['delete'])) {
    $_SESSION['cart_'.(int)$_GET['delete']]='0';
    header('Location: '.$page);
}

// products
function products() {
    $get = mysql_query('SELECT id, name, item_number, description, price, shipping FROM apparel WHERE quantity > 0 ORDER BY id DESC');
    if (mysql_num_rows($get)==0) {
        echo "There are no products to display!";
    } else {
        while ($get_row = mysql_fetch_assoc($get)) {
            echo $get_row['name'].'<br />';
            echo $get_row['item_number'].'<br />';
            echo $get_row['description'].'<br />';
            echo 'Price: '.number_format($get_row['price'], 2).'<br />';
            echo 'Shipping: '.number_format($get_row['shipping'], 2);
            echo '<a href="cart.php?add='.$get_row['id'].'">Add to cart</a></p>';
        }
    }
}

//paypal function
function paypal_items() {
    global $value2; // the size is set at file scope, so it has to be pulled into the function
    $num = 0;
    foreach($_SESSION as $name => $value) {
        if ($value!=0) {
            if (substr($name, 0, 5)=='cart_') {
                $id = substr($name, 5, strlen($name)-5);
                $get = mysql_query('SELECT id, name, item_number, price, shipping FROM apparel WHERE id='.mysql_real_escape_string((int)$id));
                while ($get_row = mysql_fetch_assoc($get)) {
                    $num++;
                    echo '<input type="hidden" name="item_number_'.$num.'" value="'.$get_row['item_number'].'">';
                    echo '<input type="hidden" name="item_name_'.$num.'" value="'.$get_row['name'].'">';
                    // PayPal's cart upload carries a per-item option as on0_N (option name) / os0_N (option value);
                    // a field named size_ is not one PayPal reads, and the value must be the variable, not the text "$_POST"
                    echo '<input type="hidden" name="on0_'.$num.'" value="Size">';
                    echo '<input type="hidden" name="os0_'.$num.'" value="'.htmlspecialchars($value2).'">';
                    echo '<input type="hidden" name="amount_'.$num.'" value="'.$get_row['price'].'">';
                    echo '<input type="hidden" name="shipping_'.$num.'" value="'.$get_row['shipping'].'">';
                    echo '<input type="hidden" name="shipping2_'.$num.'" value="'.$get_row['shipping'].'">';
                    echo '<input type="hidden" name="quantity_'.$num.'" value="'.$value.'">';
                }
            }
        }
    }
}

//cart function
function cart() {
    global $value2;
    $total = 0; // must be initialised before it is added to below
    foreach($_SESSION as $name => $value) {
        if ($value>0) {
            if (substr($name, 0, 5)=='cart_') {
                $id = substr($name, 5, (strlen($name)-5));
                $get = mysql_query('SELECT id, name, price, imageurl FROM apparel WHERE id='.mysql_real_escape_string((int)$id));
                while ($get_row = mysql_fetch_assoc($get)) {
                    $sub = $get_row['price']*$value;
                    echo $get_row['name'].' x '.$value.' @ $'.number_format($get_row['price'], 2).' = $'.number_format($sub, 2).'<br />';
?>
<form action="size.php" method="post" name="size">
<label>Size
<select name="size">
<option selected="selected">Select</option>
<option value="youth">Youth (for the brats)</option>
<option value="small">Small (petite)</option>
<option value="medium">Medium (average)</option>
<option value="large">Large (healthy)</option>
<option value="xlarge">X Large (large)</option>
<option value="xxlarge">XX Large (full figured)</option>
<option value="xxxlarge">XXX Large (huge)</option>
<option value="xxxxlarge">XXXXLarge (DAMN!!)</option>
</select>
</label>
<!-- the two hidden inputs also named "size" have been dropped: they overrode the selected value -->
<input type="submit" value="Set size" />
</form>
<?php
                    echo '<a href="cart.php?remove='.$id.'">[-]</a> <a href="cart.php?add='.$id.'">[+]</a> <a href="cart.php?delete='.$id.'">[delete]</a><br />';
                    $total += $sub;
                }
            }
        }
    }
    //cart totals and paypal function
    if ($total==0) {
        echo "Your cart is empty.";
    } else {
        echo '<p><b>Total: $ '.number_format($total, 2).'</b></p>';
?>
<p>
<form action="https://www.paypal.com/cgi-bin/webscr" target="_blank" method="post">
<input type="hidden" name="cmd" value="_cart">
<input type="hidden" name="upload" value="1">
<input type="hidden" name="business" value="webmaster@theblack44s.com">
<?php paypal_items(); ?>
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="amount" value="<?php echo $total; ?>">
<input type="hidden" name="size" value="<?php echo htmlspecialchars($value2); ?>">
<input type="image" src="http://www.paypal.com/en_US/i/btn/x-click-but03.gif" target="_blank" name="submit" alt="Make payments with PayPal - it's fast, free and secure!">
</form>
</p>
<?php
    }
}
?>

Hello!
How can I make a script from my PHP code work even if my website is not running?
Can I do this with PHP?
I am relatively new to PHP, but I have been learning since the end of 2011. At the moment, I am developing an e-commerce website for a customer, using the Larry Ullman book "Effortless E-Commerce" as a guide. I am hitting many brick walls at the moment though. But before I state my long-winded problem, I have attached all my work done thus far to this message.

HERE'S THE PROBLEM... I have created a series of includes such as config.inc.php, form_functions.inc.php, login.inc.php and login_form.inc.php. They are included/required with most of my other files. However, I have some major issues;

1. This is the code for my logout.php file:

Code:
<?php
require ('./includes/config.inc.php');
// If the user isn't logged in, redirect them:
redirect_invalid_user();
// Destroy the session:
$_SESSION = array(); // Destroy the variables.
session_destroy(); // Destroy the session itself.
setcookie (session_name(), '', time()-300); // Destroy the cookie.
// Include the header file:
$page_title = 'Logout';
include ('includes/header.html');
// Print a customized message:
include ('includes/main.html');
echo '<h3>Logged Out</h3><p>Thank you for visiting. You are now logged out. Please come back soon!</p>';
// Footer file needs the database connection:
require (MYSQL);
// Include the HTML footer:
include ('includes/footer.html');
?>

At the moment, I cannot determine if a user is logged in/when they log out, I cannot determine if there is an active session, and also, when I log into the site, I have a database with values, yet it seems to let any Tom, Dick and Harry log in to the site even though they are not stored in the database. I apologise if this sounds confusing, but I really need some major league help. Help would be greatly appreciated.

Hey guys, I got a tough one. I've been researching for days, weeks even, to try and solve this. And I'm sure I'm going to kick myself if/when I get a solution. I've set up an e-commerce website from scratch (no PrestaShop, osCommerce, none of that), and I need to figure out how to decrease the price on quantity. Ex: umbrellas are $12.00 a piece. If you order 2 dozen (24) umbrellas, they are only $10.00 a piece. I can't seem to figure out a way to make it work. I have set up in my database the following columns:

p - base price ($12)
p1 - price after first increment ($10)
q1 - quantity of first break (24)
p2
q2
p3
q3

Hit me with your best shot.

I have an array that needs to display all titles and allow a user to view titles based on the category, title, etc. I tried using the print_r() function, but it didn't display the titles in a clean list. The only tutorials I've found utilize SQL, and I need to complete this without using SQL.

Code:
$books = array();
array_push($books, array("category" => "Nonfiction", "title" => "The Innocent Man", "author" => "Grisham", "publisher" => "McGraw-Hill", "price" => "34.99", "isbn" => "5985420166"));
array_push($books, array("category" => "Business", "title" => "How to Make Money", "author" => "Richy", "publisher" => "Prentice-Hall", "price" => "49.99", "isbn" => "8754739342"));
array_push($books, array("category" => "Romance", "title" => "Twice Kissed", "author" => "Jackson", "publisher" => "McGraw-Hill", "price" => "14.99", "isbn" => "5671230987"));

I am building an e-commerce site and I am aiming to create a front end displaying my products with an option for customers to buy them, and have a content management system as a back end for an admin to edit product information.
Currently I am storing information about my products in a MySQL database. I access and display the product info using a while loop. Below is a simplified version of what I am doing, without any HTML to style it. This code will go through the database, and each iteration will go to the next row and display the info about the next product.

Code:
$query = mysql_query("SELECT * FROM truffleProducts");
while ($row = mysql_fetch_array($query)) {
    $id = $row['id'];
    $name = $row['Name'];   // square brackets: the $row{'Name'} form of array access has been removed from PHP
    $price = $row['Price'];
    $desc = $row['Description'];
    echo $id;
    echo $name;
    echo $price;
    echo $desc;
}

I have begun to implement a 'buy' button so that customers are able to click on a button next to the product info and purchase it. However, I have come across a problem, which is that my program won't be able to tell which product you have selected, as the number stored in the $id variable will just be the last product it has fetched from the database. I can't differentiate between all the products' buy buttons, so it will be impossible to place an order for a customer with the current system I have. Can anyone tell me how to get the id number of the specific product that a user has selected? I only started learning PHP a month or two ago, so assume I know nothing.

I wrote an update script; how secure do you think it is? By the way, this is an include. The page it is included on stops attacks by making sure the user is logged in.
Code:
function update_file($url, $file) {
    //Get URL content
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    $data = curl_exec($ch);
    curl_close($ch);
    if ($data === false) {
        return; // download failed; do not overwrite the local file with an empty body
    }
    $new_content = $data;
    //Replace with content from URL (whatever came back over plain http is written straight to disk,
    //with no hash or signature check on it)
    file_put_contents($file, $new_content);
    echo $new_content;
}
function get_url($file) {
    $domain = 'http://www.mysite.com/';
    $folder = 'update/';
    $ver = '2.0.1';
    $full_url = $domain.$folder.$ver.'/'; // e.g. http://www.mysite.com/update/2.0.1/
    $fileu = array (
        "functions/update.php" => $full_url."functions/update.txt"
    );
    return $fileu[$file];
}
$files = array (
    'functions/update.php'
);
foreach($files as $file) {
    update_file(get_url($file), $file);
}

The code below allows me to insert articles into my website without having to hard-code them in the home page. Is this code secure? (Someone told me I should use a switch statement instead?!)

Code:
<?php
if (isset($_GET['article'])) {
    // keep only letters, digits, underscore and hyphen (A-Za-z rather than A-z: the A-z range also lets [ \ ] ^ ` through)
    $articleFile = preg_replace('#[^A-Za-z0-9_\-]#', '', $_GET['article']).'.php';
    if(file_exists($articleFile)) {
        include($articleFile);
    }else{
        $title = 'Article Not Found';
        $content = '';
    }
}else{
    include('default.php');
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Dynamic Content Example</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link type="text/css" rel="stylesheet" href="css/pagelayout.css">
<link type="text/css" rel="stylesheet" href="css/dropdown.css">
</head>
<body>
<div id="wrapper" class="clearfix">
<div id="inner">
<div id="header">
<!-- DROP-DOWN MENU -->
<ul id="topMenu">
<li class="current"><a href="?article=article1">Article 1</a></li>
<li><a href="?article=article2">Article 2</a></li>
<li><a href="?article=article3">Article 3</a></li>
<!-- and so on... -->
</ul><!-- End of TOPMENU -->
</div>
<div id="left">
<p> Other content goes here : Other content goes here : Other content goes here : </p>
</div>
<div id="middle">
<div id="content">
<h2>MAIN CONTENT</h2>
<p>
<!-- Dynamically insert Article here using PHP include!! -->
<?php echo $content; ?>
</p>
</div>
</div>
<div id="right">
<p> Advertising goes here : Advertising goes here : Advertising goes here : </p>
</div>
</div>
<div id="l"></div>
<div id="r"></div>
</div>
<div id="footer">
<p>footer</p>
</div>
</body>
</html>

If there is a better way to accomplish the same thing, and/or a more secure way, I would be interested in hearing about it. Thanks, Debbie
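An allowlist-based version of the article router from the last post, added here as an example and not Debbie's own code: the request supplies a key into a fixed map, so no request text ever becomes a filename, and a realpath check confirms the resolved file still sits under the article directory. It assumes a hypothetical layout (PHP 7.1+) where each article lives in articles/<slug>.php and sets $title and $content, as the template above expects.

```php
<?php
// Added example: route ?article= through an explicit allowlist instead of a
// character filter. Assumed (hypothetical) layout: articles/<slug>.php files
// that set $title and $content, plus articles/default.php.
declare(strict_types=1);

// The allowlist is the only thing that decides which file may be included.
const ARTICLES = [
    'article1' => 'article1.php',
    'article2' => 'article2.php',
    'article3' => 'article3.php',
];

function articles_dir(): string
{
    return __DIR__ . DIRECTORY_SEPARATOR . 'articles';
}

/**
 * Map the request slug to a full path, or return null when the slug is not
 * on the allowlist. No parameter at all means the default article.
 */
function resolve_article(?string $slug): ?string
{
    if ($slug === null || $slug === '') {
        return articles_dir() . DIRECTORY_SEPARATOR . 'default.php';
    }
    if (!isset(ARTICLES[$slug])) {
        return null;              // unknown slug: do not guess, do not strip
    }
    return articles_dir() . DIRECTORY_SEPARATOR . ARTICLES[$slug];
}

/**
 * Defense in depth: after symlink and ".." resolution the file must still sit
 * under the articles directory. The allowlist already guarantees this; the
 * check protects against a future edit that adds a bad entry to the map.
 */
function within_articles_dir(string $file): bool
{
    $real = realpath($file);
    $base = realpath(articles_dir());
    if ($real === false || $base === false) {
        return false;             // missing file or directory
    }
    return strpos($real, $base . DIRECTORY_SEPARATOR) === 0;
}

$title   = 'Article Not Found';
$content = '';

// ?article[]=x arrives as an array; anything that is not a plain string is a 404.
$slug = $_GET['article'] ?? null;
$file = (is_string($slug) || $slug === null) ? resolve_article($slug) : null;
if ($file !== null && within_articles_dir($file)) {
    include $file;                // the article file sets $title and $content
} else {
    http_response_code(404);
}
?>
<h2><?php echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'); ?></h2>
<div id="content">
<?php
// $content is author-written HTML from an allowlisted file, so it is echoed
// as-is, exactly as the original template does; $title is plain text and is
// escaped.
echo $content;
?>
</div>
```

Adding a new article means adding one line to ARTICLES and one file under articles/; nothing else on the page changes.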