|
PHP - Using Escape On A Registering Form?
Hi, I have a site where users can register etc. I was wondering should I use mysql_real_escape_string() for the elements on my registration form example email, name and so on or is it no necessary?
One more question could some one tell is this the proper way to use it before inserting into the database. $name=$_POST['name']; mysql_real_escape_string($name) ? Similar Tutorialshey guys just wondering what u think the best way to do this.....on my form registration for users....I have a drop down for countrys....but I dont want to have 2 drop downs 1 for state and 1 for province if they choose canada/usa....I have seen alot of java scrit on such sites where if you choose Canada for country, then it switches to a drop down for just provinces, not states. Same for zip code/postal code...american zip code would be like 90210 where as a postal code would be like n5j2S1. Is there a script or something already I can use with all the countrys/provinces/states etc already entered so im not re-inventing the wheel here? If someone can point me in right directon id appreciate it. Thanks Well I heard that registering $GLOBALS is a bad practice in general since their values can be changed by anyone at anytime. However, the usage of $GLOBALS does simplify the script considerably at times when a certain column in a table needs to be retrieved repeatedly. A good example is user's money data stored in table prefix_users as shown below: Code: [Select] $result = mysql_query( "SELECT * FROM {$prefix}users WHERE uid = '$uid'"); $GLOBALS['usersettings'] = mysql_fetch_array($result); $GLOBALS['money'] = $GLOBALS['usersettings']['money']; If the above code is included in a function file, it will be possible to simply use $GLOBALS['money'] to retrieve user's money data without having to write lines of mysql commands everytime. So I was wondering, is there another way to retrieve database info from a certain column easily but not to register $GLOBALS? Just curious. I have a form where members on my site can update their display name among other things. However, my script is returning the error for if nothing was inputted in the display name input box (members must provide a display name, can't leave that box blank) even though my text input box definitely has a value. The section of my form with the input box: Code: [Select] <tr> <td class='sidebardark' width=40%><b>Display Name</td> <td class='D' width=60%><input type=text name=newdisplayname class='inputtext' value="<? echo $currentname;?>"></td> </tr> And the section in my form-submitted script that has the error that's displaying: Code: [Select] $newdisplay = strip_tags(mysql_real_escape_string($POST['newdisplayname'])); if ($newdisplay == "" || !isset($POST['newdisplayname'])){ errorbox("You must set a display name!"); } Normally I'd think it was a typo on my part but I honestly can't see anything wrong with it. The current display name is showing up just fine in the input box. I asked it to echo $newdisplay above the error box and it echoed nothing so I have to assume it's not passing the variable correctly for some reason. Edit: If it matters, I haven't had any issues with text input boxes on this particular site before. Only this specific one. Hi there I would be most grateful is someone could tell me why my data is not being entered into my database and not responding with an email confirmation link. Thanks in advance. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> </head> <body> <? include('config.php'); // table name $tbl_name="temp_members_db"; // Random confirmation code $confirm_code=md5(uniqid(rand())); // values sent from form $name=$_POST['name']; $email=$_POST['email']; $country=$_POST['country']; // Insert data into database $sql="INSERT INTO $tbl_name(confirm_code,name,email,password,country) VALUES('$confirm_code','$name','$email','$password','$country')"; $result=mysql_query($sql); // if suceesfully inserted data into database, send confirmation link to email if($result){ // ---------------- SEND MAIL FORM ---------------- // send e-mail to ... $to=$email; // Your subject $subject="Your confirmation link here"; // From $header="from: your name <your email>"; // Your message $message="Your Comfirmation link \r\n"; $message.="Click on this link to activate your account \r\n"; $message.="http://www.yourweb.com/confirmation.php?passkey=$confirm_code"; // send email $sentmail = mail($to,$subject,$message,$header); } // if not found else { echo "Not found your email in our database"; } // if your email succesfully sent if($sentmail){ echo "Your Confirmation link Has Been Sent To Your Email Address."; } else { echo "Cannot send Confirmation link to your e-mail address"; } ?> </body> </html> Please help with my register page: http://www.retroandvintage.co.uk/register.php after someone has registered they are stuck on reg_script.php and don't get redirected back to main.php being already logged in?! here is my code: Code: [Select] <?php session_start(); include_once("config.php"); //include_once("functions.php"); require_once('captcha/recaptchalib.php'); $privatekey = "6Ldhhr4SAAAAAKFoL2INOZV0_VuF6_z3OwDjVFNn"; $resp = recaptcha_check_answer ($privatekey, $_SERVER["REMOTE_ADDR"], $_POST["recaptcha_challenge_field"], $_POST["recaptcha_response_field"]); if (!$resp->is_valid) { // What happens when the CAPTCHA was entered incorrectly die ("The reCAPTCHA wasn't entered correctly. Go back and try it again." . "(reCAPTCHA said: " . $resp->error . ")"); } else { // Your code here to handle a successful verification $rsPostCode = $_POST['rsPostCode']; $rsGender = $_POST['rsGender']; $rsUser = $_POST['rsUser']; $rsPass = $_POST['rsPass']; $rsEmail = $_POST['rsEmail']; $rsMobile = $_POST['rsMobile']; $rsAge = $_POST['rsAge']; $sql = "INSERT INTO members_copy (RSPOSTCODE, RSGENDER, RSUSER, RSPASS, RSEMAIL, RSMOBILE, RSAGE) VALUES ('$rsPostCode', '$rsGender', '$rsUser', '$rsPass', '$rsEmail', '$rsMobile', '$rsAge');"; //echo $sql; mysql_query($sql); $ebits = ini_get('error_reporting'); error_reporting($ebits ^ E_NOTICE); /* Login script: This script does the following: Checks that the user is NOT already logged in - if they are they are redirected to the members page by the 'checkLoggedIn()' function. Checks if the login form has been submitted - if so, the 'login' and 'password' fields are checked to ensure they are of the correct format and length. If there are any problems here an error is added to the $messages array and then the script executes the 'doIndex()' function - this function basically outputs the main 'index' page for this script - ie the login form. If there are no problems with the previous step, the 'login' and 'password' field data is passed to the 'checkPass' function to check that an entry exists in the 'users' table for that login/password pair. If nothing is returned from the 'checkPass()' function, an error is added to the $messages array and the 'doIndex()' function is called as above. If a row of data is returned from the 'users' table, the data is passed to the 'cleanMemberSession()' function - which initializes session variables and logs the user in. The user is then forwarded to the members page. If the form hasn't yet been submitted, then the 'doIndex()' function is called and the login page is displayed. */ // Check user not logged in already: checkLoggedIn("no"); // Page title: $title="Member Login Page"; // if $submit variable set, login info submitted: if(isset($_POST["Register"])) { // // Check fields were filled in // // login must be between 4 and 15 chars containing alphanumeric chars only: field_validator("rsUser", $_POST["rsUser"], "alphanumeric", 4, 15); // password must be between 4 and 15 chars - any characters can be used: field_validator("rsPass", $_POST["rsPass"], "string", 4, 15); // if there are $messages, errors were found in validating form data // show the index page (where the messages will be displayed): if($messages){ doIndex(); // note we have to explicity 'exit' from the script, otherwise // the lines below will be processed: exit; } // OK if we got this far the form field data was of the right format; // now check the user/pass pair match those stored in the db: /* If checkPass() is successful (ie the login and password are ok), then $row contains an array of data containing the login name and password of the user. If checkPass() is unsuccessful however, $row will simply contain the value 'false' - and so in that case an error message is stored in the $messages array which will be displayed to the user. */ if( !($row = checkPass($_POST["rsUser"], $_POST["rsPass"])) ) { // login/passwd string not correct, create an error message: $messages[]="Incorrect login/password, try again"; } /* If there are error $messages, errors were found in validating form data above. Call the 'doIndex()' function (which displays the login form) and exit. */ if($messages){ doIndex(); exit; } /* If we got to this point, there were no errors - start a session using the info returned from the db: */ cleanMemberSession($row["rsUser"], $row["rsPass"]); // and finally forward user to members page (populating the session id in the URL): header("Location: main.php"); /* This function displays the default 'index' page for this script. This consists of just a simple login form for the user to submit their username and password. */ } } ?> Hey guys, Just lately I have been trying to start a specific project for myself. I started off by designing the pages etc on HTML, and then a friend of mine helped me convert them to PHP.
At the moment, when a user registers to the site, they only require to enter a Username and Password. I would like to add their email to it too, due to adding slightly extra security. It would also be used for future reasons such as sending emails out etc.
I'm not sure about adding this, I know that most likely it is going to be VERY similar to how it already is, but I couldn't seem to get it to work when I tried.
Ill give the coding which I am using for this below (the documents which I believe would need editing) :
Register.php
<?php
require($_SERVER['DOCUMENT_ROOT'] . '/TruckWorld/includes/config.php');
$sOutput .= '<div id="register-body">';
if (isset($_GET['action'])) {
switch (strtolower($_GET['action'])) {
case 'register':
// If the form was submitted lets try to create the account.
if (isset($_POST['username']) && isset($_POST['password'])) {
if (createAccount($_POST['username'], $_POST['password'])) {
$sOutput .= '<h1>Account Created</h1><br />Your account has been created.
You can now login <a href="login.php">here</a>.';
}else {
// unset the action to display the registration form.
unset($_GET['action']);
}
}else {
$_SESSION['error'] = "Username and or Password was not supplied.";
unset($_GET['action']);
}
break;
}
}
// If the user is logged in display them a message.
if (loggedIn()) {
$sOutput .= '<h2>Already Registered</h2>
You have already registered and are currently logged in as: ' . $_SESSION['username'] . '.
<h4>Would you like to <a href="login.php?action=logout">logout</a>?</h4>
<h4>Would you like to go to <a href="index.php">site index</a>?</h4>';
// If the action is not set, we want to display the registration form
}elseif (!isset($_GET['action'])) {
// incase there was an error
// see if we have a previous username
$sUsername = "";
if (isset($_POST['username'])) {
$sUsername = $_POST['username'];
}
$sError = "";
if (isset($_SESSION['error'])) {
$sError = '<span id="error">' . $_SESSION['error'] . '</span><br />';
}
$sOutput .= '<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Truck World - Register</title>
<!-- Core CSS - Include with every page -->
<link href="css/bootstrap.min.css" rel="stylesheet">
<link href="font-awesome/css/font-awesome.css" rel="stylesheet">
<!-- SB Admin CSS - Include with every page -->
<link href="css/sb-admin.css" rel="stylesheet">
</head>
<body>
<div align=center><img src="images/logintitle.png" alt="LoginTitle" /></div>
<div class="container">
<div class="row">
<div class="col-md-4 col-md-offset-4">
<div class="login-panel panel panel-default">
<div class="panel-heading">
<h3 class="panel-title">Register To Join Truck World!</h3>
</div>
<div class="panel-body">
' . $sError . '
<form name="register" method="post" action="' . $_SERVER['PHP_SELF'] . '?action=register">
<fieldset>
<div class="form-group">
<input class="form-control" placeholder="Username" name="username" type="username" autofocus="">
</div>
<div class="form-group">
<input class="form-control" placeholder="Password" name="password" type="password" value="">
</div>
<div class="form-group">
<input class="form-control" placeholder="Email" name="email" type="email" value="">
</div>
<!-- Change this to a button or input when using this as a form -->
<input type="submit" class="btn btn-lg btn-success btn-block" name="submit" value="Register" />
<a href="login.php"class="btn btn-lg btn-success btn-block">Login</a>
</fieldset>';
}
$sOutput .= '</div>
</div>
</div>
</div>
</div>
<div align=center><h5><small>Copyright - Lewis Pickles 2014 - All Rights Reserved</small></h5></div>
<!-- Core Scripts - Include with every page -->
<script src="js/jquery-1.10.2.js"></script>
<script src="js/bootstrap.min.js"></script>
<script src="js/plugins/metisMenu/jquery.metisMenu.js"></script>
<!-- SB Admin Scripts - Include with every page -->
<script src="js/sb-admin.js"></script>
</body>
</html>
';
// display our output.
echo $sOutput;
?>
Functions.php (Not sure if this would need editing, I think it might, Correct me if I'm wrong)
<?php
function createAccount($pUsername, $pPassword) {
// First check we have data passed in.
if (!empty($pUsername) && !empty($pPassword)) {
$uLen = strlen($pUsername);
$pLen = strlen($pPassword);
// escape the $pUsername to avoid SQL Injections
$eUsername = mysql_real_escape_string($pUsername);
$sql = "SELECT username FROM users WHERE username = '" . $eUsername . "' LIMIT 1";
// Note the use of trigger_error instead of or die.
$query = mysql_query($sql) or trigger_error("Query Failed: " . mysql_error());
// Error checks (Should be explained with the error)
if ($uLen <= 4 || $uLen >= 11) {
$_SESSION['error'] = "Username must be between 4 and 11 characters.";
}elseif ($pLen < 6) {
$_SESSION['error'] = "Password must be longer then 6 characters.";
}elseif (mysql_num_rows($query) == 1) {
$_SESSION['error'] = "Username already exists.";
}else {
// All errors passed lets
// Create our insert SQL by hashing the password and using the escaped Username.
$sql = "INSERT INTO users (`username`, `password`) VALUES ('" . $eUsername . "', '" . hashPassword($pPassword, SALT1, SALT2) . "');";
$query = mysql_query($sql) or trigger_error("Query Failed: " . mysql_error());
if ($query) {
return true;
}
}
}
return false;
}
/***********
string hashPassword (string $pPassword, string $pSalt1, string $pSalt2)
This will create a SHA1 hash of the password
using 2 salts that the user specifies.
************/
function hashPassword($pPassword, $pSalt1="2345#$%@3e", $pSalt2="taesa%#@2%^#") {
return sha1(md5($pSalt2 . $pPassword . $pSalt1));
}
/***********
bool loggedIn
verifies that session data is in tack
and the user is valid for this session.
************/
function loggedIn() {
// check both loggedin and username to verify user.
if (isset($_SESSION['loggedin']) && isset($_SESSION['username'])) {
return true;
}
return false;
}
/***********
bool logoutUser
Log out a user by unsetting the session variable.
************/
function logoutUser() {
// using unset will remove the variable
// and thus logging off the user.
unset($_SESSION['username']);
unset($_SESSION['loggedin']);
return true;
}
/***********
bool validateUser
Attempt to verify that a username / password
combination are valid. If they are it will set
cookies and session data then return true.
If they are not valid it simply returns false.
************/
function validateUser($pUsername, $pPassword) {
// See if the username and password are valid.
$sql = "SELECT username FROM users
WHERE username = '" . mysql_real_escape_string($pUsername) . "' AND password = '" . hashPassword($pPassword, SALT1, SALT2) . "' LIMIT 1";
$query = mysql_query($sql) or trigger_error("Query Failed: " . mysql_error());
// If one row was returned, the user was logged in!
if (mysql_num_rows($query) == 1) {
$row = mysql_fetch_assoc($query);
$_SESSION['username'] = $row['username'];
$_SESSION['loggedin'] = true;
return true;
}
return false;
}
?>
The Database for the email is as follows:
Edited by Lewis2212, 06 August 2014 - 10:20 AM. Hey! Code: [Select] echo "<ol type=\"a"\>";This gives an error, how am I supposed to escape the " " correctly? Hi guys, I think escaping is the correct term, apologies if its not. Could anyone show me how I can escape this so it works? Thanks Code: [Select] echo "[ - <a href="/$dir/game_play.php">Play</a> - ]"; Hello, I was wondering if I need to escape all get values. I often use a $_GET variable as in mypage.php?id=variable to selecting records to view etc. I usually convert this to a variable to be used in a WHERE statement. Code: [Select] IF ($_GET['id']){ $id=$_GET['id']; } But what if someone tried to view all records Quote http://www.mypage.com/page.php?id=0';SELECT%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulted in all content page data being displayed somehow. Or better yet, if visiting Quote http://www.mypage.com/page.php?id=0';DELETE%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulted in all content being deleted. Is that even possible in the in the context of a MySQL WHERE statement? Seems like the MySQL statement wouldn't be structured correctly and wouldn't work. I use mysqli_real_escape_string" on posted content but should I also escape all GET input? I have front page and page for news, and i wonna to set, on front page to show news but only 100 characters, and on news page to be all text, i done that with substr($news, 0, 100); but i have proble, when i have in $news text like this: Code: [Select] Hi everyone. <b>Bold</b>now, subsrt count <b> and </b> like characters, how can i escape that <b> </b>, <u> </u> and other? Hi Chaps, this is really getting my back up as its never happened before...im doing a site on a server im not familiar with and its causing me problems Code: [Select] <? if(isset($_POST['upload'])) { include 'dbconnection.php'; $ttitle = mysql_real_escape_string($_POST['ttitle']); $ttitle2 = mysql_real_escape_string($_POST['ttitle2']); $query = "INSERT INTO test ( ttitle, ttitle2) ". "VALUES ('$ttitle', '$ttitle2' )"; mysql_query($query) or die('Error, query failed : ' . mysql_error()); echo "<br>File uploaded<br>"; } ?> The database table is showing that it includes the backslash in the record, whereas i understood mysql_real_escape_string was oinly used to carry the data, and the backslash wouldn't be uncluded. From the server: PHP.ini file: (ver 5.2.17) magic_quotes_gpc Off Off magic_quotes_runtime Off Off magic_quotes_sybase Off Off Is there something i can do to get this sorted, as i dont want to add stripslashes() throught the site. As with the above, i have some forms with loads of fields, so if there is someway of adding a function that would be great.... thanks in advance I haven't coded HTML or PHP in several years and am trying to get back into it. Seems to me that there were some nifty tricks so that when you were conctenating HTML and PHP you didn't get a birds nest. Maybe it was using something like { } but I don;t recall. I also seem to recall that wisely choosing where to use single (') and double (") quote was key! For example, how could this code be cleaner?
echo '<table id="membershipPlans"> <!-- Column Groups --> <colgroup> <col id="feature">'."\r"; foreach ($plan_names as $p_id => $p_name): echo '<col id="option0'.$p_id.'">'."\r"; endforeach; echo '</colgroup>";
I am having problems understanding how to sanitize my form data so it is safe to INSERT. If I use this code... Quote $trimmed = array_map('trim', $_POST); $body = mysqli_real_escape_string($dbc, $trimmed['body']); And I enter into my form... Quote O'Reilly's book Then I see this in phpMyAdmin... Quote O\'Reilly\'s book --------- If I use this code... Quote $trimmed = array_map('trim', $_POST); $body = $trimmed['body']; And I enter into my form... Quote O'Reilly's book Then I see this in phpMyAdmin... Quote O'Reilly's book Why the strange behavior?? Debbie I've got a basic text input area within a form for users to add a brief bio about themselves. I made sure to use mysql_real_escape_string to avoid problems with special characters. However, when I want to display the content within the text area when a user chooses to update or change their bio, the text displays the escape characters. How do I display data from my db without the user having to deal with the escape characters? Hi, when i submit the form using the following text... -1 OR 1=1) AND 1=(SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@VERSION),1,1)),0)>25),1,2)) that was sent by the hacker in my website i am trying to escape the above and filter it ... am using the mysql_Real_escape_string and trim function.. but nothing escaped... can u give me a suggestion , pls help me My hosts version of php just seems to automatically add the backslashes. Adding the escape string just seems to add like 3 of them rather than 1 Is this command out-of-date? Hello. My client and I are trying to figure out a strange issue with exporting blobs. We are trying to sync a WAMP based databse and local MySQL database. The problem is with blob columns.
The issue: When exporting a blob, the local MySQL dump command inserts an escape character "\" before characters such as NUL, TAB and LF, and I am assuming a lot more. My PHP export function (opens a file, SELECT * FROM tbl, writes to the file) does not do this. The main issue is that my client cannot import my PHP dump files when there are blobs, which I suppose is because they are missing these escape characters. He can however re-import his own MySQL dumps. I know I could remedy by using PHP string replace functions to find each character and insert a '\' before it, but I don't know which characters will need to be escaped. I also feel like there is a more simple solution. For example this is what I have and it worked for a tiny 1 pixel image, but not for something complex:
$val = str_replace(chr('NUL'), '\0', $val);
$val = str_replace(chr(0x9), chr(0x5c).chr(0x9), $val);
$val = str_replace(chr(0xa), chr(0x5c).chr(0xa), $val);
Thanks
I'm using a PHP foreach loop to set Javascript array values from PHP array values The problem is that some of the array values contain double quotes(") so it compromises the JS script. Is there a PHP function that automatically escapes each double quote in a given string? Hello I am having a problem trying to write to a database using mysql real escape so there wont be any injection attacks. I trying using myrealescape and it returns errors: Code: [Select] Notice: Use of undefined constant messageTo - assumed 'messageTo' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 Notice: Use of undefined constant messageSubject - assumed 'messageSubject' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 Notice: Use of undefined constant messageBody - assumed 'messageBody' in D:\wamp\www\Legit Gaming Upload\LGU\includes\mailCompose.php on line 17 I add in the single quotes and it doesn't write either. Dreamweaver says that either single quotes or not there is no syntax errors. What going on? I have used it like this befo ('$ID','" . mysql_real_escape_string($_POST[post_content]) . "') and no problems.. ~AJ <?php require_once('connect.php'); if(isset($_COOKIE['user'])){}else{ header( 'Location: members.php'); } if (isset($_POST['sendBtn'])){ $messageFrom = $_COOKIE['user']; $messageTo = $_POST['messageTo']; $hash = $messageTo.$messageFrom.time(); $hash = md5($hash); mysql_select_db("majik"); $sql="INSERT INTO messagesystem(ID, hash, messageTo, messageFrom, messageSubject, messageBody, messageDate, messageRead, messageDelete) VALUES ('','$hash','" . mysql_real_escape_string($_POST['messageTo']) . "','$messageFrom','" . mysql_real_escape_string($_POST['messageSubject']) . "','" . mysql_real_escape_string($_POST['messageBody']) . "','0','0')"; echo '<center>Your message was sent to: '.$messageTo.'</center>'; } ?> I have never used real escape string so want to make sure I did it correctly. Also, if I can place it anywhere else to make it even more secure please let me know. This is just the action of a just a simple POST html form. Here it is. Code: [Select] <?php require ('staffarea/sql.php'); $showform="false"; $mcid = mysql_real_escape_string($_POST['mcid']); $age = mysql_real_escape_string($_POST['age']); $description = mysql_real_escape_string($_POST['description']); if(!mysql_query("INSERT INTO `somedatabase`.`appsubmissions` (`id`, `username`, `age`, `description`, `status`) VALUES (NULL, '$mcid', '$age', '$description', 'Pending');")) { echo '<div class=blockrow><b><font size=4>Submission Error</font><br /><br />Something went wrong. Contact Staff in the Support Forums and give them this information:<br /><br /></b><font color=red>'; echo mysql_error(); echo "</font>"; echo '<br /><br /><a href="/forumdisplay.php?f=14">Support Forums</a></div>'; } else { $lastID=mysql_insert_id(); echo "<div class=blockrow><font size=3><b>$mcid, Thank You for your Building Application!</b></font><br /><br />"; echo "Your Unique Application ID: <b>", $lastID; echo "</b> (save this so you can check the application status later)<br /><br /> Your application was submitted successfully. Please allow Staff 24 hours to accept or deny your application. If after 48 hours you still do not have building rights, assume the application was denied and re-submit with different information. DO NOT submit an application more than every 48 hours, doing so will get your account banned for spamming.<br /><br /> While waiting, you might check out the <a href=/index.php?pageid=mcguide>Ultimate Guide</a>.</div>"; } mysql_close($con); ?> |
|||||||