|
PHP - Users Posting Html Concerns
Hello,
On my site I am allowing users to post HTML and I'm in the planning phase. I'm already written REGEX to get rid of <script> and <frame> tags, but I have ran into a problem regarding <embed> it seems as though in browsers such as chrome <embed> acts like an <iframe> tag. The problem is that with this sort of behavior users may link to potentially harmful sites like infinite alert boxes ect. How will I bee able to make sure users don't embed websites instead of flash? Alternate Question: Also if I do allow users to include websites, how could I disable alert boxes? Similar TutorialsMy employer asked if I could change an existing contact form on their website to allow clients to enter their Social Security Number along with the normal contact information if the client decide to do so, instead of going through the motion of physically send in the form via snail mail, fax, or in person (like it is currently handled). But since this piece of information is of such delicate nature, I wonder how I should approach this from both a legal standpoint and from a programming standpoint. The form currently sends the information entered by the user to an inbox with mail(), so my initial thought was to somehow encrypt the information, limiting the risk of someone getting a hold of this information once the use user clicks "Send". But is full blown SSL really necessary for this? Are there easier options? And what should I think about before enabling this? I have a file on my server that I will stream to the browser: header( "Content-Description: File Transfer" ); header( "Content-Type: application/force-download"); header( "Content-Length: " . filesize( $filename ) ); header( "Content-Disposition: attachment; filename=$filename"); readfile( $filename ); $filename is going to be in a location that's not publicly available (there's no URL to it, as it's on the server, and not within public_html or subdirectories). Any safety concerns here? Basically, I'm just curious if a user has any way to steal the file or otherwise access the directory. I don't think so, but I'm just tossing this out here as a general discussion. Thanks! Hi friends,
Another security issue but this time its regarding outputting data from a DB to a browser. Please have a look at the code below which displays some output fetched from a DB and sends it to a browser.
1. If I just wish to display this output on a screen and not provide the user with any buttons or hyperlinks to interact with the information, would I still need to sanitize the output before echoing it to the screen ?
2. If I was to make at least one of the fields a hyperlink, so that I could then display some related information on another webpage, what security concerns would I need to address in my code?
3. If I was to add a button against each of these records, on each row, and then select some related information on another webpage after processing the button handler, what would be the security concerns that I should address for the code below.
Thanks very much.
<table>
<tr>
<th> S.No. </th>
<th> Name </th>
<th> Age </th>
<th> City </th>
<th> Cell </th>
<th> Email</th>
</tr>
<?php
$cnt = 1;
while ($row = mysqli_fetch_array($result, MYSQLI_ASSOC))
{
echo "<tr>";
echo "<td>".$cnt++."</td>";
echo "<td>".$row['Name']. "</td>";
echo "<td>".$row['Age']. "</td>";
echo "<td>".$row['City']. "</td>";
echo "<td>".$row['Cell']. "</td>";
echo "<td>".$row['Email']. "</td>";
echo "</tr>";
}
?>
</table>
hi, I'm working with a script I've written (with a *lot* of help!!) I'm trying to get the results of a db search to be displayed in a html table, with a row for each result. I'm almost there, I've got 1 glitch and 1 cosmetic issue I can't resolve with the below script, any help would be greatly appreciated!! 1. the table displays the entire contents of the db before it is filtered through the search, I think this has something to do with the $num=mysql_numrows($result); expression, but I'm not sure how to fix it 2. I'd like the last column of the table to be about twice as wide as the others, as it contains a lot of free text, would I have to set the length of each column in order to do this or is there a shorthand way? the current script is: <form method="post" name="Search" action="test2.php"> <input type="text" name="name" autocomplete="OFF" /> <input value="Search" type="submit" name="Search" /> <input value="yes" type="hidden" name="submitted" /> </form> <?php if($_POST['submitted'] == 'yes') $username="*****"; $password="*****"; $database="*****"; $server="localhost"; $db_handle = mysql_connect($server, $user_name, $password); $db_found = mysql_select_db($database, $db_handle) or die( "Unable to select database"); $query="SELECT * FROM ***** WHERE surname LIKE '" . mysql_real_escape_string($_POST['name']) . "%'"; $result=mysql_query($query) or die ('<br>Query string: ' . $SQL . '<br>Produced error: ' . mysql_error() . '<br>'); if (mysql_num_rows($result) == 0) { echo "No results found"; exit; } $num=mysql_numrows($result); $fields_num = mysql_num_fields($result); echo "<h1>Table: {$table}</h1>"; echo "<table border='1'><tr>"; for($i=0; $i<$fields_num; $i++) { $field = mysql_fetch_field($result); echo "<td>{$field->name}</td>"; } echo "</tr>\n"; while($row = mysql_fetch_row($result)){ echo "<tr>"; foreach($row as $cell) echo "<td>$cell</td>"; echo "</tr>\n"; } mysql_free_result($result); mysql_close($db_handle); ?> Just a heads up, my OOP skills are in development so sorry for the roughness of things...(any tips always appreciated!) I'm basically making my own little repository site that will have snippets (for quick copy paste anywhere) (I know there are other services, but mine is a little different and needs to be private). I'll try to just post the necessary code: HTML trying to pass: Code: [Select] <p><br /><span class="something">Hey buddy</span></p> Javascript/JQuery: Code: [Select] //send info $.ajaxFileUpload({ url:'./upload_zip.php', secureuri:false, fileElementId:'form_zip', dataType: 'json', data: {... 'description': htmlEntities($('#modularContent form textarea[name="description"]').val())...}, success:function(data, status){ var html = ... html+= ...'<div class="description"><p>'+data.description+'<br /><br />';... $('#list').append(html); ... $('#modularOverlay,#modularContent').remove(); }, error:function(data, status, e){ alert(e); } ... function htmlEntities(str) { return String(str).replace(/&/g, '&').replace(/</g, '<').replace(/>/g, '>').replace(/"/g, '"'); } //found via: http://css-tricks.com/snippets/javascript/htmlentities-for-javascript/ PHP: Code: [Select] <?php //Start object and modify initial values public function __construct($title,$description,$url,$snippet){ ... if($this->snippet == 'yes'){ $this->handle_snippet(); } } public function handle_snippet(){ $code = htmlentities($this->description, ENT_QUOTES | ENT_IGNORE, 'UTF-8',false); $this->description = $code; } //returning value public function getJSON($action){ //temp fix for js breaking if remove_tag_ids is empty/null if(empty($this->remove_tag_ids)){ $this->remove_tag_ids = 'null'; } if($this->snippet == 'yes'){ $this->description = stripslashes($this->description); } switch($action){ case 'delete': //not important default: $json = array(...'description'=>$this->description...); break; return $json; } ?> POST Value: (via firebug) Code: [Select] description: <p><br /><span class="something">Hey buddy</span></p> JSON Return value: (via firebug) Code: [Select] description: <p><br /><span class="something">Hey buddy</span></p> DB value: Code: [Select] <p><br /><span class=\"something\">Hey buddy</span></p> As far as error, I have no idea what the error is haha. It does not get through to the error code cause the plugin tosses an error b4 that (using an ajaxUpload plugin http://www.phpletter.com/Our-Projects/AjaxFileUpload/, (this does not affect the upload, it uploads just fine, but it tosses an error for some reason)). Anyone have any insights/ideas? Thanks for any and all help, Justin Hi, I have two html made text boxes one that is called "name" and another that is called "regnum". I also have a submit button. They are both used to add data to a database. The name text box should add a name to the database under the "name" heading and the regnum should add a number under the "regnum" heading Here is the code for them: HTML Code: <form action="" method="post"> <p> Name: <input type="text" name="name"/> </p> <p> Regnum: <input type="text" name="regnum"/> </p> <p> <input type="submit" value="Add To Database" name = "submit2" /> </p> </form> Here is the PHP code that i am using for adding the user to the database: PHP Code: $host="localhost"; $username="root"; $password=""; $database="lab2"; mysql_connect("$host", "$username", "$password") or die(mysql_error()); mysql_select_db("$database") or die(mysql_error()); $name = $_POST['name']; $regnum = $_POST['regnum']; if(!$_POST['submit2']){ echo "Enter A Vaue"; }else{ mysql_query("INSERT INTO lab2('name', 'regnum') VALUES(NULL, '$name', '$regnum')") or die(mysql_error()); echo "User Added To Database"; } The problem i get with this is "Undefined Index name and regnum". I watched a video on youtube and this is how the guy did it but it worked for him and for some reason it doesn't work for me. Can anyone help?? Thanks. Hello
I am trying to work out how many regular users I have to my site and how long those users tend to be users..
So, I have a table that logs every time a user visits my site and logs in, it stores the date / time as a unix timestamp and it logs their user id.
I started by getting the id's of any user who logs in more than 5 times in a specified period, but now I want to extend that...
SELECT userID as user, count(userID) as logins FROM login_history where timestamp > UNIX_TIMESTAMP('2014-06-01 00:00:00') and timestamp < UNIX_TIMESTAMP('2014-07-01 00:00:00') group by user having logins > 5;
Hi all, I have an html form that sends formdata to a php script called example.php with the POST method. example.php then has the following structu Code: [Select] <?php if(isset($_POST['var1'])) {$var1 = $_POST['var1'];} else {$var1 = 'English';} if(isset($_POST['var2'])) {$var2 = $_POST['var2'];} else {$var2 = 'French';} print" <html> <body> <form> <select id='select1'> <option>var1</option> <option>var2</option> <option>etc...</option> </select> <input type='text' id='input1'> ETC. ETC. </form> </body> </html> "; ?> So example.php has an embedded html form. How do I specify that some elements of the form should take their values from the variables retrieved at the start of the script via the POST command? For example, I want select1 to have 'var1' pre-selected and I want input1 to display var2. var1 & var2 get sent through to example.php fine, I just don't know how to get the embedded html form to use them. Please help! Thanks a lot. I just discovered that I have a major security flaw with my website. Anyone who logs in to the website can easily access other users information as well as delete and edit other users information just by changing the ID variable in the address bar. I have user ID Session started on these pages but still people can do anything they like with other users information just by editing the address bar. For example if your logged in in the address bar of www.mywebsite.com/delete_mystuff.php?id=5 and change the "5" say to a "9" then you will have access to user#9 information. Every important page that I have has this code: Code: [Select] session_start(); if (!isset($_SESSION['user_id'])) { // Start defining the URL. $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']); // Check for a trailing slash. if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) { $url = substr ($url, 0, -1); // Chop off the slash. } // Add the page. $url .= '/index.php'; ob_end_clean(); // Delete the buffer. header("Location: $url"); exit(); // Quit the script. } else { //Else If Logged In Run The Script if((isset($_GET['id'])) && (is_numeric($_GET['id']))) { $id = (int) $_GET['id']; } elseif ((isset($_POST['id'])) && (is_numeric($_POST['id']))) { $id = (int) $_POST['id']; } else { echo ' No valid ID found, passed in url or form element'; exit(); } What am I doing wrong? Please help if you know how to correct this. Many thanks in advance. i'm doing a form that posts values to XML, and i don't know how. can someone help me with a quick lesson in passing variables/XML data? i don't even know what question to ask, actually - the XML format i've been given is: Code: [Select] <?xml version="1.0" encoding="UTF-8"?> <lead> <innerNode></innerNode> <last_name>Smith</last_name> <first_name>John</first_name> </lead> and what i've come up with so far is this, but i don't even know if i'm on the right track: Code: [Select] $last_name = $_REQUEST['l_name']; $first_name = $_REQUEST['f_name']; $url = "http://url.com/leads"; $post_string = '<?xml version="1.0" encoding="UTF-8"?> <lead> <innerNode></innerNode> <last_name>'.$last_name.'</last_name> <first_name>'.$first_name.'</first_name> </lead>'; $header = "POST HTTP/1.0 \r\n"; $header .= "Content-type: text/xml \r\n"; $header .= "Content-length: ".strlen($post_string)." \r\n"; $header .= "Content-transfer-encoding: text \r\n"; $header .= "Connection: close \r\n\r\n"; $header = $post_string; $ch = curl_init(); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); curl_setopt($ch, CURLOPT_URL,$url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_TIMEOUT, 4); curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $header); $data = curl_exec($ch); if(curl_errno($ch)) { print curl_error($ch); } else { echo "yay"; curl_close($ch); } i'm being told "should return a response.xml with either a success or failure post status." which is confusing me can someone help a bit? thanks very much... GN TWO questions: I haven't actually CONNECTED and POSTED. My form has two input fields that combine in a TOTAL field. I notice that the address bar is carrying TOTAL=input1+input2 when it TRIES to connect. Do I need to include the TOTAL field in the database if the info is NOT relavant data? the strg and chick TOTALS? Will the database accept PARTIAL data from a form that has 25 field with only 6 being populated for testing? the code is in a form whose method = "post". i have failed to echo $r_in. i eed help on this. $lowest_time = 30 - 14; $adder = 2*5*9; echo '<table width="526" border="0"><tr> <td width="169"> <input type="text" name="$r_in" value="'.$lowest_time.'" style="width:169px" readonly="readonly" class="text_non_color"/></td> <td width="169"> <input type="text" name="$r_out" value="'.$adder.'" style="width:169px" readonly="readonly" class="text_non_color"/></td> </tr></table>'; I have an issue with my script, the date for some reason stopped posting after I changed the format in the date() section, I wanted it to post so it shows month-day-year, and it seems for some reason all it accepts is Y-m-d... Can someone help me out here please? Code: [Select] <?php require_once('connectvars.php'); if (isset($_POST['submit'])) { // Connect to the database $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME); $PO_Date = date('MM "/" DD "/" YY',strtotime($_POST['PO_Date'])); $query = "INSERT INTO ncmr (PO_Date) VALUES ('$PO_Date')"; mysqli_query($dbc, $query); // Confirm success with the user echo '<p>The date have been successfully entered</p>'; mysqli_close($dbc); // Clear the score data to clear the form $PO_Date = ""; } echo'<form form id="all" method="post">'; echo '<div id="abd"><span class="b">On: </span><input type="text" name="Added_By_Date" value="" /></div>'; echo '<div id="button"><input type="submit" value="Submit Edits" name="submit" /></div>'; echo '</form>' ?> Hi guys, I have a list box. say the code is Code: [Select] <select name="drop1" id="Select1" size="4" multiple="multiple"> <option value="1">item 1</option> <option value="2">item 2</option> <option value="3">item 3</option> <option value="4">item 4</option> <option value="0">All</option> </select> The user will select few items. How do i capture the data through the "POST" method. Code: [Select] $data = $_POST['drop']; would not work coz there is an array if data. Can any one help or point me in the right direction? Thanks in advance can anyone help me as to whay I get this error: Problem with the query: INSERT INTO options (item_id, option ) VALUES('1', 'hi' ) You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'option ) VALUES('1', 'hi' )' at line 1 with this code: Code: [Select] foreach($_POST["user"] AS $key => $val) { $user = $val; $id1 = $_POST['id1'][$key]; $sql = "INSERT INTO options (item_id, option ) VALUES('$id1', '$user' )"; $rs = mysql_query($sql) or die ("Problem with the query: $sql <br />" . mysql_error()); } Code: [Select] <input type="checkbox" name="yes" id="checkme" /><div id = "extra"> <div id="user"> Enter User Names:<br> <input type="text" name="user[]"/><br></div> <div id="add_user" style="display: none;"><input type="text" name="user[]"/> Is there anyway to do this: my form is posting to self, then checking login creds. if they are incorrect it spits out "invaild bla bla" but if they are correct send them to a different page? here is the short version of what I have. if(isset($_POST['submit'])) { //check inputs vs db if ($check) { header("Location: http://". $_SERVER['SERVER_NAME']."/include/process_renew.php"); } else { echo "<font color='red'>Username or Password did not match.</font> <br /><br />"; } } } I tested it using echo first and it worked fine then replaced the echo with header and now when I submit it just refreshes the page. is this not possible? i am basically trying to retrieve the response of a chatbot from mysql database with query below. As i run script i don't get any error from the server but it seems the post doesn't take $data2 which is an array that includes the keys "user_id" and "text" that are normally accepted (eg: $dmessage->post('direct_messages/new/wrap_links=true', 'text'->'example', '12345'); As result of the above i can't post to Twitter the chatobot response as the recipient (my other twitter account) doesn't get the answer...what do you think? Code: [Select] include_once ('connect.php'); connect_to_database(); $query2 = mysql_query ("SELECT response FROM conversation_log WHERE id = (SELECT MAX(id) FROM conversation_log)") or die (mysql_error()); $row = mysql_fetch_row($query2); $response = $row[0]; //this is the array with the parameters to be used to send bot responses via Twitter API. It normally takes $data2 = array("text"=>"$response" , "user_id"=> "$userid"); //this modifies the array values with response e userid fields $data2["text"] = "$response"; $data2["user_id"] = "$userid"; require_once('config_oauth.php'); // includes the applications Oauth keys require_once($_SERVER['DOCUMENT_ROOT'].'Program-O/gui/xml/oauth/twitteroauth.php'); //Full path to twitteroauth.php library $dmessage = new TwitterOAuth($consumer_key,$consumer_secret, $oAuthToken, $oAuthSecret); // create new instance with the credentials //sends the bot response via Twitter API by going through the array $data2 $dmessage->post('direct_messages/new/wrap_links=true', $data2); hello, i have a while loop that displays multiple tables of data depending on how many are in the database... i have a link if you click it will redirect to another page that prompts you to save an xls file with the table data... this was all working for me before when i had the while loop display rows of data in one table...well i decided that i would like the while loop to display a separate table each time... when i changed it... the xls file only shows one table of data... how can i set up so it will export all tables of data... is there some kind of loop i can set up for it to append the tables?? i have the table data all in a variable $table which i put into a hidden form field that redirects to the xls export page.... any help is appreciated... <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <title>Admin</title> </head> <body> <?php $sql= mysql_query("SELECT * FROM programs") or die (mysql_error()); while($row = mysql_fetch_array($sql)){ $table = "<table border='1' width='600' style='border-collapse:collapse;'>" . "<th colspan='4'>Programs</th>" . "<tr>" . "<td>ID</td>" . "<td>Views</td>" . "<td>Enabled</td>" . "</tr>"; $prog_titles = $row['titles']; $prog_titles = explode(',' , $prog_titles); $table .= "<tr>" . "<td>".$row['id']. "</td>" . "<td>".$row['views']. "</td>" . "<td>".$row['enabled']. "</td>" . "<td></td>" . "</tr>" . "<tr>" . "<td>Title ID</td>" . "<td>Name</td>" . "<td>Description</td>" . "<td>Image</td>" . "</tr>" ; foreach ( $prog_titles as $title ) { $sql2= mysql_query("SELECT * FROM titles WHERE title = '$title' "); $row2 = mysql_fetch_array($sql2); $table .= "<tr>" . "<td>" . $row2['id'] . "</td>" . "<td>" . $row2['title'] . "</td>" . "<td>" . $row2['description'] . "</td>" . "<td>". "<img width='50px' src='images/" . $row2['img'] . "'/></td>" . "</tr>" ; } // close foreach $table .= "</table>"; echo $table; echo "<br /><br /><br />"; } // close while ?> <br /> <br /> <FORM action="export.php"> <INPUT type="submit" value="Export to XLS"> <INPUT type="hidden" value="<?php print $table;?>" name="export"> </FORM> </body> </html> I am working on a PHP/MySQL authorization script. The script seems to work initially, but when I try to Login and post the Form ( echo '<form method="post" action=authorize_1.php">'; echo '<table>'; echo '<tr><td>Userid:</td>'; echo '<td><input type="text" name="userid"></td></tr>'; echo '<tr><td>Password:</td>'; echo '<td><input type="password" name="password"></td></tr>'; echo '<tr><td colspan="2" align="center">'; echo '<input type="submit" value="Log in"></td></tr>'; echo '</table></form>'; ) Internet Explorer returns the error that the page is not found.... but I am using one .php file for the authorization so I am sure the page is found because i can see the Login portion. Any ideas as to what is going wrong? I have this code with clears the input box onclick... Code: [Select] <input type="text" name="username" value="Username" onclick="value=''"/> however is there any way to use php to get the value of username, before its posted? that way i can make it so it only clears if the value of username is "username" |
|||||||