|
PHP - Making Admin Form Safe
Several months ago I created an "Add an Article" form to create articles for my website.
Just now it dawned on me that this is really insecure, because if someone happened to know that my form was located at... Code: [Select] http://local.dev3/create_article.php ...then they could insert things into my database?! What are some things I can do to make this back-end, admin form secure and out of the hands of hackers? Thanks, Debbie Similar TutorialsI am building an XML string to send to another server. The manual I am going off of says, Quote NOTE: * XML has a special set of characters that cannot be used in normal XML strings. These characters a Special Character Equivalent & & < < > > " " ' ' It goes on to say... Quote # To avoid problems with special characters, URLEncode special characters (example: ~ ! @ # % ^ &) before sending to the IS Gateway # If you are using POST method, UTF-8 encoding must be used. I am unsure of what to do based on the information above?! It looks like I might want to use urlencode?? Also, maybe I need either htmlentities (or possibly htmlspecialchars)?? Please enlighten me (and help protect my data)!! Thanks, Debbie I am using seo friendly urls so when someone makes a post named "this is a post" the url will point to www.example.com/topic/this_is_a_post But when the user enters a character in their post name that means something in a url(? /) it obviously breaks. How can i make the urls safe from this without str_replace as i want to keep the characters. I am trying to make an admin page for a client using the rich text editor CKeditor. I have the standard page set up to get it's content with a php include of an html file. This html files is also used to preload the content into the CKeditor. What I need to know is how to get the CKeditor to change the html file so it will load into the page. The admin page is located at www.wisconsincrosscountry.org/admin the html content is located at www.wisconsincrosscountry.org/phpContent/Content-test.html the page that the changes should appear on www.wisconsincrosscountry.org/testing.php I don't have much experience in php, so any help is greatly appreciated. Hey guys, I'm kind of a n00b with PHP and i'm trying to practice by building a mock e-comm site, but i'm having a problem with my admin login form. When the information is submitted the form just clears and doesn't redirect me to the index.php file i have set-up. My knowledge of php isn't where i'd like it to be yet, so i'm here for help! I'll post the code for bpoth the admin login page and the index.php file. ADMIN LOGIN PAGE | | V <?php session_start(); if (isset($_SESSION["username"])) { header("location: index.php"); exit(); } ?> <?php if (isset($_POST["username"]) && isset($_POST["password"])){ $username = $_POST["username"]; // filter everything but numbers and letters $password = $_POST["password"]; // filter everything but numbers and letters include "../storescripts/connect_to_mysql.php"; $sql = mysql_query("SELECT id FROM admin WHERE username='$username' AND password='$password' LIMIT 1"); $existCount = mysql_num_rows($sql); // count the row nums if ($existCount == 1) { // evaluate the count while($row = mysql_fetch_array($sql)){ $id = $row["id"]; } $_SESSION["id"] = $id; $_SESSION["username"] = $username; $_SESSION["password"] = $password; header("location: index.php"); exit(); } else { echo 'That information is incorrect, try again <a href="index.php">Click Here</a>'; exit(); } } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Store Admin Area</title> <link rel="stylesheet" type="text/css" href="../css/main_style.css" /> </head> <body> <div id="wrapper"> <div id="text"><br /> <div align="left" style="margin-left:100px; margin-top:100px;"> <h2>Please Login To Manage The Store</h2> <br /><br /> <form id="form1" name="form1" method="post" action="admin_login.php"> <strong>Username</strong> <input name="username" type="text" id="username" size="40" /> <br /><br /> <strong>Password</strong> <input name="password" type="password" id="password" size="40" /> <br /> <br /> <input type="submit" name="button" id="button" value="Login" /> </form> </div> </div><!--closes wrapper--> </body> </html> INDEX.PHP FILE | | V <?php session_start(); if (!isset($_SESSION["username"])) { header("location: admin_login.php"); exit(); } $usernameID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]); $username = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["username"]); $password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]); include "../storescripts/connect_to_mysql.php"; $sql = mysql_query("SELECT * FROM admin WHERE id='$usernameID' AND username='$username' AND password='$password' LIMIT 1"); // query the person $existCount = mysql_num_rows($sql); // count the row nums if ($existCount == 0) { // evaluate the count echo "Your login session data is not on record in the database."; exit(); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Store Admin Area</title> <link rel="stylesheet" type="text/css" href="../css/main_style.css" /> </head> <body> <div id="wrapper"> <div id="text"><br /> <div align="left" style="margin-left:100px; margin-top:100px;"> <h2>Hello store manager, what would you like to do today?</h2> <p><a href="inventory_list.php">Manage Inventory</a><br /> <a href="#">Manage Blah Blah </a></p> </div> <br /> <br /> <br /> </div><!--closes wrapper--> </body> </html> Any help and suggestions are greatly appreciated! Thanks! Login.php Code: [Select] <?php mysql_connect("localhost","root") or die(mysql_error()); mysql_select_db("Regis") or die(mysql_error()); if (isset($_POST["sub"])) { $_POST['pass'] = md5($_POST['pass']); if (!get_magic_quotes_gpc()) { $_POST['username'] = addslashes($_POST['username']); $_POST['pass'] = addslashes($_POST['pass']); } $usercheck = $_POST["username"]; $check = mysql_query("SELECT username FROM registration WHERE username = '$usercheck'") or die(mysql_error()); $check2 = mysql_num_rows($check); //if the name exists it gives an error if ($check2 != 0) { echo("<SCRIPT LANGUAGE='JavaScript'>window.alert('Sorry, the username" ." ".$usercheck." ". "is already in use.')</SCRIPT>"); echo ("<SCRIPT LANGUAGE='JavaScript'>setTimeOut(window.location = 'registration.php',1)</script>"); } else if($_POST['username'] && $_POST['pass'] && $_POST['pass2'] ) { $insert = "INSERT INTO registration (username, password) VALUES ('".$_POST['username']."', '".$_POST['pass']."')"; $add_member = mysql_query($insert); echo("<SCRIPT LANGUAGE='JavaScript'>window.alert('Registration had been succesfully added :)')</SCRIPT>"); } } ?> <html> <head> <script type="text/javascript"> function a() { var x = document.login.username.value; var y = document.login.pass.value; if(x==""&& y=="") { alert("Please insert all message!"); return false; } if(x=="") { alert("Please insert an username!"); return false; } if(y=="") { alert("Please insert an password!"); return false; } } </script> </head> <body> <table border="0"> <form name="login" method="post" action="form2.php" onsubmit="return a()"> <tr><td colspan=2><h1>Login</h1></td></tr> <tr><td>Username:</td> <td><input type="text" name="username" maxlength="40"></td></tr> <tr><td>Password:</td> <td><input type="password" name="pass" maxlength="50"></td></tr> <tr><td><input type="submit" name="submit" value="Register"></a></td> <td><input type="submit" name="submit" value="Login"></td></tr> </form> </body></html> form2.php Code: [Select] <?php mysql_connect("localhost","root") or die(mysql_error()); mysql_select_db("cute") or die(mysql_error()); $message=$_POST['message']; $n=$_POST['username']; if(isset($_POST['submit'])) //if submit button push has been detected { if(strlen($message)>1) { $message=strip_tags($message); $IP=$_SERVER["REMOTE_ADDR"]; //grabs poster's IP $checkforbanned="SELECT IP from ipbans where IP='$IP'"; $checkforbanned2=mysql_query($checkforbanned) or die("Could not check for banned IPS"); if(mysql_num_rows($checkforbanned2)>0) //IP is in the banned list { print "You IP is banned from posting."; } else { $thedate = date("U"); //grab date and time of the post $insertmessage="INSERT into chatmessages (name,IP,postime,message) values('$n','$IP','$thedate','$message')"; mysql_query($insertmessage) or die("Could not insert message"); } } } ?> <html> <head> <script type="text/javascript"> function addsmiley(code) { var pretext = document.smile.message.value; this.code = code; document.smile.message.value = pretext + code; } function a() { var x = document.smile.message.value; if(x=="") { alert("Please insert an message!"); return false; } } </script> <style type="text/css"> body{ background-color: #d8da3d } </style> </head> <body> <form name="smile" method="post" action="form2.php" onSubmit="return a()" > Your message:<br><textarea name='message' cols='40' rows='2'></textarea><br> <img src="smile.gif" alt=":)" onClick="addsmiley(':)')" style="cursor:pointer;border:0" /> <img src="blush.gif" alt=":)" onClick="addsmiley('*blush*')" style="cursor:pointer;border:0" /> <input type="hidden" name="username" value="<?php echo $n;?>"> <input type='submit' name='submit' value='Send' class='biasa' ></form> <br> <br> </body> </html> My problem is in login.php in form section, can one form can be used user or admin because just now im doing is for user if user login it goes to form2.php but im want also in the same form if admin the form post to form3.php any way to do that thank you the form results are being sent to the selected email address in the array ... but I need a copy sent to the admin email address as well. before adding the array addresses ... the forms results were being sent to the admin, but after adding the array ... the admin address is out of the loop. How do I get the admin@home.com address to receive a copy of the forms results? I'm not sure if it needs to be a Bcc or what? Thanks in advance. _________________________________________________ _______________________________________ $to = $_POST["to"]; if(!in_array($to,array("ian@elsewhere.com","adam@elsewhere.com","keith@elsewhere.com","sue@elsewhere.com","mark@elsewhere.com","scott@elsewhere.com","joyce@elsewhere.com","joe@elsewhere.com","ken@elsewhere.com","info@elsewhere.com"))) $to = "admin@home.com"; $subject = "Order"; The table is: next next_id id 0 2 1 1 3 2 0 4 3 0 1 4 The form: <?php include 'dbc.php'; page_protect(); if(!checkAdmin()) { header("Location: login.php"); exit(); } if($_POST['doSubmit'] == 'Create') { list($next_id) = mysql_fetch_row(mysql_query("select next_id from users where id='$id'")); mysql_query("update users set approved='1' where id='$id'"); mysql_query("update users set next='1' where id='$next_id'"); mysql_query("update users set next='0' where id='$id'"); list($to_email) = mysql_fetch_row(mysql_query("select user_email from users where id='$id'")); $ret = $_SERVER['PHP_SELF'] . '?'.$_POST['query_str']; header("Location: $ret"); exit(); $message = "Hello \n "; @mail($to_email, "Aaaaack", $message, "From: \"Lobo\" <auto-reply@$host>\r\n" . "X-Mailer: PHP/" . phpversion()); } ?> Code: [Select] <html> <body> <table width="80%" border="0" cellpadding="5" cellspacing="2" class="myaccount"> <tr> <td>i<form name="form1" method="post" action="form.php"> <input name="doSubmit" type="submit" id="doSubmit" value="Create"> </p> </form> </td> </tr> </table> </body></html> I am sorry if this is posted in the wrong place! Here to learn. Thank you for any clues! hello. I need your help please. I'm building logistics website with user panel and admin panel. I've done all login and register forms. now I want to : admin can add package with: tracking number , weight , cost , and declaration form. user can fill declaration form after admin add package to user panel. then admin can see the declared form. is it possible in php? thank you in advance hi i need help an idea how can i separate members from admins since i dont know how to create login form i used tutorial ( http://www.youtube.com/watch?v=4oSCuEtxRK8 ) (its session login form only that i made it work other tutorials wre too old or something) how what i want to do is separate members and admins because admin need more rights to do now i have idea but dont know will it work like that what i want to do is create additional row in table named it flag and create 0 (inactive user) 1 (member) 2 (admin) will that work? and how can i create different navigation bars for users and admins? do you recommend that i use different folders to create it or just script based on session and flag? Hello, I am trying to make a captcha, but having some trouble My code matches the tutorial I'm following, the 1st screenshot is the captcha.php file, the 2nd is the captcha_generate.php file, and the 3rd is the result in My browser, I am using firefox and linuxmint 10, with apache2 php5 and GD installed, any Help will be greatly appreciated!!!!! thanx GOD BLESS!!! [attachment deleted by admin] I've been trying to make my contact form engine mandatory for the name, phone number and email fields, but when I upload it on the ftp and test it, I keep getting errors. Here's the code I have that is working without the fields being mandatory: <?php $EmailFrom = "example@gmail.com"; $EmailTo = "example@gmail.com"; $EmailTo = "example@gmail.com"; $EmailTo = "example@gmail.com"; $Subject = "New Lead!!!"; $Name = Trim(stripslashes($_POST['Name'])); $Phone_Number = Trim(stripslashes($_POST['Phone_Number'])); $Email = Trim(stripslashes($_POST['Email'])); $Message = Trim(stripslashes($_POST['Message'])); // validation $validationOK=true; if (!$validationOK) { print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">"; exit; } // prepare email body text $Body = ""; $Body .= "Name: "; $Body .= $Name; $Body .= "\n"; $Body .= "Phone Number: "; $Body .= $Phone_Number; $Body .= "\n"; $Body .= "Email: "; $Body .= $Email; $Body .= "\n"; $Body .= "Message: "; $Body .= $Message; $Body .= "\n"; // send email $success = mail($EmailTo, $Subject, $Body, "From: <$EmailFrom>"); // redirect to success page if ($success) {//&& ($Phone_Number != "" || $Email != "") { print "<meta http-equiv=\"refresh\" content=\"0;URL=contactthanks.php\">"; } else{ print "<meta http-equiv=\"refresh\" content=\"0;URL=error.htm\">"; } ?> I would like it to return something that says: "Enter Your Name/Phone Number/Email" corresponding to the appropriate field they didn't fill out. Thanks for any input you can provide! Hopefully the title fits this well enough. I am having trouble explaining my idea in words and therefore am having trouble researching what I would like to do. First off, let me say that I only have the most basic understanding of web development knowledge. I can usually look stuff up and hack stuff together and make it work. I am sure none of is done very efficiently, but as long as it works I am happy. This project started off as a simple idea. I have a list of events on my page. When clicking on an event, I want it to open up a page to the right with a signup form and a "table" displaying the sign-ups. Seemed easy enough. Originally I was going to use Google Docs to accomplish this all. An embedded calendar with the events at the left. When clicking on the event it opened up the desired event page in an <iframe> to the right. Inside of that there would have been an embedded Docs form which exports the data to a docs spreadsheet. To the right of the form, the docs Spreadsheet would have been embedded. In my head this works, and on paper it works. However, when trying to embed two Google elements, one would break. Even if I had one on the page, and one embedded on a page that was being displayed via <iframe>. You can see this here, www.leagues.simrigs.com , I stopped mid way through when I realized it wasn't going to work. Anyway, so now I want to lose the whole Google aspect completely. I will have off to the left, nicely styled image "button" links to each event page. I still want the pages to open in an <iframe> off to the right. This is simple enough I want to keep it all within the same page. This part is easy enough for me. The part I am having trouble with now is the form and spreadsheet part. I can manage making the signup form. After that I am lost. I need to have this input data logged somewhere, sorted into a sensible manor, and then displayed on the page next to where they signed up. Hopefully this makes some sort of sense. It works in my mind, I just don't know how to describe it. If need be, I can do a little photoshop mockup on what I am looking for. Thanks in advance. Hi, I'm trying to make a form that will submit a customers order into my database. The form it self is no problem and posting it to the database that part I can do, but I want this form to find existing posts in my database as the user inputs information. As an example if I add an ordrer for a customer ordering item numberr "1234" the form will search for item numberr "1234" and print it back to the form before the user submit the form, like "auto finish" the form. So in other words it will search the database "on the fly" for this item and fill it in. Could someone point me in the right direction? Somewhere in the PHP manual or maybe a good tutorial on this topic. I have been spending the majority of this week figuring out why my files are not showing up at my upload location that I set up in my newly created simple upload form. It just seems like php doesn't like me at all. Here is what my code looks like below. Code: [Select] <?php if (move_uploaded_file($_FILES['thefile']['name'], $upload_file)) $destination = "/www/zymichost.com/m/t/l/mtlproductions/htdocs/"; $upload_file = $destination . basename($_FILES['thefile']['name']);{ echo "Your file has been uploaded successfully!"; }/* else { echo "Your file did not upload successfully. Check to make sure your file meets the requirements and then try again."; print_r($_FILES);}*/?> I have the orange marked areas commented out due to the unexpected T_ELSE error thing. What do I do to get my files to show up at my upload location when I use my upload form? Thanks! If I wanted to make multiple fields required before letting a User move past the field is this the proper way to do it? Code: [Select] if(isSet($_POST['playerFirst']['playerLast']['feet']['inches']['year']['status'])) { ## Something } else { ## Something else } Im trying to make my form remember the last input made by user, so I wrote the following and I get a syntax error on the input line. The error is: Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in C:\wamp\www\ezsynonym\index.php on line 90 Code: [Select] <form id="searchform" method="post" action="index.php"> <input id="input" name="synonymsearch" type="text" value="<?php echo $_POST['synonymsearch']; ?>" maxlength="400px" /> </form> TIA Code: [Select] $stick_topic = isset($_POST['stick_topic']) ? '1' : '0'; does this need to be escaped while entering the database or no because the values could only be 1 or 0 ? srry it's just i got hacked so i am trying to do my security #1 using this below is it safe against hackers? Code: [Select] $post_id = intval($_GET['report']); if ($post_id < 1) message($lang_common['Bad request']); query: Code: [Select] $result = $db->query('SELECT subject, forum_id FROM '.$db->prefix.'topics WHERE id='.$topic_id) or error('Unable to fetch topic info', __FILE__, __LINE__, $db->error()); should i escape my $topic_id ? Hi guys, I have been using the same code for years now to include my default page and pull content into my layouts.
I found the code online and its a bit confusing so was just wondering if its still safe to use, and is it all needed nowadays?
or is there a simpler way i could be doing this?
Thanks for any help
<?php
if (isset($_GET['nav']))
{
if (strpos($_GET['nav'], "/"))
{
$direc = substr(str_replace('..', '', $_GET['nav']), 0, strpos($_GET['nav'], "/")) . "/";
$file = substr(strrchr($_GET['nav'], "/"), 1);
if (file_exists($direc.$file.".php"))
{
require($direc.$file.".php");
} else {
require("error.php");
}
} else {
if (file_exists(basename($_GET['nav']).".php"))
{
require(basename($_GET['nav']).".php");
} else {
require("error.php");
}
}
} else {
require("links.php");
}
?>
Hello all. Just wanted to run this past you guys to see if I am missing anything important. I am making a script that I plan to allow a lot of other people around the web to use, so I want to make sure it's as bullet proof as possible. I am passing two values and grabbing them with a _GET, one is a big number, and the other is only letters and 8 characters long. her's my code so far. Code: [Select] <?php $clan = $_GET['clanid']; // make sure its an INT //if(isint($clan)){ if(ereg("[^0-9]", $clan)){ //im an int. echo ("ERROR Invalid CLANID"); die; } // make sure its a 8 letter only word. $style=$_GET['style']; // cut style down to 8 characters long. $style=substr($style, 0, 8); if(ereg("[^a-zA-Z]+", $style)) { // Contains only letters. echo("ERROR Invalid STYLE NAME"); die; } ?> to my noob php eye's it looks pretty solid, I cant think of any way a malicious user could get past it, but like I said, thought I would run it past you guys first , you can never be to careful. |
|||||||