PHP - Email Field Help (Sanitization Fail)
Okay, so I have a slight problem. I have been testing my form with fake emails. If I put something like CXZC@ff.ff in my email field, I get an email with
From: CXZC@ff.ff.cheatordie.com
I do have a function called clean_string() that weeds out the following: href|bcc|cc|to:|content-type. Can I add to this to weed something like this out? I am already using filter_var's VALIDATE_EMAIL filter and a regex on top of this, and it is still happening.

Similar Tutorials

HTML code:
<form method="post" action="viewpage.php?page_id=5">
Email: <input name="email" type="text"><br>
Full Name: <input name="name" type="text"><br>
Age: <input name="age" type="text"><br>
Summoner Name: <input name="summon" type="text"><br>
Do you have vent? <input name="vent" type="text"><br>
Do you have a mic? <input name="mic" type="text"><br>
How often can you be on? <input name="online" type="text"><br>
What level are you? <input name="level" type="text"><br>
Who do you like to play as? <input name="champs" type="text">
</form><br>
Can you help donate to the clan for vent and the site?<br>
<textarea name="name" rows="7" cols="25"></textarea><br>

Before you say anything about the PHP not being scripted to do all fields, I already know this. I'm trying to figure out how to send multiple ones in one message:

PHP code:
<?php
if (isset($_POST['submit'])) {
    $to = "hidden for privacy";
    $subject = "LoL Recruitment";
    $email = $_REQUEST['email'];
    $message = ($_REQUEST['name'], $_REQUEST['age']);
    $headers = "From: $email";
    $sent = mail($to, $subject, $message, $headers);
    if ($sent) {
        print "Your mail was sent successfully";
    } else {
        print "We encountered an error sending your mail";
    }
}
?>

I'm willing to bet my
Code:
$message = ($_REQUEST['name'], $_REQUEST['age']);
is FAR wrong. I thought I'd done this a hundred times before... but I am lost.

Even after running mysql_real_escape_string, strip_tags and addslashes etc., I can still enter SQL into my input and it screws with the query. I can't simply use regex to check for valid characters since it's an input that lets the user format a post with BBCode and whatever characters they want.
What's the proper way to 'clean' the input, then? Thanks in advance.

Hi,
I've noticed that many members routinely recommend intval() for “sanitizing” user input. I think this is a very bad idea for a couple of reasons:
PHP integers are stored in 32 bits or 64 bits depending on the platform. This is not enough to cover all MySQL integer types. For example, a 32-bit PHP integer can neither hold an INT UNSIGNED nor a BIGINT. And even a 64-bit PHP integer cannot hold a BIGINT UNSIGNED. That's obviously a problem and can lead to very nasty truncation bugs.
Silently changing the user input is very confusing and potentially harmful. Let's say the user tries to delete a record, but the provided ID is not numeric. This is clearly an error. Either the user has entered a wrong value, or there's an application bug. In any case, the request cannot be processed safely and should be rejected. What the intval() does instead is turn the invalid input into a “random” ID and pass it on to the database system to delete the record. Bad idea!
Many people already struggle to understand the difference between mysql_real_escape_string(), addslashes(), htmlentities(), filter_var() etc. Now we have yet another function in the ever-growing pool of “sanitize” functions. This doesn't really help.
So I think intval() should never be used for data “sanitization”. Just use the appropriate escape function like mysql_real_escape_string().
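An added example, not from the post or anyone in the thread, showing the reject-rather-than-coerce approach the post argues for: a strict ID check beside intval() on constructed inputs, then a delete that binds the validated value through a PDO prepared statement (a swapped-in technique; the post names mysql_real_escape_string). The function names, the `records` table and the PDO handle are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the post): a strict ID check that rejects bad input
// instead of coercing it, shown beside intval(). Names are my own.

/**
 * Return the ID as a canonical decimal string, or null if it is not acceptable.
 * A string is returned rather than an int so that values above PHP_INT_MAX
 * (a MySQL BIGINT UNSIGNED, for instance) are not truncated on the way through.
 */
function validate_record_id(string $raw): ?string
{
    // Digits only: no sign, no whitespace, no leading zero, no exponent.
    // '12abc', ' 7' and 'abc' are all rejected here rather than "fixed".
    if (!preg_match('/\A(?:0|[1-9][0-9]*)\z/', $raw)) {
        return null;
    }
    // Upper bound of BIGINT UNSIGNED, compared as strings (length, then value)
    // because the number does not fit in a PHP integer.
    $max = '18446744073709551615';
    if (strlen($raw) > strlen($max)
        || (strlen($raw) === strlen($max) && strcmp($raw, $max) > 0)) {
        return null;
    }
    return $raw;
}

/**
 * Delete by ID: refuse the request outright on invalid input, then bind the
 * validated value as a parameter. Uses a PDO prepared statement (assumed
 * available); the table and column names are placeholders.
 */
function delete_record(PDO $db, string $raw): bool
{
    $id = validate_record_id($raw);
    if ($id === null) {
        throw new InvalidArgumentException('record id must be an unsigned integer');
    }
    $stmt = $db->prepare('DELETE FROM records WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_STR); // as a string: no 64-bit truncation
    return $stmt->execute();
}

// Contrast intval() with the strict check on constructed sample inputs.
$samples = ['42', '12abc', 'abc', '-1', ' 7', '18446744073709551615'];
foreach ($samples as $s) {
    printf("%-24s intval=%-20s strict=%s\n",
        var_export($s, true),
        var_export(intval($s), true),
        var_export(validate_record_id($s), true));
}
```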
Hello... I have a site that sends an email using the following code:
Code:
mail($email, "Welcome to ohio-dui-laws.com", "Hello ".$fname.",\n\nYour account on Ohio Dui Laws has been created.\nPlease login and fill out your profile details in order to have access to all the member content. \n\n\tUsername : ".$email." \n\tPassword : ".$_POST["password"]."\n\nThanks for joining http://Ohio-dui-laws.com");
Currently, when the recipient receives the email, the From is defaulting to the server and looks like this: ohiodui@209747.axxs.overnighthosting.com. What I would like is for the From in the email header to show noreply@ohio-dui-laws.com. Would you be so kind and add whatever I need to the above code so that it displays noreply@ohio-dui-laws.com? Thank you so much.

Hi. FYI, I'm a n00b in this particular forum and a PHP n00b really, but I'm having a problem and can't find a solution anywhere! I need to be able to send an email from a form. Within the form is a dropdown field for different regions. When a region is selected it sets the email address for that region into an input/text field. I need to pick up that value and send the email to that address, but I'm not sure how. I have been told to use echo $email and that perhaps my variable is empty, but I haven't got a clue where to put it or what that means. Help please?!
My code:
Code:
include ('maketable.php');
include ('mailbot.php');
include ('auditFile.php');
$office = $_REQUEST["office"];
$callername = $_REQUEST["callername"];
$callerphone = $_REQUEST["callerphone"];
$callaction = $_REQUEST["callaction"];
$callerInfo = "Callers Name=".$callername;
$commentInfo = "Callers Phone No=".$callerphone;
$callDetail = "Action Taken=".$callaction;
$title = "DOC Call Results";
$stylesheet = "stylesheet.css";
$logo = "tcclogo.jpg";
$display = makeHeader($title,$stylesheet,$logo);
$display .= makeTable("Caller Details",$callerInfo,1);
$display .= makeTable("",$commentInfo,1);
$display .= makeTable("",$callDetail,1);
$display .= '</body></html>';
$info = $callerInfo."; ".$commentInfo."; ".$callDetail;
auditFile($title, $info);
echo $email;
mailbot($title,$display,"email","info@tcc.co.nz","ThankYou.html");

Hello, I'm currently using this code to check for blank fields:
Code:
if(isset($_POST['submit'])) {
    $emailconfirm = $_POST['emailconfirm'];
    $user_message = $_POST['message'];
    $name = $_POST['name'];
    $visitor_email = $_POST['email'];
    if(empty($name) || empty($visitor_email) || empty($user_message)) {
        $errors .= "<div id='contact_form_errorloc' class='err1'>Some of the above fields have not been filled in.</div><br>";
    }
This, however, does not check for valid emails. I've found this code:
Code:
function is_valid_email($email) {
    $result = TRUE;
    if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,4})$", $email)) {
        $result = FALSE;
    }
    return $result;
}
My question was whether the above is possible as well as incorporating the blank field checks. Many thanks!

I want users to be able to update their email address and check to see if the new email already exists. If the email is the same as the current email, ignore the check. I have no errors showing up, but if I enter an email already in the DB it still accepts the new email instead of bringing back the error message.
Code:
// email entered from form //
$email=$_POST['email'];
$queryuser=mysql_query("SELECT * FROM members WHERE inv='$ivn' ") or die (mysql_error());
while($info = mysql_fetch_array( $queryuser )) {
    $check=$info['email']; // gets current email //
}
if($check!=$email){ // if check not equal to $email check the new email address already exists//
    $queryuser=mysql_query("SELECT * FROM members WHERE email='$email' ");
    //$result=mysql_query($sql);
    $checkuser=mysql_num_rows($queryuser);
    if($checkuser != 0) {
        $error= "0";
        header('LOCATION:../pages/myprofile.php?id='.$error.'');
    }
}
Cheers

Hello PHP Freaks. I am following this tutorial on how to make a login for my website; the only trouble is that... it doesn't seem to work, so I wanna know if it's only me who can't make it work... and if it is, why XD... The tutorial can be found here: http://www.knowledgesutra.com/forums/topic/7887-php-simple-login-tutorial/ Now when I get started it starts saying error at line 6:
if ($_GET["op"] == "login")
It says that when I'm about to log in, right above the login. Now when I put in data I get an error on line 19:
$r = mysql_query($q);
That one, and I have no idea how to fix it. Anyone please?

Hello again. I've got a problem using login PHP. In the database I have stored passwords as *4D5FC004C2D5AE0B5513693AD1B271F8A2A92CEC (I think it's a hash inserted as the password). The case is that it doesn't read the password :/ Kinda strange, any help will be welcome.
Code:
<?
session_start();
if(isset($_GET['reg'])){
    $reg=$_GET['reg'];
}else{
    $reg="";
}
if($reg==1){
    $msg1="<font color=\"#FF0000\"><b>Your details have been added, please login</b></font>";
}elseif($reg==2){
    $msg1="<font color=\"#FF0000\"><b>You have been successfully logged out.</b></font>";
}
if(isset($_POST['submit'])){
    if( empty($_POST['uname']) && (empty($_POST['upass']))){
        header( "Location:Messages.php?msg=1" );
        exit();
    }
    //transfer to shorter var
    $n=$_POST['uname'];
    $p=$_POST['upass'];
    //connect to db
    include('config.php');
    $query="select * from user where uname='$n' and pw='$p' ";
    $result=mysql_query($query);
    $num=mysql_num_rows($result);
    if($num>0 ){
        //put in session vars
        $mytime=time();
        $mytime=date("H:i:s A",$mytime);
        $_SESSION['time'] = $mytime;
        $_SESSION['status'] = 'logged';
        $_SESSION['username'] = $n;
        //goto next page
        header("location:welcome.php");
        exit;
    }else{
        $_SESSION['status'] = 'not logged';
        header( "Location:Messages.php?msg=2" );
        exit();
    }
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><!-- InstanceBegin template="/Templates/Auth.dwt.php" codeOutsideHTMLIsLocked="false" -->
<head>
<!-- InstanceBeginEditable name="doctitle" -->
<title>Login</title>
<!-- InstanceEndEditable -->
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<!-- InstanceBeginEditable name="head" -->
<!-- InstanceEndEditable -->
<link href="styleLog.css" rel="stylesheet" type="text/css">
</head>
<body>
<table width="100%" border="0" cellspacing="7" cellpadding="0">
<tr class="temptitle">
<td><!-- InstanceBeginEditable name="EditRegion4" -->Login<!-- InstanceEndEditable --></td>
</tr>
<tr>
<td><!-- InstanceBeginEditable name="EditRegion3" -->
<form name="form1" method="post" action="login.php">
<table width="81%" border="0" align="center" cellpadding="0" cellspacing="3">
<tr class="listtop">
<td colspan="3">Login Status:<?
if(isset($msg1)){ echo "$msg1"; }?></td>
</tr>
<tr>
<td width="9%">Username</td>
<td width="41%"><input name="uname" type="text" id="uname" size="50"></td>
</tr>
<tr>
<td>Password</td>
<td><input name="upass" type="password" id="upass" size="50"></td>
</tr>
<tr>
<td colspan="2"><div align="center"><a href="password.php">Forgotten your password?</a>|<a href="register.php">Register</a> </div></td>
</tr>
<tr>
<td> </td>
<td><input type="submit" name="submit" value="Login"></td>
</tr>
</table>
</form>
<!-- InstanceEndEditable --></td>
</tr>
<tr>
<td><div align="center">Copyright 2005 </div></td>
</tr>
</table>
</body>
<!-- InstanceEnd --></html>

Had a crack at making my own generator which makes some jumble 32 characters long with letters and numbers. In logic it seemed fine to me. In practice it just does nothing.
Code:
function generate(){
    $abc = array("a", "b", "c", "d", "e", "f", "g", "h", "i", "j", "k", "l", "m", "n", "o", "p", "q", "r", "s", "t", "u", "v", "w", "x", "y", "z");
    $num = array("0", "1", "2", "3", "4", "5", "6", "7", "8", "9");
    $result = "";
    for ($i = 0; $i < 32; $i++){
        $bool = rand(0,1);
        if ($bool = 1) {
            $result . $abc[rand(0,25)];
        } else {
            $result . $num[rand(0,9)];
        }
    }
    echo $result;
}

Here's my code: I'm trying to make a function that returns true if the supplied string contains illegal characters, or false otherwise. I can't get it to work. Could someone please comment?
Code:
<?php
function contains_illegal_chars($value) {
    if ( preg_match("['=]", $value) > 0 ) {
        return true;
    }
    return false;
}
$value = "this contain both illegal characters: ' and =" . "<BR>";
echo "Value is: $value";
if( contains_illegal_chars($value) )
    echo "yes";
else
    echo "no"; // This is always being returned! Even though the string clearly contains both the quote and the equals sign!
?>

I've tried various sort methods on this array, and seem to be failing.
Code:
Array
(
    [monkey quest] => 8
    [monkey] => 2
    [monkey sports] => 0
    [monkey go happy] => 0
    [monkey go happy 3] => 1
    [monkey joes] => 0
    [monkey games] => 2
    [monkey bread recipe] => 1
    [monkey go happy 2] => 3
    [monkey quest trailer] => 4
    [monkey quest guide] => 5
    [monkey quest nick] => 6
)
What I want to do, or attempt to do rather, is sort the array by the => value from highest to lowest (or maybe in reverse as well, but one thing at a time). In my last failed attempt I was trying out usort() as my concept..
Code:
function cmp($a, $b) {
    if ($a == $b) {
        return 0;
    }
    return ($a < $b) ? -1 : 1;
}
echo "<pre>";
print_r(usort($kw, "cmp"));
echo "</pre>";
But the only thing I am left with on the page is just 1; everything else seems to be getting lost, or I dunno what's going on. So I think I've done stumped myself. Now I'm looking for ideas, assuming I am tackling this all wrong.

I cannot seem to figure out how to do this.. I just need to add 100+99+98+97+96...+1. No, you cannot do 100! because that multiplies them =]

I am using this code to evaluate whether checkboxes within a group have been selected:
Code:
function IsChecked($chkname,$value) {
    if(!empty($_POST[$chkname])) {
        foreach($_POST[$chkname] as $chkval) {
            if($chkval == $value) {
                return true;
            }
        }
    }
    return false;
}
Now, I've decided that I want to add a message upon finding NO SELECTED checkbox items, but it is not functioning as desired.
Code:
if(empty($_POST[$chkname])) {
    echo("You didn't select any checkboxes.");
}
How can I get this or something similar to trigger?

Hi community. The radio buttons on my form suddenly stopped working. For the life of me I can't figure out why. Everything seems to look fine. I did some moving around on servers, so I wonder if something got messed up during the transfer. I'm wondering if a new version of PHP was installed and made something obsolete. I was wondering if someone could take a look. Thank you in advance for your advice.
Code:
<form action="brian_1.php" method="post" name="form1" id="form1">
<input name="name" type="text" id="name" size="30" tabindex="1"/>
Company if Applicable: <input name="company" type="text" id="company" size="30" tabindex="2"/>
Phone: <input name="phone" type="text" id="phone" tabindex="3" onkeypress="return formatPhone(event,this)" onkeydown="return getKey(event,this)" size="13" maxlength="12"/> Example: XXXXXXXXXX
Alternate Phone: <input name="altphone" type="text" id="altphone" tabindex="4" onkeypress="return formatPhone(event,this)" onkeydown="return getKey(event,this)" size="13" maxlength="13"/> Example: XXXXXXXXXX
Street Address:<input name="mail" type="text" id="mail" size="60" tabindex="5"/>
City, State, Zip Code: <input name="city" type="text" id="city" size="60" tabindex="5"/>
E-mail: <input name="emai" type="text" id="emai" size="60" tabindex="6"/>
Would you like to be part of our mailing list?
<label><input type="radio" name="list" value="Yes" id="RadioGroup1_0" tabindex="7"/>Yes</label><label><input type="radio" name="list" value="No" id="RadioGroup1_1" tabindex="8"/>No</label>
Are you interested in volunteering for upcoming events?
<label><input type="radio" name="volunteer" value="Yes" id="RadioGroup2_0" tabindex="9"/>Yes</label><label><input type="radio" name="volunteer" value="No" id="RadioGroup2_1" tabindex="10"/>No</label>
Are you interested in becoming a sponsor by receiving opportunities to advertise through us?
<label><input type="radio" name="opportunities" value="Yes" id="RadioGroup3_0" tabindex="11"/>Yes</label><label><input type="radio" name="opportunities" value="No" id="RadioGroup3_1" tabindex="12"/>No</label>
Would you like to join our efforts by offering your services or products to further our cause?
<label><input type="radio" name="cause" value="Yes" id="RadioGroup4_0" tabindex="15"/>Yes</label><label><input type="radio" name="cause" value="No" id="RadioGroup4_1" tabindex="16"/>No</label>
If so, in what ways would you like to contribute? <textarea name="contribute" cols="60" rows="4"></textarea>
<input type="submit" name="Submit" value="Sumbit" /><input type="reset" name="reset" id="reset" value="Clear" />
</form>
<?php
/* Email Variables */
$emailSubject = 'Contact Form';
$webMaster = 'brianewagnerfund@gmail.com';
$webMaster = 'matt@webskillsplus.com';
//$webMaster = 'murrterr@rcn.com';
/* Data Variables */
$name = $_POST['name'];
$company = $_POST['company'];
$phone = $_POST['phone'];
$altphone = $_POST['altphone'];
$mail = $_POST['mail'];
$city = $_POST['city'];
$emai = $_POST['emai'];
if (isset($_POST["submit"])) { echo $_POST["list"]; }
if (isset($_POST["submit"])) { echo $_POST["volunteer"]; }
if (isset($_POST["submit"])) { echo $_POST["opportunities"]; }
if (isset($_POST["submit"])) { echo $_POST["cause"]; }
$contribute = $_POST['contribute'];
$body = <<<EOD
\r\n \r\n <br> Name(s): $name
\r\n <br> Company if Applicable: $company
\r\n <br> Phone: $phone
\r\n <br> Alternate Phone: $altphone
\r\n <br> Street Address: $mail
\r\n <br> City, State, Zip Code: $city
\r\n <br> Email: $emai
\r\n <br> Would you like to be part of our mailing list? $list
\r\n <br> Are you interested in volunteering for upcoming events? $volunteer
\r\n <br> Are you interested in becoming a sponsor by receiving opportunities to advertise through us? $opportunities
\r\n <br> Would you like to join our efforts by offering your services or products to further our cause? $cause
\r\n <br> If so, in what ways would you like to contribute? $contribute
\r\n <br>
EOD;
$from = "From: BrianEWagnerFund@gmail.com\r\n";
$from .= "Reply-To: ".$emai."\r\n";
$from .= "Content-type: text/html\r\n";
mail($webMaster, $emailSubject, $body, $from);
/* Results rendered as HTML */
echo "<meta http-equiv=\"refresh\" content=\"0;URL=http://www.brianewagnerfund.org/thankyou.html\">";
?>

I'm adding HTML tags with an "if" statement.
Code:
$fw = "word"
if ($fw == "a"){
    echo "something";
}elseif ($fw == "b"){
    echo "something else";
}else{
    echo "this";
}
So why would everything skip right to the "else" and echo that, even if $fw equals "a" or "b"....

What I am trying to achieve here is a simple URL-to-server file download script. It works fantastically; however, I am trying to achieve an error message when the script fails to get a file. Right now, when the file is downloaded, it provides the echo 'Successfully downloaded (FILENAME)!'. But when it fails I would like for it to say something like "file could not be downloaded". As of right now it gives me a warning that it could not open stream, and it still echoes "file successfully downloaded". Any advice?
Full code:
Code:
<?php
include '../dbc.php';
page_protect();
if (isset($_POST['submit'])) {
    $file = $_POST['filename'];
    $target= $_POST['hosttarget'];
    file_put_contents("$file", file_get_contents("$target"));
    echo "Successfully uploaded ".$file."!";
} else{
    echo "Unable to retrieve file!";
}
?>
<div class="wrap">
<FORM ENCTYPE="multipart/form-data" ACTION="" METHOD=POST>
<div class="download">
<div class="left">Target:<br>Filename:</div>
<div class="right"><INPUT TYPE="text" NAME="hosttarget" ID="text" VALUE=""><br>
<INPUT TYPE="text" NAME="filename" ID="text" VALUE=""><br></div>
<INPUT TYPE="submit" NAME="submit" ID="submit " CLASS='submit_btn' VALUE="Get File">
<div class="clear"></div>
</div>
</FORM>
</div>

Hello, I am trying to send a query and receive data from it. The query is sent successfully and gets the necessary data; the problem is that store_result returns false.
Code:
if($result=$db->query("SELECT `times_failed` FROM `".$table_prefix."_failed_login` WHERE `ip`='$current_ip' AND `ip2`='$current_ip2'")) {
$result->num_rows returns 1 row. I outputted the query using echo:
SELECT `times_failed` FROM `am_failed_login` WHERE `ip`='127.0.0.1' AND `ip2`=''
and tried to send a query using phpMyAdmin, and it returned the result as I wanted. The "safe_store" (don't mind the name, I just named it like that):
Code:
function safe_store($error) {
I tried to use just $db->store_result(); but it returned
Fatal error: Call to undefined method mysqli::free() in C:\xamp\htdocs\projects\lib\functions\user.php on line 310
And the fact is that the query returned a result and num_rows found 1 line in the result. Kaperstone.
Edited by KubeR, 22 October 2014 - 01:39 PM.

Thanks for reading this. I have just begun using PHP, and I cannot, for my life, figure out what I am doing wrong here. I want to submit a form for a person to register with my site. It's simple, just name, email and password.
I keep getting an error that the connection failed, so I will just show you what I have up until that point. My form uses the POST method, and it looks like:
Code:
<form method="post" action="signup.php" enctype="multipart/form-data">
<input name="name" type="text" id="name">
<input name="email" type="text" id="email">
<input name="pass" type="password">
<input type="submit" name="Submit" value="Submit">
</form>
And the connection script is like so:
Code:
<?php
$username="db_username";
$password="db_password";
$database="db_name";
$dbc=mysql_connect ("localhost", "$username", "$password") or die ('I cannot connect to the database.');
mysql_select_db ("$database", "$dbc");
It's the 'I cannot connect to the database.' error that I keep getting. In case it helps, the rest of the thing looks like this:
Code:
<?php
$name= $_POST['name'];
$email= $_POST['email'];
$pass= $_POST['pass'];
$query = "INSERT INTO table (name, email, password) VALUES ('$name', '$email', '$pass')";
mysql_query($query);
mysql_close();
I have deliberately left out the PHP opening and closing tags (<?php...?>). Thanks so much for any help. Adam
MOD EDIT: [code] . . . [/code] BBCode tags added.

Hi - I have spent 2 days trying to figure this out. I must be doing something stupid ... I am trying to update the DB with a collection of variables off of various POST arrays. I have indexed the variables so that I can loop through them with a FOR. However, I am having all kinds of trouble:
1 - WEIGHT is giving 5 values even though the counter should only go 4 times.
2 - The WEIGHT variable is going into the wrong field in the DB even though I specify a specific place in my query.
3 - I get undefined offset errors even though I have initialised the variables with their respective offsets.
4 - Adding the conditional statement adds even more offset errors even though they are initialised.
I am starting to wonder if my entire approach to updating my DB is flawed.
As a student of PHP I think I need someone with more experience to look at what I am doing and tell me if something jumps out at them. There are a lot of statements echoing out values, and they all seem to check out. Many thanks for your advice.
Code:
function finishedorder(){
    $prodname = $_POST['prodname'];
    $prodid =$_POST['prodid'];
    $quantity = $_POST['quantity'];
    $pricelb = $_POST['pricelb'];
    $customerid = $_POST['customerid'];
    $price = $_POST['price'];
    $orderid = $_POST['orderid'];
    $weight = $_POST['weight'];
    echo "Varuable WEight"; print_r($weight); echo"<br/>";
    echo "line 196 Weight"; print_r ($_POST['weight']); echo"<br/>";
    echo "line 192 PriceLB"; print_r ($_POST['pricelb']); echo "<br/>";
    echo "line 193 Price"; print_r ($_POST['price']); echo "<br/>";
    echo "line 194 ProdID"; print_r ($_POST['prodid']); echo "<br/>";
    echo "line 195 OrderID"; print_r ($_POST['orderid']); echo "<br/><br/>";
    $numloops = count($_POST['prodid']);
    for ($i = 0; $i < $numloops ; $i++) { // !!! Start of the for loop !!!
        if (!isset($orderid[$i])) $orderid[$i] ='';
        if (!isset($prodid[$i])) $prodid[$i] ='';
        if (!isset($weight[$i])) $weight[$i] ='';
        if (!isset($pricelb[$i])) $pricelb[$i] ='';
        // This only initialises the Price & Weight variable to avoid an offset error message.
        if (!isset($weight[$i])) $weight[$i] ='';
        $ordervalue = $pricelb[$i] * $weight[$i];
        echo " L. 216 The number is " . $i . "<br />";
        echo "line 221 ProdID".$prodid[$i];echo "<br/>";
        echo "line 217 Pricelb".$pricelb[$i];echo "<br/>";
        echo 'Weight L. 219 weight[i]'. $weight[$i];echo "<br/>";
        echo "line 220 weight".$weight; echo "<br/>";
        echo "line 221 Numloops".$numloops; echo "<br/><br/>";
        echo ' L. 225 $ordervalue ' .$ordervalue;echo "<br/>";
    }
    //if ($pricelb[$i] == 0 ){ // conditonal statement
    //    $ordervalue = $price[$i];
    // }
    $sql =" UPDATE confirmedorder SET weight='$weight[$i]', ordervalue='$ordervalue', confirmedorder.picking = 'finished', confirmedorder.sale = 'open' WHERE prodID = '$prodid[$i]' AND OrderID = '$orderid[$i]' ; ";
    $this->db->query($sql);
} // !! End For Loop. !!