PHP - PHP Security? (Standard Sanitise Code)
I am currently working on my PHP/MySQL driven website. However, I have read in recent weeks that there are a number of security measures which need to be taken, and one of them is sanitising input to prevent HTML/MySQL injection into a database. So I was wondering if there is an 'industry standard' for sanitising PHP. For example, if a website only wants its database to be searched by letters or numbers, do they use a specific code? I have found one based on numbers (for ID numbers) but I can't find one based on letters.
I found this, but it is quite complicated and looks very different to the guide I found on YouTube: http://bobby-tables.com/php.html So is there an industry standard which blocks people from using any other code than numbers or letters? I was also wondering if there are any other security measures I need to be aware of when using PHP?
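One way to do what the question asks, as an added example (not from the thread or any poster's own code): allow-list the search term to letters and digits, still bind it as a parameter in a prepared statement, and escape only when rendering HTML. It uses an in-memory SQLite table with constructed rows so it runs stand-alone; the table and column names are assumptions.

```php
<?php
// Added example (not the thread's own code): allow-list validation, prepared
// statements and output escaping, run against an in-memory SQLite table.
declare(strict_types=1);

// Allow-list a search term: ASCII letters and digits only, 1 to 40 chars.
// Quotes, semicolons and the LIKE wildcards % and _ never get through.
function validate_term(string $raw): ?string
{
    return preg_match('/\A[A-Za-z0-9]{1,40}\z/', $raw) ? $raw : null;
}

// Validation is the first layer; the value is still bound as a parameter,
// never concatenated into the SQL string.
function search_airplanes(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT id, model_name FROM airplanes WHERE model_name LIKE :p');
    $stmt->execute([':p' => $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape when rendering HTML, not before storing: the database keeps the raw value.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample table (assumed names, not from the thread).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE airplanes (id INTEGER PRIMARY KEY, model_name TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO airplanes (model_name) VALUES (?)');
foreach (['Piper Cub', 'Pitts Special', 'Extra 300 <b>x</b>'] as $name) {
    $ins->execute([$name]);
}

// Constructed request values: a good term, a quote/comment attempt, a wildcard.
foreach (['Pi', "Pi'--", 'pi_', 'Ex'] as $raw) {
    $term = validate_term($raw);
    if ($term === null) {
        echo 'rejected: ' . h($raw) . "\n";
        continue;
    }
    foreach (search_airplanes($db, $term) as $row) {
        // the stored "<b>" is rendered as "&lt;b&gt;", so it cannot become markup
        echo $row['id'] . ': ' . h($row['model_name']) . "\n";
    }
}
```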
Similar Tutorials

Hi All, Newbie here. I run a website using XMB forums software as a base login script to connect to my database, and created my own crude and simple pages for adding and displaying the data, learning as I went. Over the years, with recent upgrades of PHP versions, it's now virtually useless and insecure code. I archive a lot of news articles but have had trouble pasting text that includes apostrophes and special characters, but managed to fix that using addslashes() now. Can someone suggest a tutorial or a way to rebuild my site from scratch, or something I can use as a template to connect to my pages?

I'd like to write - or acquire - code that displays a simple table (name, phone number, email address, plus a comments field) on a web page in a password-protected page and allows a user to add his own information, update it or delete it. I figure hundreds of people and companies have written something like this, so I'd like to find either an example I can imitate or even an existing package that I can simply customize to the specifics of my own table. Can anyone help me with that? Or am I going to have to reinvent the wheel for the gazillionth time and write it myself?

Hello everyone, I try to make a registration script and change password script with PIN as security code. The registration script was working perfectly, but the change password script didn't work. Here I give the full code for you to review. Here is a link to the file: Test.7z. I hope someone can help and give me information on what I'm missing.

The raw output is this.. full example: http://instant.simplyhired.com/a/jobs/xml-v1/l-06238/q-engineer/ws-100/si-0/fdb-21/sb-rd/mi-10 I can generally get the value of this stuff, like if I wanted the "jt" line I can get ENGINEER, and the rest of the data. What I am having trouble with is getting the attribute (I think that's the right term for this with XML).
For example, the "src" line has an attribute "url=" and I am trying to figure out how to get that value. Below is a sample of the raw, and below that is the code I am working with to load up the XML. I know there's SimpleXML, but in my case that's not an option, so I am working on slightly custom work (as little as it is).

Code:
<r>
  <jt>ENGINEER</jt>
  <cn url="">Soldream</cn>
  <src url="http://instant.simplyhired.com/a/job-details/view/jobkey-5109.J3H3036RVZPZ4RFRRKR/jp-0/hits-70?aff_id=2512">CareerBuilder</src>
  <loc cty="Tolland" st="CT" postal="06084" county="" region="" country="US">Tolland, CT</loc>
  <ls>2011-02-20T13:28:39Z</ls>
  <dp>2011-02-18T08:00:00Z</dp>
  <e>Engineer/CNC Machinist Tolland CT2429177 Aerospace MFG Co. seeks MFG/Design Engineer &amp; CNC Machinist with 5+ years of experience in aerospace manufacturing. Duties for engineers include developing new processes, drafting, and CNC programming. CNC Machinist should have knowledge of FANUC control. Send resume to...</e>
  <af></af>
  <pl url=""/>
</r>

Code:
<?php
// Loads the job feed and reads each <r> record's text fields plus the url= attribute of <src>.
$feedURL = 'http://instant.simplyhired.com/a/jobs/xml-v1/l-06238/q-engineer/ws-100/si-0/fdb-21/sb-rd/mi-10';
$doc = new DOMDocument();
$doc->load($feedURL);
$arrFeeds = array();
foreach ($doc->getElementsByTagName('r') as $node) {
    // Element names match the feed sample above (jt, e, src, ls, dp, loc). The
    // original used RSS names (description, pubDate, creator, guid) that do not
    // exist in this feed, so item(0) returned null and nodeValue failed.
    $src = $node->getElementsByTagName('src')->item(0);
    $itemRSS = array(
        'title'    => $node->getElementsByTagName('jt')->item(0)->nodeValue,
        'desc'     => $node->getElementsByTagName('e')->item(0)->nodeValue,
        // The url= attribute belongs to the <src> child, not to <r>: fetch the
        // child element first, then read its attribute.
        'link'     => $src ? $src->getAttribute('url') : '',
        'source'   => $src ? $src->nodeValue : '',
        'date'     => $node->getElementsByTagName('ls')->item(0)->nodeValue,
        'posted'   => $node->getElementsByTagName('dp')->item(0)->nodeValue,
        'location' => $node->getElementsByTagName('loc')->item(0)->nodeValue,
    );
    $arrFeeds[] = $itemRSS;
}
// array_unique() does not de-duplicate nested arrays and its result was discarded,
// so the original call was a no-op and is dropped here.
print_r($arrFeeds);
?>

This is the simplest of forms, but it has no character. It is the type I use in everything.
form1.php

Code:
<html>
<head>
</head>
<body>
<?php
// Connect to database =====================================================
include("connect_db.php");
// retrieve form data ======================================================
// id is numeric, so casting to int also keeps anything else out of the query.
$id = (int) $_POST['id'];
// sending query ===========================================================
// Note: the mysql_* extension is deprecated and was removed in PHP 7;
// mysqli or PDO with prepared statements is the replacement.
$query = "SELECT ama,model_name,model_mfg,wingspan,engine,decibels FROM airplanes WHERE id='$id'";
$fetch = array();
if (!$result = mysql_query($query)) {
    echo "<br>Query $query<br>Failed with error: " . mysql_error() . '<br>';
} else {
    $fetch = mysql_fetch_array($result);
}
// Output form with retrieved data =========================================
// Array keys are quoted ($fetch['ama'], not $fetch[ama]) and values are escaped
// so stored data cannot break out of the value="" attribute.
function h($v) { return htmlspecialchars((string) $v, ENT_QUOTES); }
?>
<h3>Change the data and then click the CHANGE button</h3><br>
<form name="myForm" action="delete_airplanes.php" onsubmit="return validateForm()" method="post">
ID #:<input type="text" name="id" value="<?= h($id) ?>" /><br>
AMA #:<input type="text" name="ama" value="<?= h($fetch['ama']) ?>" /><br>
Model Name:<input type="text" name="model_name" value="<?= h($fetch['model_name']) ?>" /><br>
Model Mfg:<input type="text" name="model_mfg" value="<?= h($fetch['model_mfg']) ?>" /><br>
Wingspan:<input type="text" name="wingspan" value="<?= h($fetch['wingspan']) ?>" /><br>
Engine:<input type="text" name="engine" value="<?= h($fetch['engine']) ?>" /><br>
Decibels:<input type="text" name="decibels" value="<?= h($fetch['decibels']) ?>" /><br><br>
<input name="submit" id="submit" value="CHANGE!" type="submit">
</form>
<br>
</body>
</html>

I would love to be able to get this form to work.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>Enter Airplane Data</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <meta name="language" content="en" /> <style type="text/css"> .focus { background: #FEF1C1; } .class123-label { font-family: Verdana; font-size: small; } .class123-sidebyside { float:left; margin:0 5px 0 0;} .class123-twocol { float:left; width:45%; margin:0 5px 0 0;} .class123-threecol { float:left; width:30%; margin:0 5px 0 0;} .class123-likert_style_li { display:inline-block; vertical-align:middle; text-align:center; top:0px; padding:2px; width:64px; height:50px; margin:0px; margin-right:1px; margin-bottom:1px; font:11px/18px verdana; background:#ddd; zoom:1; *display:inline; } .class123-likert_style_li2 { display:inline-block; vertical-align:middle; text-align:center; top:0px; padding:2px; width:64px; height:50px; margin:0px; margin-right:1px; margin-bottom:0px; font:12px/18px verdana; background:#fff; zoom:1; *display:inline; border-top:1px solid #ddd; } .fontbold { font-weight: bold; } .fontitalic { font-style: italic; } .requiredspan { font-family: Verdana; font-size:10px; color:#f00; } </style> </head> <body style="background-color: rgb(138, 174, 222); direction: ltr;"> <div style="height: 50px;"> </div> <center> <table style="border-collapse: collapse;" id="AutoNumber1" border="0" cellpadding="0" cellspacing="0" width="658"> <tbody> <tr> <td class="tdborder" colspan="3" width="658"> <img alt="shadow" class="tdimagesus" src="/templates/cache/dynamicimage-1-1560BD.png" height="9" width="100%" /> </td> </tr> <tr> <td height="38" width="4"> </td> <td class="tdheader" style="border-style: solid solid none; border-color: rgb(1, 76, 169) rgb(1, 76, 169) -moz-use-text-color; border-width: thin thin medium;" bgcolor="#1560bd" height="38" width="650"> <img alt="logo" 
src="http://www.123contactform.com/templates/logos/computers_anvelope_white.png" align="left" /> </td> <td height="38" width="4"> </td> </tr> <tr> <td height="171" width="4"> </td> <td class="tdmain" style="border-style: none solid; border-color: -moz-use-text-color rgb(1, 76, 169); border-width: medium thin; padding-right: 10px;" bgcolor="#ffffff" height="171" width="650"> <div class="selector-off"> <center> <script type="text/javascript"> <!-- function InputActions(field,id) { var i=1; var lid="none"; for (i=1;i<=100;i++) { lid='row'+i; lidsec='rowsec'+i; if (document.getElementById(lid) != null) { if (lid==id) { document.getElementById(lid).className='focus'; if (document.getElementById(lidsec) != null) document.getElementById(lidsec).className='focus'; } else { document.getElementById(lid).className=''; if (document.getElementById(lidsec) != null) document.getElementById(lidsec).className=''; } } } } //--> </script> <form class="form" action="http://www.123contactform.com/contact-form-crmamx-122034.html" method="post" enctype="multipart/form-data"><input name="action" value="verify" type="hidden" /> <table style="min-width: 250px;" cellpadding="4"> <tbody> <tr id="row1"> <td style="text-align: left;" valign="top"><label class="class123-label" id="id123-title684273" for="id123-control684273">Name:</label><span class="requiredspan customspan" title="Required field">*</span></td> <td style="" align="left"><input id="id123-control684273" name="control684273" onclick="InputActions(this,'row1');" onkeyup="InputActions(this,'row1');" onchange="" value="" size="20" type="text" /> </td> </tr> <tr id="row2"> <td style="text-align: left;" valign="top"><label class="class123-label" id="id123-title684275" for="id123-control684275">Subject:</label><span class="requiredspan customspan" title="Required field">*</span></td> <td style="" align="left"><input id="id123-control684275" name="control684275" onclick="InputActions(this,'row2');" onkeyup="InputActions(this,'row2');" 
onchange="" value="" size="20" type="text" /> </td> </tr> <tr id="row3"> <td style="text-align: left;" valign="top"><label class="class123-label" id="id123-title684281" for="id123-control684281">Model Name:</label><span class="requiredspan customspan" title="Required field">*</span></td> <td style="" align="left"><input id="id123-control684281" name="control684281" onclick="InputActions(this,'row3');" onkeyup="InputActions(this,'row3');" onchange="" value="" size="35" type="text" /> </td> </tr> <tr id="row4"> <td style="text-align: left;" valign="top"><label class="class123-label" id="id123-title684286" for="id123-control684286">Model Mfg:</label><span class="requiredspan customspan" title="Required field">*</span></td> <td style="" align="left"><input id="id123-control684286" name="control684286" onclick="InputActions(this,'row4');" onkeyup="InputActions(this,'row4');" onchange="" value="" size="35" type="text" /> </td> </tr> <tr id="row5"> <td style="text-align: left;" valign="top"><label class="class123-label" id="id123-title684287" for="id123-control684287">Wingspan:</label><span class="requiredspan customspan" title="Required field">*</span></td> <td style="" align="left"><input id="id123-control684287" name="control684287" onclick="InputActions(this,'row5');" onkeyup="InputActions(this,'row5');" onchange="" value="" size="35" type="text" /> </td> </tr> <tr id="row6"> <td style="text-align: left;" valign="top"><label class="class123-label" id="id123-title684288" for="id123-control684288">Engine Mfg/Size:</label><span class="requiredspan customspan" title="Required field">*</span></td> <td style="" align="left"><input id="id123-control684288" name="control684288" onclick="InputActions(this,'row6');" onkeyup="InputActions(this,'row6');" onchange="" value="" size="35" type="text" /> </td> </tr> <tr id="row7"> <td style="text-align: left;" valign="top"><label class="class123-label" id="id123-title684289" for="id123-control684289">Decibel Reading:</label><span 
class="requiredspan customspan" title="Required field">*</span></td> <td style="" align="left"><input id="id123-control684289" name="control684289" onclick="InputActions(this,'row7');" onkeyup="InputActions(this,'row7');" onchange="" value="" size="35" type="text" /> </td> </tr> <tr id="row8"> <td style="text-align: left;" valign="top"><label class="class123-label" for="id123-captcha" id="verifno">Verification No.:</label><span class="requiredspan customspan" title="Required field">*</span></td> <td align="left" valign="top"><input id="id123-captcha" onclick="InputActions(this,'row8');" onkeyup="InputActions(this,'row8');" name="txtNumber" value="" size="16" type="text" /></td> </tr> <tr> <td align="right"><a title="Don't know why you have to enter this verification number? Click here!" href="http://www.123contactform.com/faq.html#q1" onclick="window.open('http://www.123contactform.com/faq.html#q1','_blank','width=740, height=90, left=' + (screen.width/2-370) + ', top=250');return false;"><img src="http://www.123contactform.com/img/help_icon.gif" alt="contact form faq" border="0" /></a></td> <td align="left"><img alt="verification image" src="http://www.123contactform.com/random.php" /></td> </tr> <tr> <td></td> <td align="left"><input class="class123-button" id="id123-button-send" value="Send email" type="submit" /></td> </tr> </tbody> </table> <div style="height: 1px; display: none; visibility: hidden;"> <input name="email" type="text" /></div> </form> </center> </div> </td> <td height="171" width="4"></td> </tr> </tbody> </table> </center> </body> </html> Of course I did not write this. I have never used a form before built as a table, only like the form1.php 1. Does this form work in the same way? 2. I want to retrieve a record from the db and display it in this form. Do I do it in the same way as in form1.html with a value=? 3. 
If the above is true, then I would assume (that always gets me in trouble) that in my next program (update_db.php) I would capture the input data the same way. Thanks.

Like contact form, is there a help standard you guys might suggest? I am looking to finally move to a popular coding style. Anyone know any great ones I should look into? So far I have looked into PEAR. Thanks!

Hi, I'm trying to make an error message appear when a user misses a text field, or fills in an error. All the errors are sent to a form.php; this then sends the error message back to the current page. Here is the code I am using to retrieve the error message:

Code:
// The original wrote "$form->error = ("user")", which assigns the string to a
// property and is always true; the intended test is the method's return value.
if ($form->error("user")) {
    echo $form->error("user");
}
if ($form->error("pass")) {
    echo $form->error("pass");
}

Which works fine, but I only want ONE error message to be displayed at a time. This IS what I want: there are two fields, user and password. If the user fails to enter anything into both, only one error message will appear, "Please enter your username" (which is what the form.php does). When the user fills in the username but fails to fill in the password, then it works: only one error message appears (as there is only one error to send). When the user fills in the password but fails to fill in the username, it also works: only one error message appears. It's just when the user fails to fill in either that it prints both error messages, when I only want it to print the 'user' error message. Please help, Thanks
I am trying to build a payment gateway library. Do you think this is the best way of going about it? Requirements: code to be flexible for different naming conventions, to conform with standards, not to break. Why I am thinking of doing it this way: one application could have addressline1 as add_1 while a different app will have it as add_line_1.

Code:
<?php
$test2 = "yay";
$test = 'a:1:{s:6:"teatme";s:5:"test2";}'; // think of this as a db field
// unserialize() on data from outside the application is unsafe; disallowing
// classes keeps it to plain arrays and scalars.
$test = unserialize($test, array('allowed_classes' => false));
echo "<pre style=\"text-align:left;\">";
print_r($test);
echo "</pre>";
// Each value names a variable; $$value reads that variable ("test2" -> $test2 -> "yay").
foreach ($test as $key => $value) {
    $test[$key] = $$value;
}
echo "<pre style=\"text-align:left;\">";
print_r($test);
echo "</pre>";

Please give us your thoughts.

I'm trying to connect to a SOAP API using PHP-SOAP. The problem is that the API is not adhering to the SOAP standard entirely. The SOAP header XML which the SOAP client needs to generate is as follows:

Code:
<SOAP-ENV:Header>
  <TargetVolume>foo</TargetVolume>
</SOAP-ENV:Header>

The problem is that the PHP SoapHeader class requires namespaces to be set for SOAP Header child elements (as in the standard). My code goes:

Code:
$ns = 'http://some.namespace.com';
$header = new SoapHeader($ns, 'TargetVolume', 'foo');
$soapClient->__setHeaders($header);

which produces:

Code:
<SOAP-ENV:Header>
  <ns1:TargetVolume>foo</ns1:TargetVolume>
</SOAP-ENV:Header>

Unfortunately: 1. the SOAP API I'm using doesn't accept the ns1 namespace - or any namespace; 2. the SoapHeader constructor does not accept NULL as its first parameter; 3. I can't change the API! This is not a bug in PHP. See the discussion at http://bugs.php.net/bug.php?id=31755 which details that it's invalid in SOAP to use a namespace here. I am stuck between a rock and a hard place with finding a work-around for this problem: to somehow get PHP-SOAP to send the required non-standard header to the API. Can anybody help?
Specifically for hashing a password to be stored in a database. I know SHA1 and MD5 are essentially considered broken. I've been using MD5 with a salt value on all my projects, but I'm starting a new project and wondering if there's a stronger algorithm I should be using?

Hi there, I'm wondering if anyone can assist me. I am currently a design student in Leeds, UK. I'm currently creating an online campaign whereby customers use QR codes to link to a created website with an interesting YouTube video on. At the moment I've just created a simple link to the chosen content: http://newmedia.leeds.ac.uk/ug10/cs10dw/culture.html However, I've come across YouTube API standard feeds in the YouTube Reference Guide: http://code.google.com/apis/youtube/2.0/reference.html It states you can 'send a GET request to the URL associated with that feed'; however, I've never really touched PHP before. Could anyone give me advice on how I would link, say, the top rated feed to my site using https://gdata.youtube.com/feeds/api/standardfeeds/top_rated Would that be difficult? ANY replies would be much appreciated! Regards, David.

Hi, I am currently working on an Invoice System using PHP and MySQL. However, I was just wondering if the system I am using is secure enough. The client gets a link like this:

Code:
mysite.com/?customerid=b3e470c55aad30eb38ee52eec1d8cb52

Each client has a unique "id". I also have an ID for the administrative back-end. I do clean the GET variable before querying the database though. Do I need to secure this with anything else, or is this enough, as this is my first time creating anything with PHP and MySQL together. Thanks, mme
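An added example (not from any of the threads above) for the two security questions among them: the password-hashing post, using PHP's built-in password_hash()/password_verify() (bcrypt by default), and the invoice-link post, using a random customer token compared in constant time rather than a value that could be derived or guessed from the customer id. Function names are mine.

```php
<?php
// Added example (not the threads' own code): password hashing with the
// password_* API and an unguessable per-customer token for links such as
// ?customerid=<token>.
declare(strict_types=1);

// Store only the hash. PASSWORD_DEFAULT is bcrypt today and may change in a
// later PHP version; password_needs_rehash() migrates old hashes at login.
function store_password(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Returns the (possibly upgraded) hash to write back on success, null on failure.
function check_password(string $plain, string $storedHash): ?string
{
    if (!password_verify($plain, $storedHash)) {
        return null;
    }
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? password_hash($plain, PASSWORD_DEFAULT)
        : $storedHash;
}

// A link token must come from a CSPRNG, not from hashing the customer id:
// 32 random bytes, hex-encoded (64 characters), stored against the customer.
function new_customer_token(): string
{
    return bin2hex(random_bytes(32));
}

// Constant-time comparison so a mismatch does not leak how many leading
// characters matched through response timing.
function token_matches(string $presented, string $stored): bool
{
    return hash_equals($stored, $presented);
}

// Constructed demo values.
$hash = store_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $hash) !== null);
var_dump(check_password('wrong password', $hash));
$token = new_customer_token();
var_dump(token_matches($token, $token), strlen($token));
```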