PHP - Crippling Php To Allow Some User-submitted Scripts
Hi! I'd like to allow some user-submitted plugins or custom code bits on pages. I'm basically making an online game generator for dummies and would like to allow some extra customization.
Obviously I don't want to offer the full capability of PHP. I found safer eval, and I believe that with PHP's tokenizer I could make a parser to check user-submitted scripts for malicious coding against a whitelist. (For HTML cleaning I'd use HTMLPurifier, though I haven't found a good solution for any CSS or JavaScript yet. The PHP cleaning seems a larger roadblock anyway.) I was wondering if anyone here had a better solution? I don't want to make up my own coding language, and I would prefer not to have to look over each script before use. I know this is a bad idea in general; sorry if I give anyone a heart attack by my even considering doing this, and thank you in advance for any help!

Similar Tutorials

I've got a BIG problem... When a user submits my form it works fine, displays "Transaction Success/Failed", and e-mails me a confirmation. However, if the user then navigates to another page (e.g. "Home") and then clicks their browser's "Back" button, my form gets re-submitted?! This is on a VPS, but I just chatted with server support and they are saying:

Quote: register_globals = Off

So what is going wrong?! Debbie

Hi there, I have a newsletter sign-up form which just puts the data (id and email) into a MySQL table. To stop people hacking the site, is there a way to make sure the only thing being submitted in the input is an email address?
Here's my current form and submit PHP:

Code:
    <?php
    $mailer = $_GET['mailer'];
    if ($mailer == 'added') {
        $email = $_POST['email'];
        if ($email == '') {
            echo '<div class="daily_not_submitted"><span style="padding-right:6px;"><img src="https://store.huhmagazine.co.uk/images/cross.jpg"></span>Please fill in all the fields.</div>';
        } else {
            $sql = "INSERT INTO `dailymailer` (`email`) VALUES ('$email');";
            $result = mysql_query($sql) or die(mysql_error());
            if ($result) {
                echo "<div class='daily_submitted'><span style='padding-right:6px;'><img src='http://www.huhmagazine.co.uk/images/uploaded/checkboxtick.jpg'></span>Thank you.</div>";
            } else {
                echo "Error\n";
            }
        }
    }
    ?>
    <div id="sidebarnewsletter">
        <form name="mailinglist" method="post" action="?mailer=added">
            <input type="text" name="email" class="sidebarnewsletter" placeholder="Enter Your Email Address" />
            <input type="submit" class="sidebarnewsletter_button" value="Sign Up">
        </form>
        <div class="clear"></div>
    </div>

I'd like to edit specific parts of a submitted text; what is the best way to do this? For example I get the following text:

    [name country] is very cold this time of year. Because I like the cold I would love to live there [end of line 2] whole lot more text here until [name country] if this text here exists, blabla [but Germany] is blabla [end of line] in some cases some more text here [summary] bla bla

The text in the brackets are words that I already know before it has been submitted. Getting the words out has been part of my previous script, using preg_match, and putting them in variables. I want to put the first portion of the text in a row, and if the 2nd, 3rd and 4th portions exist, put them in a row too. Any ideas?

[edited] I prefer to have these portions cut out and put in a variable, so I end up having a few variables and can later echo them out in rows.

Edited by dde, 18 January 2015 - 04:01 AM.
Hello, basically what I'm looking for would be a method of blocking certain email addresses from being submitted in a form; I need it to block certain emails that are on the list. I think the best way to describe it would be a form submission blacklist that is checked before it gets submitted. Many thanks

I am trying to filter characters that get submitted into forms and then into the database. I have been playing with the trim function:

    $string = $_POST['name'];
    $newstring = trim($string, "W");
    echo "$newstring";

but it does not seem to do what I really need. If I enter the name World I do get "orld" back, but what if I want to filter out W (or w) and L (or l) to get "ord"? I am mainly going after removing ' " ; : . > , < - _ ( ) * & ^ % $ # @ ! \ | / ? I know there is a different way to do it, but it has been a long time since I have seen it, and I do not know where. Thanks for your help

I now know how to append GET over normal hyperlinks, but I don't know how to do it with form submissions. Here's the problem: I have a form like this one:

    <form method="GET" action="">
    <?php
    require_once ('sort_category_func.php');
    $switch = 1;
    sort_category ($switch);
    ?>
    + Most Liked <input type='checkbox' value='mostLiked' name='mostLiked' /> <br />
    <input type="submit" name="sortSubmit" value='Go' /> <br /><br />
    </form>

And the variables:

    // DROP DOWN MENU VARIABLES
    $select_category = $_REQUEST['sort_category'];
    $most_liked = $_GET['mostLiked'];

I'm using a while loop to list user submissions; you can also sort them by category, which works over GET. This works as long as there is no GET data already in the URL, but as soon as there is GET data it won't work anymore.
Here's an example: If I have a user profile page opened like this:

    profile.php?user=konopkov

and a category has been chosen to sort the user's submissions, the URL will change to:

    profile.php?sort_category=Logos

INSTEAD it should be:

    profile.php?user=konopkov&sort_category=Logos

As I said, I know how to achieve this with hyperlinks now, but I have no clue how to do it with form submissions. Any suggestions? Thanks.

Up until now, I have been writing forms that submit back to themselves. Now I want to break up my code. I usually have this PHP at the top of my forms:

Code:
    <?php
    // ********************************************
    // HANDLE FORM.                               *
    // ********************************************
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        // Form was Submitted (Post).

If I change my form action to point to another script, will this code work in that new script?? (In other words, will Script_B be able to detect $_SERVER['REQUEST_METHOD']=='POST'??) Thanks, Debbie

To execute code on successfully submitting text input, is this "bare minimum" code secure enough?
    if (!empty($_POST["textfield_input"])) {

...or is it best to make sure all 4 of these are confirmed:

    if (

The HTML portion is simply:

I've searched on the net about this several times, and see different answers, and it looks like each PHP expert has their favorite... but I would rather know the "best practices" answer to this. Thank you!!
Edited November 5, 2019 by StevenOliver

I want the script to check if something has already been submitted into the database before the submission. I tried to do it with num_rows, but I'm encountering a problem. Here's the script:

    $con_submit = $_POST['submit'];
    $user_id = $_SESSION['user_id'];

    if ($con_submit && isset($user_id)) {
        $dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);

        // POST variables
        $knuffix_name = strip_tags(trim($_POST['knuffix_name']));
        $knuffix_contribution = $_POST['knuffix_contribution'];
        $knuffix_category = strip_tags(trim($_POST['sort_category']));

        $query = sprintf("SELECT * FROM con WHERE contribution = '%s'",
            mysqli_real_escape_string($dbc, $knuffix_contribution));
        $query_run = mysqli_query($dbc, $query) or die(mysqli_error($dbc));
        $num_rows = mysqli_num_rows($query_run) or die(mysqli_error($dbc));
        // $assoc = mysqli_fetch_assoc($query_run) or die(mysqli_error($dbc));

        echo "num rows" . $num_rows;

        // and then as an example:
        if ($num_rows == 0) {
            // run INSERT INTO script
        }
    }

When there are entries in the database, num_rows will return the number of entries in the echo, BUT if there are ZERO entries then nothing will happen, and that is because of the query. The query looks as follows:

Code:
    SELECT * FROM con WHERE contribution = '$variable_post_submission'

Which means if there's no entry in the database at all, then the query has nothing to select, which again makes the rest of the script NOT work. Which means that num_rows does not return any value; the echo will not even get printed out. But I, on the other hand, would like num_rows to return zero and have the script continue by INSERTING the submitted data into the database. Any ideas how I could accomplish this?

Hi, we have a nicely working SMTP contact form; however, the form redirects to the contact.php file as default I presume, when we want it to go to a thank-you page. Can you please take a look at the code below and clarify where I need to put the thank-you page URL:
    $redirect_url = "http://" . $_SERVER['SERVER_NAME']; // Redirect URL after submitting the form
    $mail->From = $mail->Username; // Default From email same as smtp user
    $mail->FromName = "Mobile website";
    $mail->AddAddress("essexcarrentals@yahoo.co.uk", "Mobile Website"); // Email address where you wish to receive/collect those emails.
    $mail->WordWrap = 50;  // set word wrap to 50 characters
    $mail->IsHTML(true);   // set email format to HTML
    $mail->Subject = $_POST['Enquiry'];
    $message = "Name: " . $_POST['name'] . " \r\n <br>Email Address: " . $_POST['email'] . " \r\n <br> Phone: " . $_POST['phone'] . " \r\n <br> Vehicle: " . $_POST['select'] . " \r\n <br> Dates: " . $_POST['dates'];
    $mail->Body = $message;

    if (!$mail->Send()) {
        echo "Message could not be sent. <p>";
        echo "Mailer Error: " . $mail->ErrorInfo;
        exit;
    }
    echo "Message has been sent";
    header("Location: $redirect_url");
    }
    ?>

I have tried replacing the http:// but this returns a "page undefined" error on submission? We appreciate your help on this one guys :0) Ash

---

Hey guys, I'm having trouble showing the news by the date it was submitted. I also want to separate it into 3 separate parts. The first section will have the main news, which is only 1 row; it will have the value 1 in the column named type (is this news main or recent). The date on it doesn't matter because I want to show it even though there might be news that is ahead of it. The next section will have 3 rows of recent news. I want to show the 3 most recent news items there are in the database with the value 2 in the column named type; I want it to show the recent news by the date submitted. Okay, the last part will have the old news. There I want to show 3 rows of news that come after the 3 rows in recent news. That value will be 2 in the column named type. Here is my current code.
    <?php
    session_start();
    if (isset($_SESSION['username'])) {
        mysql_connect("localhost", "root", "");
        mysql_select_db("chat");
        $result = mysql_query("SELECT * FROM `news` WHERE `type`='1' ORDER BY `news`.`newsid` DESC LIMIT 1");
        $query = mysql_query("SELECT * FROM news WHERE `type`='1' ");
        //$ifadmin_result = mysql_query("SELECT * FROM users WHERE `username`='$loggedin' ");
        if (mysql_num_rows($query) != 0) {
            $loggedin = $_SESSION['username'];
            $myrow = mysql_fetch_array($result);
            echo "<b>Title: ";
            echo $myrow['title'];
            echo "</b><br>On: <i>";
            echo $myrow['dtime'];
            echo "</i><hr align=left width=160>";
            echo $myrow['text1'];
            //check if admin
            $ifadmin_result = mysql_query("SELECT * FROM users WHERE `username`='$loggedin'");
            $ifadmin = mysql_fetch_array($ifadmin_result);
            if ($ifadmin['admin'] == 1) {
                echo "<br><a href=\"read_more.php?newsid=$myrow[newsid]\">Read More...</a> || <a href=\"edit_news.php?newsid=$myrow[newsid]\">Edit</a> || <a href=\"delete_news.php?newsid=$myrow[newsid]\">Delete</a><BR><BR>";
            } else {
                echo "<br><a href=\"read_more.php?newsid=$myrow[newsid]\">Read More...</a><BR>";
            }
            //check if admin
            echo "<hr align=left width=500>";
        } else {
            echo "no rows<br>";
        }

        $iCount = 0;
        $var = false;
        //RECENT
        $result = mysql_query("SELECT * FROM `news` WHERE `type`='2' ORDER BY `news`.`newsid` DESC LIMIT 6");
        //lets make a loop and get all news from the database
        while ($myrow = mysql_fetch_array($result)) { //begin of loop
            //now print the results:
            $iCount = $iCount + 1;
            if ($iCount >= 4) {
                if ($var == false) {
                    $var = true;
                    echo "<hr align=left width=500>";
                    echo '<div> More News</div>';
                }
                //Generate your recent news here: echo the title etc.
                echo "<div><b>Title: ";
                echo $myrow['title'];
                echo "</b> <i>On:" . $myrow['dtime'] . '</i></div>';
                echo "<a href=\"read_more.php?newsid=$myrow[newsid]\">Read More...</a>";
            } else {
                echo "<b>Title: ";
                echo $myrow['title'];
                echo "</b><br>On: <i>";
                echo $myrow['dtime'];
                echo "</i><br>";
                //echo "<hr align=left width=160>";
                echo $myrow['text1'];
                // Now print the options to (Read, Edit & Delete the news)
                $ifadmin_result = mysql_query("SELECT * FROM users WHERE `username`='$loggedin'");
                $ifadmin = mysql_fetch_array($ifadmin_result);
                if ($ifadmin['admin'] == 1) {
                    echo "<br><a href=\"read_more.php?newsid=$myrow[newsid]\">Read More...</a> || <a href=\"edit_news.php?newsid=$myrow[newsid]\">Edit</a> || <a href=\"delete_news.php?newsid=$myrow[newsid]\">Delete</a><BR><hr align=\"left\" width=\"160\">";
                } else {
                    echo "<br><a href=\"read_more.php?newsid=$myrow[newsid]\">Read More...</a><hr align=\"left\" width=\"160\">";
                }
                /* echo "<br><a href=\"read_more.php?newsid=$myrow[newsid]\">Read More...</a> || <a href=\"edit_news.php?newsid=$myrow[newsid]\">Edit</a> || <a href=\"delete_news.php?newsid=$myrow[newsid]\">Delete</a><br><hr align=\"left\" width=\"160\">"; */
            }
        } //end of loop
    } else {
        mysql_connect("localhost", "root", "");
        mysql_select_db("chat");
        $result = mysql_query("SELECT * FROM `news` WHERE `type`='1' ORDER BY `news`.`newsid` DESC LIMIT 1");
        $query = mysql_query("SELECT * FROM news WHERE `type`='1' ");
        if (mysql_num_rows($query) != 0) {
            $myrow = mysql_fetch_array($result);
            echo "<b>Title: ";
            echo $myrow['title'];
            echo "</b><br>On: <i>";
            echo $myrow['dtime'];
            echo "</i><hr align=left width=160>";
            echo $myrow['text1'];
            echo "<br><a href=\"read_more.php?newsid=$myrow[newsid]\">Read More...</a><BR>";
            echo "<hr align=left width=500>";
        } else {
            echo "no rows<br>";
        }

        $iCount = 0;
        $var = false;
        //RECENT
        $result = mysql_query("SELECT * FROM `news` WHERE `type`='2' ORDER BY `news`.`newsid` DESC LIMIT 6");
        //lets make a loop and get all news from the database
        while ($myrow = mysql_fetch_array($result)) { //begin of loop
            //now print the results:
            $iCount = $iCount + 1;
            if ($iCount >= 4) {
                if ($var == false) {
                    $var = true;
                    echo "<hr align=left width=500>";
                    echo '<div> More News</div>';
                }
                //Generate your recent news here: echo the title etc.
                echo "<div><b>Title: ";
                echo $myrow['title'];
                echo "</b> <i>On:" . $myrow['dtime'] . '</i></div>';
                echo "<a href=\"read_more.php?newsid=$myrow[newsid]\">Read More...</a>";
            } else {
                echo "<b>Title: ";
                echo $myrow['title'];
                echo "</b><br>On: <i>";
                echo $myrow['dtime'];
                echo "</i><br>";
                //echo "<hr align=left width=160>";
                echo $myrow['text1'];
                // Now print the options to (Read, Edit & Delete the news)
                echo "<br><a href=\"read_more.php?newsid=$myrow[newsid]\">Read More...</a><hr align=left width=160>";
            }
        } //end of loop
    }
    ?>
    <br>
    <hr align=left width=500>
    <!--
    <hr align=left width=500>
    <br><br>
    <a href=index.php>Home</a>
    <a href=add_news.php>Add News</a>
    -->

Here is what my database table looks like. Don't mind the number of rows there are; I want it to show, I guess, the first 7 rows of news dated closest to the present. There soon will be hundreds of rows. Here is how I made it fill in the row with the most recent time it was posted, using NOW() in:

    $result = mysql_query("INSERT INTO news (title, dtime, text1, text2, type) VALUES ('$title',NOW(),'$text1','$text2','$type')");

Basically I want it to show the most recent rows based on the time they were posted. Also, in case you need more information, please post and I'll give you more information.
Hi: I am using this code for my contact us feedback form:

Code:
    <?php
    $error = NULL;
    $myDate = NULL;
    $FullName = NULL;
    $Address = NULL;
    $City = NULL;
    $State = NULL;
    $Zip = NULL;
    $Phone = NULL;
    $Email = NULL;
    $Website = NULL;
    $Comments = NULL;

    if (isset($_POST['submit'])) {
        $myDate = $_POST['myDate'];
        $FullName = $_POST['FullName'];
        $Address = $_POST['Address'];
        $City = $_POST['City'];
        $State = $_POST['State'];
        $Zip = $_POST['Zip'];
        $Phone = $_POST['Phone'];
        $Email = $_POST['Email'];
        $Website = $_POST['Website'];
        $Comments = $_POST['Comments'];

        if (empty($FullName)) {
            $error .= '-- Enter your Full Name. <br />';
        }
        if (empty($Email)) {
            $error .= '-- Enter your Email. <br />';
        }

        if ($error == NULL) {
            $sql = sprintf("INSERT INTO myContactData(myDate,FullName,Address,City,State,Zip,Phone,Email,Website,Comments) VALUES ('%s','%s','%s','%s','%s','%s','%s','%s','%s','%s')",
                mysql_real_escape_string($myDate),
                mysql_real_escape_string($FullName),
                mysql_real_escape_string($Address),
                mysql_real_escape_string($City),
                mysql_real_escape_string($State),
                mysql_real_escape_string($Zip),
                mysql_real_escape_string($Phone),
                mysql_real_escape_string($Email),
                mysql_real_escape_string($Website),
                mysql_real_escape_string($Comments));
            if (mysql_query($sql)) {
                $error .= 'Thank you for contacting us.';
                mail(
                    "d@direct.com",
                    "Contact Request",
                    "Date Sent: $myDate\n Full Name: $FullName\n Address: $Address\n City: $City\n State: $State\n Zip: $Zip\n Phone: $Phone\n Email: $Email\n Website: $Website\n Comments: $Comments\n",
                    "From: $Email"
                );
            } else {
                $error .= 'There was an error in our Database, please Try again!';
            }
        }
    }
    echo '<span class="textError">' . $error . '</span>';
    ?>
    <form name="myform" action="" method="post">
        <input type="hidden" name="myDate" size="45" maxlength="50" value="<?php echo date("F j, Y"); ?>" />
        <div id="tableFormDiv">
            <fieldset><span class="floatLeftFormWidth"><span class="textErrorItalic">* - Required</span></span> <span class="floatFormLeft"> </span></fieldset>
            <fieldset><span class="floatLeftFormWidth"><span class="textErrorItalic">*</span> Full Name:</span> <span class="floatFormLeft"><input type="text" name="FullName" size="45" maxlength="50" value="<?php echo $FullName; ?>" /></span></fieldset>
            <fieldset><span class="floatLeftFormWidth">Address:</span> <span class="floatFormLeft"><input type="text" name="Address" size="45" maxlength="50" value="<?php echo $Address; ?>" /></span></fieldset>
            <fieldset><span class="floatLeftFormWidth">City:</span> <span class="floatFormLeft"><input type="text" name="City" size="45" maxlength="50" value="<?php echo $City; ?>" /></span></fieldset>
            <fieldset><span class="floatLeftFormWidth">State:</span> <span class="floatFormLeft"><input type="text" name="State" size="45" maxlength="50" value="<?php echo $State; ?>" /></span></fieldset>
            <fieldset><span class="floatLeftFormWidth">Zip:</span> <span class="floatFormLeft"><input type="text" name="Zip" size="45" maxlength="50" value="<?php echo $Zip; ?>" /></span></fieldset>
            <fieldset><span class="floatLeftFormWidth">Phone:</span> <span class="floatFormLeft"><input type="text" name="Phone" size="45" maxlength="50" value="<?php echo $Phone; ?>" /></span></fieldset>
            <fieldset><span class="floatLeftFormWidth"><span class="textErrorItalic">*</span> Email:</span> <span class="floatFormLeft"><input type="text" name="Email" size="45" maxlength="50" value="<?php echo $Email; ?>" /></span></fieldset>
            <fieldset><span class="floatLeftFormWidth">Website:</span> <span class="floatFormLeft"><input type="text" name="Website" size="45" maxlength="50" value="<?php echo $Website; ?>" /></span></fieldset>
            <fieldset><span class="floatLeftFormWidth">Comments:</span> <span class="floatFormLeft"><textarea name="Comments" cols="40" rows="10"><?php echo $Comments; ?></textarea></span></fieldset>
        </div>
        <input type="submit" name="submit" value="Submit" class="submitButton" /><br />
    </form>

The only thing I can't figure out is how to clear the form fields AFTER the form has been submitted and the message "Thank you for contacting us." appears?? I haven't been able to figure it out with JavaScript/PHP, so I posted my original code in hopes that someone will have an idea. Anyone? Thanks!

I have been using an inventory application built on PHP/MySQL. Since this morning I could submit the data and it was perfectly reflected in the MySQL table. However, for a few hours I cannot save the submitted data to the table, and it doesn't show any error message. Please note no changes have been made since it was successfully running. The developer of this application is not available right now.
PLEASE HELP, I AM A NOVICE IN PHP/MYSQL.
Hi All, I have a text field in a form that, when submitted, passes the submitted data using $_POST into a second webpage. I then use an insert statement on that page to insert the submitted text into a DB. I am finding that if users place either a quote (") or an apostrophe (') in the form, it truncates the insert statement, as it takes the characters as the end of the line. Is there any other way of managing quotes and apostrophes in forms? Cheers Matt

Hello everyone, I'm having a difficult time figuring out what my problem is here. I'm trying to submit a couple of strings (to the user they are messages to be sent to other users) and I am having trouble with the string being cut off at quotation marks. Here is the code that I'm using:

Code:
    <?php
    if (isset($_POST['submit'])) {
        $staffmessage = $_POST['staffmessage'];
        $studentmessage = $_POST['studentmessage'];
        echo "$staffmessage<br /> <br />$studentmessage";
    }
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
    </head>
    <body>
    <?php
    $message1 = "This is a test message. It does not get cut off here when the \"quotation marks\" are added.";
    $message2 = "This is a test message. It DOES get cut off here when the \"quotation marks\" are added.";
    ?>
    <form name="form" method="post" action="test.php">
    <textarea class="textarea" name="staffmessage" rows="12">
    <?php echo $message1; ?>
    </textarea></p>
    <input name="studentmessage" type="hidden" value="<?php echo $message2; ?>" />
    <input class="submit2" type="submit" name="submit" value="Send Message" />
    </form>
    </body>
    </html>

The result that I'm getting is that when $staffmessage is echoed, I get the full message. When $studentmessage is echoed, the message gets cut off at the first quotation mark. The only thing that is different when creating these two variables is that $staffmessage is submitted using a "textarea" field in the form, and $studentmessage is submitted using a "hidden" field in the form. Other than that, they are handled exactly the same way. Can anyone please help me figure out how to remedy this so that $studentmessage is not cut off at the quotation mark? Thanks in advance for your help!

Hi There, Is there any way that when a user submits a form but places a link inside, for example:

    It is located at this location: http://mylink.com

PHP can pick up the fact that there is a link there and tag it correctly so it is clickable? Cheers Matt

Hi There, I am putting a form together that, when submitted, pumps data into an SQL DB. However, I am having problems with quotation marks; for example, it's and her's and their's cause an error, because the insert statement takes the quote as the end of the row. How can PHP handle this so that it either removes or replaces that quote? Thanks Matt

Hey guys, OK, so actually I have two questions that are kind of related. The first one is how I can allow users to use <i>, <b>, <strong> tags when submitting information in a form. I would like to allow certain tags so they can emphasize things in their text, but I still want to strip the rest for security reasons. I tried using strip_tags() with some exceptions as a second parameter, but as far as I understand, that just allows them to be displayed as text, not for the browser to make text bold, for instance. Below is what I have now.

    function stripdata($data) {
        return trim(htmlentities(stripslashes($data), ENT_QUOTES));
    }
    echo stripdata($someDataFromMySQL);

I also want to ask if the solution above is 100% safe, so that users cannot submit malicious code that can execute when users visit a page of mine that displays that code. Thank you in advance.
I have an account on theirsite.com and I want to be able to submit my login credentials from mysite.com/page1.php and then redirect back to mysite.com/page2.php. I've been Googling for hours now and nothing I can find works, and I don't know a thing about cURL and would rather not get into it. Not to mention, I'm using free hosting for now and I don't believe I'm able to use cURL anyway. I can get it to log in with the credentials just fine, that's no problem, but I just have no clue how to get it to redirect back to my page, or just send the credentials and then stay on my page, because I could work with that as well (send credentials to theirsite.com from mysite.com/page1.php and stay on mysite.com/page1.php). Is there anyone that could give me a hand on how to do this without using cURL, since my php.ini is not editable? Thanks

How can I display this message within the form?

    echo "data submitted successfully!";

Currently, after the validation check when data is entered, the message shows on top of my page, not within the form.

    function insertDATA($postData) {
        if (!ifEmailExists($postData['email'])) {
            $sql = "
                INSERT INTO tbl SET
                    email = '" . $postData['email'] . "',
                    name  = '" . $postData['name'] . "',
                    phone = '" . $postData['phone'] . "'
            ";
            echo "data submitted successfully!"; // this line within the form
            executeSql($sql);
        }
    }