|
PHP - How Can I Prevent Javascript Coding?
I've been alerted that someone can attack my site using XSS. I have a search box on my site and I've tested it by simply writing "<script>alert('test')</script>" When I do this a pop-up box does come up displaying the word "Test" I have written a preg_replace previously but now I want to add something to it to prevent <script>.
This was my original code Code: [Select] $search = mysql_real_escape_string(preg_replace('/[^\w\'\"\@\-\.\,\(\) ]/i', '', " $_POST['search'])); This is what I thought might work but no luck Code: [Select] $search = mysql_real_escape_string(preg_replace('/[^\w\'\"\@\-\.\,\(\) ]/i', '', "/<script[^>]*>.*<*script[^>]*>/i", $_POST['search'])); Could anyone please help and tell me how to modify the code to prevent javascript? Thanks Similar TutorialsIs this a correct approach to prevent email injection? $to: me@mydomain.com, myPartner@mydomain.com, $emailer; //then the rest of the stuff. $emailCheck = $_POST["emailer"]; if (eregi("(\r|\n)", $emailCheck)) { die("Why ?? "); } mail($to, $subject, "", $headers); Hello! This bit of code actually does work, I just want to check that this is the best/proper/most efficiant way of doing it. Basically i'm calling a PHP function that uses the javascripts prompt function, then returning the value that the user types in back to PHP. Most probably easier to show you. Code: [Select] <?php //prompt function function prompt($prompt_msg){ echo("<script type='text/javascript'> var answer = prompt('".$prompt_msg."'); </script>"); $answer = "<script type='text/javascript'> document.write(answer); </script>"; return($answer); } //program $prompt_msg = "Please type your name."; $name = prompt($prompt_msg); $output_msg = "Hello there ".$name."!"; echo($output_msg); ?> That is the entire code, I just want to know if this is the proper way to do something like this (using javascript and PHP together) thanks guys! Hi... I have a problemand I tried to resolved it but still I failed.. I need to add a code in a php file where I'm not the one who code, now I need to add code on that file, and the problem is the one who the owner of code is not here. I need to add code : Code: [Select] $sub_lotcode = substr($lotCode, 9, 4); $sql = "SELECT k.PCODE, k.kanban, p.Compounds, p.Max_Lot FROM kanban_checker k, param_settings p WHERE k.kanban = p.Max_Lot AND k.PCODE = '$sub_lotcode' AND p.Compounds = '$sub_lotcode'"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { notify that PCODE reach the maximum } else{ echo "continue"; } here is the code where I need to add this condition: Code: [Select] <?php error_reporting(0); $con = mysql_connect('localhost', 'root',''); if (!$con) { echo 'failed'; die(); } mysql_select_db("mes", $con); $lotCode = mysql_real_escape_string($_GET['normal']); $lotCodeDownGrade = mysql_real_escape_string($_GET['downgrade']); $terminalNo = mysql_real_escape_string($_GET['n']); $downMode = mysql_real_escape_string($_GET['down']); //>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> if ($terminalNo == "1") { if ($lotCode != "") { $sql = "SELECT BARCODE FROM LEGALCODES WHERE BARCODE='$lotCode'"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { echo "X"; // X - for non existent in the mes table } else { //do this if code exist in the database: // //code exist in the database $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND TERMINAL_ID='1' AND ACTIVE=TRUE"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { echo "0"; // continue to transact } else { // query the last terminal it was used $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND ACTIVE=TRUE ORDER BY DATE_ENTRY DESC LIMIT 1"; $result = mysql_query($sql, $con); $row = mysql_fetch_array($result); $total = mysql_num_rows($result); echo $row['TERMINAL_ID'] ; // already used here - me nakita // GET THE LAST TERMINAL NUMBER ACTIVE ADD 1 HERE TO DISPLAY WHICH TERMINAL TO GO } } } } //>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> elseif ($terminalNo == "4") { if ($lotCode != "") { $sql = "SELECT BARCODE FROM LEGALCODES WHERE BARCODE='$lotCode'"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { echo "X"; // X - for non existent in the mes table } else { //if downgrade is checked do this : if ($downMode == "true") { $advanceTerminal = ((integer)($terminalNo) + 1); $advanceTerminal = (string)($advanceTerminal); $preTerminal = ((integer)($terminalNo) - 1); $preTerminal = (string)($preTerminal); //query if the lot code exist in advance terminal .. $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND TERMINAL_ID='$advanceTerminal' AND ACTIVE=TRUE"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { // check naman kung wala sa naunang terminal $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND TERMINAL_ID='$preTerminal' AND ACTIVE=TRUE"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND ACTIVE= TRUE ORDER BY TERMINAL_ID DESC LIMIT 1"; $result = mysql_query($sql, $con); $row = mysql_fetch_array($result); $total = mysql_num_rows($result); if ($total <= 0) { // NO RECORDS FOUND GO TO TERMINAL 1 == optional echo "notran"; } else { echo $row['TERMINAL_ID'] ; } } else { $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND TERMINAL_ID='$terminalNo' AND ACTIVE=TRUE"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0 || $total >= 0) { echo "G"; } } } else { $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND ACTIVE= TRUE ORDER BY TERMINAL_ID DESC LIMIT 1"; $result = mysql_query($sql, $con); $row = mysql_fetch_array($result); $total = mysql_num_rows($result); echo $row['TERMINAL_ID'] ; } } else { //query if the lot code exist in this terminal .. $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND TERMINAL_ID='$terminalNo' AND ACTIVE=TRUE"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { // wala nakita - then tsek if nag exist sa terminal na sinundan $preTerminal = ((integer)($terminalNo) - 1); $preTerminal = (string)($preTerminal); //then tsek if nag exist sa terminal na sinundan $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND TERMINAL_ID='$preTerminal' AND ACTIVE=TRUE"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { // walang nakita sa mga naunang terminal // do this if no previous transaction with pre requisite process // query the last terminal it was used $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND ACTIVE= TRUE ORDER BY TERMINAL_ID DESC LIMIT 1"; $result = mysql_query($sql, $con); $row = mysql_fetch_array($result); $total = mysql_num_rows($result); // $row = mysql_fetch_array($result); if ($total <= 0) { // NO RECORDS FOUND GO TO TERMINAL 1 == optional echo "notran"; } else { echo $row['TERMINAL_ID']; // GET THE LAST TERMINAL NUMBER ACTIVE ADD 1 HERE TO DISPLAY WHICH TERMINAL TO GO } } else { echo "G"; } } else { //me record na nakita sa terminal na pinag transakan // query the last terminal it was used $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND ACTIVE=TRUE ORDER BY TERMINAL_ID DESC LIMIT 1"; $result = mysql_query($sql, $con); $row = mysql_fetch_array($result); $total = mysql_num_rows($result); echo $row['TERMINAL_ID'] ; // already used here - me nakita // GET THE LAST TERMINAL NUMBER ACTIVE ADD 1 HERE TO DISPLAY WHICH TERMINAL TO GO } } // here is the terminator of else in downgrade } } //>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> if ($lotCodeDownGrade != "") { $sql = "SELECT BARCODE FROM LEGALCODES WHERE BARCODE='$lotCodeDownGrade'"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { echo "X"; // X - for non existent in the mes table } else { //do this if code exist in the database: // //code exist in the database $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCodeDownGrade' AND ACTIVE=TRUE"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { echo "0"; // continue to transact } else { // query the last terminal it was used $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCodeDownGrade' AND ACTIVE=TRUE ORDER BY TERMINAL_ID DESC LIMIT 1"; $result = mysql_query($sql, $con); $row = mysql_fetch_array($result); $total = mysql_num_rows($result); echo $row['TERMINAL_ID'] ; // already used here - me nakita // GET THE LAST TERMINAL NUMBER ACTIVE ADD 1 HERE TO DISPLAY WHICH TERMINAL TO GO } } } } //>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> else { if ($lotCode != "") { $sql = "SELECT BARCODE FROM LEGALCODES WHERE BARCODE='$lotCode'"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { echo "X"; // X - for non existent in the mes table } else { //query if the lot code exist in this terminal .. $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND TERMINAL_ID='$terminalNo' AND ACTIVE=TRUE"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { // wala nakita - then tsek if nag exist sa terminal na sinundan $preTerminal = ((integer)($terminalNo) - 1); $preTerminal = (string)($preTerminal); //then tsek if nag exist sa terminal na sinundan $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND TERMINAL_ID='$preTerminal' AND ACTIVE=TRUE"; $result = mysql_query($sql, $con); $total = mysql_num_rows($result); if ($total <= 0) { // walang nakita sa mga naunang terminal // do this if no previous transaction with pre requisite process // query the last terminal it was used $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND ACTIVE=TRUE ORDER BY TERMINAL_ID DESC LIMIT 1"; $result = mysql_query($sql, $con); $row = mysql_fetch_array($result); $total = mysql_num_rows($result); if ($total <= 0) { // NO RECORDS FOUND GO TO TERMINAL 1 == optional echo "notran"; } else { echo $row['TERMINAL_ID']; // GET THE LAST TERMINAL NUMBER ACTIVE ADD 1 HERE TO DISPLAY WHICH TERMINAL TO GO } } else { echo "G"; } } else { //me record na nakita sa terminal na pinag transakan // query the last terminal it was used $sql = "SELECT LOT_CODE, TERMINAL_ID, ACTIVE FROM DEPENDENCY WHERE LOT_CODE='$lotCode' AND ACTIVE= TRUE ORDER BY TERMINAL_ID DESC LIMIT 1"; $result = mysql_query($sql, $con); $row = mysql_fetch_array($result); $total = mysql_num_rows($result); echo $row['TERMINAL_ID'] ; // already used here - me nakita // GET THE LAST TERMINAL NUMBER ACTIVE ADD 1 HERE TO DISPLAY WHICH TERMINAL TO GO } } } } mysql_close($con); ?> Code: [Select] function unUsedLotId(txtElemID){ var txtElemID_Active = txtElemID; //alert("VV" + txtElemID_Active.value + "VV" ); responsePHP = "no_reply"; changeFocus = false; var termNo = terminalNo(); ajaxRequest = remoteRequestObject(); ajaxRequest.onreadystatechange = function(){ if (ajaxRequest.readyState==4 && ajaxRequest.status==200) { // var result = ajaxRequest.responseText; responsePHP = ajaxRequest.responseText; //alert(responsePHP) // if (result=="1") { result = "Already used Tag";} // if (result=="0") { result = "Tag ok";} // if (result=="G") { result = "Tag ok";} // if (result=="B") { result = "Incomplete Process";} // var resultStr = (result=="1") ? 'Tag used or incomplete prerequisites' : 'Tag unused'; if (responsePHP == "failed") { txtElemID_Active.disabled = false; txtElemID_Active.value = ""; txtElemID_Active.focus(); notify("Report to MIS<br /> Please scan again."); } //------------------------------added by rhoda for integration-------------------------------------------------- /* else if (responsePHP == "C"){ notify("CCCC"); if (txtElemID_Active.disabled) { txtElemID_Active.disabled = false; } txtElemID_Active.value = ""; txtElemID_Active.focus(); } */ //-------------------------------------------------------------------------------- else if (responsePHP == "X") { //result = "Lot ID invalid."; //responsePHP = "Lot ID invalid."; notify("Lot ID invalid. Scan Again."); if (txtElemID_Active.disabled) { txtElemID_Active.disabled = false; } txtElemID_Active.value = ""; txtElemID_Active.focus(); } //-------------------------------------------------------------------------------- else if (responsePHP =="0" || responsePHP =="G"){ if (txtElemID_Name == "txtLotCode") { window.LotID = (txtElemID_Active.value) } if (txtElemID_Name == "txtLotCodeDownGrade") { window.LotID_Down = (txtElemID_Active.value) } strip(txtElemID_Active) if (termNo == "1") { isSelected('txtLotCode', 'selWeight_MachineID'); } if (termNo == "2" || termNo == "3") { isSelected('txtLotCode', 'txtKitWeight'); } if (termNo == "4" || termNo == "5" || termNo == "6" || termNo == "7") { //////////////////////////////// downgrade modification /////////////////////////////////////// if (termNo == "4") { //alert(termNo) var chkDownGrade = document.getElementById('chkDownGrade') if (chkDownGrade.checked == 1) { //alert("here") if (txtElemID_Name == 'txtLotCode') { isSelected('txtLotCode', 'txtLotCodeDownGrade'); } if (txtElemID_Name == 'txtLotCodeDownGrade') { isSelected('txtLotCodeDownGrade', 'selMachineID'); } } else { //alert("here") if (txtElemID_Name == 'txtLotCode') { isSelected('txtLotCode', 'selMachineID'); } } } else { isSelected('txtLotCode', 'selMachineID'); } //////////////////////////////////////////////////////////////////////////////////////// } if (document.getElementById('notice')!== null) { document.getElementsByTagName('body')[0].removeChild(document.getElementById('notice')) //>> clear the box } } //-------------------------------------------------------------------------------- else if (responsePHP == "notran") { var mensahe1 = "Please return to<br /><span style='font-size:30px;'>Chemical Weighing<br /> or Supervisor</span>"; notify(mensahe1); if (txtElemID_Active.disabled) { txtElemID_Active.disabled = false; } txtElemID_Active.value = ""; txtElemID_Active.focus(); } //-------------------------------------------------------------------------------- else { /* responsePHP == "1" || responsePHP == "B") { do this if tag is used in this terminal if (responsePHP == "1") { result = "Already used Lot ID"; responsePHP = "Already used Lot ID"; notify("Already used Lot ID.<br />Scan again."); } else if (responsePHP == "B") { // result = "Incomplete Transaction Process"; // responsePHP = "Incomplete Transaction Process"; notify("Incomplete Transaction Process.<br />Scan again."); } */ var mensahe1 = "Last Process: <span style='font-size:30px;'> Terminal " + responsePHP + "</span><br /><br />"; var mensahe2 = "Pls. Proceed: <span style='font-size:30px;'> Terminal " + (parseInt(responsePHP) + 1) + "</span>"; notify(mensahe1 + mensahe2); // notify("Incomplete Transaction Process.<br />Scan again."); if (txtElemID_Active.disabled) { txtElemID_Active.disabled = false; } txtElemID_Active.value = ""; txtElemID_Active.focus(); } //-------------------------------------------------------------------------------- } } var txtElemID_Name = txtElemID_Active.id; if (termNo == "4") { var downGrade = document.getElementById('chkDownGrade').checked; var str = txtElemID_Active.value + "&n=" + termNo + "&down=" + downGrade; } else { var str = txtElemID_Active.value + "&n=" + termNo; } if (txtElemID_Name == "txtLotCode") { //alert(txtElemID_Name) var url = "verifyLotId.php?normal=" + str; } if (txtElemID_Name == "txtLotCodeDownGrade") { //alert(txtElemID_Name) var url = "verifyLotId.php?downgrade=" + str; } ajaxRequest.open("GET", url, true); // force i.e. not to cache ajaxRequest.setRequestHeader("If-Modified-Since", "Sat, 1 Jan 2000 00:00:00 GMT"); //-------------------------------------------------- ajaxRequest.send(null); ajaxTimeOut = window.setTimeout("timeOut('" + txtElemID_Name + "');", 6000); } Hello Guys, Iam making a new ad serving script. In that site every publisher can register & they will get a url to serve ads. When a user click on that url the publisher will get earnings. But my problem is someone using something like this <iframe src="http://my-site.com/adserve.php" width = "100" height = "100"></iframe> & it will helps to get earnings without clicking on that url. I want to prevent this type of cheating & how it can be possible ?? I hope a expert will replay for me. Hi is there any way we can prevent suppose <textarea></textarea> when page reload it refresh and set default text i wanted to know is there any way to prevent certain things not to get refreshed is there any method in php which prevent to reload this ! <?php echo "<textarea > Enter your favorite quote!</textarea> \n" ; Code: [Select] if (isset($_GET['edit']) && $_GET['edit'] == 'textupdate'){ } <a href= \"{$_SERVER['PHP_SELF']}?page=1&edit=textupdate \" >Click</a>?> As the title says, I would like to know how exactly CSRF can be 100% (or close to it) prevented.
One of the most recommended solutions is to create a token and insert it into a hidden field, but I've tested it on another domain and you can just do a cURL request and retrieve the token then make another request with it included. Proof:
<?php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "URL");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10);
$response = curl_exec($ch);
curl_close($ch);
$exploded = explode('type="hidden" name="token" value="', $response);
$token = substr($exploded[1], 0, 64);
echo $token; // ebd9ab96d40bdb21bbaa2e1a18d657be2e413105ae86ecc14def6137f38a1571
?>
I would hate to include captcha on all my forms, so how exactly does one prevent CSRF?
Based on the comments on my previous question, took some tutorials on how to avoid injections on query. Does the code below prevents against it in any way.? Secondly, can you recommend a good article that writes well in how to secure input data by users. Please be kind with your comments.😉😉. Thankks in advance.
The code works fine.
<?phpÂ
include 'db.php';
error_reporting(E_ALL | E_WARNING | E_NOTICE);
ini_set('display_errors', TRUE);
 if(isset($_POST['submit']))
 {
  Â
 $username = $_POST['username'];Â
$password = Â ($_POST['password']);Â
$sql = "SELECT * FROM customer WHERE username = ?";
$stmt = $connection->prepare($sql);Â
$stmt->bind_param('s', $username);
$stmt->execute();
$result = $stmt->get_result();
$count = Â $result->num_rows;
  if($count == 1)Â
             {
while ($row = $result->fetch_assoc())
 {
  if ($row['status'] == 'blocked')
 {
 echo'your account is suspended'
  session_destroy();
  exit();
 }
 else if($row['status'] == 'active')
{
if($username !== $row['username'])Â
 {Â
echo '<script>swal.fire("ERROR!!", " Username is not correct. Check Again", "error");</script>';
}Â
if($password !== $row['password'])Â
{
 echo'<script>swal.fire("ERROR!!!", "Your Password is Incorrect. Check Again.", "error");</script>';    Â
}
if($username == $row['username'] && $password == $row['password'])Â
{Â
header('Location:cpanel/');
else
{
}
}//if count
}//while loop
}//submit
?>
 I am loading a link with ajax. When the link pops on the screen and I click it, I get redirected to my 404 page and my lightbox doesn't load. If the link pops in and I refresh my browser, then I click the link my lightbox will show up. How can I do a prevent default on the <a href> in pure JS? No frameworks please. Will this prevent a SQL injection? I am guessing the answer is no because it is too simple. // retrieve form data ========================================== $ama = $_POST['ama']; // Check for alphanumeric characters ===================================== $string = "$ama"; $new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string); // echo $new_string; // Send query =========================================================== $query = "SELECT * FROM members WHERE ama='$new_string'"; if (!mysql_query($query)){ die('Error :' .mysql_error()); } I was asked to make new thread for this, so how do I use a session or something to restrict access to a page.....like if accounttype=Admin, stay here, all others go away......do you need to see code, or can you just give me an example....... I'm building a website that uses session variables. My understanding of session variables is that they only exist as long as the browser is open -- meaning that once the browser closes, the session variables are lost. Hi All, I was wondering if someone maybe knows a nice way to prevent double posting or posting within a certain time without using javascript. Or maybe even echoing an error if someone posts the exact same ase the previous post. I found this little snippet: Code: [Select] onClick="disabled=true;this.form.submit();return true;" Which prevents double clicking. But its javascript and I rather have something besides that to cover all situations. Would love to hear what you guys use or reccomend. Thanks! I have a problem which is why I am here. What I am trying to achieve I am creating a very very basic timetabling system online, using php and sql. I am still in the process of completing it and changing bits from here to there. Although I am fully aware that the current design / implementation needs several changes and amendments, but however it performs most of the basic functionalities from a login system to the ability to add data delete data and also reset the database and recreate. The problem I have a table called tCourse althouogh a full ERD implementation has not taken place, it is still trial and error period. The table consists of the following: - Course - Unit - Course_Code - Year (i.e. Yr1, Yr2, Yr3) - Credits (Value of the unit) - Day - Semester - Start_Time - End_Time - Room - Tutor At the moment the primary keys for the table a - Day - Start_Time - Room_ - Semester This basically prevents a particular day, a semester, a room having been booked at the same time. Which for a very basic one is ok. The only problem is though, if someone books for example: Monday >> 13:00:00 To 14:00:00 >> 205 >> Sem1 (ok) Monday >> 13:00:00 To 14:00:00 >> 205 >> Sem1 (Not ok, which is good, as it is a repeat and prevents double booking) However the problem comes he Monday >> 12:00:00 To 14:00:00 >> 205 >> Sem1 (ok) So this is allowing a booking even though that room will be busy i.e. booked between 13:00 to 14:00 So is there a way I can limit it, so if there is a room booked for that particular period it will not do it. I have done a bit of research and friend's have suggested doind several for loops and quering the database beforehand. I came here, mainly because there are a lot of experienced individuals here whom may have a simpler solution, although I can understand it won't be a one liner . I would appreciate any help, if not, it is still ok. Hi all, I am trying to make a emailscript with PEAR to send quite some people a personalized messaged. But i thought this could very well cause the script to time out. Now i read http://php.net/manual/en/function.set-time-limit.php, but i thought does maybe someone knows a way to prevent a time out instead of setting the time-limit to a larger amount. Some terms i saw floating around we ob_start, flush, sleep and a few others but i really never worked with these. If someone could point me in the right direction of thinking or maybe knows a tutorial or guide i really would love to hear it. Thank you! Our admin panel for a gaming community was recently hit by a successful MySQL injection attack. Here are the parameters they entered into forms to gain access. Code: [Select] ${99319+100354} Code: [Select] <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "http://testphp.vulnweb.com/dot.gif"> ]> <xxx>&acunetixent;</xxx> Not sure which one worked, or how they even managed to POST to that page. But how do these two strings work? What do they do? I am having problems with a search feature I am using for a website I am building. Everything was working fine when I was testing on my local machine using EasyPHP 3.0. The issue I am having is that once I uploaded the site to a "live" server and tested it, my search function wouldn't work. The issue resides in the two lines with the magic quotes and the real escape string, for some reason those lines worked fine while testing using EasyPHP 3.0, but now I must delete those lines in order for my search function to work. The problem is that deleting those lines makes me vulnerable to an SQL injection. I have tried deleting just the magic quotes line and everything works properly, but then I am not seeing any kind of strip slashing/sanitizing when I enter in a statement like this into my search: a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't. Any help on this issue would be greatly appreciated! //get data $button = $_GET['submit']; if (get_magic_quotes_gpc() == 0){ $search = mysql_real_escape_string($_GET['search']); // clean up the search string } else { $search = $_GET['search']; $limit = 9; $page = $_GET['page']; if($page) $start = ($page - 1) * $limit; I also tried using the mysql_real_escape_string on my construct, but I get syntax errors because of the | being used before and after the $search_each. That | character must remain in place in order for my search to work the way I want it to. $x++; if ($x==1) $construct .= "keywords LIKE '%".mysql_real_escape_string(|$search_each|)."%'"; else $construct .= "AND keywords LIKE '%|$search_each|%'"; } I have my script protected against all types of sql injection, XSS injection, cookies and bots. But now i want to know whats the best way of preventing session hijacking? I know nothing can be 100% secured but i want to know how to prevent it And u know it: prevention is better than cure! I have my template files and some functions in my server which are available for direct reach. like ; my "index.php" file includes "loginpage.php" form which is ok when I enter www.site.com/index.php but also when I enter to www.site.com/loginpage.php it works and shows me just login page. So this is what I dont want. How can I prevent to reach the files directly like this, I want them to work just for other pages of my website, not for directly seeing. By the way can this problem also be solved by hosting settings or mod_rewrite ? Hello everyone, I am trying to use only cookies so that session fixation is not possible. Unfortunately I can still log in when I disable cookies in Internet Explorer. Am I doing something wrong? Or do I misunderstand the concept? This is my code: Code: [Select] <?php class Session{ private $username; public function createSession($username){ $this->username = $username; ini_set("session.use_only_cookies", 1); session_start(); $_SESSION['username'] = $this->username; return $this->username; } } ?> How can I prevent the less than and greater than signs in the username field, and message on the post? As well as slashes. / \. Code: [Select] <form method="post" action="" id="reply"> <script type="text/javascript"> function hi(id){ var val = id.options[id.selectedIndex].value; var text = id.options[id.selectedIndex].text; if (val.length != 0){document.getElementById('user').value = text;hide('passrow');} else { document.getElementById('user').value = ''; document.getElementById('passrow').style.cssText = ''; } } </script> <div id="userpass" style="background: #000;"> <table style="border: 2px solid #252564; background: #1F1F5D;" width="100%" cellpadding="0" class="quick_userpass"> <tr> <td background="/images/bg3.jpg" height="26px"><font face=arial size=2 color="white"> <b>Your Name or Nickname</b></td> </tr> <tr> <td><input size=50 name="user" id="user" value="" style="margin-left: 10px;"></td> </tr> <tr><td background="/images/bg3.jpg" height=26px></td></tr> </table> <div id="passrow" style=""> <p> <table width=100% cellpadding=0 class="quick_userpass" style="border: 2px solid #252564; background: #1F1F5D;"> <tr><td background="/images/bg3.jpg" height=26px style=""><font face=arial size=2 color="white"> <b>Password (optional)</b></td></tr> <tr><td style=""><input size=50 name="pass" id="pass" type="password" style="margin-left: 10px;" value=""></td></tr> <tr><td background="/images/bg3.jpg" height=26px></td></tr> </table> </p> </div> <p> <table width=100% cellspacing=0 cellpadding=4 class="quick_userpass" style="border: 2px solid #252564; background: #1F1F5D;"> <tr bgcolor="#121236"><td><font face=arial size=2 color="white"><b>Enter your message here</b></font></td></tr> <tr><td><center><textarea id="quickreply" name="message" rows=10 cols=50 wrap="VIRTUAL" ></textarea></center></td></tr> </table> <div id="preview" style="display: none;"></div> </p> <br /> <center> <font face=arial size=2>When you're happy with your message, click:</font> <div id="javano"><input type="submit" value=" Post Message "></div> </center> <input type="hidden" name="tid" value="<?php echo $_GET["tid"];?>" /> </div> </form> That is the code I'm using for User/Pass/message fields. |
|||||||