PHP - How To Prevent
Hello Guys,
Iam making a new ad serving script. In that site every publisher can register & they will get a url to serve ads. When a user click on that url the publisher will get earnings. But my problem is someone using something like this <iframe src="http://my-site.com/adserve.php" width = "100" height = "100"></iframe> & it will helps to get earnings without clicking on that url. I want to prevent this type of cheating & how it can be possible ?? I hope a expert will replay for me. Similar TutorialsBased on the comments on my previous question, took some tutorials on how to avoid injections on query. Does the code below prevents against it in any way.? Secondly, can you recommend a good article that writes well in how to secure input data by users. Please be kind with your comments.😉😉. Thankks in advance.
The code works fine. <?php include 'db.php'; error_reporting(E_ALL | E_WARNING | E_NOTICE); ini_set('display_errors', TRUE);  if(isset($_POST['submit']))  {     $username = $_POST['username']; $password =  ($_POST['password']); $sql = "SELECT * FROM customer WHERE username = ?"; $stmt = $connection->prepare($sql); $stmt->bind_param('s', $username); $stmt->execute(); $result = $stmt->get_result(); $count =  $result->num_rows;   if($count == 1)              { while ($row = $result->fetch_assoc())  {   if ($row['status'] == 'blocked')  {  echo'your account is suspended'   session_destroy();   exit();  }  else if($row['status'] == 'active') { if($username !== $row['username'])  { echo '<script>swal.fire("ERROR!!", " Username is not correct. Check Again", "error");</script>'; } if($password !== $row['password']) {  echo'<script>swal.fire("ERROR!!!", "Your Password is Incorrect. Check Again.", "error");</script>';     } if($username == $row['username'] && $password == $row['password']) { header('Location:cpanel/'); else { } }//if count }//while loop }//submit ?>  Is this a correct approach to prevent email injection? $to: me@mydomain.com, myPartner@mydomain.com, $emailer; //then the rest of the stuff. $emailCheck = $_POST["emailer"]; if (eregi("(\r|\n)", $emailCheck)) { die("Why ?? "); } mail($to, $subject, "", $headers); Will this prevent a SQL injection? I am guessing the answer is no because it is too simple. // retrieve form data ========================================== $ama = $_POST['ama']; // Check for alphanumeric characters ===================================== $string = "$ama"; $new_string = preg_replace("/[^a-zA-Z0-9\s]/", "", $string); // echo $new_string; // Send query =========================================================== $query = "SELECT * FROM members WHERE ama='$new_string'"; if (!mysql_query($query)){ die('Error :' .mysql_error()); } Hi is there any way we can prevent suppose <textarea></textarea> when page reload it refresh and set default text i wanted to know is there any way to prevent certain things not to get refreshed is there any method in php which prevent to reload this ! <?php echo "<textarea > Enter your favorite quote!</textarea> \n" ; Code: [Select] if (isset($_GET['edit']) && $_GET['edit'] == 'textupdate'){ } <a href= \"{$_SERVER['PHP_SELF']}?page=1&edit=textupdate \" >Click</a>?> As the title says, I would like to know how exactly CSRF can be 100% (or close to it) prevented.
One of the most recommended solutions is to create a token and insert it into a hidden field, but I've tested it on another domain and you can just do a cURL request and retrieve the token then make another request with it included. Proof:
<?php $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, "URL"); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_TIMEOUT, 10); $response = curl_exec($ch); curl_close($ch); $exploded = explode('type="hidden" name="token" value="', $response); $token = substr($exploded[1], 0, 64); echo $token; // ebd9ab96d40bdb21bbaa2e1a18d657be2e413105ae86ecc14def6137f38a1571 ?>I would hate to include captcha on all my forms, so how exactly does one prevent CSRF? I am loading a link with ajax. When the link pops on the screen and I click it, I get redirected to my 404 page and my lightbox doesn't load. If the link pops in and I refresh my browser, then I click the link my lightbox will show up. How can I do a prevent default on the <a href> in pure JS? No frameworks please. Hi All, I was wondering if someone maybe knows a nice way to prevent double posting or posting within a certain time without using javascript. Or maybe even echoing an error if someone posts the exact same ase the previous post. I found this little snippet: Code: [Select] onClick="disabled=true;this.form.submit();return true;" Which prevents double clicking. But its javascript and I rather have something besides that to cover all situations. Would love to hear what you guys use or reccomend. Thanks! I'm building a website that uses session variables. My understanding of session variables is that they only exist as long as the browser is open -- meaning that once the browser closes, the session variables are lost. I've been alerted that someone can attack my site using XSS. I have a search box on my site and I've tested it by simply writing "<script>alert('test')</script>" When I do this a pop-up box does come up displaying the word "Test" I have written a preg_replace previously but now I want to add something to it to prevent <script>. This was my original code Code: [Select] $search = mysql_real_escape_string(preg_replace('/[^\w\'\"\@\-\.\,\(\) ]/i', '', " $_POST['search'])); This is what I thought might work but no luck Code: [Select] $search = mysql_real_escape_string(preg_replace('/[^\w\'\"\@\-\.\,\(\) ]/i', '', "/<script[^>]*>.*<*script[^>]*>/i", $_POST['search'])); Could anyone please help and tell me how to modify the code to prevent javascript? Thanks This topic has been moved to Other. http://www.phpfreaks.com/forums/index.php?topic=345836.0 Hello all, A simple question: I have a HTML application from which a php script is executed. 'GET' method is used and no form is submitted. I was wondering if there is a way to prevent users from run this php script directly in the browser. Thank you all for your suggestions, Mamer $_POST['user_name'] = "CLUEL3SS"; $_POST['user_pass'] = "test123"; $_POST['confirm_pass'] = "test123"; $_POST['user_email'] = "user@email.com"; $_POST['confirm_pass'] = 'user@email.com'; function testFunc($inputVars){ foreach($inputVars as $key=>$value){ $escapeData[$key] = mysql_real_escape_string($value); } return $escapeData; } var_dump(testFunc($_POST)); I'm trying to make a user system for my site and I want to make sure its secure enough to void off injection attackers. Any useful advice and and suggestions would be greatly appreciated! Thanks! How can I prevent the less than and greater than signs in the username field, and message on the post? As well as slashes. / \. Code: [Select] <form method="post" action="" id="reply"> <script type="text/javascript"> function hi(id){ var val = id.options[id.selectedIndex].value; var text = id.options[id.selectedIndex].text; if (val.length != 0){document.getElementById('user').value = text;hide('passrow');} else { document.getElementById('user').value = ''; document.getElementById('passrow').style.cssText = ''; } } </script> <div id="userpass" style="background: #000;"> <table style="border: 2px solid #252564; background: #1F1F5D;" width="100%" cellpadding="0" class="quick_userpass"> <tr> <td background="/images/bg3.jpg" height="26px"><font face=arial size=2 color="white"> <b>Your Name or Nickname</b></td> </tr> <tr> <td><input size=50 name="user" id="user" value="" style="margin-left: 10px;"></td> </tr> <tr><td background="/images/bg3.jpg" height=26px></td></tr> </table> <div id="passrow" style=""> <p> <table width=100% cellpadding=0 class="quick_userpass" style="border: 2px solid #252564; background: #1F1F5D;"> <tr><td background="/images/bg3.jpg" height=26px style=""><font face=arial size=2 color="white"> <b>Password (optional)</b></td></tr> <tr><td style=""><input size=50 name="pass" id="pass" type="password" style="margin-left: 10px;" value=""></td></tr> <tr><td background="/images/bg3.jpg" height=26px></td></tr> </table> </p> </div> <p> <table width=100% cellspacing=0 cellpadding=4 class="quick_userpass" style="border: 2px solid #252564; background: #1F1F5D;"> <tr bgcolor="#121236"><td><font face=arial size=2 color="white"><b>Enter your message here</b></font></td></tr> <tr><td><center><textarea id="quickreply" name="message" rows=10 cols=50 wrap="VIRTUAL" ></textarea></center></td></tr> </table> <div id="preview" style="display: none;"></div> </p> <br /> <center> <font face=arial size=2>When you're happy with your message, click:</font> <div id="javano"><input type="submit" value=" Post Message "></div> </center> <input type="hidden" name="tid" value="<?php echo $_GET["tid"];?>" /> </div> </form> That is the code I'm using for User/Pass/message fields. Our admin panel for a gaming community was recently hit by a successful MySQL injection attack. Here are the parameters they entered into forms to gain access. Code: [Select] ${99319+100354} Code: [Select] <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE acunetix [ <!ENTITY acunetixent SYSTEM "http://testphp.vulnweb.com/dot.gif"> ]> <xxx>&acunetixent;</xxx> Not sure which one worked, or how they even managed to POST to that page. But how do these two strings work? What do they do? I am having problems with a search feature I am using for a website I am building. Everything was working fine when I was testing on my local machine using EasyPHP 3.0. The issue I am having is that once I uploaded the site to a "live" server and tested it, my search function wouldn't work. The issue resides in the two lines with the magic quotes and the real escape string, for some reason those lines worked fine while testing using EasyPHP 3.0, but now I must delete those lines in order for my search function to work. The problem is that deleting those lines makes me vulnerable to an SQL injection. I have tried deleting just the magic quotes line and everything works properly, but then I am not seeing any kind of strip slashing/sanitizing when I enter in a statement like this into my search: a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't. Any help on this issue would be greatly appreciated! //get data $button = $_GET['submit']; if (get_magic_quotes_gpc() == 0){ $search = mysql_real_escape_string($_GET['search']); // clean up the search string } else { $search = $_GET['search']; $limit = 9; $page = $_GET['page']; if($page) $start = ($page - 1) * $limit; I also tried using the mysql_real_escape_string on my construct, but I get syntax errors because of the | being used before and after the $search_each. That | character must remain in place in order for my search to work the way I want it to. $x++; if ($x==1) $construct .= "keywords LIKE '%".mysql_real_escape_string(|$search_each|)."%'"; else $construct .= "AND keywords LIKE '%|$search_each|%'"; } I have my template files and some functions in my server which are available for direct reach. like ; my "index.php" file includes "loginpage.php" form which is ok when I enter www.site.com/index.php but also when I enter to www.site.com/loginpage.php it works and shows me just login page. So this is what I dont want. How can I prevent to reach the files directly like this, I want them to work just for other pages of my website, not for directly seeing. By the way can this problem also be solved by hosting settings or mod_rewrite ? I have a problem which is why I am here. What I am trying to achieve I am creating a very very basic timetabling system online, using php and sql. I am still in the process of completing it and changing bits from here to there. Although I am fully aware that the current design / implementation needs several changes and amendments, but however it performs most of the basic functionalities from a login system to the ability to add data delete data and also reset the database and recreate. The problem I have a table called tCourse althouogh a full ERD implementation has not taken place, it is still trial and error period. The table consists of the following: - Course - Unit - Course_Code - Year (i.e. Yr1, Yr2, Yr3) - Credits (Value of the unit) - Day - Semester - Start_Time - End_Time - Room - Tutor At the moment the primary keys for the table a - Day - Start_Time - Room_ - Semester This basically prevents a particular day, a semester, a room having been booked at the same time. Which for a very basic one is ok. The only problem is though, if someone books for example: Monday >> 13:00:00 To 14:00:00 >> 205 >> Sem1 (ok) Monday >> 13:00:00 To 14:00:00 >> 205 >> Sem1 (Not ok, which is good, as it is a repeat and prevents double booking) However the problem comes he Monday >> 12:00:00 To 14:00:00 >> 205 >> Sem1 (ok) So this is allowing a booking even though that room will be busy i.e. booked between 13:00 to 14:00 So is there a way I can limit it, so if there is a room booked for that particular period it will not do it. I have done a bit of research and friend's have suggested doind several for loops and quering the database beforehand. I came here, mainly because there are a lot of experienced individuals here whom may have a simpler solution, although I can understand it won't be a one liner . I would appreciate any help, if not, it is still ok. I have my script protected against all types of sql injection, XSS injection, cookies and bots. But now i want to know whats the best way of preventing session hijacking? I know nothing can be 100% secured but i want to know how to prevent it And u know it: prevention is better than cure! I was asked to make new thread for this, so how do I use a session or something to restrict access to a page.....like if accounttype=Admin, stay here, all others go away......do you need to see code, or can you just give me an example....... Hi all, I am trying to make a emailscript with PEAR to send quite some people a personalized messaged. But i thought this could very well cause the script to time out. Now i read http://php.net/manual/en/function.set-time-limit.php, but i thought does maybe someone knows a way to prevent a time out instead of setting the time-limit to a larger amount. Some terms i saw floating around we ob_start, flush, sleep and a few others but i really never worked with these. If someone could point me in the right direction of thinking or maybe knows a tutorial or guide i really would love to hear it. Thank you! |