PHP - Added Security For Web App
Hi,
Im building a management web application that can contain sensitive information for people, allow for cheques to be printed, amoung other things. Im wondering what are some extra security features that could be added as some users may not want to have the web application available outside their business. I would preffer doing this without having to run the server locatlly on thier machine. i was thinking something like only allowing certain ip address's to access the sites login. Anyone have any other/better ideas? Similar Tutorialsthis is my first post so I hope someone can help find a solution to this problem. I created this website in wordpress www.porthopehealthcentre.com It displayed correct in firefox but not ie. There was an extra closing </div> tag in my header php. I deleted this and now it displays correct in ie but not firefox. Can I somehow link to two different header files one for ie and one for firefox? if so how do I do this? Or is there an easier solution to this. I would really appreciate someones help as this is the final thing that needs adjusting to finish the job. For some reason this only allows one SQL to be added... // SQL Connection $username="monstert_admin"; $password="admin"; $database="monstert_admin"; $connection = mysql_connect("localhost", $username, $password) or die("Connection Failure to Database"); // Select Database mysql_select_db($database, $connection) or die ($database . "No Database" . $username); //Select everything from the the table $MyQuery = "SELECT * FROM photos"; $retrieve = mysql_query($MyQuery) or die(mysql_error()); if(mysql_num_rows($retrieve) != 0): $row = mysql_fetch_assoc($retrieve); else: echo ''; endif; if(isset($_POST['Submit']) && !$errors) { $url = $newname; include('img.php'); $image = new SimpleImage(); $image->load($url); $image->resize(500,315); $image->save($newname); mysql_query("INSERT INTO photos (url) VALUES ('$url')"); echo "File Uploaded Successfully as <i> "; echo $newname; echo "</i>"; } What would the issue be? I only have two columns - ID and url Thanks in advance! The script below used to work fine but the HTTP_REFERER was unreliable so i added a re-direct if the HTTP_REFERER was unavailable and now nothing is being added to the MySQL BD, the script runs ok ie it sends the user back to where they come from, any ideas what could be wrong? <?php require("../include/mysqldb.php"); $uinwish = $_GET['uinwish']; $wishrefer = $_SERVER['HTTP_REFERER']; $wishdate = mktime(0, 0, 0, date("m"), date("d")+3, date("Y")); $rand_wish_cookie = $_COOKIE["wishtracking"]; $con = mysql_connect("$dbhost","$dbuser","$dbpass"); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("$dbame", $con); //DB Stuff start code below //check if the uin and cookie have already been stored together. $sql = "select * from Wish_list_guest where usercookie='$rand_wish_cookie' and uinwish='$uinwish'"; $result = mysql_query($sql); $row = mysql_fetch_row($result); if (mysql_num_rows($result)!= 1) { $issetvar = "1"; if (!isset ($wishrefer)){ $host = $_SERVER['HTTP_HOST']; $extra = 'profile.php?uin='; header("Location: http://$host/$extra$uinwish"); exit; } if (isset ($wishrefer)){ header("Location: $wishrefer"); exit; } } if ($issetvar = 1) { mysql_query("INSERT INTO Wish_list_guest (usercookie, date_delete, uinwish, referwish) VALUES ('$rand_wish_cookie', '$wishdate', '$uinwish', '$wishrefer')"); mysql_close($con); if (!isset ($wishrefer)){ $host = $_SERVER['HTTP_HOST']; $extra = 'profile.php?uin='; header("Location: http://$host/$extra$uinwish"); exit; } if (isset ($wishrefer)){ header("Location: $wishrefer"); exit; } } ?> I got two values from a form in a page by POST method. Now I want to add this values to a text file. The code of form1.htm is like this: <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> <title>Insert title here</title> </head> <body> <form action="write1.php" method="post"> <fieldset> <legend>Log In...</legend> <input type="text" name="uname" /><br> <input type="text" name="pass" /><br><br> <input type="submit" name="button" value="Log In" /> </fieldset> </form> </body> </html> And the code of write1.php is like this: <?php function arr_func() { $name = $_POST['uname']; $pass = $_POST['pass']; //trying to catch values in an array $arr[] = array("name"=>"$name", "pass"=>"$pass"); foreach ($arr as $val_arr) { foreach ($val_arr as $key=>$val) { echo "$key - $val<br>"; } echo '<br>'; } } $arr1 = arr_func(); //values are printed, no problem echo $arr1; //trying to change the array into string, is it wrong approach? $var1 = strval($arr1); // set file to write $file = 'student/dump.txt'; // open file $fh = fopen($file, 'w') or die('Could not open file!'); // write that variable into file fwrite($fh, "$var1\n") or die('Could not write to file'); // close file fclose($fh); ?> After log in in form1 I get two values of $name and $pass in write1.php but no values being added to the file mentioned in the path. I have a membership site that a user creates a username and password at registration. The user logs in and all that works. The usersname is located in the database under users. Each page is protected and you must login to access it. Here is the code for that
checkLogin('2'); $getuser = getUserRecords($_SESSION['user_id']);If the user login is correct they have access to the page. This all works fine as I said. On this page is a form that gets filled out. All the data except the username is added to the database for the contents of this form. I need to have the username added to the database to track who the data belongs to. Here is the code I have for this, can some tell me where I messed up. The line under the the code <body> pulls the username and the echo command prints the username on the page. I repeated this code under the if ($_SERVER['REQUEST_METHOD'] == "POST") code and it also prints the username. <?php // this is processed when the form is submitted // back on to this page (POST METHOD) if ($_SERVER['REQUEST_METHOD'] == "POST") { $usernow = $getuser[0]['username']; $userid = $usernow; echo "$userid"; # escape data and set variables $userid = addslashes($_POST["userid"]); $date = addslashes($_POST["date"]); $temperature = addslashes($_POST["temperature"]); $ph = addslashes($_POST["ph"]); $ammonia = addslashes($_POST["ammonia"]); $nitrite = addslashes($_POST["nitrite"]); $nitrate = addslashes($_POST["nitrate"]); $phosphate = addslashes($_POST["phosphate"]); $gh = addslashes($_POST["gh"]); $kh = addslashes($_POST["kh"]); $iron = addslashes($_POST["iron"]); $potassium = addslashes($_POST["potassium"]); $notes = addslashes($_POST["notes"]); // # setup SQL statement $sql = " INSERT INTO water_parameters "; $sql .= " (id, userid, date, temperature, ph, ammonia, nitrite, nitrate, phosphate, gh, kh, iron, potassium, notes) VALUES "; $sql .= " ('', '$userid', '$date', '$temperature', '$ph', '$ammonia', '$nitrite', '$nitrate', '$phosphate', '$gh', '$kh', '$iron', '$potassium', '$notes') "; // #execute SQL statement $result = mysql_query($sql); // # check for error if (mysql_error()) { print "Database ERROR: " . mysql_error(); } print "<h3><font color=red>New Water Parameters Were Added</font></h3>"; } ?> I hope that subject made sense! I have a page where I want to generate page-specific keywords automatically. Actually I have some general keywords stored in a text file and then I add the page-specific ones after those. The problem is, however, solely caused by the keywords I pull from my text file. A "1" is added to my list of keywords. Consider a news page like so: news.php // ... <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta name="keywords" content="<?php require('php/generateKeywordList.php'); ?>" /> </head> // ... And then generateKeywordList.php // I have omitted the part with the page-specific keywords, because it is not what causes the problem (commented it all out) set_include_path('/mypath/'); $str = require_once('includes/websiteKeywords.txt'); echo $str; // For some reason, the number 1 is added at the end of this string websiteKeywords.txt (it doesn't matter what I put in there) Code: [Select] these, are, my, keywords, for, my, website In my meta tag, the above would be displayed as: Code: [Select] these, are, my, keywords, for, my, website1 I then tried to make a simple php page like this $keywords = require('includes/websiteKeywords.txt'); echo $keywords; ... and it worked. At the moment I have absolutely no idea where the number 1 comes from. So, basically if I include the keywords directly from the text file into my meta tag, it displays fine. If I make a simple php page where I echo out the keywords from the text file, it displays fine. But if I include my php script, which echos the keywords, into my meta tag, the number 1 is added at the end of the string. Am I completely missing something here or is this extremely strange? Thanks for any help! I have a form that has this: Code: [Select] <input type="text" name="notes_date" size="10" value="<?php echo date("m/d/Y");?>" /> I enter into the database after processing the variable like this: Code: [Select] $notes_date=date ("Y-m-d H:i:s", strtotime($_POST['notes_date'])); However, it gets stored at 2012-03-15 00:00:00 How do I fix this so that the current time gets stored instead of 00:00:00? So I ran into the most bizarre problem ever on my live server. For some odd reason something, somewhere is adding an extra character after every " mark I have. Now I am using zend framework but this can not be an issue involving them since everything works perfectly on my localhost. I am using 1and1 to host my application but for the love of me I can not narrow this down any more. Ex of my problem, I type this into my text box: "This is a sentence" and it proceeds to saving this: \"This is a sentence\" Something is happening right after I submit my form because if I add the code directly in my database, it displays everything fine. Has any one ever ran into this problem before? I'm trying to make it so i can show the friends i added, or users that added a friend <table border=2 width="250" height="125"><tr> <?php $userfinal = get_username($_SESSION['user_id']); $Members = mysql_query("SELECT * FROM friends WHERE username='$userfinal' AND friendname"); $numRowsMembers = mysql_num_rows($Members); for($count = 1; $count <= $numRowsMembers; $count++) { $name = mysql_fetch_array($Members); ?> <td width="150" height="125"> <a href="view_profile.php?username=<? echo $name['friendname']?>"><img src="<? echo $name['main_P']?>" width="100" height="100"/> <? echo $name['friendname']?></a> <? if (isset($name['date']) && (time() - $name['date'] > 300)) { echo 'offline =['; } else { echo "<font color=green>[Online Now!]</font>"; } $name['date'] = time(); // update last activity time stamp ?> </td> <? } ?> </tr></table> database id friendname username 12 kristybellexo zhshero 13 demo zhshero 14 zhshero zhshero Hi, I am frustrated with getting db to store just unique entries, b/c every time I refresh the browser, the script runs and re-inserts the SAME INSERT query (but with different primary key of course which I don't want). My ques is is there a way upon the first insertion to tell it that this will be only instance of this record entered for the specified db table. So I don't want to have to encapsulate each INSERT statement in an if block to make sure that only one record exists so now I am doing it incorrectly with exit statement. please see code below: Code: [Select] <?php $_filePath="C:\\\dir\\\email.xml"; $node=basename($_filePath); $dom=new DOMDocument(); $dom->load($node); $labelPath=array(); $connection=mysql_connect("localhost","root"); mysql_select_db("dummydpev999"); $isXdocExist=mysql_query("SELECT file_Path,file_Name FROM xdocument WHERE file_Path='$_filePath' AND file_Name='$node'"); $docId=0; if(mysql_num_rows($isXdocExist)==1) { print "Entry already exists!"; $docId=mysql_next_id("xdocument")-1; print "<br />".$docId; exit; } else { mysql_query("INSERT INTO xdocument (file_Path,file_Name) VALUES ('$_filePath','$node')"); $docId=mysql_next_id("xdocument")-1; print "<br />".$docId; } writeXMLtoDBViaDOM($dom->documentElement,$labelPath,$docId); ?> Sorry I should elaborate, I think my problem is that I have tables with foreign keys rather than all tables with just primary keys, I am unsure... Any help much appreciated. I am trying to use the following query with sorting: $query = mysql_query("SELECT * FROM Table WHERE Date LIKE '$PeriodSelected' ORDER BY Date DESC"); $PeriodSelected is basically supposed to get me all results from month selected and it works fine. Now I am trying to add sorting to this query and although I get no errors it does not matter if I use ASC or DESC my results are sorted in the same way. Not sure what I am doing wrong. I am building a login script to help myself learn php. I currently have the script posting any registration form errors to the registration page. I am trying to make sure whatever the user has typed into the form will redisplay once they receive the error to prevent them from having to fill out the registration form again. I got it working, but there is an extra character "/" after what was entered by the user. Here is an example: Note: "1234" has been entered into username field on reg form. Code: [Select] <tr><td>Username: </td><td><input size="20" type="text" name="username" <?php if ($_POST){ echo "value =" . $_POST['username'] ;}?> /></td></tr> I get this output Code: [Select] 1234/ I do not know where the "/" is coming from. It should only be putting "1234" back into the username field. Any help would be great. <?php include("classes/DomDocumentParser.php"); //this could be the problem it appears in the error file $alreadyCrawled() = array(); $crawling = array(); $startUrl = "https://imagimedia.co.za"; //Get variable from input $hnam = str_replace("http://", "", "$startUrl"); $hnam = str_replace("https://", "", "$hnam"); $hnam = str_replace("www.", "", "$hnam"); $hnam = substr($hnam, 0, -6); function createLink($src, $url) { $scheme = parse_url($url)["scheme"]; $host = parse_url($url)["host"]; if(substr($src, 0, 2) == "//") { $src = $scheme.":".$src; } else if(substr($src, 0, 1) == "/") { $src = $scheme."://".$host.$src; } else if(substr($src, 0, 2) == "./") { $src = $scheme."://".$host.dirname(parse_url($url)["path"]).substr($src, 1); } else if(substr($src, 0, 3) == "../") { $src = $scheme."://".$host."/".substr($src, 3); } else if (substr($src, 0, 4) != "http") { $src = $scheme."://".$host."/".$src; } return $src; } function followLinks($url) { global $hnam; global $alreadyCrawled; global $crawling; $parser = new DomDocumentParser($url); $linkList = $parser->getLinks(); foreach($linkList as $link) { $href = $link->getAttribute("href"); if(strpos($href, "#") !== false) { continue; } else if(substr($href, 0, 11) == "javascript:") { continue; } $href = createLink($href, $url); if(strpos($href, "$hnam") == false) { continue; } //this could be the problem if(!in_array($href, $alreadyCrawled)) { $alreadyCrawled[] = $href; $crawling[] = $href; //insert $href } echo $href."<br />"; } array_shift($crawling); foreach($crawling as $site) { followLinks($site); } } followLinks($startUrl); ?> include file <?php class DomDocumentParser { private $doc; public function __construct($url) { $options = array( 'http'=>array('method'=>"GET", 'header'=>"User-Agent: imagimediaBot/0.1\n") ); $context = stream_context_create($options); $this->doc = new DomDocument(); @$this->doc->loadHTML(file_get_contents($url, false, $context)); } public function getLinks() { return $this->doc->getElementsByTagName("a"); } } ?> Edited December 19, 2020 by guymclarenza added include file Hello: I am working with a script that I am using to make a player roster - the user can add a photo, player title, number, years played, and a bio. The data comes from a submit form, then goes to the code below to process everything. It works fine if a photo is added, but if a photo is not added, the script does not work. Any idea why, and how I can fix it? Code: [Select] <?php // initialization $result_final = ""; $counter = 0; // List of our known photo types $known_photo_types = array( 'image/pjpeg' => 'jpg', 'image/jpeg' => 'jpg', 'image/gif' => 'gif', 'image/bmp' => 'bmp', 'image/x-png' => 'png' ); // GD Function List $gd_function_suffix = array( 'image/pjpeg' => 'JPEG', 'image/jpeg' => 'JPEG', 'image/gif' => 'GIF', 'image/bmp' => 'WBMP', 'image/x-png' => 'PNG' ); $photos_uploaded = $_FILES['photo_filename']; $player_title = $_POST['player_title']; $player_number = $_POST['player_number']; $years_played = $_POST['years_played']; $photo_caption = $_POST['photo_caption']; while( $counter <= count($photos_uploaded) ) { if($photos_uploaded['size'][$counter] > 0) { if(!array_key_exists($photos_uploaded['type'][$counter], $known_photo_types)) { $result_final .= "File ".($counter+1)." is not a photo<br />"; } else { //mysql_query( "INSERT INTO gallery_photos(`photo_filename`,`player_title`,`player_number`,`years_played`, `photo_caption`, `photo_category`) VALUES('0', '".addslashes($photo_caption[$counter])."', '".addslashes($_POST['category'])."')" ); mysql_query( "INSERT INTO gallery_photos(`photo_filename`,`player_title`,`player_number`,`years_played`, `photo_caption`, `photo_category`) VALUES('0', '".addslashes($player_title[$counter])."', '".addslashes($player_number[$counter])."' , '".addslashes($years_played[$counter])."', '".addslashes($photo_caption[$counter])."', '".addslashes($_POST['category'])."')" ); $new_id = mysql_insert_id(); $filetype = $photos_uploaded['type'][$counter]; $extention = $known_photo_types[$filetype]; $filename = $new_id.".".$extention; mysql_query( "UPDATE gallery_photos SET photo_filename='".addslashes($filename)."' WHERE photo_id='".addslashes($new_id)."'" ); // Store the orignal file copy($photos_uploaded['tmp_name'][$counter], $images_dir."/".$filename); // Let's get the Thumbnail size $size = GetImageSize( $images_dir."/".$filename ); if($size[0] > $size[1]) //{ //$thumbnail_width = 100; //$thumbnail_height = (int)(100 * $size[1] / $size[0]); //} //else //{ //$thumbnail_width = (int)(100 * $size[0] / $size[1]); //$thumbnail_height = 100; //} { //$thumbnail_width = 690; //$thumbnail_height = (int)(500 * $size[1] / $size[0]); $old_width = $size[0]; $old_height = $size[1]; $thumbnail_width = 690; $thumbnail_height = ($old_height * $thumbnail_width / $old_width); } else { $thumbnail_width = (int)(690 * $size[0] / $size[1]); $thumbnail_height = 500; } // Build Thumbnail with GD 1.x.x, you can use the other described methods too $function_suffix = $gd_function_suffix[$filetype]; $function_to_read = "ImageCreateFrom".$function_suffix; $function_to_write = "Image".$function_suffix; // Read the source file $source_handle = $function_to_read ( $images_dir."/".$filename ); if($source_handle) { // Let's create an blank image for the thumbnail //$destination_handle = ImageCreate ( $thumbnail_width, $thumbnail_height ); $destination_handle = imagecreatetruecolor( $thumbnail_width, $thumbnail_height ); // Now we resize it ImageCopyResized( $destination_handle, $source_handle, 0, 0, 0, 0, $thumbnail_width, $thumbnail_height, $size[0], $size[1] ); } // Let's save the thumbnail $function_to_write( $destination_handle, $images_dir."/tb_".$filename ); ImageDestroy($destination_handle ); // $result_final .= "<img src='".$images_dir. "/tb_".$filename."' style='margin-right: 20px; width: 100px;' />"; } } $counter++; } // Print Result echo <<<__HTML_END $result_final __HTML_END; ?> Thanks! I have a code that works but it wont add the data to my database. It says the data has been added but the actual data is not actually added. I have checked through this code to see any errors but I cant find any. Can someone help me Code: [Select] $sqll= takeanexam($_SESSION['username1'], $_SESSION['ssubject'], $_SESSION['smodule']); // mysql_data_seek(sqll, 0); while($info = mysql_fetch_array( $sqll )) { $questionId = $info['Que_ID']; $choice = array(); for ($i =1; $i < 5; $i++) { if (empty($_POST['choice'][$questionId][$i])) { $choice[$i] = 0; } else { $choice[$i] = 1; } } $username= $_SESSION['username1']; mysql_query("INSERT INTO answer (Ans_Answer1, Ans_Answer2, Ans_Answer3, Ans_Answer4, Que_ID, Use_ID) VALUES ({$choice[1]}, {$choice[2]}, {$choice[3]}, {$choice[4]}, $questionId, $username)"); } Hey guy <?php $con = mysql_connect("localhost","root",""); if (!$con) { die('Could not connect: ' . mysql_error()); } mysql_select_db("Examination", $con); $sql="INSERT INTO Test (Tes_Name, Tes_Description) VALUES ('$_POST[Tes_Name]','$_POST[Tes_Description]')"; if (!mysql_query($sql,$con)) { die('Error: ' . mysql_error()); } echo "1 record added"; mysql_close($con) ?> This is my code and I can enter Tes_Name on to mysql but nothing is shown for Tes_Description. The form is Code: [Select] <html> <body> <h3>Test</h3> <table border="0"> <form method="POST" action="try2.php"> <tr><td>Tes_Name</td><td>:</td><td><input type="text" name="Tes_Name" size="20"></td></tr> <tr><td>Tes_Description</td><td>:</td><td><input type="Tes_Description" name="password" size="20"></td></tr> <tr><td> </td><td> </td><td><input type="submit" value="Submit"></td></tr> </form> </table> </body> </html> i have a log file which gets new data time by time. is there any way i can read only new added entries (block) in the file? instead of start reading file from start to the end of file. this file size will be in GBs soon. Thanks. currently i am using file() to read the file. following is the example of new added block in file.
----SMS_START----
recv_time:2014-10-09 18:32:39 Span: 1 From-Number: +1347XXXXXXX Timestamp: 14/10/09 18:32:16 96 Type: PDU SMS-SMSC-Number: +12404492163 Content: Thanks, ----SMS_END---- Hi Is it possible to make a row(with number) increase every time the same value is added to the table? Example: I enter "test" into a table and it gets the following data: id=1 name=test count=1 And the next time I enter "test" into the table it becomes id=1 name=test count=2 instead of id=1 name=test count=1 id=2 name=test count=1 I want to create a form where users can suggest stuff and I want to see what is the most popular ect. Thanks in advance How do I find the nearest div of dynamically added html?
I enter the following: select nam_last from names where nam_last = 'cohn' into a form field When I print it in the next program I get select nam_last from names where nam_last = \'cohn\' Which generates an error: SELECT Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'cohn\'' at line 1 What causes the \ to be added into the field, and how do I stop it? |