PHP - Is Mb_check_encoding Really Required For All Inputs?
I recently read another post which stated:
Unfortunately, you should verify every received string as being valid UTF-8 before you try to store it or use it anywhere. PHP's mb_check_encoding() does the trick, but you have to use it religiously. There's really no way around this, as malicious clients can submit data in whatever encoding they want, and I haven't found a trick to get PHP to do this for you reliably.
Seems like a lot of work. How important is really doing so? Can the DB be configured in some kind of strict mode which will error upon anything which isn't, and I can deal with it as an exception?
Similar TutorialsHow is it possible, in PHP, to display an error message next to a form input text field if a user is attempting to submit a form with empty fields? Moreover, how is it possible to remove the same error message when the user fills in the input field with the required data and/or refreshes the page? I have 2 files that I am working with: application.php and process.php.
application.php mainly has the HTML of the form. I am very new to learning PHP (I started learning it last week) and I have been searching for hours for a clear answer. I have already tried different methods for generating the error message including: using empty(), !isset, $_POST["name"] = "", etc, and have tried using session_start();, $row, echo, print, and other variables to try and display error message on the page, and I have tried using unset();, and = null, to try and remove the error message once the input field has been filled but all to no avail. Either the method I try only half works, or nothing works, and I cannot pinpoint which is the part that is not working. I only have 2 files to work with, and as an example of what I want to do is:
1. If the first name field is empty when the user clicks submit, an error message should appear next to the input. Is this possible with PHP? Does anyone have any idea why my inputs shrink (to default height and weight) after i press submit button? I use css width and height for inputs. All other settings (border, background color etc.) remain like they should. For form submit i use PHP self function where i check if submit button has been pressed and then perform the form action. Thank you II have been told that I should sanitize my inputs, what does that mean? Isn't that what trim does? Hello All, I'm working on this project, and everything was great but the last part is screwed. The procedure is supposed to be, you choose a hotel ---> book a room ---> confirm the booking and enter your details --> get redirected to paypal Everything is fine except for the confirmation part, where you're supposed to confirm the room you booked, number of nights and so on, all the info is right, except for the booked room, where it should show you the price for the room multiplied by the number of night... instead it gives "Total Price = 0" So anyone can give me an example on how can I make it show the result of multiplying 2 inputs by a user? Variables are $nrooms $newdate Here is the code I wrote Code: [Select] <?php $dbo = new DB(); $hotelObj = new hotelManager(); $hotelID = $_POST['hotelid']; $datein = $_POST['datein']; $dateout = $_POST['dateout']; $roomid = $_POST['roomid']; $roonsNo = $_POST['roomsNo']; $pr = $_POST['pr']; $_SESSION['hotelID'] = isset($_POST['hotelid']) ? $_POST['hotelid'] : $_SESSION['hotelID']; $_SESSION['datein'] = isset($_POST['datein']) ? $_POST['datein'] : $_SESSION['datein']; $_SESSION['dateout'] = isset($_POST['dateout']) ? $_POST['dateout'] : $_SESSION['dateout']; $_SESSION['roomid'] = isset($_POST['roomid']) ? $_POST['roomid'] : $_SESSION['roomid']; $_SESSION['nrooms'] = $_POST['nrooms']; $roomsarray = explode(",",$_POST['roomid']); $_SESSION['roomsarray'] = isset($_POST['roomid']) ? explode(",",$_POST['roomid']) : $_SESSION['roomsarray']; $roonsNo = $_POST['nrooms']; $_SESSION['nrooms'] = isset($_POST['roomnum']) ? explode(",",$_POST['roomnum']) : $_SESSION['nrooms']; /********************** hotels ************************/ /******************************************************/ echo "<table width=95% border=0 align=\"center\" cellpadding=\"0\" cellspacing=\"0\"> <tr><td valign=\"top\">"; echo "<table>"; echo "<tr>"; echo "<td valign=top>"; $imageqry=mysql_query("SELECT * FROM `hotelphotos` where hotel_id='".$_SESSION['hotelID']."' LIMIT 1"); $image=mysql_fetch_array($imageqry); $imagename=$image['attachmentName']; echo "<img src=\"foxmaincms/webroot/files/small/$imagename\"/>"; echo "</td>"; echo "<td>"; $result=$hotelObj->getHotelbyID($_SESSION['hotelID']); $row = mysql_fetch_array($result); echo "<table>"; echo "<tr><td valign=top><strong class=subtitle3>".$row['name']."</strong></td></tr>"; echo "<tr><td class=text valign=top>".$row['location']."</td></tr>"; echo "<tr><td class=text valign=top>check-in Date: ".$_SESSION['datein']."</td></tr>"; echo "<tr><td class=text valign=top>check-out Date: ".$_SESSION['dateout']."</td></tr>"; echo "<tr><td class=text valign=top>"; $newdate = $_SESSION['dateout'] - $_SESSION['datein']; $totalprice = $nrooms * $newdate; echo "</td></tr>"; echo "<tr><td class=text valign=top>Total Price: ".$totalprice."</td></tr>"; echo "</table>"; ?> I'm working on an online php program that can have a few hundred form inputs. Mainly just numbers from 1 to 50,000 depending on the field. I wanted to use cookies so the user can keep the data entered on their browser but i found out the hard way that the browsers have a limitation that I've exceeded. Does anyone have any ideas? Hi! I wanna know what is the best way to secure my inputs? Now I'm using something like this function: public function z($var) { $result1 = htmlspecialchars($var); $result = mysqli_real_escape_string($this->conn, $result1); return $result; } but I don't know how secure it is from all inputs... It couldn't be that with that my site is completely secure... So I wanna know what else I should use... I found something about PHP sanitize filters and similar... Same for mail, should I use that for e-mail, what should I use for e-mails as I think this 2 codes will brake character @ necessary for emails. Any suggestion is welcome Thanks Hey guys I have a lot of inputs from my form. Is there a way I can do like a for each or something instead of of having to write $myusername = stripslashes($_POST['name'); $mypassword = stripslashes($_POST['pass']); $myusername = mysql_real_escape_string($myusername); $mypassword = mysql_real_escape_string($mypassword); .... for all 16 fields? thanks I have a field like this <p>Price:</p> $<input type="text" name="price" size="5" disabled="disabled" value="<?= $price;?>"> Im using POST but if I try to echo $_POST['price'] nothing shows up... is it because its disabled? how can I do this if so? Hello I am trying to create a form with six text inputs. I may use them all and maybe not. is it possible to do that then after submitting the form i read all inputs? please help thank you What is the best way to force a user to input numeric value into a form, with the following condition: Either the number is an integer (positive or negative or zero), or non integer but limited to the one digit behind the dot (e.g. 1.2 is valid, but 1.21 is not)? I know I can test it in the server side, but I prefer it to be on the form side. Can it be in the HTML level? I was wondering if anyone knows a way where you can submit a form but content of the input fields will not be cleared? The reason why I want to achieve this effect is because I have a form and I want to user to be able to preview the results before properly submitting the form. Therefore I will have two submit buttons, one to preview and one to submit. Thanks for any help. Hello there, I've been searching for the answer to this for a while but haven't got anywhere. I'm fairly new at the whole PHP scripting so I maynot be phrasing it correctly Basically I just want a couple of things to happen: 1) A user registers and is shown a page confirming successful registration. This page confirms there details, tells them an email is on the way and they may now login. The problem lies here, I have made it so it inputs the username into the url. For example we end up with something like www.xxxxx.com/login.php?user=Jacketh. I would like it so that username value is input into the Username: input type on the login page. I'm guessing there must be some coding as that link doesn't actually put anything into it, the input does have id and name both as user. 2) Pretty much the same for the email confirmation, the link does the same and creates a query string that inputs the info into the specific fields. Is there a way to then click the submit button automatically or something? Hence if I input there username and password through the string and enforce automatic login? This would be nice if possible! Thanks, Jacketh I have a form with several text fields. For example (sorry, no code insert option on my phone) Quote<form method="post"> Enter value1 :<input type="text" name="str1"><br/> Enter value2 :<input type="text" name="str2"><br/> <input type="submit" > I would like to scan the INPUTS to determine which fields were left empty. Using !isset (to the best of my knowledge) would require that I list each input individually. Is there a PHP alternative that, similar to JavaScript, would allow me to evaluate every INPUT or TEXT field to then list those left empty? Hi, I've just installed a guestbook but when posting a message (signing in) it shows 'no entries yet'. On clicking the submit a very quick screen splashes up with a load of writing out of whoch I could just read ...line function open data file... You can check it out at www.qualitycarersdirect.com/careasp/portal.asp then click on 'post on the baord' it is a php file. I am working on php script that takes an input (using html) stores those values in a separate text file. I managed to get that to work. But the thing is I wanted to be able to sort those values alphabetically. Since their are an unspecified amount of inputs I tried using an explode on my output in order to store those values as an array so that I can sort them. Problem is explode makes each input its own separate array instead of one whole array. I figure some type of loop is needed to fix that but I can't figure out how to go about creating it [I'm pretty new to php]. Any advice? Heres my code for my PHP script: $filename = "ip_collection.txt"; $fileHandle = fopen('ip_collection.txt', 'a+') OR die("can't open file\n"); $ip = $_SERVER['REMOTE_ADDR']; $name = stripslashes($_POST['lastName'] . ", " . $_POST['firstName']); $textFromForm = $name. " | " . $ip; $newtext = $textFromFile . $textFromForm; $output = explode("\n",$newtext); sort($output); foreach($output as $key => $value) { fwrite($fileHandle, $value."\n"); } fclose($fileHandle); I don't have any PHP skills at all. In fact I'm probably looking for a script that can help accomplish what I'm asking about. Regardless, I'm having a hard time getting any answers or solutions to this. I would like to make a web form that collects cc#'s from my customers that is PCI Compliant in as simple a manner as possible. 99% of the time my clients are not being charged at all, and the cc is used simply to ensure a service is confirmed. If they were to be charged, I would have to do that manually as no payment gateways currently deposit into banks in the country I am in. One thought I had would be if I could have the cc# either split, or broken up into separate fields and emailed separately. I am told this is PCI Compliant. I would also be fine with the cc# being split between database and email. I know this is possible w/ zen cart, but I have been unable to find any scripts that do this and don't have a need for a shopping cart addition to my site. But, I am aware that zen cart and other shopping cart add ons have options for X's to cover a bunch of numbers in the middle of the string and write that directly to the database. One thing that is a necessity is that the majority of the data input to the form be emailed. So, I'm basically hoping to protect the cc data in the simplest way possible, which I thought would be to break it up. I'll be trashing the cc #'s once I get them. I have no need to file them. I do have a SSL on my server. I am completely open to other suggestions. Is something like this, or another option a possibility? My skills are rudimentary. I taught myself to write some html and also use Dreamweaver to subsidize for what I can't code myself. I apologize if this should be in one of the other forums. Hi, I built this reg-login file. Note, login.php asks for your login details. The webform (so to speak) uses SELECT sql query to check your login credentials. The reg.php asks for your new acc details. The webform (so to speak) uses INSERT sql query to add your details to db. I got my webform not displayed to you either as registration form or login form. It is a neutral form. It justs asks you for your email. Then checks against db. If it exists, it assumes you existing member and login() function takes over and logs you in. Else, registration() functions takes over and registers you. Note:
On the login(), at the end when user is logged into his member account, his personal details get displayed on screen. if($row = mysqli_fetch_array($result_3,MYSQLI_ASSOC))
1. I want you to see if there any errors in my code that will result in malfunction or hacker sql injecting or hacking. 2. I need you to show me how to VALIDATE user input. VALIDATE email using 1). html5 & 2). php 7 email validation function plus 3.) with REGEX so nothing but email is inputted. Show me these 3 ways to check for email. I need you to show me how to VALIDATE user password. VALIDATE password using 1). html5 & 2). php 7 & 3.) with REGEX so nothing but password (A-Z, 0-9 ONLY) is inputted. And no other chars. Show me these 3 ways to check for password. From there, I should pick on fast from you and manage to VALIDATE username input.
I don't know how to do these above 2 so kindly teach me by showing snippet with comments so i understand your snippet. NOTE:
I did not complete the password prompt because I have forgotten how to do it with SHA256. Can someone show me a typical example how to query for password with SHA256 or whatever the latest strong algorithm is ? Show me code with comments so I understand what you doing with your code.
Thank You!
<?php session_start(); if($_SERVER['REQUEST_METHOD'] == 'POST') { if(!isset($_POST['email_account']) || !isset($_POST['email_service'])) { $email_error = "<font color='red'>Input Email Address!</color>"; } else { //Connect to Database. (DB_SERVER, BD_USERNAME, DB_PASSWORD, DB_NAME). $conn = mysqli_connect("localhost","root","","powerpage"); $conn->set_charset('utf8mb4'); //Always set Charset. if($conn === false) { die("ERROR: Connection Error!. " . mysqli_connect_error()); } else { //Set Parameters. $email = trim($_POST["email_account"]) . '@' . trim($_POST["email_service"]); $_SESSION['email'] = trim($_POST["email_account"]) . '@' . trim($_POST["email_service"]);//If this fails on test then replace it with above line echo "line 25 triggered: $email<br>"; $sql_query = "SELECT COUNT(personal_email) FROM users WHERE personal_email = ?"; $stmt = mysqli_prepare($conn,$sql_query); if($stmt == False) { //Close Connection. mysqli_close($conn); echo "Line 33<br>";//DELETE THIS die("<pre>Mysqli Prepare Failed!\n".mysqli_stmt_error($stmt)."\n$sql_query</pre>"); } else { mysqli_stmt_bind_param($stmt,'s',$email); if(!mysqli_stmt_execute($stmt)) { //Close Connection. mysqli_close($conn); die("Could not mysqli_stmt_execute! Please try again later!"); } $result = mysqli_stmt_get_result($stmt); if(mysqli_fetch_array($result, MYSQLI_NUM)[0])//WHY THIS NOT WORK UNLESS NUM ARRAY GIVEN ? { echo "Line 57 triggered: Function login() will trigger!<br>"; //DELETE THIS $_SESSION['session_type'] = 'login'; login(); } else { echo "Line 61 triggered: Function register() will trigger!<br>"; //DELETE THIS $_SESSION['session_type'] = 'register'; register(); } } } } } function register() { //if(!isset($_SESSION['session_type'] or $_SESSION['session_type'] != 'registration')//Nog Dog's copied & pasted line if(!isset($_SESSION['session_type']) || $_SESSION['session_type'] != 'register') { //Close Statement. mysqli_stmt_close($stmt); //Close Connection. mysqli_close($conn); die("Line 86: Could not check email! Please try again later!"); } //$email = trim($_POST["email_account"]) . '@' . trim($_POST["email_service"]); $email = $_SESSION['email'];//If this fails on test then replace it with above line //Connect to Database. (DB_SERVER, BD_USERNAME, DB_PASSWORD, DB_NAME). $conn = mysqli_connect("localhost","root","","powerpage"); //Prepare an INSERT Statement. $sql_query_2 = "INSERT INTO users (personal_email) VALUES (?)"; if(!$stmt_2 = mysqli_prepare($conn,$sql_query_2)) { //Close Connection. mysqli_close($conn); die("Could not register! Please try again later!"); } else { //Bind Variables to the Prepared Statement as parameters. mysqli_stmt_bind_param($stmt_2,'s',$email); //Attempt to execute the Prepared Statement. if(!mysqli_stmt_execute($stmt_2)) { //Close Statement. mysqli_stmt_close($stmt_2); //Close Connection. mysqli_close($conn); die("Could not register! Please try again later!"); } mail(); } } function login() { if(!isset($_SESSION['session_type']) || $_SESSION['session_type'] != 'login') { //Close Statement. mysqli_stmt_close($stmt); //Close Connection. mysqli_close($conn); die("Could not check email! Please try again later!"); } //$email = trim($_POST["email_account"]) . '@' . trim($_POST["email_service"]); $email = $_SESSION['email'];//If this fails on test then replace it with above line //Connect to Database. (DB_SERVER, BD_USERNAME, DB_PASSWORD, DB_NAME). $conn = mysqli_connect("localhost","root","","powerpage"); //Prepare a Select Statement. $sql_query_3 = "SELECT id,username,first_name,middle_name,surname,gender,age_range FROM users WHERE personal_email = ?"; if(!$stmt_3 = mysqli_prepare($conn,$sql_query_3)) { //Close Statement. mysqli_stmt_close($stmt_3); //Close Connection. mysqli_close($conn); die("Could not check email! Please try again later!"); } else { //Bind Variables to the Prepared Statement as parameters. mysqli_stmt_bind_param($stmt_3,'s',$email); //Attempt to execute the Prepared Statement. if(!mysqli_stmt_execute($stmt_3)) { //Close Statement. mysqli_stmt_close($stmt_3); //Close Connection. mysqli_close($conn); die("Could not check email! Please try again later!"); } //mysqli_stmt_bind_result($stmt,$email); $result_3 = mysqli_stmt_get_result($stmt_3); //if(mysqli_fetch_array($result_3, MYSQLI_NUM)) //Fetch result row as an associative array. Since the result set contains only one row, we don't need to use the 'While loop'. //mysqli_stmt_fetch($stmt);//use this if you use 'mysqli_stmt_bind_result($stmt,$email). if($row = mysqli_fetch_array($result_3,MYSQLI_ASSOC)) //Use this if you use '$result = mysqli_stmt_get_result($stmt)' instead of 'mysqli_stmt_bind_result($stmt,$email)'. { //Retrieve Values. $id = $row["id"];//Use this if you use '$result = mysqli_stmt_get_result($stmt)' instead of //'mysqli_stmt_bind_result($stmt,$email_count)'; $username = $row["username"];//Use this if you use '$result = mysqli_stmt_get_result($stmt)' instead of //'mysqli_stmt_bind_result($stmt,$email_count)'; $first_name = $row["first_name"];//Use this if you use '$result = mysqli_stmt_get_result($stmt)' instead of //'mysqli_stmt_bind_result($stmt,$email_count)'; $middle_name = $row["middle_name"];//Use this if you use '$result = mysqli_stmt_get_result($stmt)' instead of //'mysqli_stmt_bind_result($stmt,$email_count)'; $surname = $row["surname"];//Use this if you use '$result = mysqli_stmt_get_result($stmt)' instead of //'mysqli_stmt_bind_result($stmt,$email_count)'; $gender = $row["gender"];//Use this if you use '$result = mysqli_stmt_get_result($stmt)' instead of //'mysqli_stmt_bind_result($stmt,$email_count)'; $age_range = $row["age_range"];//Use this if you use '$result = mysqli_stmt_get_result($stmt)' instead of //'mysqli_stmt_bind_result($stmt,$email_count)'; echo "Id: $id<br>"; echo "Username: $username<br>"; echo "First Name: $first_name<br>"; echo "Middle Name: $middle_name<br>"; echo "Surname: $surname<br>"; echo "Gender: $gender<br>"; echo "Age Range: $age_range<br>"; //Close Statement. mysqli_stmt_close($stmt_3); //Close Connection. mysqli_close($conn); } } } //DO NOT NEED TO REDO THE HTML CODE BELOW AS WAS NOT COPY & PASTE FROM ELESEWHERE .... ?> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta name="viewport" content="width=device=width, initial-scale=1"> </head> <body> <form action="" method="post"> <label for="email_account">Email:</label> <input type="text" name="email_account" id="email_first_part" placeholder="Email Address before '@'"> <label for="email_service"><b>@</b></label> <input type="text" name="email_service" id="email_last_part" placeholder="Email Address after '@'"> <?php if(!empty($email_error)){echo $email_error;}?> <br> <button type="submit" class="login_register" name="login_register">Register/Login</button> </body> <html> <?php ?>
I generated a table from the database, and at the end of each row there are two submits, one for save and another for delete. The values are generated as either text and select box input. Right now, I have all the submits named differently (ends a number), so I can loop through all available submits based on the number to check which row needs to be updated, and to retrieve the values during form processing, then only perform the query. I have also hidden input in each row to send the "primary key" that is used during query. Is there a better approach than to have so many different names for the buttons, not having to loop through all of them each time, and still keep a similar layout? I'm trying to avoid anything else than PHP. The table looks something like: col1____| col2_______| col3____|__________________ txt input | select input | txt input |save bttn | delete bttn txt input | select input | txt input |save bttn | delete bttn My PHP code for mySQL query result: echo '<input type="text" value="' . $row [ "dollar_amount" ] . '" onInput = "submit();" >'; This yields a neat HTML column of retrieved prices on my PHP page that looks kinda like this <input type="text" value="19.99" onInput="submit();"> <input type="text" value="7.55" onInput="submit();"> <input type="text" value="10.00" onInput="submit();"> <input type="text" value="4.99" onInput="submit();"> <input type="text" value="12.75" onInput="submit();">
Desired Effect:
Question:
Problems I've Encountered: It seems the only way to do this is to have PHP loop through EVERY post variable every time anything is posted and this seems inefficient.
Example: foreach($_POST as $var = $val) { // loop through all the posts on the page if(substr($var,0,12) == 'updatedollar') { // make sure it's an "updatedollar" post and not one of the other posts on the page. if(substr($var,12) != $val) { // get rid of "updatedollar" part and see if it's the value I wanted changed // do a mysql update query and update the table } } } So, there has to be a better way? Thank you.
Customers visit a "select merchandise page." Question: Is using 2 forms and hidden inputs the secure and accepted way to do this?
--------------------------------------------------------
<form method="post" action="<?=$SERVER['PHP_SELF']?>"> When finished, click here to create Packing Slip:
<form method="post" action="finished.php"> Thank you!!
|