|
PHP - Escaping Php Input -- Not Normal Input
I am writing a script that will parse my PHP classes and check for things like coupling, visualize my objects and connections, dependencies, check for convention usage, etc.
So, I have a simple file upload. I'm never saving the files, just get contents and dump the file and work with the string version.
I'm writing it for me, but I figure I might want to open it for others to use in the future, so I may as well write it that way to begin with -- so I need to validate user input. Problem is, the user input is supposed to be valid PHP code. I'm thinking that, as long as I'm careful, I shouldn't be executing any code contained in strings, but I'm no security expert and I want a warm fuzzy that my thought on this is correct. What kinds of things do I need to look out for? Is it possible to inject when working with strings?
My initial thought is to regex the entire file and replace key portions with known replacements. So ( and ) would become !* and !^ or $ would become @~ (combinations that -- I think -- don't make sense to php?) But that may be completely unnecessary processing time if I'm not in any danger, here. Thanks ahead of time for any help.
PS - as a side question -- what's the best way to verify a file is a php file? I know of getimagesize for images, but should I just check for <? to verify it's php? That seems like it would be too easy to fool -- then again, it might not matter much.
-Adam
Similar TutorialsI hope I can explain what is happening. I have created two forms in PHP. The first 'almost' works, i.e. it shows the data. But I have two problems - 1) the second pulldown menu is always empty and 2) $value from the first pulldown menu ALWAYS equals the last entry thus the last 'if' in the function subdomains ($domains) is always called (but still empty). The code may explain this better than me:
<!DOCTYPE html>
<html>
<body>
<!-- processDomains.php is this file - it calls itself (for testing purposes so I can see what is happening) -->
<form action="processDomains.php" method="post">
<?php
// create the domains array (there are actually several entries in the array but I cut it down for testing)
$domains = array (1 => 'Decommission', 'Migration');
echo "Select Domain:";
echo "<br>";
// Make the domain pull-down menu - this displays correctly
echo '<select name="domain">';
foreach ($domains as $key => $value) {
echo "<option value=\"$key\">$value</option>\n";
}
echo '</select>';
// input doesn't matter what is 'submitted', always goes to last $value
echo '<input type="submit" name="submit" value="Submit">';
// call function subdomains
subdomains ($value);
function subdomains ($domains) {
// define values for each array - each array contains available choices for the subdomain pulldown menu
$migration = array (1 => 'Application Migration', 'Application Patch', 'Application Upgrade');
$decommission = array (1 => 'Applications', 'Servers', 'Storage');
if ($domains === 'Migration') {
echo "Select subdomain:";
echo "<br>";
// Make the Migration pull-down menu
echo '<select name="migration">';
foreach ($migration as $key => $value) {
echo "<option value=\"$key\">$value</option>\n";
}
echo '</select>';
} else if ($domains === 'Decommission') {
/* ===
* since 'Decommission' is the last entry in the 'Domains' pulldown list, $value ALWAYS equals
* 'Decommission' and $domains equals $value. So this menu SHOULD work but is always
* empty. Thus, two problems - the pulldown menu is always empty and $value isn't based
* upon user input.
*/
echo "Select subdomain:"; // this prints so I know I'm in 'Decommission (I eliminated the echo "$domain" to show I'm always coming here)'
echo "<br>";
// Make the 'Decommission' pull-down menu
echo '<select name="decommission">';
foreach ($decommission as $key => $value) {
echo "<option value=\"$key\">$value</option>\n";
}
echo '</select>';
echo '<input type="submit" name="submit" value="Submit">'
) // end of 'if-else'
} // end of function 'subdomain'
?>
</form>
</body>
</html>
Let me say thank you in advance and I appreciate the help! I know I'm doing something (or more than one thing) wrong and I hope someone can tell me what it is.
Best Regards!
Edited by mac_gyver, 19 January 2015 - 09:37 PM. code tags around posted code please I have a calendar select date function for my form that returns the date in the calendar format for USA: 02/16/2012. I need to have this appear as is for the form and in the db for the 'record_date' column, but I need to format this date in mysql DATE format (2012-02-16) and submit it at the same time with another column name 'new_date' in the database in a hidden input field. Is there a way to do this possibly with a temporary table or something? Any ideas would be welcome. Doug Hi people, I really hope you guys can help me out today. I'm just a newbe at php and i'm having real trouble. Bassically all I want to do is have a user type in a company name in a html form. If what the user types in the form matches the company name in my php script i want the user to be sent to another page on my site. If what the user types in the form doesnt match the company name in my php script i want the user to be sent to a differnt page like an error page for example. this is my html form: Code: [Select] <form id="form1" name="form1" method="post" action="form_test.php"> <p>company name: <input type="text" name="company_name" id="company_name" /> </p> <p> <input type="submit" name="button" id="button" value="Submit" /> </p> </form> And this is the php code I'm trying to process the information on: Code: [Select] <?php $comp_name = abc; if(isset ($_POST["company_name"])){ if($_POST["company_name"] == $comp_name){ header("Location: http://www.hotmail.com"); exit(); } else{ header("Location: http://www.yahoo.com"); exit(); } } ?> The thing is i'm getting this error when i test it: Warning: Cannot modify header information - headers already sent by (output started at D:\Sites\killerphp.com\form_test.php:10) in D:\Sites\killerphp.com\form_test.php on line 17 Please can some one help me out, i'm sure this is just basic stuff but i just cant get it to work Cheers. i'm not sure how to ask this question on google, so i'm going to ask for your help. here's the code that i have the question about <form action='findMovie.php' method='post'> <table> <?php $result = mysql_query ("SELECT genre FROM genres ORDER BY genre"); while ($row = mysql_fetch_array($result)) { $genre = $row['genre']; echo "<tr><td>" .$genre ."</td><td><input type='hidden' name='" .$genre ."' value='" .$genre ."'><input type='submit' name='listMovies'></td></tr>"; } ?> </table> </form> so i have this form that creates a list of submits from a table that i have created. the form works perfectly fine (i realize the design is not that great... i'm just going for functionality now) what i need is to turn the value of the hidden field (which is dynamically created by a variable) into a variable in the handler so that I can search my movie table and get the movies by genre. does this make sense? and any help is greatly appreciated. i'm not a great programmer, but i do it in my spare time as a hobby. so go easy on my coding, it works and that's the most i'm concerned with at the moment. thanks ahead of time So basically I have a site, and on that site, I have a page that submits a form and updates a database. I have it set up so that someone can enter in Multiple values into a textarea, one on each line, and it will submit each of those values as a new row in the database, but for the life of me, I cannot figure out how to check those values against the actual users. It is basically a point system, where the staff can award points users of the site. But at the moment, a Staff member could enter in Jibberish, and it would insert that into the database, but I want it to check my users table to make sure the user exists before it inserts it into the database. here is my code: <?php include 'global.php'; echo $headersidebar; if ($_COOKIE['access'] == $accessstaff) { if(count($_POST)) { $array = preg_split('/(\r?\n)+/', $_POST['studentname']); foreach($array as $students) { $statusmsg = '<center><span style="background: #A6FF9E;">You have successfully submitted points to the database.</span></center>'; mysql_query("INSERT INTO points (giver, receiver, points, category, reason, date, status) VALUES ('{$_COOKIE['username']}', '{$students}', '{$_POST['pointamt']}', '{$_POST['pointcat']}', '{$_POST['pointreason']}', '{$date}', 'Validating')"); } } $addpointspage = $statusmsg . ' <form action="submit_points.php" method="post"> <table class="table" > <tr> <td colspan="10"> <h1><strong><center>Submit Points</center></strong></h1> </td> </tr> <tr> <td colspan="10" rowspan="100"> <center>Please remember to follow the house point limits when submitting house points.</center> </td> </tr> </table> <table class="table"> <tr> <td style="width: 15%;" valign="top"> Student Name:<br> <span style="font-size: 60%;">(List as many as you want; One per Line)</span> </td> <td colspan="10"> <center><textarea name="studentname" cols="60" rows="10"></textarea></center> </td> </tr> <tr> <td style="width: 15%;" valign="top"> Amount of Points: </td> <td> <input style="position: relative; left: 16px;" type="text" size="15" name="pointamt" /> </td> <td> Do not put anything that is not a number into this box. </td> </tr> <tr> <td style="width: 15%;" valign="top"> Point Category: </td> <td colspan="10"> <select name="pointcat" style="position: relative; left: 16px;"> <option SELECTED value="">-------</option> <option>Class Work</option> <option>Class Exam</option> <option>Extra Work</option> <option>Contests</option> <option>Teacher\'s Assistant</option> <option>Negative Points</option> </select> </td> </tr> <tr> <td style="width: 15%;" valign="top"> Reason: </td> <td colspan="10"> <input style="position: relative; left: 16px;" name="pointreason" type="text" size="80" /> </td> </tr> <tr> <td> </td> <td colspan="10"> <input style="position: relative; left: 16px;" type="submit" value="Submit Points" /> </td> </tr> </table </form> '; } elseif (1==1) { $addpointspage = $accessdenied; } echo ' <!-- start content --> <div id="content"> <div class="post"> <div class="entry"> <p><strong>' . $addpointspage . '</p> <p class="links">' . $addpointslink . '</p> </div> </div> </div> <!-- end content --> <div style="clear: both;"> </div> </div> <!-- end page --> </div>'; echo $footer; ?> I am fairly new to PHP, so I would appreciate any help someone could give me; I am not too good with arrays and such, so this one has got me stumped. I'm researching ways that my server can be vulnerable. So far, I've strongly relied on regex to sanitize anything susceptible to user input/manipulation. Should I be trying other methods? Should I be changing input to html entities, even though they're bypassed w/ regex? Any recommendations on other methods to secure my server besides securing user input? Hello friends i need to make the following idea Code: [Select] <form method="post"> Enter ID : <input type="text" name="id" /> <input type="submit" value="Submit" /> </form> and the input id should goes to php code on same page as $id $ORGtext= file_get_contents('NewsID=$id'); how to write it correct thanks I would like to sanitize input from users so when it's pulled out of the database and stuck into the page, they can't add malicous code to my page. I have heard of striptags but wonder if there is anything better. thanks I'm new to PHP So sorry if this is a nooby question, But i have 3 php pages, one asks for username, pass, database and host, and then posts it on the next php page. The next PHP Page asks if all the information is correct, with hidden inputs, and the values as the PHP settings, but wrapped in <?php ?> Example: <input type="hidden" name="user" value=<?php $user; ?> /> Will the above set the value of user to the PHP Value of $user? Hello All, i am trying to figerout how can i create a list of options that the user can input the values to as many lines as he wants and then getting the value of each row and inserting it to my DB (mysql) i havent found anyway to make this kind of list that is "open" for edit and is not limited... Can anyone suggest anything ? <INPUT TYPE = "Text" VALUE ="0" ID = "username2" NAME = "username2"> <?php $value1 = $_POST['username2']; $nine=$value1; $codx =$characters[$nine]->name; ?> Im tring to get '0' in username2 inputbox readit in php $nine $codx =$characters[$nine]->name;
It only works like this <?php $nine='0' $codx =$characters[$nine]->name; ?>
What i need is to get the users
the $nine will hold the number
How do I read the user input my textbox post pulls the input $nine = $_POST['username2']; $codx =$characters[$nine]->name; i noticed it wouldn't work it only works this way
$nine='0';
Let me know how to read in user input
sorry to repeat i needed to explain none What is the best way to santize a user input What covers it all without leaving the text with slashes Do i just need to escape my variables, or no i need to sanitize my queries as well? Whats the whole kitten kaboodle, anyone? am I missing anymore input attacks to pass not having 2 of the same balls? Code: [Select] $numbers = "19|20|19"; $numArray = explode("|", $numbers); if ($numArray['0'] == $numArray['1'] OR $numArray['0'] == $numArray['2'] ){ $std->Error2("You cannot pick 2 numbers with the same ticket"); } The if function will see if 19 = 20, or 19 = 20 then I would it need to do $numArray['1'] == $numArray['2'] and so on right to get all possible ways? If so, is there a easier way instead of just using all OR Statements and not manually thinking about what possible way, isn't there just a way to check if 2 arrays are the same? (or 3) I need to allow a user to input a CSV file and to display what they've got, possibly for corrections. I'm thinking of limitations for filesize, what happens if the columns overlap the page, and realtime. What seems to be a good way of providing this functionality? Any suggestions? Thanks! Mark Whit my code it only appear a list of 1 or 0 and the id but I don't know how to get to show only the id Like so: submit 0 60/ 0 59/ 0 58/ 0 57/ 0 56/ 0 45/ 0 38/ 1 37/ on my first page: Code: [Select] <table border="2"> <tr> <th>Id</th> <th>User</th> <th>Comment</th> <th>Yes</th> <th>No</th> </tr> <form method="post" action="admincommentdelete.php" id="formc"> <?php $vv = array(); $st = Comment::test($result['article']->id,0,999); $vv['comment'] = $st['comment']; $i = 0; foreach($vv['comment'] as $p) { $i++; echo "<tr>"; echo "<td>".$p->id."</td>"; echo "<td>".$p->usern."</td>"; echo "<td>".$p->com."</td>"; echo "<td><input name=$i type=radio value='1'/></td>"; echo "<td><input name=$i type=radio value='0'/></td>"; echo "<input type=hidden name=h".$i." value=$p->id/>"; echo "</tr>"; } ?> <input type="submit" value="submit" name="submit"> </form> </table> second: Code: [Select] <?php $id = array(); if(isset($_POST['submit'])) { $data = array(); $data = $_POST; foreach($data as $key) { echo $key."</br>"; } } ?> I thought I'd done this a hundred times before... but I am lost. Even after running mysql_real_escape_string, strip_tags and addslashes etc, I can still enter SQL into my input and it screws with the query. I can't simply use regex to check for valid characters since it's an input that lets the user format a post with BBcode and characters they want. What's the proper way to 'clean' the input, then? Thanks in advance Ok, I am trying to make it so that the field itself shows a N/A in it instead of being blank. So that a field does not remain blank. The original code is: Code: [Select] echo '<div id="ncmrsr"><tr><td><span class="b">NCMR Supplier Response:<br /></span></td><textarea name="ncmrsr" rows="6" cols="85"></textarea></tr></div><br />'; I figured this would show the "N/A" in the field. Code: [Select] echo '<div id="ncmrsr"><tr><td><span class="b">NCMR Supplier Response:<br /></span></td><textarea name="ncmrsr" rows="6" cols="85" value="N/A"></textarea></tr></div><br />'; Since this doesn't seem to work, is there a way to make it so that if a field is left empty that "N/A" is the response in said field? Hi ! I'm trying to understand how php://input works. I've read the manual ( http://php.net/manual/en/wrappers.php.php ) and I have an example of a file upload receiving the file with php://input instead of $_FILES. But I can't understand it, does somebody a good tutorial about php://input ? What is the data inside it? is always the same that $HTTP_RAW_POST_DATA ? How can we send a file to PHP and receive it with php://input ? I'm trying to see what's inside php://input with this code: Code: [Select] $in = fopen("php://input", "rb"); echo Debug::vars($in); if ($in) { while ($buff = fread($in, 4096)) { echo $buff . EOL; // fwrite($out, $buff); } } but I get always blank output (Debug is a Kohana class and it returns: Quote resource(stream) php://input Thanks !! Hello people. I am very new to PHP and have a website for microlight pilots where you can add an airfield. It is a Joomla based site and the input form can be seen here. http://microlight.co/index.php/New-Airfield I am quite prepared to re-write the whole input form again if I have to. Now here's my question. I would like the output of the form to be in an HTML table like it is on this page http://microlight.co/index.php/billaricay This is because at the moment people fill out the form, I get an e-mail with the info, and then have to put it into the airfield card manually myself. Sorry, If my explanation isn't very clear. But basically want users input into a table. I have something like this on one of my pages: $name = 'Bob'; Code: [Select] if ((isset($_POST['name'])) || ($_POST['name'] == '')) { $name = $_POST['name']; //update database } echo '<form action='' method='POST'>'; echo '<table><tr><td width="125">Name: </td><td><input type="text" name="signature" style="width: 270px;" value="' . $name . '" /></td></tr></table>'; echo '</form>'; Here's the problem: Initially, because the form data has not been sent the input box says: 'Bob'. If I remove the name Bob from the input box by manually clicking in it and deleting the name, and I submit the form, it keeps showing 'Bob', whereas I would like it to be empty. What am I doing wrong? |
|||||||