|
PHP - Protecting Mysql Db From Form Inputs
Hi, I'm putting together a database that once logged in, a user is able to insert, update and delete records via html forms.
The login is secured using mysql_real_escape_string, but I'm wondering should I do the same for all form elements that pass data to the db? There are a wide range of inputs, from numeric, alphanumeric, dates and more. I'd appreciate your feedback. Regards, James Similar TutorialsI have tried a large number of "solutions" to this but everytime I use them I see 0000-00-00 in my date field instead of the date even though I echoed and can see that the date looks correct. Here's where I'm at: I have a drop down for the month (1-12) and date fields (1-31) as well as a text input field for the year. Using the POST array, I have combined them into the xxxx-xx-xx format that I am using in my field as a date field in mysql. <code> $date_value =$_POST['year'].'-'.$_POST['month'].'-'.$_POST['day']; echo $date_value; </code> This outputs 2012-5-7 in my test echo but 0000-00-00 in the database. I have tried unsuccessfully to use in a numberof suggested versions of: strtotime() mktime Any help would be extremely appreciated. I am aware that I need to validate this data and insure that it is a valid date. That I'm okay with. I would like some help on getting it into the database. How is it possible, in PHP, to display an error message next to a form input text field if a user is attempting to submit a form with empty fields? Moreover, how is it possible to remove the same error message when the user fills in the input field with the required data and/or refreshes the page? I have 2 files that I am working with: application.php and process.php.
application.php mainly has the HTML of the form. I am very new to learning PHP (I started learning it last week) and I have been searching for hours for a clear answer. I have already tried different methods for generating the error message including: using empty(), !isset, $_POST["name"] = "", etc, and have tried using session_start();, $row, echo, print, and other variables to try and display error message on the page, and I have tried using unset();, and = null, to try and remove the error message once the input field has been filled but all to no avail. Either the method I try only half works, or nothing works, and I cannot pinpoint which is the part that is not working. I only have 2 files to work with, and as an example of what I want to do is:
1. If the first name field is empty when the user clicks submit, an error message should appear next to the input. Is this possible with PHP? I'm working on an online php program that can have a few hundred form inputs. Mainly just numbers from 1 to 50,000 depending on the field. I wanted to use cookies so the user can keep the data entered on their browser but i found out the hard way that the browsers have a limitation that I've exceeded. Does anyone have any ideas? What is the best way to force a user to input numeric value into a form, with the following condition: Either the number is an integer (positive or negative or zero), or non integer but limited to the one digit behind the dot (e.g. 1.2 is valid, but 1.21 is not)? I know I can test it in the server side, but I prefer it to be on the form side. Can it be in the HTML level? I generated a table from the database, and at the end of each row there are two submits, one for save and another for delete. The values are generated as either text and select box input. Right now, I have all the submits named differently (ends a number), so I can loop through all available submits based on the number to check which row needs to be updated, and to retrieve the values during form processing, then only perform the query. I have also hidden input in each row to send the "primary key" that is used during query. Is there a better approach than to have so many different names for the buttons, not having to loop through all of them each time, and still keep a similar layout? I'm trying to avoid anything else than PHP. The table looks something like: col1____| col2_______| col3____|__________________ txt input | select input | txt input |save bttn | delete bttn txt input | select input | txt input |save bttn | delete bttn I don't have any PHP skills at all. In fact I'm probably looking for a script that can help accomplish what I'm asking about. Regardless, I'm having a hard time getting any answers or solutions to this. I would like to make a web form that collects cc#'s from my customers that is PCI Compliant in as simple a manner as possible. 99% of the time my clients are not being charged at all, and the cc is used simply to ensure a service is confirmed. If they were to be charged, I would have to do that manually as no payment gateways currently deposit into banks in the country I am in. One thought I had would be if I could have the cc# either split, or broken up into separate fields and emailed separately. I am told this is PCI Compliant. I would also be fine with the cc# being split between database and email. I know this is possible w/ zen cart, but I have been unable to find any scripts that do this and don't have a need for a shopping cart addition to my site. But, I am aware that zen cart and other shopping cart add ons have options for X's to cover a bunch of numbers in the middle of the string and write that directly to the database. One thing that is a necessity is that the majority of the data input to the form be emailed. So, I'm basically hoping to protect the cc data in the simplest way possible, which I thought would be to break it up. I'll be trashing the cc #'s once I get them. I have no need to file them. I do have a SSL on my server. I am completely open to other suggestions. Is something like this, or another option a possibility? My skills are rudimentary. I taught myself to write some html and also use Dreamweaver to subsidize for what I can't code myself. I apologize if this should be in one of the other forums. Hello, I am very very new to PHP and have created a form that changes depending on a selection option. The website is here http://www.rmdesignstudio.com.au/wraptinprint/quotes.php and the PHP is all on the quotes.php page. The form sends to the email but when you fill in one form (example: Business Cards) the form sends, but along with all the entered fields the email also includes all the fields in all the hidden forms that werent filled in. I believe it is because they are drop down boxes and it is sending the first option in the list which happens to be "-----Please Select-----" Is there something I should be doing to my selection input field for this not to show up? Otherwise is there something I need to add to my PHP so it checks for the fields being filled in? I dont know how to add my code to this post, so if you could either show me or view my code via view source that would be awesome. Hello, I am doing a php registration form, file name is register.php Code: [Select] <?php include("config.php"); $submit = strip_tags($_POST['submit']); $username = strip_tags($_POST['user_box']); $password = md5(strip_tags($_POST['pass_box'])); $cpassword = md5(strip_tags($_POST['c_pass_box'])); $email = strip_tags($_POST['email_box']); $mobile = $_POST['mobile_box']; $ip = $_SERVER['REMOTE_ADDR']; $date = date('Y-m-d'); $time = date('h-i-s'); $i = 0; $checkusername = mysql_num_rows(mysql_query("SELECT * FROM members WHERE username='$username'")); $checkemail = mysql_num_rows(mysql_query("SELECT * FROM members WHERE email='$email'")); /* Validating username field */ if($username != NULL) { if (strlen($username) > 15 || strlen($username) < 6) { echo "<p>Username must be in range of 6 to 15 Characters.</p>"; } else { //check in DB if ($checkusername == 1) { echo "<p>Username already exist in database.</p>"; } else { $i++; } } } else { echo "<p>Username cannot be Blank</p>"; } /* ----------validating password field---------- */ if ($password != "d41d8cd98f00b204e9800998ecf8427e" || $cpassword != "d41d8cd98f00b204e9800998ecf8427e") { if ($password == $cpassword) { if (strlen($password) > 16 && strlen($password) < 4) { echo "<p>password must be in range of 4 to 16 Characters.</p>"; } else { $i++; } } else { echo "<p>Passwords do not match.</p>"; } } else { echo "<p>Password cannot be empty</p>"; } /* ----------Validating Passwords End---------- */ /* ----------Validating Email field Starts---------- */ if($email != NULL) { if($checkemail == 1) { echo "<p>Email already exist.</p>"; } else { $i++; } } else { echo "<p>Email field cannot be empty.</p>"; } /* ----------Validating Email fiend ends---------- */ /* ----------Validating Email field Starts---------- */ if($mobile != NULL) { if(strlen($mobile) >10) { echo "<p>Mobile cannot be more than 10 digits long</p>"; } else { $i++; } } else { echo "<p>Mobile field cannot be empty.</p>"; } /* ----------Validating Email fiend ends---------- */ if ($i == 4) { mysql_query("INSERT INTO members (username, password, email, mobile, ip, date, time) VALUES ('$username', '$cpassword', '$email', '$mobile', '$ip', '$date', '$time')"); echo "<p>Successful Registration Done !</p>"; } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Untitled Document</title> </head> <body> <form id="form1" name="form1" method="post" action=""> <table width="576" height="229" border="0"> <tr> <td width="139">Username :</td> <td colspan="2"><label for="user_box"></label> <input type="text" name="user_box" id="user_box" size="30" height="30" /> (Between 6 to 15 Characters)</td> </tr> <tr> <td>Password :</td> <td colspan="2"><label for="pass_box"></label> <input type="password" name="pass_box" id="pass_box" size="30" height="30" /> (Between 4 to 16 Characters)</td> </tr> <tr> <td>Confirm Password :</td> <td colspan="2"><label for="c_pass_box"></label> <input type="password" name="c_pass_box" id="c_pass_box" size="30" height="30" /></td> </tr> <tr> <td>Email Address :</td> <td colspan="2"><label for="email_box"></label> <input type="text" name="email_box" id="email_box" size="30" height="30" /></td> </tr> <tr> <td>Mobile No. :</td> <td colspan="2"><label for="mobile_box"></label> <input type="text" name="mobile_box" id="mobile_box" size="30" height="30" /> (10 Characters)</td> </tr> <tr> <td> </td> <td width="171"><input type="submit" name="submit" id="submit" value="Submit" /></td> <td width="252"><input type="reset" name="button2" id="button2" value="Reset" /></td> </tr> </table> </form> </body> </html> When I load page, it shows following errors before Username cannot be Blank Password cannot be empty Email field cannot be empty. Mobile field cannot be empty. What I want is on loading page i.e. before giving any inputs, it should not show any errors. Need help Hello,
I'm developing one website for a real-estate agency. I have a html form that is used to submit property details, There is multiple form inputs and also I need to upload multiple property images using Dropzone JS multiple image upload. Here I'm validating form inputs using jQuery Validation library. Validation works perfect and data Is being to posted to php file called submit_property_data.php. But when I implement the Dropzone JS image upload its not working.
JS File (property-submit.js)
$('document').ready(function() {
$("#notification-property").hide();
/* handling form validation */
$("#property-form").validate({
rules: {
prop_title: "required",
prop_price: {
required: true,
digits: true
},
prop_area: {
required: true,
digits: true
},
prop_address: "required",
prop_message: {
required: true,
minlength: 10,
maxlength: 2000
},
prop_owner_name: "required",
prop_owner_email: {
required: true,
email: true
},
prop_owner_phone: {
required: true,
digits: true
},
},
messages: {
'prop_title': {
required: "Please enter title for your property"
},
prop_price: {
required: "Please enter price of your property",
digits: "Please enter price in digits (AED)"
},
prop_area: "Please enter Sqft of your property",
prop_address: "Please enter address of your property",
prop_message: {
required: "Please enter detailed Information",
minlength: "Please enter something about your property in 50 - 20000 characters",
maxlength: "Please enter something about your property in 50 - 20000 characters"
},
prop_owner_name: "Please enter your name",
prop_owner_email: {
required: "Please enter your email address",
email: "Please enter valid email address"
},
prop_owner_phone: {
required: "Please enter your phone number",
digits: "Please enter valid phone number"
},
},
submitHandler: submitPropertyForm
});
/* Handling login functionality */
function submitPropertyForm() {
var data = $("#property-form").serialize();
$.ajax({
type: 'POST',
url: 'submit_property_data.php',
data: data,
beforeSend: function() {
$("#submit-button").html('<span class="glyphicon glyphicon-transfer"></span> Submiting ...');
},
success: function(response) {
if (response == "ok") {
console.log(1);
document.getElementById("property-form").reset();
$("#notification-property").html('<b> ' + response + ' !</b>').show();
//setTimeout(' window.location.href = "dashboard.php"; ',4000);
} else {
$("#notification-property").fadeIn(1000, function() {
$("#notification-property").html('<b>' + response + ' !</b>').fadeOut();
$("#submit-button").html(' Send');
});
}
},
complete:function(){
$('body, html').animate({scrollTop:$('form').offset().top}, 'slow');
}
});
return false;
}
$("#submit-button").bind('click', function() {
if ( $("#property-form").valid() ) {
submitPropertyForm();
} else {
console.log('form invalid');
}
})
Dropzone.autoDiscover = false;
$(function () {
$("div#myDropzone").dropzone({
url: 'submit_property_data.php',
addRemoveLinks: true,
maxFiles:11,
uploadMultiple: true,
autoProcessQueue: false,
parallelUploads: 10,
init: function () {
var myDropzone = this;
// Update selector to match your button
$("#submit-button").click(function (e) {
e.preventDefault();
myDropzone.processQueue();
});
this.on('sending', function(file, xhr, formData) {
// Append all form inputs to the formData Dropzone will POST
var data = $('#property-form').serializeArray();
$.each(data, function(key, el) {
formData.append(el.name, el.value);
});
});
this.on("success", function(file, responseText) {
alert(responseText);
});
},
});
});
});
HTML File (submit-property.php)
<html>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js"></script>
<script src="https://ajax.aspnetcdn.com/ajax/jquery.validate/1.11.1/jquery.validate.min.js"></script>
!-- Submit Property start -->
<div class="content-area-7 submit-property">
<div class="container">
<div class="row">
<div class="col-md-12">
<!-- <div id="error_message" class="notification-box"></div> -->
</div>
<div id="notification-property" class="notification-box">sd</div>
<div class="col-md-12">
<div class="submit-address">
<form name = "property-form" method="post" id="property-form">
<div class="main-title-2">
<h1><span>Tell Me</span> Something About Your Property</h1>
</div>
<div class="search-contents-sidebar mb-30">
<div class="form-group">
<label>Property Title</label>
<input class="input-text" name="prop_title" id="prop_title" placeholder="Property Title">
</div>
<div class="row">
<div class="col-md-6 col-sm-6">
<div class="form-group">
<label>Status</label>
<select class="selectpicker search-fields" id="prop_status" name="prop_status">
<option value="Sale">For Sale</option>
<option value="Rent">For Rent</option>
</select>
</div>
</div>
<div class="col-md-6 col-sm-6">
<div class="form-group">
<label>Type</label>
<select class="selectpicker search-fields" id="prop_title" name="prop_type">
<option value="Modern">Modern</option>
<option value="Traditional">Traditional</option>
<option value="Arabic">Arabic</option>
</select>
</div>
</div>
</div>
<div class="row">
<div class="col-md-3 col-sm-6">
<div class="form-group">
<label>Price (Dirham)</label>
<input class="input-text" name="prop_price" id="prop_price" placeholder="AED">
</div>
</div>
<div class="col-md-3 col-sm-6">
<div class="form-group">
<label>Sqft</label>
<input class="input-text" name="prop_area" id="prop_area" placeholder="SqFt">
</div>
</div>
<div class="col-md-3 col-sm-6">
<div class="form-group">
<label>Bed Rooms</label>
<select class="selectpicker search-fields" name="prop_rooms" id="prop_rooms">
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
</select>
</div>
</div>
<!-- <div class="col-md-3 col-sm-6">
<div class="form-group">
<label>Bathroom</label>
<select class="selectpicker search-fields" name="1">
<option>1</option>
<option>2</option>
<option>3</option>
<option>4</option>
<option>5</option>
<option>6</option>
</select>
</div>
</div> -->
</div>
</div>
<div class="main-title-2">
<h1><span>Location</span></h1>
</div>
<div class="row mb-30 ">
<div class="col-md-6 col-sm-6">
<div class="form-group">
<label>Address</label>
<input class="input-text" id="prop_address" name="prop_address" placeholder="Address">
</div>
</div>
</div>
<div class="main-title-2">
<h1><span>Upload</span> Photos Of Villa </h1>
</div>
<div id="myDropzone" class="dropzone dropzone-design mb-10">
<div class="dz-default dz-message" data=""><span>Drop files here to upload</span></div>
</div>
<div class="main-title-2">
<h1><span>Detailed</span> Information</h1>
</div>
<div class="row mb-30">
<div class="col-md-12">
<div class="form-group">
<textarea class="input-text" id="prop_message" name="prop_message" placeholder="Detailed Information"></textarea>
</div>
</div>
</div>
<!--<div class="row mb-30">
<div class="col-md-4 col-sm-4">
<div class="form-group">
<label>Building Age <span>(optional)</span></label>
<select class="selectpicker search-fields" name="years">
<option>0-1 Years</option>
<option>0-5 Years</option>
<option>0-10 Years</option>
<option>0-20 Years</option>
<option>0-40 Years</option>
<option>40+Years</option>
</select>
</div>
</div>
<div class="col-md-4 col-sm-4">
<div class="form-group">
<label>Bedrooms (optional)</label>
<select class="selectpicker search-fields" name="1">
<option>1</option>
<option>2</option>
<option>3</option>
<option>4</option>
<option>5</option>
<option>6</option>
</select>
</div>
</div>
<div class="col-md-4 col-sm-4">
<div class="form-group">
<label>Bathrooms (optional)</label>
<select class="selectpicker search-fields" name="1">
<option>1</option>
<option>2</option>
<option>3</option>
<option>4</option>
<option>5</option>
<option>6</option>
</select>
</div>
</div>
<div class="col-lg-12">
<label class="margin-t-10">Features (optional)</label>
<div class="row">
<div class="col-lg-4 col-sm-4 col-xs-12">
<div class="checkbox checkbox-theme checkbox-circle">
<input id="opt_parking" name="opt_parking" value="1" type="checkbox">
<label for="checkbox1">
Free Parking
</label>
</div>
<div class="checkbox checkbox-theme checkbox-circle">
<input id="opt_air_condition" name="opt_air_condition" value="1" type="checkbox">
<label for="checkbox2">
Air Condition
</label>
</div>
<div class="checkbox checkbox-theme checkbox-circle">
<input id="opt_seat" name="opt_seat" value="1" type="checkbox">
<label for="checkbox3">
Places to seat
</label>
</div>
</div>
<div class="col-lg-4 col-sm-4 col-xs-12">
<div class="checkbox checkbox-theme checkbox-circle">
<input id="opt_swimming" name="opt_swimming" value="1" type="checkbox">
<label for="checkbox4">
Swimming Pool
</label>
</div>
<div class="checkbox checkbox-theme checkbox-circle">
<input id="opt_laundary" name="opt_laundary" value="1" type="checkbox">
<label for="checkbox5">
Laundry Room
</label>
</div>
<div class="checkbox checkbox-theme checkbox-circle">
<input id="opt_window_covering" name="opt_window_covering" value="1" type="checkbox">
<label for="checkbox6">
Window Covering
</label>
</div>
</div>
<div class="col-lg-4 col-sm-4 col-xs-12">
<div class="checkbox checkbox-theme checkbox-circle">
<input id="opt_parking" name="opt_parking" value="1" type="checkbox">
<label for="checkbox7">
Central Heating
</label>
</div>
<div class="checkbox checkbox-theme checkbox-circle">
<input id="checkbox8" type="checkbox">
<label for="checkbox8">
Alarm
</label>
</div>
</div>
</div>
</div>
</div>-->
<div class="main-title-2">
<h1><span>Contact</span> Details</h1>
</div>
<div class="row">
<div class="col-md-4 col-sm-4">
<div class="form-group">
<label>Name</label>
<input class="input-text" name="prop_owner_name" id="prop_owner_name" placeholder="Name">
</div>
</div>
<div class="col-md-4 col-sm-4">
<div class="form-group">
<label>Email</label>
<input class="input-text" name="prop_owner_email" id="prop_owner_email" placeholder="Email">
</div>
</div>
<div class="col-md-4 col-sm-4">
<div class="form-group">
<label>Contact No</label>
<input class="input-text" name="prop_owner_phone" id="prop_owner_phone" placeholder="Phone">
</div>
</div>
</div>
<div class="col-md-12">
<button type="button" name="submit-button" id="submit-button">Submit</button>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
<script src="property-submit.js"></script>
<script src="js/dropzone.js"></script>
</html>
PHP File (submit_property_data.php)
<?php
echo "ok";
require_once("functions.php");
$ds = DIRECTORY_SEPARATOR; //1
$storeFolder = 'villas-images';
$encpt_data = rand(1000,5000);
if (!empty($_FILES)) {
$tempFile = $_FILES['file']['tmp_name']; //3
$targetPath = dirname( __FILE__ ) . $ds. $storeFolder . $ds; //4
$targetFile = $targetPath.$_FILES['file']['name']; //5
if(move_uploaded_file($tempFile,$targetFile))
{
echo '<b>Success</b>';
}
}
?>
What I actually need ?
I need to validate the form inputs first & upload the images once the form is valid also I need to post all the inputs to my php file called submit_property_data.php Also I need the image inputs to store into my database.
I read ages ago (and checked to see if it's true, it was and given how it works, it must still be) the end user can alter the value of any form field, using Firebug or similar, before submitting it. Two things I've figured out today: 1) a form input doesn't need a value - doesn't even need the attribute - if you're only checking whether the POST var isset and the actual value isn't important 2) Although it appears not to matter in the example I'm working on now, if the script doesn't check what the value is, and potentially sanitise it, the user could submit the form with any value, true, false, malicious, idk... So my question is: is this one of the ways malicious bad things can happen and do I *have to* specify a value, not because the script won't work without it, it does, but because in the real world it opens a security door if I don't check for malicious script by saying "if value not as expected, script has to die". Having formulated the question properly and thought about it I can't imagine simply making a form, without obvious connections to anything important, could be a problem in the way I'm asking about but I asked it now so Edited by appobs, 03 July 2014 - 12:08 PM. How can i save array from inputs, witch is $igraci and it have 5 values, to mysql base, i tryed but in mysql it shows Array. This is form: <form action="dodaj_klan.php" method="post" > <p> <label>Naziv klana:</label> <input name="naziv" type="text" size="20%" /> <label>Web Sajt:</label> <input name="website" type="text" size="20%" /> <label>E-Mail:</label> <input name="email" type="text" size="20%" /> <br /><br /> <label>Igraci klana(5):</label> <input name="lider" type="radio" value="1" /> <input name="igraci[]" type="text" size="20%" /><br /> <input name="lider" type="radio" value="2" /> <input name="igraci[]" type="text" size="20%" /><br /> <input name="lider" type="radio" value="3" /> <input name="igraci[]" type="text" size="20%" /><br /> <input name="lider" type="radio" value="4" /> <input name="igraci[]" type="text" size="20%" /><br /> <input name="lider" type="radio" value="5" /> <input name="igraci[]" type="text" size="20%" /> <label><i>(obelezi lidera klana)</i></label> <br /><br /> <input class="button" type="submit" name="submit" value="Dodaj" /> </p> </form> Now i wonna save this igraci[] array in mysql, i tried like this but it doesn't work: $igraci = $_POST['igraci']; $query = "INSERT INTO klanovi (naziv, website, email, igraci) VALUES ('{$naziv}', '{$website}', '{$email}', '{$igraci}')"; $result = mysql_query($query, $connection); How can i do this? Thanks.. Hello, I have a form for uploading CV files into a CV database. Once the files are uploaded to their directory (e.g. www.jobsboard.com/cvdatabase/) please could someone tell me how to restrict access to users? e.g. once a user logs into their userpanel they should be able to click on a hyperlink to download a CV e.g. (www.jobsboard.com/cvdatabase/CV1.doc) but a user who isn't logged in shouldn't be able to access www.jobsboard.com/cvdatabase/CV1.doc Please could you tell me whether this is possible? Many thanks, Stu Data siphoning is becoming more common every day,
Data siphoning is when you intercept the data and sniff between a client and a host, also known as sniffing a connection. ( i am focusing on session hijack)
To protect clients I've decided to write an MD5 calculation function which changes a secure string (such as a password) to plain MD5
Then once the MD5_password reaches PHP i BCRYPT with cost 20 using password_hash
_
MD5 is not ideal at all and i would like to write a better encryption but i only know how to do MD5 for java script, but i really don't need that much security here.
the purpose is to not show sensitive information, that's going to be hashed on the server, during a data siphon attack.
_
Data siphoning can not be protected against on the host server, the siphoning happens on the clients side usually when they don't have a strong firewall or such.
What are some good techniques you would practice to protect from data siphoning?
Before added security i was able to siphon this:
Username: Richard
Password: mypassword
After added security i was able to siphon this:
Username: 6ae199a93c381bf6d5de27491139d3f9
Password: 5f4dcc3b5aa765d61d8327deb882cf99
Now the only vulnerability between the client and server is if the hacker dns hacks the client which could redirect them to a website that looks like mine with the same EXACT url. which i can't help.
The real username can be retrieved in a session on login.
The real username and password can be found if a hacker injects js to remove the MD5 function, so if you know how to detect JavaScript injection i would like to know that as well.
______
Pretty much it looks like this..
Form -> Send md5(username) & md5(password) -> Server check if match in datbase -> If so login.
^ cypher ^cypher (session)
Edited by Richard_Grant, 12 September 2014 - 03:27 AM. Hi All, I'm trying to secure my web app which is currently in development, and came across this issue. I have a header.php and footer.php page which are included to every page, with the content in the middle. The problem is, if you visit header.php then it displays the header, with some blank text. What is the best way to protect this - i.e., if visited directly, it re-directs to index.php etc. My initial thought is to set a $happylink on each page and in the header and footer, checking basically doing the following if (isset($happylink) && !empty($happylink)) { blah blah; } else { Header("Location: index.php"); } Would that be the best way? Is there something easier? Hi, I was asked to create an app, wherein, the user may enter the email addresses of people manually, and it auto generates a random key. now this key will be used access such pages e.g proposal.test.com/ppc proposal.test.com/seo proposal.test.com/design so using the key for example => Sa22asdf it should appear like this proposal.test.com/ppc/Sa22asdf proposal.test.com/seo/Sa22asdf proposal.test.com/design/Sa22asdf without the unique key generated during the input of email address, the URL mentioned shouldn't be accessed by anyone.. now my question is, how to approach this thing in PHP ? I have done the input for email address and generation of random keys., but i don't know yet what to do or how to do the securing of pages using those keys ?
I have a script that runs periodically by a launchd timer. I give the script a very tight timeout ( set_time_limit(120); ). I been wondering how to protect all the files that contain classes, functions and forms in php to prevent direct access to something that the user shouldnt be able to without the proper check's (typing http://server/inc/login.php insteand of http://server/), and i came to this small idea of checking if an object is set or not but i m wondering if this is really the best idea here's what i have (the case bellow will protect an login form to be accessed directly): Code: [Select] <?php if(!isset($mysqlobj)) die(); if( isset( $_POST['username'] ) && isset( $_POST['password'] ) ){ $login = authentication::login( $_POST['username'], $_POST['password'] ); if( $login == true ){ header( 'location:?go=home' ); }else{ $_SESSION['message'] = 'loginfailed'; header( 'location:?go=login' ); } }else{ if( !empty($_SESSION['logged'] ) && $_SESSION['logged'] == true ){ header( 'location:?go=home' ); }else{ ?> <div id="loginform"> <form action="?go=login" method="post"> <table align="center"> <tr> <td><font size="2">Username</font></td> <td><input type="text" name="username" /></td> </tr> <tr> <td><font size="2">Password</font></td> <td><input type="password" name="password" /></td> </tr> <tr> <td colspan="2" align="center"><input type="submit" value="Login" /></td> </tr> </table> </form> </div> <?php } } ?> Just looking for an "best practice" i tried google for it but i couldnt get to an straight awnser any enlightment is appreciated. I have had a customer want to run my application (PHP/APACHE/MYSQL) on their server rather than a commercial hosting offering (JUSTHOST/GODADDY)
I am reluctant, as it means giving them access to my PHP code which could possibly be copied or distributed.
Can I protect against this?
Hi all, I'm working on this site which I'll soon ask the guys in the testing forum to have a peek at. It's essentially an online community that was a uni project that has spiraled and grown exponetially. I've spent many many hours in front of books and tutorals etc to put it together and as far as scripting goes, it seems to be fine. The problem i'm having...The tut's that I read / watched were using eregi_replace to protect text fields and this is now unsuported. I want my site to be as secure as it can be, within reason. I've tried using preg_replace instead and have searched for the syntax but i keep getting strang results. I'm working on the "bio" field at the moment and then when that works I can move on and a-ply the same idea to the other fields. This si what I have and what I've changed. if ($_POST['parse_var'] == "bio"){ $bio_body = $_POST['bio_body']; //$bio_body = str_replace("'", "'", $bio_body); (WAS TESTING THIS BUT NO JOY) //$bio_body = str_replace("`", "'", $bio_body); $bio_body = mysql_real_escape_string($bio_body); $bio_body = nl2br(htmlspecialchars($bio_body)); $bio = $_POST['bio']; $bio = eregi_replace("'", "'", $bio); (This works but is not as secure) $bio = eregi_replace("`", "'", $bio); $bio = mysql_real_escape_string($bio); $bio = nl2br(htmlspecialchars($_POST['bio'])); $sqlUpdate = mysql_query("UPDATE members SET bio='$bio' WHERE id='$id'"); and so on....} When I change it to str_replace if I type in don't the whole word is deleted. when I type in preg I get an error. Can someone please give me the correct code / syntax for getting the result I want. I just want to make sure that every single field that has a user input is protected against any malicious attacks. Thanks. |
|||||||