Below is an example of validation for user input from a form of a first name.
First name is Craig and must be max 40 characters.
// Check if not empty, type and not numeric
if (!empty($firstName) && is_string($firstName) && !is_numeric($firstName)) {
echo 'in fn passed 1 ' . '<hr />';
}
else {
echo 'in fn failed 1 ' . '<hr />';
}
// Check length
if ((strlen($firstName) > 1) && (strlen($firstName) < 41)) {
echo 'in fn passed 2 ' . '<hr />';
}
else {
echo 'in fn failed 2 ' . '<hr />';
}
// Accepts anything as long as it has a letter even if it contains < INJECTION RISK
if (preg_match('/[a-z]/', $firstName)) {
echo 'in fn passed 3 ' . '<hr />';
}
else {
echo 'in fn failed 4 ' . '<hr />';
}
My question is if I use the above for user input from a form should I have the same validation for database data and session data or am I over doing it.
From what I know it's all external data so the same would apply but I've seen so many examples where database and session data are treated differently I have a doubt.
Could someone please let me know what would be considered an adequate secure method of validating this first name from a form and if the same method should be used on database and session data.
Many thanks.
Craig.
Related
I made a card game with PHP but there I'm facing some issue.
if ($_SESSION["bet"] != NULL)
{
echo "Your starting bankroll is: " . $_SESSION["bankroll"] . "<br>";
echo "Your bet is: " . $_SESSION["bet"] . "<br>";
}
I'm getting an input from the user. The problem is, when the game loads at first, and the user enters an input and clicks submit, the game won't work. The condition ($_SESSION["bet"] != NULL) is giving true and bankroll is not defined.
Is there a way I can set this up properly? Is there some PHP method that can initialize the variable once then only works it on session start, then the rest of the code can take care of how that variable gets updated? The bankroll variable gets initialized if the user clicks submit without anything in it right now, so the game still works but it starts improperly.
if ($_SESSION["bet"] == NULL)
{
$_SESSION["bankroll"] = 1000;
}
The bankroll variable gets initialized to 1000 every time user submits a NULL input. I want to change this.
More code... Updating...
session_start();
$_SESSION["bet"] = $_POST["bet"];
echo "<br>";
//print_r($_SESSION);
if ($_SESSION["bet"] != NULL)
{
echo "Your starting bankroll is: " . $_SESSION["bankroll"] . "<br>";
echo "Your bet is: " . $_SESSION["bet"] . "<br>";
}
if ($_SESSION["bet"] == NULL)
{
$_SESSION["bankroll"] = 1000;
}
else if ($_SESSION["bet"] > 1000 || $_SESSION["bet"] < 0)
{
echo " Please enter between 0 and 1000.";
}
else if ($_SESSION["bet"] > $_SESSION["bankroll"])
{
echo "You can't enter more than what you have.";
}
else
{
$deck = array();
for($x = 0; $x < 54; $x++) {
$deck[$x] = $x;
}
shuffle($deck);
//Then more stuff. This one for example...
if(($houseSuits[0] == -100) || ($houseSuits[1] == -100) || ($houseSuits[2] == -100) || ($houseSuits[3] == -100))
{
echo "<br>";
echo '<center> PLAYER WINS! (HOUSE HAS JOKER) </center>';
echo "<br>";
$_SESSION["bankroll"] = $_SESSION["bankroll"] + $_SESSION["bet"]; //THESE NEED TO BE ADDRESSED.
}
I JUST WANT TO FIND A WAY TO INITIALIZE BANKROLL TO 1000 AT START. THE WAY I'M DOING IT IS BY SUBMITTING A NULL VALUE THEN ASSUMING USER NEVER SUBMITS NULL VALUE AGAIN.
I WOULD LIKE BANKROLL TO BE INITIALIZED TO 1000, THEN FOR THE GAME TO TAKE CARE OF HOW BANKROLL GETS UPDATED.
I FOUND A WAY TO DO IT BUT IT'S NOT A PROPER WAY SO THAT'S WHY I'M ASKING FOR HELP.
THANK YOU.
Ok try this.
So if the bankroll is not set, then set it, once it's set it wont get set again because it's set.
Then any conditions after are fine.
session_start();
// Initialise bankroll if not already
if (!isset($_SESSION['bankroll'])) {
$_SESSION['bankroll'] = 1000;
echo "Your starting bankroll is: " . $_SESSION["bankroll"] . "<br>";
}
$_SESSION['bet'] = $_POST['bet'];
if ($_SESSION['bet'] != NULL) {
echo "Your bet is: " . $_SESSION['bet'] . "<br>";
}
if ($_SESSION['bet'] > 1000 || $_SESSION['bet'] < 0) {
echo " Please enter between 0 and 1000.";
} elseif ($_SESSION['bet'] > $_SESSION['bankroll']) {
echo "You can't enter more than what you have.";
} else {
// Your card game stuff
}
Notes: you may have issues with using session as it'll store their bet wherever they are, so issuing a bet sets the session, then navigate elsewhere and come back and their bet will still be as before. Maybe this doesn't matter.
You also might not want to check if the bet is null, more perhaps empty or whatever. Test either way to be sure.
$street_address = NULL;
$price = NULL;
$number_bedrooms = NULL;
$number_baths = NULL;
$sq_ft = NULL;
$year_built = NULL;
$featured = NULL;
$pImage = NULL;
//create storage for the checkbox values for featured house items.
$pool = 0;
$finished_basement = 0;
$fenced_yard = 0;
if (isset($_POST['submit'])) {//checks to see if the user submit the form.
// print_r ($_POST); // This will show you what array information is being sent to post on the screen
//print_r ($_FILES); //can be used to view the contents of an array
// Gather the home listing data from the POST
if(isset($_POST['pImage'])) {
$pImage = $_POST['pImage'];
}
$street_address = $_POST['street_address'];
$price = $_POST['price'];
$number_bedrooms = $_POST['number_bedrooms'];
$number_baths = $_POST['number_baths'];
$sq_ft = $_POST['sq_ft'];
$year_built = $_POST['year_built'];
$pDesc = $_POST['pDesc'];
if (isset($_POST['featured']) ) { //used to check whether the user selected if the home was selected as featured. If they didn't the item is not passed to the POST.
$featured = $_POST['featured'];
} else {
$featured = NULL;
}
if (isset($_POST['pool']) ) {
$pool = $_POST['pool'];
} else {
$pool = 0;
} // this end bracket is "attached" to the process checking to see if the checkbox was 'ticked'.
//process checked finished basement box.
if (isset($_POST['finished_basement']) ) {
$finished_basement = $_POST['finished_basement'];
} else {
$finished_basement = 0;
} // end of finished_basement checkbox check
//process checked fenced yard box.
if (isset($_POST['fenced_yard']) ) { // Fenced Yard Checkbox Process Check
$fenced_yard = $_POST['fenced_yard'];
} else {
$fenced_yard = 0;
} // end of finished_basement checkbox check
} // end of $_POST submission check (starts on line #40)
// Street Address Validation Check - See if address was entered into the form.
if (empty($street_address)) {
echo "You didn't fill in a streetaddress. <br />";
$output_form = true; // will print form.
} // end of street_address check
// Image , Price & Image validation check
// Price Validation Check - See if Price was entered into the form as a number.
if (!is_numeric($price)) { //is not a number function.
echo "You didn't fill in price as a number.";
$output_form = true; // will print form.
}
// Used to store information for uploading images associative array.
$pImage = $_FILES['pImage']['name']; //array variable. Code pulled from 02fileglobaladd.txt document. $_FILES used to store file information from uploa
$pImage_type = $_FILES['pImage']['type'];
$pImage_size = $_FILES['pImage']['size'];
// Image File Size Validation check -- checks to be sure that the uploaded image is no larger than 1 MB
if (!empty($pImage)) { // empty is for name of file.
if ((($pImage_type == 'image/gif') || ($pImage_type == 'image/jpeg') || ($pImage_type == 'image/pjpeg') || ($pImage_type == 'image/png'))
&& ($pImage_size > 0) && ($pImage_size <= GW_MAXFILESIZE)) { // check to make sure that the file type is valid and that the file is larger than 0 but less than 1meg
if ($_FILES['pImage']['error'] == 0) { // test to be sure file gets uploaded.
$target = GW_UPLOADPATH . $pImage; // try to move file to images folder // FILE UNIQUE time function added from book (page 252) that duplicates and chages file name if there
// is more than one version
if (move_uploaded_file($_FILES['pImage']['tmp_name'], $target)) {
// Connect to the database
$dbc = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
// Write the data to the database
$query = "INSERT INTO homes ( street_address, price, number_bedrooms, number_baths, sq_ft, year_built, pool, finished_basement, fenced_yard, featured, pDesc, pImage ) " .
"VALUES ('$street_address', '$price', '$number_bedrooms', '$number_baths', '$sq_ft', '$year_built', '$pool', '$finished_basement', '$fenced_yard', '$featured', '$pDesc','$pImage')";
$result = mysqli_query($dbc, $query)
or die('Error querying database.');
/* Testing echos
echo $query;
echo '<br />'
/**/
// Confirmation for the user that will be displayed once the user clicks the submit button (As long as there are no errors with the PHP code)
echo '<p>Thank you for Your Submission. The home has been added to the database.</p>';
echo 'Street Address: ' . $street_address . '<br />';
echo 'Price: ' . $price . '<br />';
echo 'Number of Bedrooms: ' . $number_bedrooms . '<br />';
echo 'Number of Baths: ' . $number_baths . '<br />';
echo 'Square Feet: ' . $sq_ft . '<br />';
echo 'Year Built: ' . $year_built . '<br />';
// featured if statement
echo 'Featured:' ;
if ($featured = 1) {echo ' Yes <br />'; } else {echo ' No <br /> ';}
//example of using ternary format of if/else -- additional items of home (pool, finished basement, fenced in yard ) checkboxes
echo 'Pool: ' . (($pool) ? 'YES' : 'NO' ). '<br />' ;
echo 'Finished Basement: ' . (($finished_basement) ? 'YES' : 'NO' ). '<br />' ;
echo 'Fenced Yard: ' . (($fenced_yard) ? 'YES' : 'NO' ). '<br />' ;
echo 'Desc:<span class="desc"> ' . ($pDesc). '</span><br />';
echo 'Image File: ';
echo '<img src= " ' . GW_UPLOADPATH . $pImage . ' " alt="Homes Image" /></p>';
echo '<p><< Back to Listings Page.</p>';
// Clear the data in the form
$street_address = "";
$price = "";
$number_bedrooms = "";
$number_baths = "";
$sq_ft = "";
$year_built = "";
$pool = "";
$finished_basement = "";
$featured = "";
$pImage = "";
$pDesc ="";
mysqli_close($dbc);
} //movefile worked....
else { //movefile didn't work... error message is printed out
echo '<p class="error">Sorry, there was a problem loading your product image.</p>';
}
}
} // no file type or size error / ENDING BRACKET
else { // there was a file type or size error / ENDING BRACKET
echo '<p class="error">The screen shot must be a GIF, JPEG, or PNG image file no greater than ' . (GW_MAXFILESIZE / 1024) . ' KB in size.</p>';
} // type size error message printed. / ENDING BRACKET
#unlink($_FILES['pImage']['tmp_name']); // unlink is php command to delete the file. Its getting rid of the temporary file. # symbol ignores any error message.
} // data validated
else { // data didn't validate, show error message.
echo '<p class="error">Please enter all the required product information.</p>';
}
?>
I added an if isset command to both the GET & POST statements, can someone help me. I know I have to fix up my code alot after fixing this issue. My professor mentioned about using the print-r statements...
Thank you for any help... I'm a newbie to PHP
The problem lies in this statement:
if(isset($_POST['pImage'])) {
$pImage = $_POST['pImage'];
}
As $_POST['pImage'] is a image, you cannot use $_POST. To check is it's uploaded, simply use:
if($_FILES['pImage']['name') {
This will check for the name of the image, will return true when available.
This statement is wrong:
if ($featured = 1) {echo ' Yes <br />'; } else {echo ' No <br /> ';}
As you are comparing if $featured is equals to 1, you'll need to use PHP's comparison operator ==. = is used for assigning.
Thus, it should be:
if ($featured == 1) {echo ' Yes <br />'; } else {echo ' No <br /> ';}
More information on PHP Operators: http://php.net/manual/en/language.operators.comparison.php.
Also, you shouldn't suppress error messages:
#unlink($_FILES['pImage']['tmp_name']);
Remove # to enable error reporting. It's very useful in diagnosing syntax errors.
What I have is a reply script, and I need the page to only use the username echo'd in for a variable, like if Meap sends me a PM and I want to reply to it, when I hit the reply link I need it to use his name, and not another name from the page. Currently it is using the first name on the page instead of the one that the reply link is for
Here's the code;
while ($row = mysqli_fetch_array($data)) {
session_start();
$reply = $row['from'];
echo '<div class="viewpost">';
echo '<div class="vpside">';
if(!empty($row['picture'])) {
echo '<img class="pictest" src="' . MM_UPLOADPATH . $row['picture'] . '" alt="' . MM_UPLOADPATH . 'nopic.png' . '" />';
}
if(!empty($row['from'])) {
echo '<p>From:<br />' . $row['from'] . '</p>';
$_SESSION['reply'] = $row['from'];
echo 'Reply';
}
if(!empty($row['rank'])) {
echo '<p>Rank:<br />' . $row['rank'] . '</p>';
}
if(!empty($row['gender'])){
echo '<p>Gender:<br /> ' . $row['gender'] . '</p>';
}
echo '</div>';
if(!empty($row['title'])) {
echo'<h4><u>' .$row['title']. '</u></h4>';
}
if(!empty($row['msg'])) {
echo '<p class="">' . $row['msg'] . '</p>';
}
echo '<div class="sig">';
if(!empty($row['bio'])) {
echo '<p>' . $row['bio'] . '</p>';
}
echo '</div>';
echo '</div><br />';
}
Here's a picture of what it looks like when you get a Private Message;
Evidently you have to be specific down to the last detail on here, the question - or rather the problem - is that it is not using the correct recipient for the reply. Say I click reply under Meaps name, it will use Lilpunish instead. Basically it will use the first one loaded, and I need it to use the correct username. How would I do this.?
Here's your problem:
$_SESSION['reply'] = $row['from'];
echo 'Reply';
Consider what is happening when this code is run multiple times. The first time, it sets the session variable reply to Meap. The next time, when the second message is printed, it sets it to another value.
What you actually want is to pass who to reply as a part of the link, e.g.
echo 'Reply';
And then not retrieve the reply-to from $_SESSION. Session variables are not really supposed to be used like this.
Basically I need to call a field (wrapped in a div) if the field has a value. I do not want the field or div to display if the field has no value. My PHP knowledge is dire but here is what I have to work with.
Here are instructions provided to me on how to call a custom field by ID:
$cust_1 = $this->fields->getFieldByCaption('Custom Text'); // getFieldByCaption() allow you to get the field by the Caption. This is not the best way to get a field since changing the caption in the back-end will break the reference.
echo '<br />Field ID: ' . $cust_1->getId();
$cust_2 = $this->fields->getFieldById(29); // getFieldById() is the ideal way of getting a field. The ID can be found at 'Custom Fields' section in Mosets Tree's back-end.
echo '<br />Name: ' . $cust_2->getName();
echo '<br />Has Caption? ' . (($cust_2->hasCaption()) ? 'Yes' : 'No');
echo '<br />Caption: ' . $cust_1->getCaption();
echo '<br />Value: ' . $cust_2->getValue();
echo '<br />Output: ' . $cust_2->getOutput(1);
echo '<hr />';
$this->fields->resetPointer();
while( $this->fields->hasNext() ) {
$field = $this->fields->getField();
echo '<br /><strong>' . $field->getCaption() . '</strong>';
echo ': ';
echo $field->getOutput(1); // getOutput() returns the formatted value of the field. ie: For a youtube video, the youtube player will be loaded
// echo $field->getValue(); // getValue() returns the raw value without additional formatting. ie: When getting value from a Online Video field type, it will return the URL.
$this->fields->next();
}
Here is the code I am working with and need help to try and do what I need it to as detailed above:
<?php
if( !is_null($this->fields->getFieldById(35)) ) {
$value = $field->getValue();
$hasValue = $field->hasValue();
$field = $this->fields->getField();
if( $hasValue )
{
echo '<div class="lin" id="lphn">'; {
echo $cust_2 = $this->fields->getFieldById(35);
echo $cust_2->getOutput(1);
echo '</div>';
}
else {
// Print nothing.
}
}
}
?>
Sorry for the huge ignorance on the topic, but I really have no idea where to look other than this website when I come into trouble with my PHP.
What I'm trying to do here is use pre-designated IDs to call particular movies from a database. But all I get is an 'Invalid argument supplied for foreach()' message on the second and third foreach's below.
Here's my code in the head:
//Custom lists of movies to bring in
//New Releases list
$films_new_releases = array(40805, 46705, 41630, 44564, 39451, 20352, 43933, 49009, 49797, 42194);
//Most Popular list
$films_most_popular = array(27205, 16290, 10138, 41733, 37799, 18785, 19995, 17654, 10140, 12162);
//Get information from address bar
$list = $_GET['l'];
if ($list == 'new releases') {
$list_chosen = $films_new_releases;
}
elseif ($list == 'most popular') {
$list_chosen = $films_most_popular;
}
else {
$list_chosen = $films_new_releases;
}
And in amongst the body:
// Loop through each film returned
foreach ($list_chosen as $list_chosen_film) {
$films_result = $tmdb->getMovie($list_chosen_film);
$film = json_decode($films_result);
// Set default poster image to use if film doesn't have one
$backdrop_url = 'images/placeholder-film.gif';
// Loop through each poster for current film
foreach($film->backdrops as $backdrop) {
if ($backdrop->image->size == 'poster') {
$backdrop_url = $backdrop->image->url;
}
}
echo '<div class="view-films-film">
<img src="' . $backdrop_url . '" alt="' . $film->name . '" />
<div class="view-films-film-snippet">
<h2>' . $film->name . '</h2>';
if ($film->certification != null) {
echo '<img src="images/bbfc-' . strtolower($film->certification) . '.png" alt="" />';
}
echo ' <h3>Starring</h3>
<p>';
$num_actors = 0;
foreach ($film->cast as $cast) {
if ($cast->job == 'Actor') {
echo '' . $cast->name . ' ';
$num_actors++;
if ($num_actors == 5)
break;
}
echo ' </p>
<h3>Director</h3>
<p>';
foreach ($film->cast as $cast) {
if ($cast->job == 'Director') {
echo '' . $cast->name . ' ';
}
}
echo ' </p>
</div>
</div>';
}
// End films
}
The little testing I've done is checking what $list_chosen, $list_chosen_film, $films_result and $film actually contain by printing them at the bottom of the page.
$list_chosen shows - Array, $list_chosen_film shows - 42194, $films_result shows the entire JSON string, $film shows - Array.
Try adding:
print_r($film->backdrop);
before the second foreach() loop. Before the error message it won't be an array or it will contain zero elements (not allowed). If you also add:
echo $films_result;
you will be able to debug it and fully understand what is wrong. If not, post the whole output in your question.
This happens, because - as error displayed by PHP informed you - you have provided wrong parameter to foreach loop, probably null or some other value. Make sure you are providing array to foreach.
Also, every time you use foreach, do it like that:
if (count($some_list) > 0) {
foreach ($some_list as $list_item) {
// code for each item on the list
}
} else {
// code when there is nothing on the list
}
This will ensure you will not see errors just because there is nothing on the list.
EDIT:
On the documentation page you can find some tip how to avoid such errors if the collection you are trying to iterate through is empty. Just cast the collection to array type:
foreach ((array) $some_list as $list_item) {
// code for each item on the list
}
Can you provide a dump of $film? The error is telling you that you are pointing to an object that cannot be iterated through (most likely null).