I use php to manage html and now I have problem with input date in mysql.
All with my input in MySQL or update or delete in MySQL is ok but how I can make security for input data in mysql because if some one open to see my html source code with browser he can see my predefined inputs and he can change thats in html and after that enter wronk inputs in mysql.
This is my code:
Options Value: <select name="extend">
<option value="<?php $_end1;$newDate = date('Y-m-d', strtotime($_end. " + 1 month"));echo $newDate;?>">1 Month</option>
Now when if someone open browser and see my code he can replease 1 month with several month and that in MySQL.
How can I this secure and or hide that in HTML.
Thx
If you're wanting to have fields or input that can't be edited by the user, such as the current date that the form was submitted on or something along the lines of that, you need to do do all of that on the server side (not the client side). Any data that is submitted from the client side can (and you should treat it like it will) be changed.
Instead of having form fields with preset values, fields that are hidden, fields that are disabled, data that is rendered with JavaScript, or any other way you could think of storing data on the client side, do those things on the server side. You can use a PHP script to do this, seeing as you're already making use of PHP. When you submit the form it has to go to some sort of a server side script, do that logic there and submit that logic to a database.
filter all your received user input. This might be clear for free text inputs, but should be done as well for predefined values.
Easiest for extending might be to only accept a certain number. For example 1, 2 or 3.
$extend = filter_input(INPUT_POST, 'extend', FILTER_VALIDATE_INT); is the first step, but you should also check if $extend is not equal to an illegal number.
if(in_array($extend, range(1,3)){ }
input like numbers is a lot more simple to check than a range of dates.
But even when that would be needed: it is possible to make your own validation function.
It is not possible to limit the browser or the user to only send certain data in a form. Either they could use a tool in the browser to change the habits of a form element, or they could rebuild the form completely in their own htmlpage or other tool
There is very simple answer to your question - you can NOT secure html and you should not even try. Every browser is equipped with developer tools and even without browser anyone can send to your server whatever they want. This is how Internet works.
What you SHOULD do is to verify your input data on server side where user has no access. In your case you should have array of allowed inputs or function assessing if input from user is valid.
More, if you know what will be the algorithm eg. ($_end + 1month) than you do not need to get from user result but only value of $_end. You can calculate $newDate just before inserting data to database - this way user will have no way of changing it.
First of all, please be carefull with your writing, it is pretty hard to understand your problem.
Secondly, if you want to "hide" PHP code to the user, you could write your code in a different way :
You create a form in which users will be able to fill some informations, and for example a date, like in your example. If this date is an option, it can have some value, as the one you show.
Then when the user submit the file, you make a checking on the variables. If you want this form to show a price, to add some data to a database, or whatever, you do some checking to be sure that the values are correct. For example, if you want to calculate a price, you will check the date the user selected, and calculate the price from this date. With this method, even if user changed the code, they will not be able to change the checking (at least not easily).
And to conclude you show a page asking the user for confirmation. This way, he will check if the informations are correct, and you can ask to re-fill some fields if you detected some invalids values
That's hard to show some concrete code, since I don't really know what you want to do, but I hope this explanation was clear. Don't hesitate to ask some questions, I'll try to answer.
darling brother:
you have 3 method:
1: define a variables instead of 1 month
2: use encryption method for php enciding that provide encryption php cides to unformatted charachters (ionCube )
3: usin my sql encryption : MD5
Related
I validate and sanitize all my data before inserting it into the database. Would it be considered a good or a redundant pactice to validate it when pulling it form the database before displaying it?
This boils down to how much to trust your own code. On one extreme, I could forgo the validation completely if I knew that onlyI would use the client-side interface and would never make a mistake. On the other, I could validate data in every class in case I'm working with others and they forgot to properly do their job. But what's a generally good practice in this particular case?
Input validation should be a yes/no proposition. You should not modify input and save it.
You should use Htmlentities after pulling from the DB and before showing. This is because it's better to clean data just before using it at the point of failure. This is why prepared statements work so well, because there is no external code you rely on.
Say you forget to sanitize 1 field in 1 form, then when you ouput that data to other users you have no way to see that mistake from the code that does the output (assuming its not in the same file).
The less code between the sanitizing and the end result is better.
Now that is not to say save everything and validate it later. Take an email for example, you should validate that for the proper format before saving.
But for other things you don't want to modify user input. Take a file upload. Some people will change the filename to sanitize it, replace spaces etc. This is good but I prefer to create my own filename, and then show them the origainal file name, while the one I use on the server is a hash of their username and the name of the file. They never know this, and I get clean filenames.
You start modifying user data, and it becomes a chore to maintain it. You may have to un-modify it so they can make edits to it... etc. Which means you are then doing way more work then if you just clean it when outputting it.
Take for example the simple act of replacing a users \n line returns with a <br> tag. User inputs into a text field then you change it to html and save it. (besides security reasons not to do this) when user wants to edit the data, you would have to take the <br> and replace them with \n so they can edit it. Security reasons being now you have decided that raw HTML in that field is ok and will just output the raw field, allowing someone a possibility to add their own HTML. So by modifying user data we have created more work for yourself, and we have made assumptions that the data is clean before inserting it when we output it. And we cannot see how it was cleaned when we output it.
So the answer is it depends on the data and what sanitation you are doing.
Hope that makes sense.
I guess there is not need of validating or sanitizing the data from the db as you are doing it before inserting
A attacker always plays with the data which he is sending to the server and just analyis the data coming as a response . They plays with input not with the output.So just secure your data before sending it to server or db .
I'm trying to create an system that can calculate all input given for invoice related calculating.
What I'm trying to achieve is when I have multiple text fields (Yes I want to use text fields otherwise I would have used the build in validator for the number field)
So when I click out of a text box it needs to validate live if the input is numeric. and when its not it should show some message above it that it isn't and make the field red like an error. BEFORE submitting the form
And yes I know this is easily done with jQuery/ajax/php setups but I want to only use PHP. So IS there some kind of way to do this pure PHP or not because I can't seem to find some way or tutorial that does this.
Sorry if this question is shit but I'm at wits end now searched for 2 hours straight and cant even come close to finding some way that uses only PHP.
I'm using an hidden div and going to use style tags that only show when input is wrong so the errors/red colors are already done now I just need some kind of validator
Thanks in advance and again I'm sorry if this is a shitty question
If you want the validation on server-side in PHP you need to use either a ajax request on each click and send the data, or do the following before you echo or output anything, for example if your model or controller...Iterate on your data and run this regex rule on each of your values:
if( preg_match('/^[1-9]\d*(\,\d+)?$/', $inputValue ) ) {
// It is numeric
}
else{
// It is not numeric
}
I assume you use . as your decimal operator? If no, the rule should be:
preg_match(^[1-9]\d*(\,\d+)?$)
This will tell you if it's numeric.
Note that the $inputValue is the variable you are testing.
Because you want to validate a text box live on the browser (which is the client side), you cannot use PHP which is server side language to accomplish this. Sorry but you cannot.
I have a form (right now only one, but there will be more with similar parameters) and I validate it using jQuery Validation (it is too big word, I validate only one field using jQV), this form is send using AJAX. I have in this form 5 inputs:
text input: username, which is validated by separate PHP script remotely - it checks if this user exists in database of different site and if so, also checks if this user has some specified data, but this is not really important
2 times radio buttons (i mean 2x 2 radio buttons) which are validated in PHP (code later)
2 times PickAColor forms, which are also validated using PHP only with regexp for hexcolors
And I have a question. Is there any way to check this data in PHP in more, well, sophisticated way? Because, as I said, I validate them in similar way:
if($period != "3month" && $period != "7day") {
echo '<div class="alert">Wrong period!</div>';
exit;
}
Actually this form I am writing right now is rather short, but I also have some really big ones, and if's like this one above can take even 50 lines, and that pretty sucks. Most of them has similar expressions inside if, which means that I check if value sent by form is on the list of possible options provided by form (someone can change value parameters in Firebug and call himself hacker...). It's complicated and I don't know how to said that, but I think you understand me. So, once again - is there any sense to validate it in PHP and if so, is there any better way to validate it? Or maybe you have some other suggestions? Thanks a lot for your help.
Man you have to think your users can submit anything there, and to make the code clearer and more MVC oriented (and reusable) you need your validations in the app side, and generic functions in jQuery to just display errors to your users, so I would recommend you to do ajax post with the form sent to your php application, to an api controller that recives the form values, validates using the model and returns the object with the jew form values (if you need to clean up) and any error per field, then you just output in json :
{
errors: {
name: "Already used name",
field2: "Some bad text provided"
}
}
Then you just loop through the errors and set to the already existent placeholder of each error text like
<spam id="name-error" class="error"></spam>
<input type="text" name="name" value=""/>
Then you have a validation code that you can reuse when the form is submitted.
Okay. So I don't have any example code to show, but after doing a bit of research and learning the basics of PHP, I think the answer to my question should be pretty simple.
Here is the scenario, as I would like it to be:
On the homepage there will be several team names, with scores next to them. Like "house-points" in Harry Potter.
Below the score is a small text-field. Below that is a submit button.
The user will put a number in the text-field, press submit, and that number will be added to the team's total score.
NOW. I know how to achieve all of that with JavaScript. Easy. What I want to know IS:
How do I make that new number (the new score total) STAY there. I need to permanently alter the HTML when that submit button is pressed.
All I know is that I need to use PHP. I know the basics of PHP, so whatever the answer is, just throw it at me and I'll figure it out.
Sounds like what you want to do is submitting forms. First drop the JavaScript, you won't need it. What you need is to put your text fields in a form and when you submit you can fetch your values with $_<GET|POST|REQUEST>['<name_of_field>'].
Then you will need to store it somehow. The best way to do it is to use a database like MySQL or MongoDB to store it, but it could be a bit tricky if you are just learning this, so maybe you would like to stick to files. You could do this with INI files and PHP's INI functions.
Lastly you will need to print out the correct values to the website. Now this is easy: Just edit your HTML file to do something like
<?php echo $score['team1']; ?>
for each team after retrieving the correct values at the top or something. (Don't forget to rename the HTML file to .php as well).
Now you should be all set to save your scores. =)
If you mean really permanent you'll have to send it to a database via Ajax (combination of PHP and Javascript). OR write it to a text-document, which is less good.
I have a PHP form which lists all the people who will share the cost of an item. Next to each person, there is a blank field which you type the percentage of ownership. Currently, I have no mechanism to prevent you from allocating more than or less than 100%. For example:
Joe - 40%
Jill - 40%
Jane - 40%
The above scenario is currently possible and will break the math. Before submitting the form, I would like to verify that the entered percentages total 100. It would be nice if I could do this in real time (before submitting) but upon submit is okay too.
These values get entered into a MySQL DB.
Thank you!
Here is a javascript demo I made for you:
http://jonathancross.com/projects/form-validation.html
Code is not 100% complete, but should get you most of the way there. Would suggest adding support for up and down arrows on keyboard and of course a submit button :-)
Note about validation:
You will also need to validate the values on the server-side (php) to be sure they work before storing in the database. Javascript is great for immediate feedback, but is easy to circumvent (if someone wanted to break your app). It is also possible that users might disable javascript or use a browser which does not support it so beware and always validate on the server side.