I'm building a business planner based on a blog model. I can't however do it over multiple pages. On page 1, when the user clicks "Next", it's like clicking "Post". The data is stored and added to the list of other business plans, or "posts". One the first page, the data is stored by "Insert"ing it into the database. I thought maybe I could simply "Update" the database on page 2 and so on to eliminate multiple listed "posts" or business plans. The data is being stored from the first page, but not the second page. If I add the data for each page using "INSERT INTO..." that works, but each pages is collected as a separate business plan, or multiple posts. Any advice is appreciated.
Here's Page 1:
<?php
session_start();
include_once("db.php");
if(isset($_POST['post'])) {
$title = strip_tags($_POST['title']);
$compName = strip_tags($_POST['compName']);
$createdBy = strip_tags($_POST['createdBy']);
$phone = strip_tags($_POST['phone']);
$title = mysqli_real_escape_string($db,$title);
$compName = mysqli_real_escape_string($db,$compName);
$createdBy = mysqli_real_escape_string($db,$createdBy);
$phone = mysqli_real_escape_string($db,$phone);
$date = date('l jS \of F Y h:i A');
$sql = "INSERT INTO plans (title, date, compName, createdBy, phone) VALUES('$title', '$date', '$compName', '$createdBy', '$phone')";
mysqli_query($db, $sql);
header("Location: post2.php");
}
?>
<!DOCTYPE html>
<html lang="en">
<div class="container">
<head>
<title>Create Business Plan</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.2/jquery.min.js"></script>
<script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>
</head>
<body>
<h2>Create a new business plan</h2>
<form action="post1.php" method="post" enctype="multipart/form-data">
<br /><br />
<p>Plan Title: <input name="title" type="text" autofocus size="48"></p>
<p>Company Name: <input name="compName" type="text" autofocus size="48"></p>
<p>Business Type: <input placeholder="Ie. Inc. (USA) or Oy (Finland)" name="bizType" type="text" autofocus size="48"></p>
<p>Created By: <input name="createdBy" type="text" autofocus size="48"></p>
<p>Phone: <input name="phone" type="text" autofocus size="48"></p>
<br /><br />
<form action="<?php 'post2.php=?pid=$id'; ?>">
<input name="post" type="submit" value="Next">
</form>
<br /><br />
</form>
</body>
</div>
</html>
Here's Page 2:
<?php
session_start();
include_once("db.php");
if(isset($_POST['post'])) {
$marketPlan = strip_tags($_POST['marketPlan']);
$economics = strip_tags($_POST['economics']);
$products = strip_tags($_POST['products']);
$customers = strip_tags($_POST['customers']);
$marketPlan = mysqli_real_escape_string($db,$marketPlan);
$economics = mysqli_real_escape_string($db,$economics);
$products = mysqli_real_escape_string($db,$products);
$customers = mysqli_real_escape_string($db,$customers);
$date = date('l jS \of F Y h:i A');
$sql = "UPDATE plans SET marketPlan='$marketPlan', economics='$economics', products='$products', customers='$customers' WHERE id=$pid";
mysqli_query($db, $sql);
header("Location: post3.php"); //CHANGE LOCATION FOR NEXT PAGE
}
?>
<!DOCTYPE html>
<html lang="en">
<div class="container">
<head>
<title>Create Business Plan</title>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.2/jquery.min.js"></script>
<script src="http://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/js/bootstrap.min.js"></script>
</head>
<body>
<h2>The Marketing Plan</h2>
<form action="post2.php" method="post" enctype="multipart/form-data">
<br /><br />
<h4>Market Research</h4>
<p>The marketing plan requires intensive research for the type of industry your business wants to enter. It is very dangerous to assume that you are already well informed about your intended market. Market research is vital to make sure you are up to date. Use the business planning process as your opportunity to uncover data and to question your marketing efforts.</p>
<textarea name="marketPlan" rows="15" cols="100"></textarea></p><hr />
<h4>Economics</h4>
<p>What is the total size of your market? What percent of market share will you have? (This is important only if you think you will be a major factor in the market.) What is currently in demand in your target market? What are the trends in target market—growth, consumer preferences, and in product development? Growth potential and opportunity for a business of your size.
<textarea name="economics" rows="15" cols="100"></textarea><hr />
<h4>Products</h4>
<p>In the <i>Products and Services</i> section, you described your products and services from your point of view. Now describe them from how your customers see them.</p><br /><textarea name="products" rows="15" cols="100"></textarea></p><hr />
<h4>Customers</h4>
<p>Identify your targeted customers, their characteristics, and their geographical location. This is known as customer demographics.</p>
<textarea name="customers" rows="15" cols="100"></textarea></p>
<input name="post" type="submit" value="Next">
</form>
</body>
</div>
</html>
do some thing like this, rather than inserting and updating the data to database, store the values in session variables, i mean
example :
$_SESSION["title"] = strip_tags($_POST['title']);
store every option in session variable like this until you reach the last page.
finally in the last page
insert it to the db. like this,
insert into table ('title',.....) values ($_SESSION["title"],....);
always use sessions when you want to pass data across multiple pages.
I think you are doing right only. First post have to insert those details in table, next post update what are fields you want to update.
in second page you have to get the id from your url
if (isset($_GET['pid']))
$pid = $_GET['pid'];
as you try to update an id that doesnt is defined
You must pass the ID of the newly created record to the next page; the most secure way is probably to store it in the session. So, on page one, change this:
mysqli_query($db, $sql);
To
$query = mysqli_query($db, $sql);
$_SESSION['new_plan_id'] = $query->insert_id;
Then, in your second page query the ID again
if (isset($_SESSION['new_plan_id']))
{
$pid = $_SESSION['new_plan_id'];
}
else
{
die('No valid session');
}
After a user finished his or her plan, remove the new_plan_id from the session. You may also want to add session_start() to a global include so it is always enabled.
Related
I'm super new to PHP and I recently tried to create a "system" that adds customers to the SQLite database and displays them in a table. Well, every time I navigate to the HTML page in order to add a new customer, the script runs itself creating empty values within the database. When I click submit after filling the values it just works properly. Below I attach my code for this specific part of the "system".
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>New Customer</title>
<style>
form {
display:flex;
flex-direction:column;
width:65%;
max-width:75%;
margin:0 auto;
}
</style>
</head>
<body>
<form action="" method="POST">
<h1>Insert a new customer</h1>
<label for="id">Customer Id</label>
<input type="text" name="id" id="id">
<label for="name">Customer Name</label>
<input type="text" name="name" id="name">
<label for="age">Customer Age</label>
<input type="number" name="age" id="age">
<label for="address">Customer Address</label>
<input type="text" name="address" id="address">
<button type="submit">Submit</button>
</form>
<?php
class COMPANY extends SQLite3 {
function __construct() {
$this->open('customers.db');
}
}
$database = new COMPANY();
if (!$database) {
echo $database->lastErrorMsg();
} else {
echo "Database accessed!\n";
}
$insert ="INSERT INTO CUSTOMERS (ID, NAME, AGE, ADDRESS) VALUES ('".$_POST["id"]."', '".$_POST["name"]."', '".$_POST["age"]."','".$_POST["address"]."');";
$result = $database->exec($insert);
if(!$result) {
echo $database->lastErrorMsg();
} else {
echo "Records added successfully!\n";
}
$database->close();
?>
</body>
</html>
You need to use isset() and check if the form has actually posted the values. In your code, the page loads and PHP code executes without checking if the form has submitted and the blanks are inserted in the database
if(isset($_POST['id'],isset($_POST['name'],isset($_POST['age'], isset($_POST['address']) {
.. your code
}
PS: this doesn't include sanitization and validation of fields, please add them as you wish
There should be validation, values should not be empty.
Update: I changed my payload to "<img src="fake.jpg" onerror="alert()"> and the XSS worked so I still don't know why the won't work but at least my stored XSS is working right now.
Thanks for everyone helping.
I downloaded a code from GitHub that is a chat, the code is written in PHP and MYSQL I want to make that chat vulnerable to stored XSS, and I quite can't figure why it's not.
Of course, everything is stored inside the database but whenever I try to inject XSS the tags or the content of the tags aren't showing, but in the database, I see the alert() it's just not letting me see it on the website itself...
Does anyone know what might cause the problem?
Here's the index.php:
<?php
include 'db.php';
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>::Message::</title>
<link rel="stylesheet" href="style.css">
<script>
function ajax() {
var req = new XMLHttpRequest();
req.onreadystatechange = function() {
if (req.readyState == 4 && req.status == 200) {
document.getElementById('chat').innerHTML = req.responseText;
}
}
req.open('GET','chat.php', true);
req.send();
}
setInterval(function(){ajax()},1000);
</script>
</head>
<body onload="ajax();">
<div class="page">
<div class="display-box">
<div id="chat"></div>
</div>
<div class="form">
<form action="" method="post">
<label for="name">Name:</label><br>
<input type="text" name="name" placeholder="Your name"><br>
<label for="message">Write some thing:</label><br>
<textarea name="message" id="message-write" cols="30" rows="3"></textarea><br>
<input type="submit" name="submit" value="Send">
</form>
<?php
if (isset($_POST['submit'])) {
$name = $_POST['name'];
$message = $_POST['message'];
$query = "INSERT INTO tbl_chat (name, message) VALUES ('$name','$message')";
$run = $con->query($query);
}
?>
</div>
</div>
</body>
</html>
and here is the chat:
<?php
include 'db.php';
$query = "SELECT * FROM `tbl_chat` ORDER BY id DESC";
$run = $con->query($query);
while($row = $run->fetch_array()):
?>
<div class="chating_data">
<span id="name"><?php echo $row['name'];?></span><br>
<span id="message"><?php echo $row['message'];?></span>
</div>
<?php endwhile; ?>
I think you might be using a modern browser that prevents the exploit for you. That does not mean the application is not vulnerable, it only means it is so straightforwardly vulnerable that even the browser can detect an exploit automatically.
Try sending the following response header:
X-XSS-Protection: 0
You can do so with something like header('X-XSS-Protection: 0'); and see if that allows you to try XSS. Also you can display XSS messages in this chat not in a response to your "malicious" request but afterwards - it should then work because the browser will have no way to associate your request with the response.
I have a form I made using HTML/PHP, And I would like it to submit to the database; I have a movies website and I am currently working on the admin panel, I want it to have a form that adds new movies to the site, I tried out my form, but nothing goes to the database. The connection with the database is fine and the queries look fine to me, I honestly do not know what the problem is.
P.S. I am making it in Arabic, the Arabic writing does not mean anything..
PHP/HTML code:
<?php
session_start();
include('php/config.php');
if($_SESSION['username'] != true){
header('Location: http://www.domain.com/');
}
//this form allows to choose what to do (e.g. add new movie)...
else{
echo'
<head>
<link rel="stylesheet" href="css/main.css" />
<link rel="stylesheet" href="css/admin.css" />
<meta charset="utf-8"/>
<title>Admin Panel v1.0</title>
</head>
<ul class="management-b">
<li>إضافة فيلم جديد</li>
<li>إضافة مسلسل جديد</li>
<li>مسح فيلم/مسلسل</li>
</ul>
';
}
//this form adds new movies...
connectDB();
$genreQuery = mysql_query("SELECT genre FROM Genres");
echo'
<head>
<link rel="stylesheet" href="css/main.css"/>
<link rel="stylesheet" href="css/admin.css"/>
<meta charset="utf-8" />
</head>
<form method="post" id="new-movie">
عنوان الفيلم:<input type="text" class="new-movie-title" name="new-movie-title" /><br/><br/>
وصف الفيلم:<textarea class="new-movie-desc" name="new-movie-desc" cols="50" rows="7"></textarea><br/><br/>
نوع الفيلم:<select class="new-movie-genre" name="new-movie-genre">';
while($options = mysql_fetch_array($genreQuery, MYSQL_ASSOC)){
echo '<option>'.$options["genre"].'</option>';
}
echo'</select><br/><br/>
تاريخ الفيلم:<select class="new-movie-year" name="new-movie-year">';
for($years = 1995; $years<2017; $years++){
echo '<option>'.$years.'</option>';
}
echo'
</select><br/><br/>
رابط الفيلم:<input type="text" name="new-movie-link" class="new-movie-link"/><br/><br/>
صورة الفيلم:<input type="text" name="new-movie-img" class="new-movie-img" /><br/><br/>
تقييم imDB:<input type="text" name="new-movie-imdb" class="new-movie-imdb"/><br/><br/>
<input type="submit" name="new-movie-submit" class="new-movie-submit" value="إضافة الفيلم" />
</form>
';
if(isset($_POST['new-movie-submit'])){
connectDB();
$mNewTitle= $_POST['new-movie-title'];
$mNewDesc= $_POST['new-movie-desc'];
$mNewGenre= $_POST['new-movie-genre'];
$mNewYear= $_POST['new-movie-year'];
$mNewURL= $_POST['new-movie-link'];
$mNewIMG= $_POST['new-movie-img'];
$mNewIMDB= $_POST['new-movie-imdb'];
mysql_query("INSERT INTO Movies(title, description, genre, url, image, imdb, release-year) VALUES('$mNewTitle', '$mNewDesc', '$mNewGenre', '$mNewURL', '$mNewIMG', '$mNewIMDB', '$mNewYear'");
closeDB();
}
?>
If you checked for errors MySQL would tell you that you don't have a column identifier named year as release-year contains a dash in it which makes MySQL think you are subtracting the column identifier year from release. Wrap that column name in ticks to resolve this.
mysql_query("INSERT INTO Movies(title, description, genre, url, image, imdb, `release-year`) VALUES('$mNewTitle', '$mNewDesc', '$mNewGenre', '$mNewURL', '$mNewIMG', '$mNewIMDB', '$mNewYear'");
As mentioned in comments you are using an obsolete API as the mysql_* functions have all been removed from PHP in PHP 7 and you are wide open to SQL injections which is the most common form of web based attacks.
And as I mentioned before, you don't check for or handle errors. You would have caught this error quickly with basic error checking. You also need to be prepared for when errors happen or else your users will have a bad experience when an error occurs.
I really don't know how to describes this, but here goes. I'm trying to make a Login for an online multiplayer game (cluedo to be exact) that is written using mainly the LAMP stack (php,js,etc), and creating a session when someone logs in/registers works for me and all and I even save it to a sql database, but it seems that as soon as a next user Logs in/registers the session id to the previous user is overridden to the new ones details. In other words they both now have the same session for some reason.
My Game LogIn basically:
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="StyleSheet.css">
<meta charset="UTF-8">
<title>Game Setup</title>
</head>
<body>
<header>
<h1>Game Setup</h1>
</header>
//My form for user details and character select
<form name="Registration" id=Form1 action="Lobby.php" method="POST">
<fieldset>
<legend>Player information:</legend>
<label for="Pid">Player Name(required): </label><br>
<input autofocus type="text" id="Pid" name="Pid" placeholder="Player ID" required><br>
<label for="Avatar">Character(required):</label><br>
<select name="Avatar">
<option value="Miss White">Miss White</option>
<option value="Col Mustard">Col Mustard</option>
<option value="Miss Scarlet">Miss Scarlet</option>
<option value="Mr Green">Mr Green</option>
<option value="Madame Plum">Madame Plum</option>
<option value="Benjamin Blue">Benjamin Blue</option>
</select><br><br>
<input type="submit" value="Register">
</fieldset>
</form>
</body>
and the lobby (where I wait for someone to press game start or for more people to register)
<?php
session_start() ;
session_regenerate_id();
$_SESSION["UserName"]=$_POST['Pid'];
$_SESSION["Avatar"]=$_POST['Avatar'];
?>
<?php require 'DatabaseConnect.php' ?>
<?php include 'Users.php' ?>
<?php
$PlayerID = mysqli_real_escape_string($conn, $_POST['Pid']);
$PlayerChar = mysqli_real_escape_string($conn, $_POST['Avatar']);
$SesID = session_id();
$sql = "INSERT INTO users (UserName, Avatar, sessionID)
VALUES ('$PlayerID', '$PlayerChar','$SesID')";
if ($conn->query($sql) === TRUE) {
echo "Welcome $PlayerID , currently in Lobby: <br>";
$User = new Users();
$User->setUserName($_SESSION['UserName']);
$User->setAvatar( $_SESSION['Avatar']);
$User->isPlaying = false;
$_SESSION['User'] = serialize($User);
?>
<html>
<body>
<div id="Players"> </div>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.0/jquery.min.js"></script>
<script src ="Display.js"></script>
</body>
</html>
<?php
}
else {
if($conn->errno == 1062){//when a userName or Character already in use
$sql = "SELECT * FROM users";
$result = $conn->query($sql);
$sql = "ALTER TABLE users AUTO_INCREMENT = ".$result->num_rows;
$conn->query($sql);
echo "<script type='text/javascript'>alert('ERROR :Username or Character already in use!')</script>";
echo" <script>
window.location = 'LogIn.php';
</script>";
}
}
?>
and then the Display.js runs in a loop until either 6 people connect or a user presses start. It also displays everyone currently waiting for a game by outputting the SQL database, but I don't think that code is necessary to add, but then when that's done I go to the Cluedo.php page and if I echo session_id() there on two different browsers(same machine) I get the same session_id()
<?php
session_start() ;
?>
<?php require 'DatabaseConnect.php' ?>
<?php include 'Users.php' ?>
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="StyleSheet.css">
<meta charset="UTF-8">
<title>Cluedo</title>
</head>
<body>
<?php
$User = unserialize($_SESSION['User']);
echo session_id();
?>
</body>
</html>
Also I'm using XAMPP and running it all locally at the moment so don't know if there's a problem there maybe?
Here's an example of my database with the saved values, the table saves unique sessions however when the session_id() is echoed at the Cluedo.php page it is always the last registered user:
UserTable
Hey guys I'm having some trouble with this code. It's for a website for class. When I try to insert data via php, 2 blank rows get inserted into the db. And when I want to redisplay it on the website nothing shows up. I was hoping someone could lend a helping hand.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Results</title>
<link href="styles/style_sheet.css" rel="stylesheet" type="text/css" />
<style type="text/css">
a:link {
color: #0F0;
}
a:visited {
color: #0F0;
}
</style>
</head>
<body>
<div id="main_container">
<div id="header">
</div><!--End of header-->
<div class="shadow">
<div id="navbar">Home Register Login / Logout Search <a href="CommentPage.php">Guest Book</div><!- -End of NavBar-->
</div><!--End of navbar shadow-->
<br />
<div class="shadow">
<div id="Content">
<h2> Results:</h2>
<p> </p>
<form action="" name="Movie_Search"method="get">
<p>
<?php
$dbread = mysql_connect("localhost","user","pw");
mysql_select_db("db", $dbread);
$id = $_GET['movie_name'];
$movie_results = mysql_query("SELECT MovieID, MovieName, Description, Genre, Rating FROM movie WHERE MovieName='$id'");
$movie_values = mysql_fetch_assoc($movie_results);
echo 'Title: ' . $movie_values['MovieName'] . '';
echo '<p>Genre: ' . $movie_values['Genre'] . '</p>';
echo '<p>Description: ' . $movie_values['Description'] . '</p>';
echo '<p>Rating: ' . $movie_values['Rating'] . '</p>';
$movieID=$movie_values['MovieID'];
$review_results = mysql_query("SELECT Name, Review FROM reviews WHERE MovieID='$movieID'");
$review_values =mysql_fetch_assoc($review_results);
echo '--------------------------------------------------------------------------------------------------------------'. '<br> <br>';
while ($review_values = mysql_fetch_assoc($review_results)) {
echo $review_values['Name'] . ' says:' . '<br />' . $review_values['Review'] . '<br /> <br />' . '<hr>';
}
$name = $_POST['name'];
$comments =$_POST['comments'];
$result=mysql_query("INSERT INTO reviews (Name, Review, MovieID)
VALUES ('$POST[$name]', '$_POST[$comments]', '$movieID')");
$result_values =mysql_fetch_assoc($result);
?>
</p>
</form>
<p> </p>
<form id="insert_comments" style="border:thin" name="insert_comments" method="POST">
<label>Name:</label>
<br />
<input type="text" name="name" id="name" />
<br>
<label for="desc">Comments:<br /></label>
<textarea name="comments" id="comments" cols="45" rows="5"></textarea>
</p>
<p>
<input type="submit" name="submit" id="submit" value="Submit" />
</p>
</form>
<p> </p>
<input name="" type="hidden" value="$movieID" />
<br />
</div>
<!--End of Contentr-->
</div><!--End of content shadow-->
<div class="footer">
<hr />© Nate Christensen<hr />
</div><!--End of footer-->
</div><!--End of Main Container-->
</body>
</html>
Your insert statement at line 59:
$result=mysql_query("INSERT INTO reviews (Name, Review, MovieID) VALUES ('$POST[$name]', '$_POST[$comments]', '$movieID')");
You cannot put $_POST inside strings directly.
Use the dot (.) PHP concat operator to insert variables in the middle.
You should do it like this:
$result=mysql_query("INSERT INTO reviews (Name, Review, MovieID) VALUES ('".$_POST[$name]."', '".$_POST[$comments]."', '".$movieID."')");
Oh and also, you already put $_POST name and comment into a variable so the most correct way is:
$result=mysql_query("INSERT INTO reviews (Name, Review, MovieID) VALUES ('$name', '$comments', '$movieID')");
Also if movie ID is an INT type you shouldn't put apostrophe
It is inserting twice because you did not put an IF statement to detect if be already submitted. On your first load of the page, it inserts, once submitted, another insert. you should put:
if($_POST['submit']){
// all php codes
}
One more thing, fix your comment in:
<!- -End of NavBar-->
(line 26)
I think the problem is you are using variables: $name, $comments as array keys.
$name = $_POST['name'];
$comments =$_POST['comments'];
Here you are reading $_POST values to $name and $commens.
$result=mysql_query("INSERT INTO reviews (Name, Review, MovieID)
VALUES ('$POST[$name]', '$_POST[$comments]', '$movieID')");
Yet you are using $POST[$name]
Nate, I know this is nitpicking, but why are you mixing a database call with display logic? The database call could easily be dumped into a separate class method (or at least a function call), which would clean up your code, make it easier to spot errors and make you look like a professional.
After looking at your code for a bit I noticed that one of your SQL query strings contains this: $POST[...] instead of $_POST[...], try adding the underscore in between the $ and POST.
Also don't forget to clean your input from the $_POST array by using mysql_escape_string(), or mysql_real_escape_string() NOTE: mysql_real_escape_string() can only be successfully called inside of an open mysql connection. If you don't clean your input you leave your database more or less open to SQL injection attacks.
I know you are a student and still learning, but it really is better to learn this now and develop good habits.
can you add this code or die(mysql_error()); in the end of this lines
$review_results = mysql_query("SELECT Name, Review FROM reviews WHERE MovieID='$movieID'");
AND
$movie_results = mysql_query("SELECT MovieID, MovieName, Description, Genre, Rating FROM movie WHERE MovieName='$id'");