I am trying to make a basic forum/board where anyone can simply post a message via a submit for. So far I've been able to send the text they've entered via POST and put it into a MySql table. I am wondering how I then can go and print on the webpage what was just submitted?
Well if it's on the same page / script as the MySQL insertion, then you can take it from post, however I suggest using htmlspecialchars() to remove any HTML that people could embed in to their data.
If it's not on the same page, as it won't always be, then use MySQL to retrieve the data with a SELECT query - See here for help: W3Schools - SELECT - and, again, use htmlspecialchars() on it and display it in your desired format.
This is a very vague question for StackOverflow, so I can't really give you much more information unless you give me something that you've already tried, something I can correct / alter.
Related
I'm currently developing a table layout.
The tables are using a paginator and a filter function in PHP.
All values are transmitted as GET parameters.
For example, the paginator will use &limit=20&page=5.
The filter is built upon a table row in thead as input fields.
What I mean is that each column has it's own input field.
Once the submit button is clicked, it will pass the data via GET to itself, so the next pageview will query/filter the data correctly.
For example, if I want to filter the postcode the url will be as following:
&limit=20&page=5&postcode=5
Because I'm allowing searches like %5% to show all postcodes where 5 where the result is not limited to 5 only. It will show all data which has a 5 at any spot of the value.
However, if I want to filter the postcodes showing all results with 58, I will type in %58%. As per URL encoding, unfortunately, the URL won't be &postcode=%58% as expected. It will be &postcode=X%.
The question is whether it is somehow possible to get the correct values into the URL?
The problem lays on browser level. If I would change the URL from &postcode=X% to &postcode=%58% directly and hit enter, Chrome would translate it straight away to X%.
Maybe it's possible somehow with meta tags, http headers, or Javascript, etc.
I'm doing it via GET instead of POST because it was - apparently - simpler to integrate with the paginator.
Sorry for my bad English. Any help would be much appreciated.
Thanks a lot.
You should escape the "%" sign itself (that would be "%25"). PHP should be smart enough to decode that automatically.
So &postcode=%58% should become &postcode=%2558%25, which PHP will decode so that $_GET['postcode'] is '%58%'.
You should urlencode your values before inserting them into the params.
Overall though, If you are using mysql I agree with billrichards.
Since you mention %% searches I assume you are using MySQL or another SQL back end to query for the data. In that case I would suggest leaving the querystring always formatted as postcode=58&page=1, and add some other parameter to indicate if it should be a %wildcard% search or exact match, and if the wildcard parameter is there, add the %% on the back end when performing the query.
I use php to manage html and now I have problem with input date in mysql.
All with my input in MySQL or update or delete in MySQL is ok but how I can make security for input data in mysql because if some one open to see my html source code with browser he can see my predefined inputs and he can change thats in html and after that enter wronk inputs in mysql.
This is my code:
Options Value: <select name="extend">
<option value="<?php $_end1;$newDate = date('Y-m-d', strtotime($_end. " + 1 month"));echo $newDate;?>">1 Month</option>
Now when if someone open browser and see my code he can replease 1 month with several month and that in MySQL.
How can I this secure and or hide that in HTML.
Thx
If you're wanting to have fields or input that can't be edited by the user, such as the current date that the form was submitted on or something along the lines of that, you need to do do all of that on the server side (not the client side). Any data that is submitted from the client side can (and you should treat it like it will) be changed.
Instead of having form fields with preset values, fields that are hidden, fields that are disabled, data that is rendered with JavaScript, or any other way you could think of storing data on the client side, do those things on the server side. You can use a PHP script to do this, seeing as you're already making use of PHP. When you submit the form it has to go to some sort of a server side script, do that logic there and submit that logic to a database.
filter all your received user input. This might be clear for free text inputs, but should be done as well for predefined values.
Easiest for extending might be to only accept a certain number. For example 1, 2 or 3.
$extend = filter_input(INPUT_POST, 'extend', FILTER_VALIDATE_INT); is the first step, but you should also check if $extend is not equal to an illegal number.
if(in_array($extend, range(1,3)){ }
input like numbers is a lot more simple to check than a range of dates.
But even when that would be needed: it is possible to make your own validation function.
It is not possible to limit the browser or the user to only send certain data in a form. Either they could use a tool in the browser to change the habits of a form element, or they could rebuild the form completely in their own htmlpage or other tool
There is very simple answer to your question - you can NOT secure html and you should not even try. Every browser is equipped with developer tools and even without browser anyone can send to your server whatever they want. This is how Internet works.
What you SHOULD do is to verify your input data on server side where user has no access. In your case you should have array of allowed inputs or function assessing if input from user is valid.
More, if you know what will be the algorithm eg. ($_end + 1month) than you do not need to get from user result but only value of $_end. You can calculate $newDate just before inserting data to database - this way user will have no way of changing it.
First of all, please be carefull with your writing, it is pretty hard to understand your problem.
Secondly, if you want to "hide" PHP code to the user, you could write your code in a different way :
You create a form in which users will be able to fill some informations, and for example a date, like in your example. If this date is an option, it can have some value, as the one you show.
Then when the user submit the file, you make a checking on the variables. If you want this form to show a price, to add some data to a database, or whatever, you do some checking to be sure that the values are correct. For example, if you want to calculate a price, you will check the date the user selected, and calculate the price from this date. With this method, even if user changed the code, they will not be able to change the checking (at least not easily).
And to conclude you show a page asking the user for confirmation. This way, he will check if the informations are correct, and you can ask to re-fill some fields if you detected some invalids values
That's hard to show some concrete code, since I don't really know what you want to do, but I hope this explanation was clear. Don't hesitate to ask some questions, I'll try to answer.
darling brother:
you have 3 method:
1: define a variables instead of 1 month
2: use encryption method for php enciding that provide encryption php cides to unformatted charachters (ionCube )
3: usin my sql encryption : MD5
I am trying to create a forum on my page. I need some advice. I have MySQL database and I am able to to work with it. Yet as far as I can make is playing with POST. I mean on click submit a $_POST['submit']) becomes set and so on. Then connect to database, get info and display.This way of making a forum is bad, because it all happens on a single page. As far as I seen any other forum when entering one and so on has it's unique Uri (what comes after domain.com/) so you can simply send someone full url and they are in that thread (unlike if you play with $_POST['submit']).
Sorry if my question is not accurate and I am not asking to write me code. I just need someone to direct me to the right place and any advice would be helpful. Thanks !
Your question is difficult to understand, but I think you are confused about how data and pages are dynamic using GET/POST.
The URLS with different IDs are like an illusion. Really, its the same page, however the page is dynamically taking that ID from the URL, and using it to output certain data.
For example, say we habe the URL: www.example.com/show_thread.php?thread=3
The php would look like
if(isset($_GET['thread'])){
$data = $db>query("SELECT thread_title,thread_text FROM threads WHERE thread_id = $_GET['thread']");
print($data);
}
*Warning: do not use this exact code, it is an example, not secure, etc
Then the database would look like
thread_id thread_title thread_text
1 kngwihywoihwy kngwihywoihwykngwihywoihwy
2 vyfngoieyoiehyon ieonuwrtoi hunwrmt jirwyji
3 nuoaiefguneoihn eoithneiotheo
and the page would show
nuoaiefguneoihn eoithneiotheo
POSTing data is for sending it to the server, and doing something with it. Just like GET. However, GET is helpful for passing things around as they are accessible in links. Like this example.
I have an HTML table with contents, I would like to have an feature of Edit/Delete to that table. How do I do it with PHP?
I actually think that this sounds more like a job for JavaScript, which can edit/remove rows on-the-fly and with much less code. (Implement some AJAX too, and you can edit/remove rows in database too).
But if you insist on using PHP, you might just want to add some GET parameters to the Edit/Delete links that would delete or edit those rows.
Well, there is a pure PHP way to do it, and then there is a combination of Javascript and PHP. You must use PHP one way or another if you want your changes to the database to be permanent as that is your gateway to communicating with the database (as far as I know you cannot do that with Javascript as that is client-based and runs entirely in your web browser).
If using just PHP, you must generate HTML documents for each change. E.g., you click on one cell in the table and that gets you to a new HTML page where the field is editable through an input element; or you can list all fields at once for that row and edit them all at the same time. The fields are then posted in a form to a PHP page which will take the new values and update the database (or insert new values or however you wish it to behave). Here's a tutorial for how to do this:
http://www.freewebmasterhelp.com/tutorials/phpmysql/1
You can also mix in some Javascript which allows a more interactive interface to modifying the values in a cell. However, this obviously requires more code and may be overkill for what you're trying to do. Nonetheless, here is a link which demonstrates just that and also shows the code:
http://www.java2s.com/Code/JavaScript/GUI-Components/Editabletablecell.htm
Hope this is what you're looking for.
EDIT:
Forgot that you also wished to delete content in the table. That is also explained in the first link.
If you intend to work with databases, and it seems like you have little understanding of how they work, pick up a good book like: SQL - The Complete Reference. When you have enough knowledge of SQL, look at PHP's PDO extension: http://php.net/manual/en/book.pdo.php
EDIT: I solved it seconds after posting the question (sorry!) but can't accept an answer yet.
Hi folks,
Just a quick one. I have a PHP/CodeIgniter site and the user can edit their profile. I'm using CI's XSS Filtering and Active Record-based Models, so the data is escaped automatically.
It naturally displays fine on the profile page view, text such as "We'll see if this works" (the apostrophe in the we'll). However when the user goes to the Edit page, the input box (filled with the data in the DB) displays:
We'll see if this works
I thought I could get around it by setting the value of the input box to html_entity_decode($query->row('example_database_row')) but it still doesn't work. Am I misunderstanding something here?
Thanks!
Jack
You can use html_entity_decode($query->row('example_database_row'), ENT_QUOTES).
However, I would advise against HTML encoding before you insert it into the database. Just encode it when you output it. It's better just storing the raw data in the database.