This question already has answers here:
Prevent user from editing checkbox value with something like FireBug?
(2 answers)
Can HTML checkboxes be set to readonly?
(48 answers)
Closed 7 years ago.
As I've found no other answer over the web, I'm asking here :
I'd like to find a way to prevent people from changing the checkboxes' values.
I'm using serialize() and unserialize() to set and get checkboxes data over my database, and the problem is if someone changes the value of the checkbox (using Chrome or Firefox dev tools by exemple) it messes my retrieved values. So I'd like to know if it is possible via PHP.
It is a bit unclear what you ask: php can only handle data on the server side. If you do not want some specific attribute of a dataset you read / write to / from a database to be modified, then just don't do it. No one forces you to consider data you get, for example inside the $_POST values you get from a form submission.
However the checkboxes themselves are only presented at the client side. Only there users can modify the values. php does not have any control over that, since it is running on the server side.
What you could do is try to prevent changes to the checkboxes by means of javascript which can be used on the client side. This works by suppressing or better swallowing the click events raised by the user. But actually there is no need for that: html itself allows to declare a checkbox as disabled which prevents any modification.
If that is not what you looking for, maybe because of optical reasons, you might want to overwrite the value of the checkboxes on html level by adding a hidden field holding the same name and value. That way it is irrelevant what modifications users make.
Related
This question already has answers here:
How do I execute PHP that is stored in a MySQL database?
(7 answers)
Closed 3 years ago.
My first post, and i am a little lost on how to get my question across to get to the solution i desire. so here goes nothing...
I have a content management site i am currently working on. This uses PHP to create pages and store the page contents in MySQL to be called back on the user facing site. A couple of things have come up that i require to use PHP to do within the page contents.
Is there a way i can use PHP to find the page content i have in the SQL database, and execute more PHP that is in that fetched page contents? or this just something i wish i could do and require another way round it?
My main thing is to create a "contact us" page that redirects to itself after sending the enquiry. the html content for the contact us form is kept in the database, and is found using page id's in GET requests.
i have tried to just adding the extra php code to the sql page content, however it just doesnt display anything inside the tags.
It is not recommended but you can use eval() to execute PHP from a string.
Let's assume you get an answer $response from your db, containing the code to execute.
$response = $db->execute($query);
var_dump(eval($response));
This will dump the return value of the executed code (stored in $response).
It is not recommended to use it because it exposes your application to arbitrary code execution. you will need to (at least) sanitize $response's content.
I use php to manage html and now I have problem with input date in mysql.
All with my input in MySQL or update or delete in MySQL is ok but how I can make security for input data in mysql because if some one open to see my html source code with browser he can see my predefined inputs and he can change thats in html and after that enter wronk inputs in mysql.
This is my code:
Options Value: <select name="extend">
<option value="<?php $_end1;$newDate = date('Y-m-d', strtotime($_end. " + 1 month"));echo $newDate;?>">1 Month</option>
Now when if someone open browser and see my code he can replease 1 month with several month and that in MySQL.
How can I this secure and or hide that in HTML.
Thx
If you're wanting to have fields or input that can't be edited by the user, such as the current date that the form was submitted on or something along the lines of that, you need to do do all of that on the server side (not the client side). Any data that is submitted from the client side can (and you should treat it like it will) be changed.
Instead of having form fields with preset values, fields that are hidden, fields that are disabled, data that is rendered with JavaScript, or any other way you could think of storing data on the client side, do those things on the server side. You can use a PHP script to do this, seeing as you're already making use of PHP. When you submit the form it has to go to some sort of a server side script, do that logic there and submit that logic to a database.
filter all your received user input. This might be clear for free text inputs, but should be done as well for predefined values.
Easiest for extending might be to only accept a certain number. For example 1, 2 or 3.
$extend = filter_input(INPUT_POST, 'extend', FILTER_VALIDATE_INT); is the first step, but you should also check if $extend is not equal to an illegal number.
if(in_array($extend, range(1,3)){ }
input like numbers is a lot more simple to check than a range of dates.
But even when that would be needed: it is possible to make your own validation function.
It is not possible to limit the browser or the user to only send certain data in a form. Either they could use a tool in the browser to change the habits of a form element, or they could rebuild the form completely in their own htmlpage or other tool
There is very simple answer to your question - you can NOT secure html and you should not even try. Every browser is equipped with developer tools and even without browser anyone can send to your server whatever they want. This is how Internet works.
What you SHOULD do is to verify your input data on server side where user has no access. In your case you should have array of allowed inputs or function assessing if input from user is valid.
More, if you know what will be the algorithm eg. ($_end + 1month) than you do not need to get from user result but only value of $_end. You can calculate $newDate just before inserting data to database - this way user will have no way of changing it.
First of all, please be carefull with your writing, it is pretty hard to understand your problem.
Secondly, if you want to "hide" PHP code to the user, you could write your code in a different way :
You create a form in which users will be able to fill some informations, and for example a date, like in your example. If this date is an option, it can have some value, as the one you show.
Then when the user submit the file, you make a checking on the variables. If you want this form to show a price, to add some data to a database, or whatever, you do some checking to be sure that the values are correct. For example, if you want to calculate a price, you will check the date the user selected, and calculate the price from this date. With this method, even if user changed the code, they will not be able to change the checking (at least not easily).
And to conclude you show a page asking the user for confirmation. This way, he will check if the informations are correct, and you can ask to re-fill some fields if you detected some invalids values
That's hard to show some concrete code, since I don't really know what you want to do, but I hope this explanation was clear. Don't hesitate to ask some questions, I'll try to answer.
darling brother:
you have 3 method:
1: define a variables instead of 1 month
2: use encryption method for php enciding that provide encryption php cides to unformatted charachters (ionCube )
3: usin my sql encryption : MD5
This question already has answers here:
What is the difference between client-side and server-side programming?
(3 answers)
Closed 6 years ago.
I want to fetch the list of transactions through jQuery/AJAX so it will update on any page I have that list on, when I update the content of this file I want to use. But I don't want to have the SQL queries in the file that I get through jQuery/AJAX since I use different queries for different pages on my website.
The file transactions.php contains all the SQL queries that I need. In that file, I also have this line: <div id="transactions"></div>.
The file fetch-transactions.php contains this list I want to show on the page. In it I have 2 globals (you know, global $thevariable) for 2 required variables ($count_transactions (to count the transactions) and $get_transactions (to loop the transactions into the list)) that can be found in transactions.php.
The javascripts.js contains all the needed JavaScript codes I have for my website, including this line: $.get(folder_name + 'ajax/fetch-transactions.php', function(s) { $('div#transactions').html(s); });
As you maybe already have figure out, s contains the content of fetch-transactions.php.
The thing is that none of the variables I have set globally in fetch-transactions.php have any data in them. The are empty! Why is that? Is it because they are not globally set? I don't want to use define as a variable. I don't think that is even possible for fetching data from the database :P
How can I fix this problem?
It looks like you're trying to read PHP variables in JavaScript. JavaScript is client-side and PHP is server side. The only way you can read the PHP variables into JavaScript is by outputting them within your fetch-transations.php file in some kind of format JavaScript can read.
There's a pretty decent Stack Overflow resource for this which you should read.
Following situation: I have a form with mostly dropdown lists which I populate from a database. There's also a text input field. The form is sent via POST.
What I'm wondering is, is it really necessary to sanitize the $_POST variables (besides the text input field, of course) before putting them in an sql query?
After all, it's not really user input if it came from a drop down list that I created. With $_GET I would understand the recommendation as it would be possible to manipulate the variables being sent. But AFAIK, that's not possible with POST.
Faking a POST is as easy as faking a GET. So, YES, input sanitation is needed.
You can fake using cURL (http://php.net/manual/en/intro.curl.php), but it is even insanely easier to just edit a simple html page, copy & paste your code in it, replace the values of the dropdown with whatever value you want but keeping the address in the action property of the form tag, and then that form will send all that garbage to your unprotected script.
Yes, it's possible, so you need to sanitize your database input.
With most browsers, it'll be difficult, but you can use tools like curl to simulate POST requests, where you have free control over the contents of the variables.
This question already has answers here:
Closed 10 years ago.
Possible Duplicate:
When the bots attack!
My free classified portal is coded in php. Now am facing sequence of ads which seems to be posted by tools like auto submitter. So I need to detect and avoid these type of ads by an automation which is done in any ways.
Have you considered using a "Captcha"?
http://www.captcha.net/
They are pretty easy to integrate and look like this:
There are several ways.
A simple one is to place a text box on the input form that says
Type the word "human": [ ]
If the trimmed uppercased version of that input != "HUMAN", then you either have a dumb human, or a dumb bot.
Obviously, this is super-easy for someone to defeat, but only if they take the time to code something for your site. In other words, it helps but is not foolproof.
On a more advanced level, integrate a recaptcha system, such as http://www.google.com/recaptcha
One of the simplest solutions would be honeypots, the idea is to include some fields with common names like email, address etc and hide them from user and use something less common for original names. If one of hidden fields aren't empty it was submitted by bot.
To make it more complicate you can dynamically encrypt every field names using md5 example:
$encodedFieldName = md5('email_address' . session_id());
Of course you need to create array with allowed fields and retrieve them back before submitting results to database.