This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
How to prevent XSS with HTML/PHP?
(9 answers)
Closed 17 days ago.
I have the following code:
<?php
/*
Template Name: trial_app_review
*/
get_header();
?>
<div class="form-container">
<form style="margin-top: 150px;" method="post">
<?php
// Connect to the MySQL database using the MySQLi object
$mysqli = new mysqli('host', 'user', 'password', 'db');
// Check for errors
if ($mysqli->connect_error) {
echo "Error: " . $mysqli->connect_error;
} else {
// Check if the button was clicked
if (isset($_POST['insert_btn'])) {
// Get the values of the row that the button belongs to
$WK = $_POST['WK']; $WK = mysqli_real_escape_string($mysqli, $WK);
$Trial_Year = $_POST['Trial_Year']; $Trial_Year = mysqli_real_escape_string($mysqli, $Trial_Year);
$Trial_Dates = $_POST['Trial_Dates'];$Trial_Dates = mysqli_real_escape_string($mysqli, $Trial_Dates);
$Trial_Club = $_POST['Trial_Club']; $Trial_Club = mysqli_real_escape_string($mysqli, $Trial_Club);
$Trial_Classes = $_POST['Trial_Classes']; $Trial_Classes = mysqli_real_escape_string($mysqli, $Trial_Classes);
$Ring_Width = $_POST['Ring_Width']; $Ring_Width = mysqli_real_escape_string($mysqli, $Ring_Width);
$Ring_Height = $_POST['Ring_Height']; $Ring_Height = mysqli_real_escape_string($mysqli, $Ring_Height);
$double_yes_no = $_POST['double_yes_no']; $double_yes_no = mysqli_real_escape_string($mysqli, $double_yes_no);
$FeePd = $_POST['FeePd']; $FeePd = mysqli_real_escape_string($mysqli, $FeePd);
$num_days = $_POST['num_days']; $num_days = mysqli_real_escape_string($mysqli, $num_days);
$start_date = $_POST['start_date']; $start_date = mysqli_real_escape_string($mysqli, $start_date);
$Trial_City = $_POST['Trial_City']; $Trial_City = mysqli_real_escape_string($mysqli, $Trial_City);
$Trial_St = $_POST['Trial_St']; $Trial_St = mysqli_real_escape_string($mysqli, $Trial_St);
$trial_sec = $_POST['trial_sec']; $trial_sec = mysqli_real_escape_string($mysqli, $trial_sec);
$Trial_Email = $_POST['Trial_Email']; $Trial_Email = mysqli_real_escape_string($mysqli, $Trial_Email);
$Trial_Website = $_POST['Trial_Website']; $Trial_Website = mysqli_real_escape_string($mysqli, $Trial_Website);
$end_date = $_POST['end_date']; $end_date = mysqli_real_escape_string($mysqli, $end_date);
$street_addr = $_POST['street_addr']; $street_addr = mysqli_real_escape_string($mysqli, $street_addr);
$distckwk = $_POST['distckwk']; $distckwk = mysqli_real_escape_string($mysqli, $distckwk);
$club_id = $_POST['club_id']; $club_id = mysqli_real_escape_string($mysqli, $club_id);
$pend_id = $_POST['ID']; $pend_id = mysqli_real_escape_string($mysqli, $pend_id);
$query = "INSERT INTO Calendar (pend_id, WK, Trial_Year, Trial_Dates, Trial_Club, Trial_City, Trial_St, Trial_Classes, Ring_Width, Ring_Height, double_yes_no, Trial_FName, Trial_Email,
Trial_Website, FeePd, start_date, end_date, street_addr, distckwk, club_id,Pend_Confirm)
VALUES ('$pend_id', '$WK', '$Trial_Year', '$Trial_Dates', '$Trial_Club', '$Trial_City', '$Trial_St', '$Trial_Classes', '$Ring_Width', '$Ring_Height', '$double_yes_no', '$trial_sec',
'$Trial_Email', '$Trial_Website', '$FeePd', '$start_date', '$end_date', '$street_addr','$distckwk', '$club_id',CONCAT('Confirmed-', CURRENT_DATE()))";
$result = $mysqli->query($query);
if ($result) {
$update = "UPDATE PendingCalendar SET Pend_Confirm = CONCAT('Confirmed-', CURRENT_DATE()) WHERE ID = '$pend_id'";
$update_result = $mysqli->query($update);if ($update_result) {
echo '<script>window.location.href = "https://nadac.com/success.php";</script>';
} else {
echo "Error: " . $mysqli->error;
}
} else {
echo "Error: " . $mysqli->error;
}
}
else {
// Execute a SELECT query and check for errors
$result = $mysqli->query("SELECT * FROM PendingCalendar WHERE Pend_Confirm IS NULL OR Pend_Confirm ='' ORDER BY WK DESC");
if (!$result) {
echo "Error: " . $mysqli->error;
} else {
// Add the stylesheet
echo "<style>
table {
border-collapse: collapse;
}
table, td, th {
border: 1px solid black;
padding: 5px;
}
</style>";
// Create the updated HTML table
echo "<table>\n";
echo " <tr>\n";
echo " <th>Action</th>\n";
echo " <th>WK</th>\n";
echo " <th>Trial_Year</th>\n";
echo " <th>Trial_Club</th>\n";
echo " <th>Trial_Classes</th>\n";
echo " <th>Ring_Width</th>\n";
echo " <th>Ring_Height</th>\n";
echo " <th>double_yes_no</th>\n";
echo " <th>Fee Pd</th>\n";
echo " <th>start_date</th>\n";
echo " <th>end_date</th>\n";
echo " </tr>\n";
// Iterate over the results and print each row
while ($row =
$result->fetch_assoc()) {
// Print the table row
echo " <tr>\n";
echo " <td>\n";
echo " <form method='post' >\n";
echo " <input type='hidden' name='ID' value='" . $row['ID'] . "'>\n";
echo " <input type='hidden' name='WK' value='" . $row['WK'] . "'>\n";
echo " <input type='hidden' name='Trial_Year' value='" . $row['Trial_Year'] . "'>\n";
echo " <input type='hidden' name='Trial_Club' value='" . $row['Trial_Club'] . "'>\n";
echo " <input type='hidden' name='Trial_Classes' value='" . $row['Trial_Classes'] . "'>\n";
echo " <input type='hidden' name='Ring_Width' value='" . $row['Ring_Width'] . "'>\n";
echo " <input type='hidden' name='Ring_Height' value='" . $row['Ring_Height'] . "'>\n";
echo " <input type='hidden' name='double_yes_no' value='" . $row['double_yes_no'] . "'>\n";
echo " <input type='hidden' name='FeePd' value='" . $row['FeePd'] . "'>\n";
echo " <input type='hidden' name='start_date' value='" . $row['start_date'] . "'>\n";
echo " <input type='hidden' name='end_date' value='" . $row['end_date'] . "'>\n";
echo " <input type='hidden' name='Trial_Dates' value='" . $row['Trial_Dates'] . "'>\n";
echo " <input type='hidden' name='Trial_City' value='" . $row['Trial_City'] . "'>\n";
echo " <input type='hidden' name='Trial_St' value='" . $row['Trial_St'] . "'>\n";
echo " <input type='hidden' name='Trial_Email' value='" . $row['Trial_Email'] . "'>\n";
echo " <input type='hidden' name='Trial_Website' value='" . $row['Trial_Website'] . "'>\n";
echo " <input type='hidden' name='street_addr' value='" . $row['street_addr'] . "'>\n";
echo " <input type='hidden' name='distckwk' value='" . $row['distckwk'] . "'>\n";
echo " <input type='hidden' name='club_id' value='" . $row['club_id'] . "'>\n";
echo " <input type='hidden' name='trial_sec' value='" . $row['trial_sec'] . "'>\n";
echo " <button type='submit' name='insert_btn'>Insert</button>\n";
echo " </form>\n";
echo " </td>\n";
echo " <td>" . $row['WK'] . "</td>\n";
echo " <td>" . $row['Trial_Year'] . "</td>\n";
echo " <td>" . $row['Trial_Club'] . "</td>\n";
echo " <td>" . $row['Trial_Classes'] . "</td>\n";
echo " <td>" . $row['Ring_Width'] . "</td>\n";
echo " <td>" . $row['Ring_Height'] . "</td>\n";
echo " <td>" . $row['double_yes_no'] . "</td>\n";
echo " <td>" . $row['FeePd'] . "</td>\n";
echo " <td>" . $row['start_date'] . "</td>\n";
echo " <td>" . $row['end_date'] . "</td>\n";
echo " </tr>\n";
} echo "</table>\n";
}
}
}
?>
</form>
</div>
And it works. But when a column has an apostrophe, it removes everything after the apostrophe.
I am definitely a beginner, but I thought the escape string would prevent that from happening?
I made a test record and using something like this: NADAC,Testing'testing"testing it gets shortened to: NADAC,Testing
What am I missing?
Please advice me as value for session data question_number not getting incremented and passed in Codeigniter project
The old value question_number of 1 is always passed as the question number
the code is supposed to set question_number as 1 initially and then when the user submits the form the first time, and the form data is processed by the same document, the question number is supposed to be incremented by one and passed to the same form below
but unfortunately, this new question number is not passed to the hidden input type
see the code below
$con = mysqli_connect($dbhost, $dbuser, $dbpass, $dbName);
if (!$this->session->userdata("user_id")) {
header("location:" . base_url() . "login");
}
$_SESSION['error'] = '';
$_SESSION['success'] = '';
// template methods start here ==========================================
if (isset($_POST["LaunchTest"])) {
$test_id = addslashes($_POST['id']);
echo("test_id: " . $test_id . "<br />");
$session_id = addslashes($_POST['session_id']);
echo("session_id: " . $session_id . "<br />");
$counter = addslashes($_POST['counter']);
echo("counter: " . $counter . "<br />");
$score = addslashes($_POST['score']);
echo("score: " . $score . "<br />");
$question_number = addslashes($_POST['question_number']);
echo("question_number: " . $question_number . "<br />");
$answer = addslashes($_POST['hidden_answer']);
echo("answer: " . $answer . "<br />");
$user_choice = addslashes($_POST['radio_choice']);
echo("user_choice: " . $user_choice . "<br />");
$start_id = addslashes($_POST['start_id']);
echo("start_id: " . $start_id . "<br />");
$end_id = addslashes($_POST['end_id']);
echo("end_id: " . $end_id . "<br />");
$current_question= $question_number;
if ($user_choice==$answer) {
$score++;
}
$preventRepeat = [];
$question_number = $question_number+1;
echo("new Question number: " . $question_number . "<br />");
$new_question = $question_number;
$_SESSION['question_number'] = $question_number;
$organisation = $_SESSION['organisation'];
date_default_timezone_set('Africa/Lagos');
$today = date('m/d/Y h:i:s a', time());
$sql_query = "UPDATE cbt_attempts_tbl SET "
. "currentQuestion ='"
. $current_question . "',"
. "score ='"
. $score . "',"
. "created_date ='"
. $today . "'"
. " WHERE session_id = '"
. $session_id .
"'";
; //$displayedRowCount = $rowCount;
echo $sql_query . "<br />";
$result = mysqli_query($con, $sql_query) or die("No data returned from DB Query");
//$candidate_quest_count++;
echo "database updated succesfully. <br />";
$current_question++;
if ($question_number > $_SESSION['total_questions']) {
//calculate score
$score_output = calculateScore($score, $_SESSION['total_questions']);
//end test
header("location:" . base_url() . "score?id=" . $test_id .
"&test_session=" . $session_id. "score=". $score_output);
} else {
// myRandomNum = generateSecondRandomNumber();
$myRandomNum = generateRandomNumber($start_id, $end_id);
echo("myRandomNum: " . $myRandomNum . "<br />");
//$myRandomNum = preventRepeatingQuestions($myRandomNum);
$quesionAtRand_str = getQuestionAtRandom($myRandomNum, $con);
$QuestData_arr = explode("~", $quesionAtRand_str);
//echo("QuestData_arr is: " . $QuestData_arr . "<br />");
$Question = $QuestData_arr[1];
//echo("Question is: " . $Question . "<br />");
$OptA = $QuestData_arr[2];
//echo("OptA is: " . $OptA . "<br />");
$OptB = $QuestData_arr[3];
//echo("OptB is: " . $OptB . "<br />");
$OptC = $QuestData_arr[4];
//echo("OptC is: " . $OptC . "<br />");
$OptD = $QuestData_arr[5];
//echo("OptD is: " . $OptD . "<br />");
$Answer = $QuestData_arr[6];
//echo("Answer is: " . $Answer . "<br />");
}
}
?>
<?php include('admin_block.php'); ?>
<br/>
<?php
if (!isset($_GET["id"])) {
$_SESSION['error'] = '<label class="text-danger">nothing selected.</label><br />';
header("location:" . base_url() . "launchtest");
exit();
}
$test_id = addslashes($_GET['id']);
//display deleted succesfully
//header return to update screen
$organisation = $_SESSION['organisation'];
$user_name = $_SESSION['user_name'];
// main start
//-----FIRST TIME RUN STARTS HERE---
if (!isset($test_session_id)) {
$arr_usr_choice = [];
$arr_correct_answer = [];
$arr_usr_choice[0] = "nothing";
$arr_correct_answer[0] = "nothing";
$candidate_quest_count = 1;
$question_number = 1;
$preventRepeat = [];
$counter = 1;
$current_question = 1;
$score = 0;
$_SESSION["score"] = 0;
$test_session_id = generateTestSessionId();
//echo("test_session_id is: " . $test_session_id . "<br />");
//gettestdetails from summary table
$testDetails = getTestDetailsFromSummary($con, $test_id);
//echo("testDetails: " . $testDetails . "<br />");
$dataFromSmryTble_arr = explode("~", $testDetails);
$test_name= $dataFromSmryTble_arr[2];
//echo("test_name: " . $test_name . "<br />");
$type = $dataFromSmryTble_arr[6];
//echo("type: " . $type . "<br />");
$subject = $dataFromSmryTble_arr[5];
//echo("subject: " . $subject . "<br />");
$total_questions = $dataFromSmryTble_arr[3];
//echo("total_questions: " . $total_questions . "<br />");
$start_id = $dataFromSmryTble_arr[0];
//echo("start_id: " . $start_id . "<br />");
$end_id = $dataFromSmryTble_arr[1];
//echo("end_id: " . $end_id . "<br />");
$_SESSION['total_questions'] = $total_questions;
loadDetailsToAttemptsTbl(
$con,
$test_id,
$test_session_id,
$test_name,
$type,
$subject,
$total_questions,
$start_id,
$end_id
);
//1. get test takers first name and lastname
if (!isset($_SESSION['firstname']) || !isset($_SESSION['lastname'])) {
header("location:" . base_url() . "enter_student_details?id=" . $test_id .
"&test_session=" . $test_session_id);
}
$firstname = $_SESSION['firstname'];
$lastname = $_SESSION['lastname'];
$output = displayFirstQuestion($con, $test_session_id); // duisplays one Question
//echo("output is: " . $output . "<br />");
$QuestData_arr = explode("~", $output);
//echo("output is: " . $output . "<br />");
$Question = $QuestData_arr[1];
//echo("Question is: " . $Question . "<br />");
$OptA = $QuestData_arr[2];
//echo("OptA is: " . $OptA . "<br />");
$OptB = $QuestData_arr[3];
//echo("OptB is: " . $OptB . "<br />");
$OptC = $QuestData_arr[4];
//echo("OptC is: " . $OptC . "<br />");
$OptD = $QuestData_arr[5];
//echo("OptD is: " . $OptD . "<br />");
$Answer = $QuestData_arr[6];
//echo("Answer is: " . $Answer . "<br />");
$_SESSION['question_number'] = $question_number;
}
//-----FIRST TIME RUN ENDS HERE---
echo '<form method="post" action="'. $_SERVER['PHP_SELF'].'?id=' . $test_id .
'&test_session=' . $test_session_id .'"';
echo '<h2 class="section-heading animated">'. $test_name .'</h2>';
echo '<TABLE class="my_style" border="0"><TR><TD>' . $firstname . " ". $lastname . '</TD></TR></TABLE>';
echo '<font color="#fff"><table class="my_style" border="0" cellpadding="2">';
echo '<tr >';
echo '<td valign="top" >' . $_SESSION["question_number"] . '</td>';
echo '<td valign="top" colspan="3" scope="col"><b>' . $Question . '</b></td>';
echo '</tr >';
echo '<tr >';
echo '<td></td><TD WIDTH="2%">A.</TD><td WIDTH="2%"><input name="radio_choice" type="radio" value="A" required /></td><td valign="top" >' . $OptA . '</td>';
echo '</tr >';
echo '<tr >';
echo '<td></td><TD WIDTH="2%">B.</TD><td WIDTH="2%"><input name="radio_choice" type="radio" value="B" /></td><td valign="top" >' . $OptB . '</td>';
echo '</tr >';
echo '<tr >';
echo '<td></td><TD WIDTH="2%">C.</TD><td WIDTH="2%"><input name="radio_choice" type="radio" value="C" /><td valign="top" >' . $OptC . '</td>';
echo '</tr >';
echo '<tr >';
echo '<td></td><TD WIDTH="2%">D.</TD><td WIDTH="2%"><input name="radio_choice" type="radio" value="D" /><td valign="top" >' . $OptD. '</td> <input type="hidden" value="'.$Answer.'" name="hidden_answer" /> ';
echo '</tr>';
echo '</tr >';
echo '<td colspan="4" ><input type="submit" style="background-color: #008CBA;" value="Next Question" name ="LaunchTest" onClick="checkRadios()"/>';
echo '<input type="hidden" name="id" value="'. $test_id.'"/>';
echo '<input type="hidden" name="question_number" value="'. $_SESSION["question_number"] .'"/>';
echo '<input type="hidden" name="session_id" value="'.$test_session_id.'"/>';
echo '<input type="hidden" name="counter" value="'.$counter.'"/>';
echo '<input type="hidden" name="score" value="'.$_SESSION["score"] .'"/>';
echo '<input type="hidden" name="start_id" value="'.$start_id.'"/>';
echo '<input type="hidden" name="end_id" value="'.$end_id.'"/>';
echo '</td>';
echo '</tr >';
echo '</table></font>';
echo '</form>';
// main end
?>
#Ynhockey was right. test_session_id was causing the issues
I have this form that I'm creating using PHP. The names of the form elements are a number
<form method="post" action="keywords.php">
<?php
echo $question
?>
</div>
<div class="panel-body">
<?php
foreach ($orderexplode as $o)
{
switch ($o) {
case 0:
print(" " . "<label>" . $presetwords[$i] . "</label>" . " ");
$i++;
break;
case 1:
print(" " . "<input type='text' class='form-control' name='$k' id ='$k'placeholder=" . $responsewords[$k] . ">" . " ");
$k++;
echo $k;
break;
}
}
?>
<br>
<button type='submit' class='btn btn-info'>Submit</button>
</form>
How would I go about getting the value of each input box I want to check if it matches $exploded string?
$string = "Hello How Are You"
$explodedstring = explode(" ",$string)
You are trying to use array indexes. You need to use indexes:
<?php
foreach ($orderexplode as $k => $o)
{
print(" " . "<label>" . $k . "</label>" . " ");
print(" " . "<input type='text' class='form-control' name='" . $k . "' id ='" . $k . "'placeholder=" . $o . ">" . " ");
}
?>
Hello I found a way to remove www https but now I need to remove anything after ".com" www.something.com/something/something I want to remove */something/something~ from the URL.
<form method="post" action="">
<label>URL adresa:</label><input type="text" placeholder= "URL" name="url" required /><br>
<label>Titulek odkazu:</label><input type="text" placeholder= "Titulek" name="titulek" required/><br>
<label>Otevření nového okna ANO</label><input type="checkbox" name="choice1" /><br>
<label>Barva odkazu:</label><input type="color" name="color" /><br>
<input type="submit" name="submit" />
</form>
<?php
$zakaz = array('www.', 'https://', 'http://' );
if(isset($_POST['url']) AND isset($_POST['titulek']) AND isset($_POST['color']) AND !isset($_POST['choice1'])){
$url = $_POST['url'];
$titulek = $_POST['titulek'];
$color = $_POST['color'];
echo "<a href='" . $url . "'title ='" . $titulek . "'style=' color:" . $color . "; text-decoration: none ;'>" . str_replace($zakaz, '', $url) . "</a>";
}elseif(isset($_POST['url']) AND isset($_POST['titulek']) AND isset($_POST['color']) AND isset($_POST['choice1'])){
$url = $_POST['url'];
$titulek = $_POST['titulek'];
$color = $_POST['color'];
echo "<a href='" . $url . "'title ='" . $titulek . "' target= '_blank' style=' color:" . $color . "; text-decoration: none ;'>" . str_replace($zakaz,'',$url ) . "</a>";
}
?>
You can use PHP's explode().
You can use:
$website = explode("/",$fullwebsite)[0]; //something.com
I am using Wordpress and phpBB with a plugin called wp-united. I am trying to have users redirected back to the homepage of my blog instead of the forum. I have tried making changes but have not been successful so I removed my changes.
Here is the current code:
get_currentuserinfo();
$loggedIn = $phpbbForum->user_logged_in();
$loginLang = ($loggedIn) ? sprintf($phpbbForum->lang['LOGOUT_USER'], $phpbbForum->get_username()) : $phpbbForum->lang['LOGIN'];
$loginAction = ($loggedIn) ? '?mode=logout' : '?mode=login';
if($loggedIn) {
$wpu_usr = get_wpu_phpbb_username();
$colour = $phpbbForum->get_userdata('user_colour');
$colour = ($colour) ? ' style="color: #' . $colour . '" ' : '';
$ret .= _wpu_add_class($before, 'wpu-widget-lu-avatar') . '<img src="' . get_avatar_reader() . '" alt="' . $phpbbForum->lang['USER_AVATAR'] . '" />' . $after;
$ret .= _wpu_add_class($before, 'wpu-widget-lu-username'). '<a href="' . $phpbbForum->get_board_url() . 'ucp.' . $phpEx . '" ' . $colour . '><strong>' . $wpu_usr . '</strong></a>' . $after;
if ( $showRankBlock ) {
$ret .= _wpu_add_class($before, 'wpu-widget-lu-rankblock') . get_wpu_phpbb_rankblock() . $after;
}
$ret .= _wpu_add_class($before, 'wpu-logout') . '' . $loginLang . '' . $after;
} else {
if ( $showLoginForm ) {
$redir = wpu_get_redirect_link();
$login_link = $phpbbForum->append_sid('ucp.'.$phpEx.'?mode=login') . '&redirect=' . $redir;
$ret .= '<form class="wpuloginform" method="post" action="' . $phpbbForum->get_board_url() . $login_link . '">';
$ret .= $before . '<label for="phpbb_username">' . $phpbbForum->lang['USERNAME'] . '</label> <input tabindex="1" class="inputbox autowidth" type="text" name="username" id="phpbb_username"/>' . $after;
$ret .= $before . '<label for="phpbb_password">' . $phpbbForum->lang['PASSWORD'] . '</label> <input tabindex="2" class="inputbox autowidth" type="password" name="password" id="phpbb_password" maxlength="32" />' . $after;
if ( $autoLogin ) {
$ret .= $before . '<input tabindex="3" type="checkbox" id="phpbb_autologin" name="autologin" /><label for="phpbb_autologin"> ' . __('Remember me', 'wp-united') . '</label>' . $after;
}
$ret .= $before . '<input type="submit" name="login" class="wpuloginsubmit" value="' . __('Login') . '" />' . $after;
$ret .= $before . '' . __('Register', 'wp-united') . '' . $after;
$ret .= $before . '' . __('Forgot Password?', 'wp-united') . '' . $after;
$ret .= '</form>';
} else {
$ret .= $before . '' . $loginLang . '';
}
}
/**
* Returns a URL suitable for sending as a redirect instruction to phpBB
* # since v0.8.1
*/
function wpu_get_redirect_link() {
global $phpbbForum;
if(!empty( $_SERVER['REQUEST_URI'])) {
$protocol = empty($_SERVER['HTTPS']) ? 'http:' : ((strtolower($_SERVER["HTTPS"]) == 'on') ? 'https:' : 'http:');
$protocol = ($_SERVER['SERVER_PORT'] == '80') ? $protocol : $protocol . $_SERVER['SERVER_PORT'];
$link = $protocol . '//' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
} else {
$link = get_option('home');
}
$fStateChanged = $phpbbForum->foreground();
$link = reapply_sid($link);
$phpbbForum->restore_state($fStateChanged);
return urlencode(esc_attr($link));
}