How to safely store users facebook profile link? PHP/SQL - php

I orignally posted asking how I can store a users facebook profile link, to use it on a profile page that I was creating on my website and didn't really get much of a response. After spending a lot of time I have a system in place that I feel should work but doesn't.
I'm not entirely comfortable with AJAX yet and have tried adapting code from Adam Khoury's Web Intersect 2.0 series to suit my project.
I've pasted my code over at Pastebin http://pastebin.com/u/lil_bugga test2.php being my main form with the Ajax and link_checker.php being my include file. Can someone help me to get this code working properly.
Its meant to take the user input, sanitize it and return 1 of 4 different result that I can then use to display appropriate messages to the user. The code seems to work fine until after the following line in test2.php
alert(params.join("&"));
Below is my orignal question for any interested parties.
"How can I safely collect and store links supplied by a site visitor as part of their profile, if they wish to provide it.
I know I don't want to store it without sanitization of some form but I would assume using something like the snippet below would leave me vulnerable to attack.
$username = preg_replace('#[^a-z0-9_/:]#i'
I also want to compare the supplied links against a url list i.e:
http:// www.facebook.com/userprofile
www.facebook.com/1234567890
Whats the best option here, as some people may submit with HTTP:// others with just WWW. and some even just facebook.com/ and then theres the (userprofile) name or the user id (1234567890)"

Related

How to retrieve an action out of a url in php

I'm making a site where you can book a cabin. One of the requirements was to make a reaction system where an admin gets an e-mail with a link. If he clicks this link, the reaction will be posted on the site. I'm almost done with this, I only have one question:
http://student.waerdenborch.nl/~groep45/site/index.php?reactie=f0357a3f154bc2ffe2bff55055457068
In this link, how can i retrieve the part behind ?reactie=?
I could only find how to retrieve more of the url, but I only want the md5.
Just retrieve it by using $_GET
$_GET['reactie']
Also read this: http://php.net/manual/en/reserved.variables.get.php

banning the user to visit a url before visiting a particular url?

I have made a quiz game using html & php and have URL as "localhost/game/ques1.php","localhost/game/ques2.php".
I have used sessions in it but a user can go the next question without answering question 1 by changing URL from localhost/game/ques1.php to localhost/game/ques2.php.
How to stop user doing that ??
Generally you'd do these things on a single page, but if you're sold on not doing it that way, you have a couple of options.
You could look into posting data to the questions as you go (include some hidden field that indicates the user started on question 1).
You could also include some dynamically generated token that you pass via query parameter to question 2.
You could use session variables to mark that each page was already requested, although I can imagine a number of ways that that could fail.
You could save cookies, although that's not a great way of doing it either.
I'd really look into just doing it all on one page. You don't have to show everything at once, I bet you could make the UI look very similar to what you've got now. But it'd be cleaner and probably load faster (since you wouldn't have to load all of your head and master page (or whatever) content for every question).

Implementing captcha only once for one session

I've been working on a website which contains alot of links. I want to protect those links from bots/crawlers by implementing a CAPTCHA. I've tried reCAPTCHA by Google but it doesn't suit my needs(complex specially when it comes to people who are poor in English :P) plus I just want to stop the new programmers or crawlers, I know it can easily be broken by experienced programmers. So I searched and found this one to be good.
http://www.hardcode.nl/subcategory_4/article_243-simple-php-captcha-script.htm
Downloaded it and its working like a charm but my problem is :
1. I can see the index.html files checks the entered code and if correct redirects to write.php where session is created and output is shown. I want this to be done on the same page. Like when user enters correct code, he should be able to view the view the links on the same page to save bandwidth (I'll fetch them from mysql server)
2. This is more important one, since I don't know anything about php sessions and php.net tutorials are just too short or next to nothing, can this be done that whenever a user input correct captcha once, he can see the links for rest of the time without captcha? And he will have to re-enter the captcha only when he closes the browser or after some interval like 10 minutes in case previous one can't be done.
Thank you
PS. I can use Javascript on my server but probably a php solution will be better since I'm also learning php
Use AJAX to pull the links and then replace the HTML in the page.
Store a variable in the session that determines whether or not they've entered a CAPTCHA, then just check that before deciding whether to show the CAPTCHA or the links.

Should I use sessions for "LOGINS" on my site?

I have a classifieds website, where anyone (no need for login currently) can post a classified. It is PHP based.
The procedure for posting is currently like this:
click on "New Classified" --->
fill in a form of all information and hit "View classified before publishing it" --->
the form submits to a "verify classifieds" page, where users verify their inputs --->
If everything is okay in the "verify" page, then the user hits OK and the classified is published.
The above procedure isn't exactly optimized. The first page (new_classified) where the form is, is pretty good, but the second page (verify) uses x number of hidden inputs in another form, used to contain the previous pages form inputs.
Now you know how it works on my site.
The issue today is that alot of companies want to publish their classifieds, and alot of classifieds at the same time. This means they have to fill out the form again and again currently.
I am thinking about creating a login, for companies only, so that their information is automatically inputted into the form, so all they would have to do is fill out the specific classified details like "headline" and "description" etc.
How should I do this in my case? Sessions?
This means I will have to create a new MySql table (I use MySql mainly) and store company-profiles there.
So do you think converting to sessions is alot of work? Worth it? More reliable?
I have never used sessions so I wouldn't know.
As a last note, you should know that I use a picture upload tool on the first page of "new_classified". When a user choses a file to upload, the page is automatically *refreshed*, and then the image is displayed on the same page under section "images uploaded". I hope the session wont interfere with this approach.
Thanks
I think it is worth your while to do logins, and even on a very basic level it will help you to identify who is using your site etc.
This is probably a big debate around developers, what is the best way to do a good login system, whether it's basic or not doesn't matter, I think the concepts still stay the same.
In your case I would suggest session cookies along with a login table consisting of user details. This would help you to verify the user on more than one occasion during his/her visit to the site.
A login is checked against a user entry in a table and then a session cookie is created. This session you can choose to never expire also.
You can then on every step check that the user is the user that is supposed to be logged in and get the companies details by checking the username. This would make for a better query in my opinion.
Sessions aren't a lot of work and it's relatively easy to learn.
http://www.php.net/manual/en/book.session.php
http://www.9lessons.info/2010/02/php-login-script-with-encryption.html is a good example of what you can do with this. Have a look around still. There are a bunch of these great tutorials on the web.

What's the safest way to remove data from mysql? (PHP/Mysql)

I want to allow users as well as me(the admin) to delete data in mysql.
I used to have remove.php that would get $_GETs from whatever that needed to be deleted such as... remove.php?action=post&posting_id=2. But I learned that anyone can simply abuse it and delete all my data.
So what's the safest way for users and me to delete information without getting all crazy and hard? I am only a beginner :)
I'm not sure if I can use POSTs because there is no forms and the data isn't changing.
Is sessions good? Or would there be too many with postings, user information, comments, etc.
Ex: James wants to delete one of his postings(it is posting_id=5). So he clicks the remove link and that takes him to remove.php?action=post&posting_id=5.
EDIT: Alright, so now I am a little confused. While I can't be 100% secure, how do I do this with $_POSTs?
SOO I should use GETs to get all the data to remove.php, THEN have a confirmation submit button and when users click on it, it put all the data into POSTs and delete from the dbc?
Deleting records is a kind of a scary practice. If you or someone makes a mistake there's no real recourse to resolve the issue. Expunged records are very hard to resurrect.
Instead of deleting records, you could add an "active" bit (e.g. Boolean) column that is toggled off when users "delete" records. Essentially your users would be suspending records by toggling them off and the records would be saved in case mistakes or abuse but appear "deleted" to the user. To make this work with your other queries, just add a where clause of active = 1.
You could then have a utility script that's run at some specific date interval that would clean out deprecated, past dated records. You'd also need some type of timestamp for this type of maintenance.
Just a thought. Take if for what it's worth.
I'll echo gurun8 in preferring to 'mark' records as deleted, instead of actually removing data. And then obviously, you'll need to check that the authenticated user has permission to delete the post.
However, it seems very important to mention that $_GET is not safe even with authentication because of cross-site request forgery.
Imagine if Amazon adding things to your cart based on a GET request. All I'd have to do is put an image on my page with that URL, and everyone who visited that page and logged into Amazon will have products added automatically.
To match your example, I don't like Jame's post, so i put an image on my site like this:
<img src='http://example.com/remove.php?action=post&posting_id=5'>
And I send him a link to my page, and ask him to check it out, hoping that at the time he's logged in to your site. Because, of course, he clicked that little 'keep me logged in' button.
So you are right to be concerned about using GET. If you don't want to litter pages with forms, then confirm the action by POST.
Well you have to start by authenticating the users with a login script.
If you want the simplest solution possible, then I'd suggest protecting the directory in which you have remove.php with a simple .htaccess username and password.
If different users have different rights for deleting database entries, then you probably should create a PHP login script and use PHP session.
Bonk me if I'm stupid, but I searched for quite some time for a simple PHP login tutorial that could be placed on a real site (doesn't use session_register(), uses mysql_real_escape_string(), htmlspecialchars() etc) and I simply couldn't find one!
Probably this one comes the closest, you just have to replace session_register() variables with $_SESSION ones for it to work without register_globals (default in PHP5).

Categories