I have mysql table members with columns id, user, password, and verified
When a user logs in, using user and password (compared against members-db) they are presented with a form. The form gathers info to be manually checked by an admin.
Upon submitting the form, it will send an email to admin with all the details to manually confirm.
The problem that I am hitting is that admin wants the email to contain a link that will enable him to update the verified field in members table upon clicking. I need to send a previously stored variable with the form to do so. That way I have a link to the members table.
For example, If I store $user_id as the id of whichever row I need to update, and I could send it forward with the form, then I could just use the UPDATE feature WHERE id = $user_id
Here is my form ...
<form method="post" name="verify_form" action="../includes/verify.php">
Website for Online Verification: <input type="text" name="webpage" id="webpage" /><br />
Identification Number: <input type="text" name="number" id="number" /><br />
Expiration Date: <input type="text" name="expire" id="expire" /><br />
<input type="submit" value="Verify Me!" onclick="return vformhash(this.form, this.form.webpage, this.form.number, this.form.expire);" />
<input type="reset" value="Clear Form" />
</form>
Is there a way to send my previously captured $user_id to the verify.php page when user submits?
You could use a hidden field:
<input type="hidden" name="userid" value="<?php echo $user_id; ?>" >
You can use:
<input type='hidden' name='user' value=<?php echo $user_id; ?>>
inside the form.
You could send it in url like
$url = "verify.php?user_id=" . $ user_id;
And access it in verify.php page by
$ user_id = $_GET ['user_id'];
You can use hidden fields: <input type="hidden"....
If the information is sensitive, you should not put it in those hidden fields, but rather store it in the session or otherwise on your server. You can then use a hidden field to store a key that you can use to find those values again later.
If you would use regular session variables, without a key in the form, you might get the issue of finding the wrong value if the user has multiple forms open in multiple tabs.
Two options:
Change your for tag to pass the ID as a GET param :
action="../includes/verify.php?user_id=123"
-or-
Add a hidden field :
<input type="hidden" name="user_id" id="user_id" value="123" />
You will be able to access this value with either $_GET['user_id'] for option #1, or $_POST['user_id'] for option #2 within your PHP script.
When the user logs in, save their ID in a session value such as $_SESSION["userID"]. Then in verify.php you can access $_SESSION["userID"]. It's cleaner than passing the ID back and forth as parameters.
Related
I try to design a save reset-password-page for my scripts. I got very far, but now I could need some help. What I got already:
user puts his mail into a form and the script is sending him a mail with a url the user have to open. parameters: usertype, userid, token.
if the users visits the url he will get to a page, with a form where the token is already inserted. he only needs to click "proceed".
third page shows a form to change the password.
Now I'm a little doubtful with the security of this script. Lets say the attacker knows the mail, the usertype and the userid (would only be people with login, but its possible to know all that). He can now send a password-reset-link to users mail. Not a problem so far.
But he knows that there is a token generated now and can try to brutforce it. For this he calls the 2nd or 3rd page with the known parameters and just trys every token.
To prevent this I put a captcha in the 2nd-page.
But now I need to protect the 3rd page/form. For now I give the token and check it a 2nd time. Thats not nice and makes the 1st-captcha just useless. Giving it another captcha would be possible, but not userfriendly. Checking the captcha after 3rd form is filled is also not userfriendly.
So how can I make sure, the users passed the token-page (with captcha) in my script. So that the user can not just send a POST (e.g. with curl) with input-data of my 3rd-form (the password-change-form).
Thank you in advance.
2nd-form
<form name="confirm" method="GET">
<p>
<label for="confirm">Token
<input type="text" name="confirm" id="confirm_code"
<?php
if(isset($_GET['confirm'])) echo ' value="'.$_GET['confirm'].'"';
?>
></label>
</p>
<p><div class="g-recaptcha" data-sitekey="X" data-callback="checked" data-size="invisible"></div></p>
<p style="text-align:center;">
<input type="submit" value="Proceed">
</p>
<?php
echo '<input type="hidden" name="usertype" value="'.$_GET['usertype'].'">';
echo '<input type="hidden" name="userid" value="'.$_GET['userid'].'">';
echo '</form>';
3rd-form
<form name="change" method="post">
<p>
<label for="pw">New pw
<input type="password" name="pw" id="pw"></label>
</p><p><label for="pw_repeat">Repeat
<input type="password" name="pw_r" id="pw_repeat"></label>
</p><p style="text-align:center;">
<input type="hidden" name="usertype" value="<?php echo $_GET['usertype']; ?>">
<input type="hidden" name="userid" value="<?php echo $_GET['userid']; ?>">
<input type="submit" name="change" value="Change now">
</p>
</form>
Hey I too am a programmer who is getting started and I work mostly on logins and stuff.
Here are my Suggestions:
Add an algorithm that generates some automatic key purely on random basis.
Produce a link based on that random piece of key and a specified set of values(keep that a secret) and also make sure the final generated link is pretty big.
At the second page make sure you ask for a key (You'd send this key straight to his email along with the page link) i.e., the random generated key and then the algorithm magically decrypts to see if the underlying data is the same based on some values attached to his account or something else.
Make sure the link expires in the time needed to brute force through the page
If you can make sure above steps are followed correctly, then even with a bit of discomfort to the user your security will be pretty good. What do you think?
Cheers,
Rj
So if I'm on the login page of my website, I type "Joe Bob" and "111" in the 'Name' and 'MNo' fields, made with with this code:
<form action="userLogin.php" method="post">
Name: <input type="text" name="name"><br><br>
Member Number: <input type="text" name="MNo"><br><br>
<input type="submit" value = "Sign in!">
</form>
On the next page I can take the name and member ID from the inputted field like this:
$name = $_POST["name"];
$MNo = $_POST["MNo"];
Now on that same page I want to have a button that Joe Bob can click that will display his user's history: I'll need his MNo to search the MySQL database, but when I go to the next page, using
<form action = "rentalHistory.php" method = "get">
<input type="submit" value="View my Rental History">
</form>
I'm no longer allowed to use
$MNo = $_POST["MNo"];
The error says "Notice: Undefined index: MNo", which means it is not saving the MNo variable from the previous page: how do I do this?
As you saw, it worked when I had the user input their member number, but I don't want to have to do this every time.
How do I make it so that the user enters the member number at the beginning, and then it can be used for MySQL queries on multiple pages after login?
There are multiple ways of having data follow a user around in php, the foremost I would recommend is using session_start() then assigning values to the session variables.
Another way, but one that I would not recommend is to have the user continue to the next page via a form with hidden attributes <input type="hidden name="MNo" value="value">.
<form action="rentalHistory.php" method="post">
<input type="hidden" name="MNo" value="$_POST[MNo]">
<input type="submit" value="View my Rental History">
</form>
When a $_POST variable is not available after a page load, that means that you have either posted a form that does not contain the variable with the name in it, or that you have done a GET request which will pass the user's name as a query string (This will still not work if no name input, hidden or otherwise, was included in the form).
Try $_GET['name'] first, if that does not work, you need to add to your rental history lookup form a hidden input with the name of name and make the value of it the previously posted $_POST['name'] value.
You can also store user data in the session if you need to access it often, make sure to destroy sessions when applicable!
Kinda strange...
I'm building a shopping cart. When the user types the quantity he wants and hits "add to cart", the <form> action should redirect them with a PHP $_SERVER['QUERY_STRING'] AND some other information (i.e. the product id, fetched in MySQL).
Here's my form, all in a PHP echo...
<?php
echo '<form method="GET" action="cart.php?'.$_SERVER['QUERY_STRING'].'&action=add&item_id='.$data->item_id.'">
<small>Quantity </small><input type="text" size="2" placeholder="1" name="add_quantity">
<input type="submit" name="add_clicked" class="button" value="Add to Cart">
</form>';
?>
Upon submission, the URL redirects to cart.php but only includes the query string, but leaves out the item id and the action=add.
Supposing I typed '2' in the quantity box, the URL looks like this cart.php?add_quantity=2 and nothing after that.
Would appreciate help!
Thanks!
When you submit a form via GET, the form data submission process will overwrite any existing query string that might be set in the address you put into the action attribute.
Use hidden form fields instead to transport your additional values.
(And as #Simon already said in his comment, go read up on what you have to do to prevent XSS when outputting data that was send from the client before.)
Submitting a form with GET will overwrite any query string you'd put in the url (I'm not sure what you wanted to do with your $_SERVER['QUERY_STRING'] though as that would give the query string used to access the page where your form is.
What you'll want to do is to use hidden input fields in your form for your action and item_id attributes.
<form method="GET" action="cart.php">
<input type="hidden" name="action" value="add"/>
<input type="hidden" name="item_id" value="<?=$data->item_id?>"/>
<small>Quantity </small><input type="text" size="2" placeholder="1" name="add_quantity">
<input type="submit" name="add_clicked" class="button" value="Add to Cart">
</form>
Upon submission this will go to the url cart.php?action=add&item_id=1234&add_quantity=2
Alternatively you could (and most likely should) submit the form via POST; then any data in the form will be sent as POST parameters and the query string parameters defined in your action will be kept.
Pass the info in the query strings via a hidden field. So let's assume you're passing the account number in the query string, it would look like this:
<input type="hidden" name="account_number" value="$account_number">
I'm trying to login to a site and from there i want to send a message with the form available there. It looks like
<form method="POST" action="pm.php">
To: <input type="text" name="user" />
<input type="hidden" name="pm_tid" value="ef0gjpmgwag5g21agjg" />
<input type="hidden" name="box" value="new" />
Subject: <input type="text" name="subject" />
message: <textarea name="text"></textarea>
<input type="submit" value="Send" />
</form>
I managed to enter the login and to the page where is the message send form but in that html code you can see that there is a hidden random hash value which changes after every reload. I want to get that correctly and post in the form. Only then my message will be sent. Please don't say that it's IMPOSSIBLE. It is possible. One of my classmate succeeded in it but he is not helping me.
Please try to help me.
This looks like CSRF protection. The usual implementation for this is to store the token in a cookie (or server session if a session token cookie is used) and then compare it to the token in the form.
You need to:
request the HTML document containing the form
store the cookies you get at the same time (assuming that they come with the form)
parse the html to get the token from the input
make the request to pm.php including the token and the cookie
Another lame question
So, I have a site that displays several students' requests to change advisors, with an Approve and Deny button for each student. Then I have a Javascript pop-up that confirms the decision when clicked on either button, and it will also e-mail the student about this decision. This should all be on one page as well.
How do I specify which student I will update and e-mail to? I know the query will be like $query = "UPDATE student set current_advisor = ".$requested_advisor." where SID = ".$sid, but how do I specify which student I'm doing this for?
I have only worked with php forms, where you have the user type in the information, but in this case, all the data is there already...
$sid is the id of the student you want to update... It depends how you're building the page. You can either insert a form for each student, as follows:
// for each student
<form method="post">
<input type="hidden" value="the-sid" name="SID"/>
<input type="submit" value="confirm" name="type" onclick="return confirm('Sure?');"/>
<input type="submit" value="deny" name="type" onclick="return confirm('Sure?');"/>
</form>
// end for each
Then when the user clicks either approve or deny, you're $_POST array in PHP will be filled with:
array("SID"=> $theSID, "type" => "confirm or deny");
You have a couple options for doing something like this.
If you want to do it with actual <form>s, then you'd do this by putting the information you need in "hidden" form fields. For example, you can have something like this in each form:
<input type="hidden" name="SID" value="4" />
And use PHP to fill in the value for each hidden field when you're generating the HTML.
Another option is to just have the buttons open a link, instead of submitting a form. In that case, you can pass the values you need as "GET" parameters on the URL, like this:
http://yoursite.com/change_advisor.php?SID=4&new_advisor=18
And then have the change_advisor.php file use the variables $_GET['SID'] and $_GET['new_advisor'] to do the query you need.
i'm not sure if this is what you want exactly, but if you wanted a list of advisors and the option to approve or deny each you could do for each advisor
<?php foreach($advisors as $advisor): ?>
<form method="post" action="somewhere">
<input type="hidden" name="id" value="<?php echo $advisor['id']; ?>" />
<input type="submit" name="result" value="Approve" onclick="return confirm('Are you sure you want to approve this advisor?')" />
<input type="submit" name="result" value="Deny" onclick="return confirm('Are you sure you wish to deny this advisor?')" />
</form>
<?php endforeach; ?>
Then that sends to your script a post array which should contain whether it was approved or denied, then you can handle it from there using the id variable to identify your record against your primary key.
Hope this helps :)