This question already has answers here:
How can I prevent SQL injection in PHP?
(27 answers)
Closed 9 years ago.
I'm currently developing a web interface in PHP/HTML for a Database course project.
Basically, there is an input field :
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
that allows one to search for things in my DB.
Yesterday evening, after uploading my new index.php, I refreshed the page and there was (was I though it was) some sort of Injection because my page was entirely filled with spam ("YO MAMAYO MAMAYO MAMA etc,").
I secured the form using the "htmlspecialchars()" php function. And once again, I just uploaded the new index.php just 10 mins ago and the page was filled with "YO MAMA" right after I refreshed.
Has anyone an idea about that ? And how can I check/secure my page ?
Thanks
EDIT : The code of the form is the following :
<div id="searchbox">
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
Query database : <input type="text" id="field" name="query">
<input type="submit" name="submit" value="Search!">
</form>
</div>
and I just secured with :
if(isset($_POST['query']) && !empty($_POST['query'])) {
$param = htmlspecialchars($_POST['query'], ENT_QUOTES);
...
The inputs I can give are anything, the goal is to search for people or events or etc.
I only have a database class file which I include in my index.php
EDIT2 :
Sql query is the following :
SELECT p.idParticipant As id, a.name AS name, c.countryName AS country,
count(g.idGame) AS countGames
FROM Athlete a, Country c, Game g, Participant p, Event e
WHERE a.idAthlete = p.fkAthlete
AND p.fkCountry = c.idCountry
AND p.fkGame = g.idGame
AND g.idGame = e.fkGame
AND a.name LIKE '%$param%'
GROUP BY a.name
ORDER BY a.name;
In addition to use real_escape_string function (with mysqli or PDO), I would change FTP password AND database user and password.
Whitelist you input let say if only string is allowed use is_string() to verify it.
Use PDO and parameterized queries. Stop creating queries by concatenating input.
And stop using the mysql_* set of functions. Right now. Every time you type it in a php source file, $deity kills a kitten. Stop this slaughter please.
Related
This question already has answers here:
JavaScript: client-side vs. server-side validation
(13 answers)
Closed 4 years ago.
Im currently working on a register form, and I decided to add some required fields, like email, password etc..
The only validation i want to do on the required fields is simply not null, so i used the required attribute inside of an input element.
Is this safe? Or do i need to use additional PHP validation?
A server side validation is better (if we can't even say needed), and it's really easy to make.
Here's an example if needed :
if(!empty($_POST['pseudo']) && !empty($_POST['password'])) {
//Prevent SQL injection (if you use DB here)
$pseudo = addslashes($_POST['pseudo']);
$password = addslashes($_POST['password']);
}
addslashes() isn't the best way but work on any DB engine, for example it's better to use mysql_real_escape_string() if you have a MySQL engine.
And the associated form :
<form method="post" action="#">
<label for="pseudo">Identifiant</label>
<input type="text" name="pseudo" required>
<label for="password">Mot de passe</label>
<input type="password" name="password">
<input type="submit" value="Connexion" required>
</form>
Using a webpage to send you a form is not the only way in form sending.
Someone can sends you forms with other devices or can skirt your required fields and send you empty data or undesirable data like PHP Injections.
You should make a server side validation.
It might be safe, as far as the most recent browser fully support the attribute. But I don't know what happen if someone use an old version of a browser, so if you're scared about that, a PHP validation won't be too much.
If you want a good example of a registration form, just ask me in private, I'll send it to you !
I need some help with updating query (html, php, mysql).
So I tried updating mySQL query (signature) connected with HTML. But I often face some problems.
I'd like to update a query (signature) by typing new signature in a form and a button that will submit action and change.
So basically I want to update user's signature when he types new one in a field and submits (presses a button).
If anyone can make a basic system for me so we will look forward successfully making the system.
Edit:
Yeah I know that nobody will write the script for me but I'm just out of ideas how could it be made. I'm no professional at all. I apologize for that :)
Anyway, this is the code:
<form action="update_signature.php">
<input type="text" name="txt" />
<input type="submit" name="insert" value="insert" onclick="insert()" />
</form>
I'm not sure what should I type in update_signature.php so I wrote a simple query:
<?php
$myq = mysql_query("UPDATE userSignature FROM users WHERE userSignature='$signature'")
$row=mysql_fetch_array($myq);
?> `
Thanks :)
I like how StackOverflow does not allow comments under 50 reputation...
The HTML code should have a "method", but if you skip it, it just posts as a "get", so not really a problem. In the "onclick" parameter however, you give it a JavaScript function, which does not exist?
The PHP is a mess. First, you need to retrieve the sent value with
$something = $_GET['txt'];
This puts the value what was left in the input with the name txt into a variable.
Second, the UPDATE syntax is totally different, it's more like
"UPDATE table SET column = '$phpvariable', etc... WHERE column2 = '$phpvariable2'"
where column is the name of the column in your table, and the query is successful in the lines where the column2 value is equal to the $phpvariable2.
Third, the UPDATE returns with a yes or no (success or not), not with an array.
This question already has answers here:
How can I combine two strings together in PHP?
(19 answers)
Closed 7 years ago.
I am making a website that gets information about a bitcoin wallet balance. What I am trying to achieve is for whatever the persons text input is to be sent to the link but sent like "http://link.com/ + input"
I am new to PHP so I am not sure what to do next or what I have done wrong so far.
<?php
echo ' <form action="https://blockchain.info/q/addressbalance/" method="post">
BTC Address: <input type="text" name="address"><br>
<input type="submit" value="Submit">
</form>'
$input = $_POST['post'];
echo $input
?>
Old Answer:
Use string concatenation.
For example:
$link = "http://link.com" . $input;
Update:
It seems like what you actually want to do is to redirect the user based on their input. For this, you should use the header() function.
Here is an example as to how you can use the function for redirection purposes.
header('Location: ' . $link);
die();
Note that this must go at the very top of the page, before any HTML is outputted. (So of course, your code for $link should go before it as well)
As for your <form action="https://blockchain.info/q/addressbalance/" method="post">, you will want to change the action to the current document. This is because $_POST['post'] only receives data after you pressed submit. Changing it to action="" generally defaults to this behavior.
This question already has answers here:
HTML Form to post on php page
(3 answers)
Closed 9 years ago.
Sorry if this has been asked before.
But what is the simplest method to post some text to a site and then display it like on a blog. I don't want it to be a blog, just a textarea, where you can type some text and submit. Like so:
<h1>Post</h1>
<form action="post.php" method="POST">
<textarea name="texty" id="texta" cols="30" rows="10"></textarea>
<input type="submit" value="Post!"/>
</form>
Can someone help me with the PHP to transfer that information and post it on the site so that it stays there like a blog. Any help is appreciated.
just :
<?php
if(isset($_POST['texty'])){
echo htmlentities($_POST['texty'])
}
?>
And look Mysql ;)
INSERT INTO...
You can access POST data via $_POST[] see http://php.net/manual/en/reserved.variables.post.php.
To store it permanently you need to use a data store, one would be a database such as MySQL. That's another chapter though and is not in the scope of this question.
i think u can send the form by ajax : $('form').ajaxForm({url: 'respond.php', success:function(data){ $('.blog').append(data)}}) and in respond.php u should insert the input into database like => if(isset($_POST['submit']) and !empty($_POST['texty'])){ $input = mysql_real_escape_string($_POST['text']); $input = htmlentities($input); now u can insert $insert = mysql_query("insert into tablename(input) values('{$input}') "); if($insert){ echo $input ; } i am new in php. so i think this works
I'm looking for any direction on a really quick and dirty webpage. I'm going to have two static items, say person A and person B. I would like to click a (+) or (-) button next to each of them which then increments or decrements an integer that's displayed relative to each person.
Anyone having a quick tut or anything would be useful.
Aside from this, how hard would it be to keep a viewable log of each time the value was altered either incremented or decremented, would it be easy to add in date/time to that?
Edit
Alright, concerning mysql. I have a db already setup from a previous wordpress installation. I'm going to create a new tables named 'points', should this have 2 fields? One for a person A and one for a person B?
Since you want it to remember the value between sessions (ie- if I incremented the counter, left the website, and came back, I expect it to still be incremented) you need to store the value server-side. Databases are the best recommendation for this.
If you're planning to use PHP (which I assume from the tags), then MySQL is one of the easiest databases to implement. If you already have a MySQL database set up at your host, then this will be easy. If not, how to set up a MySQL database will be another question you need to ask.
Since you want quick and dirty the best method would be a form. Either POST or GET (preferably GET if you want people to send a "vote up this image" link, preferably POST if you don't want such links to be possible). This is easy, but it also requires reloading the page which is why modern voting systems use AJAX calls (javascript).
Your HTML form would look something like this:
<!-- Person A goes here -->
This person has a score of <!-- We'll do this soon -->.
<form method="get" <!-- or post --> action="vote.php">
<input type="submit" name="submit_button" value="Vote Up!" />
<input type="submit" name="submit_button" value="Vote Down =(" />
<input type="hidden" name="person" value="A" />
</form>
<!-- Similar for person B -->
Note that <!-- --> is the syntax for an HTML comment (these will be removed in the final website)
In vote.php you would need to first see if the form was submitted, then see WHICH submit button was pressed (vote up or down), then see which person it applies to. Then we do our database entry.
<?php
if(isset($_GET['submit_button'])){
// They submit the form
$add = ($_GET['submit_button'] == 'Vote Up!') ? 1 : -1;
$person = $_GET['person'];
$link = mysql_connect('localhost', 'user', 'password');
mysql_select_db('database', $link);
mysql_query("UPDATE table SET value=value+$add WHERE person=$person");
} else {
die("You didn't submit the form =(");
}
?>
Mind you this is a REALLY dirty method (there is no parsing of the query and no checks made. This is very susceptible to an SQL injection. Do NOT use this in a database with important information. In fact- probably don't use this at all without a few changes =) )
Now then, this basically takes the table table, finds the entry where person equals whatever person was selected (chosen by which form was used to submit), then adds either +1 or -1 to value. You can change any of these variable names in your own table. The next step: reading the value to display on the previous page. Remember that before I just had the comment <!-- we'll do this soon -->. We'll get to that now.
In the beginning of your first page you want to read the database. This means your first page must also be PHP.
<?php
$link = mysql_connect('localhost', 'user', 'password');
mysql_select_db('database', $link);
$result = mysql_query("SELECT value FROM table WHERE person=A");
...
Now you have a MySQL resource, but you need the value out of it.
...
$row = mysql_fetch_row($result);
...
And now we display it with the information.
<!-- Person A goes here -->
This person has a score of <?php echo $row[0]; ?>.
<form method="get" <!-- or post --> action="vote.php">
<input type="submit" name="submit_button" value="Vote Up!" />
<input type="submit" name="submit_button" value="Vote Down =(" />
<input type="hidden" name="person" value="A" />
</form>
Then you repeat for person B. This is really the dirtiest method since it involves one call to the database per person. Ideally you'd grab all values you want in a single call and then iterate over the returned resource and determine who was who. Or, if you really wanted to be fancy, you could already know who was who by using SORT ASC =)
Like I said, though, this is the quickest, easiest, and dirtiest method to do what you want using PHP and MySQL.
Anyway I'd go for the database storing of person data and increment by id .
This is the flow for it :
Create mysql or mysqli database "person", create table "rates" id - autoincrement
rate will be integer.
Create php file with database connection and the functions related to it.
you can use same file to create increment function, when row is the result from the integer relative to this entry :
$rate = $row['rate'];
function incvar(){
global $rate;
if(isset($rate) || $rate>0){
return $rate++;
}
}
function decvar(){
global $rate;
if(isset($rate) || $rate>0){
return $rate--;
}
}
Now create query updating existing fields with results from those functions.
Ideally is to create ajax request onclick to this file to increase and decrease the integer. For fast execution use jquery.