I have made this form and I want to ask whether it is safe enough. I tried many times to make a captcha thingie but it won't work for me. I am still a student, please don't send too hard things.
Question 1 : Is mysql_real_escape_string safe enough?
Question 2 : I need a really simple (numeric) captcha, can someone send me an example (or another Stack post)?
This is going to be used on an informatics site just as a mail form. On that site there are no databases/logins and such.
<?php
include '../connect.php'; #db connection for mysql_real_escape_string
$errors = array();
// check whether submit was pressed and whether all required data was filled in
if(isset($_POST['submit'])){
if(!empty($_POST['naam']) && !empty($_POST['email']) && !empty($_POST['bericht'])){
$naam = mysql_real_escape_string($_POST['naam']);
$email = mysql_real_escape_string($_POST['email']);
$bericht = mysql_real_escape_string($_POST['bericht']);
$telefoon = mysql_real_escape_string($_POST['telefoon']);
$regex = "/^[A-Za-z .'-]+$/";
if(!preg_match($regex,$naam)) {
array_push($errors , 'De naam is niet geldig');
}
if(strlen($bericht) < 5) {
array_push($errors , 'Het bericht is te kort');
}
$email_regex = '/^[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}$/';
if(!preg_match($email_regex,$email)) {
array_push($errors , 'Uw email is niet geldig.');
}
// Here comes the mail part.
}else{
array_push($errors , 'Een van de verplichte velden is niet ingevuld. Alle velden met * zijn verplicht.');
}
}
?>
<form method="post">
<p>
<label>naam*</label>
<input type="text" name="naam"/>
</p>
<p>
<label>email*</label>
<input type="text" name="email"/>
</p>
<p>
<label>telefoon</label>
<input type="text" name="telefoon"/>
</p>
<p>
<label>Bericht*</label>
<textarea name="bericht" style="width:459px; height:187px;" ></textarea>
</p>
<p>
<label> </label>
<input type="submit" value="verstuur" name="submit"/>
</p>
</form>
<?php
if (count($errors) > 0){
foreach($errors as $error){
echo '<p class="error">'.$error.'</p>';
}
}
?>
Is mysql_real_escape_string safe enough?
It is a poor solution for protecting a MySQL database.
It is completely inappropriate for sending email.
Whatever you do to protect bad data from corrupting your email, it should be done just before the data is inserted into that email — not before you run sanity checks over it.
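A way to structure the handler along those lines, written as an added example (it is not the asker's code and not part of this answer): the raw input is validated first, and each sink gets its own treatment at the point of use, so nothing is "escaped" up front. The field names and Dutch messages are the ones from the posted form; the simple numeric captcha, the session key `captcha`, the helper names and the `example.com` addresses are assumptions for this example.

```php
<?php
// Added example, not the asker's code. Validate raw input, then escape per sink.
session_start();

function validate_contact(array $post): array {
    $errors   = [];
    $naam     = trim($post['naam'] ?? '');
    $email    = trim($post['email'] ?? '');
    $bericht  = trim($post['bericht'] ?? '');
    $telefoon = trim($post['telefoon'] ?? '');

    if ($naam === '' || $email === '' || $bericht === '') {
        $errors[] = 'Een van de verplichte velden is niet ingevuld. Alle velden met * zijn verplicht.';
    }
    if (!preg_match('/^[A-Za-z .\'-]+$/', $naam)) {
        $errors[] = 'De naam is niet geldig';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Uw email is niet geldig.';
    }
    if (strlen($bericht) < 5) {
        $errors[] = 'Het bericht is te kort';
    }
    // Simple numeric captcha: the expected answer was stored server-side when the
    // form was rendered (see captcha_question()). Compare in constant time.
    $expected = (string)($_SESSION['captcha'] ?? '');
    if ($expected === '' || !hash_equals($expected, (string)($post['captcha'] ?? ''))) {
        $errors[] = 'De captcha is niet correct.';
    }
    unset($_SESSION['captcha']); // one attempt per rendered form

    return ['errors' => $errors,
            'data'   => $errors ? null : compact('naam', 'email', 'bericht', 'telefoon')];
}

// Sink 1: e-mail headers. A CR or LF in a header value would let the sender append
// extra headers (more recipients, for instance), so such values are refused, not escaped.
function header_value(string $v): string {
    if (preg_match('/[\r\n\0]/', $v)) {
        throw new InvalidArgumentException('newline in header value');
    }
    return $v;
}

// Sink 2: HTML output. Escape at echo time, never when storing or validating.
function h(string $v): string {
    return htmlspecialchars($v, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function send_contact(array $data, string $to): bool {
    // User-supplied text goes into the body; the From header is fixed, and the
    // visitor's (validated) address is only used as Reply-To.
    $headers = "From: website@example.com\r\n"
             . 'Reply-To: ' . header_value($data['email']) . "\r\n";
    $body = "Naam: {$data['naam']}\nTelefoon: {$data['telefoon']}\n\n{$data['bericht']}";
    return mail($to, 'Contactformulier', $body, $headers);
}

// Rendering the form: fresh arithmetic question, answer kept in the session only.
function captcha_question(): string {
    $a = random_int(1, 9);
    $b = random_int(1, 9);
    $_SESSION['captcha'] = (string)($a + $b);
    return "Wat is $a + $b?";
}

if (isset($_POST['submit'])) {
    $result = validate_contact($_POST);
    if ($result['data'] !== null) {
        send_contact($result['data'], 'info@example.com'); // assumed recipient
        echo '<p>Bedankt, uw bericht is verstuurd.</p>';
    }
    foreach ($result['errors'] as $error) {
        echo '<p class="error">' . h($error) . '</p>';
    }
}
?>
<form method="post">
<p><label>naam*</label><input type="text" name="naam" value="<?= h($_POST['naam'] ?? '') ?>"/></p>
<p><label>email*</label><input type="text" name="email" value="<?= h($_POST['email'] ?? '') ?>"/></p>
<p><label>telefoon</label><input type="text" name="telefoon" value="<?= h($_POST['telefoon'] ?? '') ?>"/></p>
<p><label>Bericht*</label><textarea name="bericht"><?= h($_POST['bericht'] ?? '') ?></textarea></p>
<p><label><?= h(captcha_question()) ?></label><input type="text" name="captcha"/></p>
<p><input type="submit" value="verstuur" name="submit"/></p>
</form>
```

Note that no `mysql_real_escape_string` call appears anywhere: the form has no database, so there is no SQL sink to escape for, and escaping for one sink (SQL) does nothing for the two that are actually present (mail headers and HTML).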
I'm creating a member area! I included a condition in order to insert a profile picture for the member.
It doesn't show any errors! The problem is that the picture cannot be inserted into the database. What should I do?
HTML:
<form method="POST" action="" enctype="multipart/form-data">
<label >Pseudo : </label>
<input name="newpseudo" type="text" placeholder="pseudo" value="<?php echo $user['pseudo']; ?>" /><br/><br/>
<label>email : </label>
<input name="newmail" type="email" placeholder="mail" value="<?php echo $user['mail'];?>" /><br/><br/>
<label>mot de passe : </label>
<input name="newmdp1" type="password" placeholder="mot de passe"/><br/><br/>
<label>confirmation du mot de passe : </label>
<input name="newmdp2" type="password" placeholder="confirmation du mot de passe"/><br/><br/>
<label>avatar :</label>
<input type="file" name="avatar"></input><br/><br/>
<input type="submit" name="formedition" value="Mettre a jour mon profil !">
</form>
PHP:
<?php
if(isset($_FILES['avatar']) and !empty($_FILES['avatar']['name']))
{
$tailleMax = 2097152;
$extensionsValides = array('jpg','jpeg','gif','png');
if($_FILES['avatar']['size'] <= $tailleMax)
{
$extensionUpload = strtolower(substr(strrchr($_FILES['avatar']['name'], '.'), 1));
if(in_array($extensionUpload, $extensionsValides))
{
$chemin = "membres/avatars/".$_SESSION['id'].".".$extensionUpload;
$resultat = move_uploaded_file($_FILES['avatar']['tmp_name'], $chemin);
if($resultat)
{
$updateAvatar = $bdd -> prepare('UPDATE membres SET avatar = ? WHERE id=?');
$updateAvatar -> execute(array(
'avatar' => $_SESSION['id'].".".$extensionUpload ,
'id ' => $_SESSION['id']
));
header("location:profil.php?id=" . $_SESSION['id']);
}
else
{
$msg = " erreur lors de l'importation de votre photo de profil ";
}
}
else
{
$msg =" votre photo de profil doit etre au forme de jpeg png gif ou jpg";
}
}
else
{
$msg = "votre photo de profil ne doit pas depasse 2 MO ! ";
}
}
?>
This is not a solution, but rather a series of steps you can take to QUICKLY solve this problem yourself.
"Divide and conquer". Instead of troubleshooting the entire app, all at once, break it up into smaller pieces (temporarily, for testing) and troubleshoot each piece.
First, copy your PHP code into a separate file - test.php or some such. Hard code some information to replace the data received in the $_POSTs, and run the file. Does the data go into the database? Probably not. Fix that and copy the fix into your original PHP file. Is everything fixed now?
If not, then copy your original PHP file and call it test2.php. Now, instead of putting the data into the database, just echo it out to the screen. What do you see?
Create a log file and write messages into it at various points in the code. Because PHP does not usually abort with an error message -- it just silently stops -- you need to give yourself some "eyes" to see what's going on:
$handle = fopen('__logfile.txt','a');
$line = 'Got to here 01' . "\n";
fwrite($handle, $line);
fclose($handle);
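Once the logging has shown where the flow stops, this is the shape the upload handler can take; it is an added example, not the asker's code or this answer's. It keeps the question's `$bdd` PDO object, `$_SESSION['id']`, the `membres` table and the French messages; the type check with `finfo`, the server-chosen file name, and the directory and size limit are assumptions. The main defensive point is that the file's type is decided from its bytes rather than from the client-supplied name, and that the row update passes a 0-indexed array, which is what positional `?` placeholders expect.

```php
<?php
// Added example, not the asker's code: validated avatar upload plus row update.
session_start();

function store_avatar(array $file, int $userId, string $dir, int $maxBytes = 2097152): array {
    // Reject anything PHP itself flagged (partial upload, larger than php.ini allows, ...).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'msg' => "erreur lors de l'importation de votre photo de profil"];
    }
    if ($file['size'] > $maxBytes) {
        return ['ok' => false, 'msg' => 'votre photo de profil ne doit pas depasser 2 MO !'];
    }
    // Decide the type from the bytes, not from $_FILES['avatar']['name'] or ['type'],
    // both of which are sent by the client.
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime]) || @getimagesize($file['tmp_name']) === false) {
        return ['ok' => false, 'msg' => 'votre photo de profil doit etre au format jpeg, png ou gif'];
    }
    // Server-chosen name: the user id plus the extension matching the detected type.
    $name = $userId . '.' . $allowed[$mime];
    $path = rtrim($dir, '/') . '/' . $name;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $path)) {
        return ['ok' => false, 'msg' => "erreur lors de l'importation de votre photo de profil"];
    }
    return ['ok' => true, 'name' => $name];
}

function save_avatar_name(PDO $bdd, int $userId, string $name): void {
    // Positional placeholders are bound from a 0-indexed array, in order.
    $stmt = $bdd->prepare('UPDATE membres SET avatar = ? WHERE id = ?');
    $stmt->execute([$name, $userId]);
}

if (isset($_FILES['avatar']) && ($_FILES['avatar']['name'] ?? '') !== '') {
    $userId = (int)$_SESSION['id'];
    $result = store_avatar($_FILES['avatar'], $userId, __DIR__ . '/membres/avatars'); // assumed directory
    if ($result['ok']) {
        save_avatar_name($bdd, $userId, $result['name']);
        header('Location: profil.php?id=' . $userId);
        exit;
    }
    $msg = $result['msg'];
}
```

Enable `PDO::ERRMODE_EXCEPTION` on `$bdd` while testing this; with the default silent mode a failing `execute()` just returns `false`, which is exactly the "no errors, nothing in the database" symptom described in the question.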
I tried to make a database where I could store people's IP addresses, so the same IP address couldn't subscribe twice. I already know how to get someone's IP address but I don't know how to insert it into my database. Here is my code:
// Connect to MySQL
$mysqli = new mysqli( '***', '***', '***', 'inschrijven' );
// Check our connection
if ( $mysqli->connect_error ) {
die( 'Kan niet verbinden met database. Probeer het later opnieuw. ' . $mysqli->connect_errno . ': ' . $mysqli->connect_error );
}
// Insert our data
$sql = "INSERT INTO inschrijven ( naam, email, aantal,ip) VALUES ( '{$mysqli->real_escape_string($_POST['naam'])}', '{$mysqli->real_escape_string($_POST['email'])}', '{$mysqli->real_escape_string($_POST['aantal'])}'";
// validate agree unless you want to add 'checked' to one of the values
$insert = $mysqli->query($sql);
// Print response from MySQL
if ( $insert ) {
echo "U bent succesvol ingeschreven! U heeft bootnummer: {$mysqli->insert_id}. Op de naam: . U krijgt hiervan nog een bevesteging op uw mail, uw bootnummer kan nog veranderen. Hopelijk zien we u op de BotenBouwDag 2016!";
} else {
die("Error: {$mysqli->errno} : {$mysqli->error}");
}
$mysqli->close();
}
?>
<HTML>
<head>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<title>
Welkom op de officiële site van de BotenBouwDag 2016
</title>
</head>
<body>
<form method="post" action="">
<input name="naam" id="naam" type="text">
<input name="email" id="email" type="email" autocomplete="off">
<input name="aantal" id="aantal" type="number">
<input type="radio" name="eten"> Ja
<input type="radio" name="eten"> Nee
<input type="submit" id="submit" value="Verstuur Informatie">
</form>
<div id="ip"></div>
<div id="address"></div>
<script type="text/javascript">
$.get("http://ipinfo.io", function (response) {
$("#ip").html("IP: " + response.ip);
document.getElementById('city').value = response.city;
}, "jsonp");
</script>
</body>
</HTML>
If I got it right, you should add this to your VALUES part:
VALUES ( '{$mysqli->real_escape_string($_POST['naam'])}', '{$mysqli->real_escape_string($_POST['email'])}', '{$mysqli->real_escape_string($_POST['aantal'])}','{$mysqli->real_escape_string($_SERVER['REMOTE_ADDR'])}'
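The same insert done with a prepared statement, as an added example that is not the asker's code or part of this answer. It uses the `inschrijven` table and column names from the question and `$_SERVER['REMOTE_ADDR']` as the IP source (the web server fills that in; the address the page fetches from ipinfo.io in the browser is just another value the visitor controls and should not be trusted for a "one subscription per IP" rule). The `UNIQUE` index on `ip` that makes the database enforce the rule is an assumption, as are the `subscribe()` helper and the error messages.

```php
<?php
// Added example, not the asker's code. Assumes the table has a unique index on ip:
//   ALTER TABLE inschrijven ADD UNIQUE KEY uniq_ip (ip);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions

function subscribe(mysqli $db, string $naam, string $email, int $aantal, string $ip): array {
    $stmt = $db->prepare('INSERT INTO inschrijven (naam, email, aantal, ip) VALUES (?, ?, ?, ?)');
    $stmt->bind_param('ssis', $naam, $email, $aantal, $ip); // values never touch the SQL text
    try {
        $stmt->execute();
    } catch (mysqli_sql_exception $e) {
        if ($e->getCode() === 1062) { // ER_DUP_ENTRY: this IP has already subscribed
            return ['ok' => false, 'msg' => 'Dit IP-adres is al ingeschreven.'];
        }
        throw $e;
    }
    return ['ok' => true, 'id' => $db->insert_id];
}

$mysqli = new mysqli('***', '***', '***', 'inschrijven'); // credentials as in the question

// Validate before inserting; REMOTE_ADDR is set by the server, not by the page's JavaScript.
$naam   = trim($_POST['naam'] ?? '');
$email  = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL);
$aantal = filter_var($_POST['aantal'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
$ip     = filter_var($_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);

if ($naam === '' || $email === false || $aantal === false || $ip === false) {
    die('Vul naam, e-mail en aantal correct in.');
}

$result = subscribe($mysqli, $naam, $email, $aantal, $ip);
if ($result['ok']) {
    echo 'U bent succesvol ingeschreven! U heeft bootnummer: ' . (int)$result['id'] . '.';
} else {
    echo htmlspecialchars($result['msg'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
$mysqli->close();
```

Letting the unique index decide avoids the check-then-insert race you get from a separate `SELECT` first, and the `1062` branch turns the duplicate into a normal message instead of a `die()` that prints the raw MySQL error to the visitor. Keep in mind that several people behind one NAT share a `REMOTE_ADDR`, so the rule blocks them as well.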
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 7 years ago.
I am trying to make an HTML form with PHP verification, but trying to submit the form with at least one filled text field will say that the emails don't match (self-made part of the code that should not be displayed).
<?php
error_reporting(0);
if(isset($_POST["submit"])){
//File Verification
if(empty($_POST['username']) && empty($_POST['password1']) && empty($_POST['password2']) && empty($_POST['email1']) && empty($_POST['email2']) && empty($_POST['bday'])){
echo"Kom op, vul alles in";
echo "<meta http-equiv='refresh' content='5;URL=register.php' />";
exit();
}
else{
$email1 = $_POST['email1'];
$email2 = $_POST['email2'];
$pass1 = $_POST['password1'];
$pass2 = $_POST['password2'];
if(email1 == email2){
if(pass1 == pass2){
}
else{
echo "<meta http-equiv='refresh' content='5;URL=register.php' />";
echo"Je wachtwoorden komen niet overeen";
exit();
}
}
else{
echo "<meta http-equiv='refresh' content='5;URL=register.php' />";
echo "Je email gegevens komen niet overeen";
exit();
}
}
}
else{
$form = <<<EOT
<form method="post" action="register.php">
Gebruikersnaam: <input type="text" name="username" placeholder="type hier je gebruikers naam"/><br /><br />
wachtwoord: <input type="password" name="password1" placeholder="type hier je wachtwoord"/><br /><br />
wachtwoord opnieuw: <input type="password" name="password2" placeholder="type je wachtwoord opnieuw in"/><br /><br />
email: <input type="text" name="email1" placeholder="type hier je email"/><br /><br />
email opnieuw: <input type="text" name="email2" placeholder="type hier je email opnieuw"/><br /><br />
Geboorte datum: <input type="date" name="bday" placeholder="type je geboorte datum hier"/><br /><br />
<input type="submit" name="submit"/>
</form>
EOT;
echo $form;
}
?>
It just shows
else{
echo "<meta http-equiv='refresh' content='5;URL=register.php' />";
echo "Je email gegevens komen niet overeen";
Try changing:
if(email1 == email2){
if(pass1 == pass2){
to:
if($email1 == $email2){
if($pass1 == $pass2){
You've got a typo: pass1 == pass2.
Also, you may want to change from:
if(empty($_POST['username']) &&...
to
if(empty($_POST['username']) OR...
I'm making a basic lottery script and I'm getting the same error the whole time: Unexpected T_Variable on line 5. Here is my script, I hope someone can help me:
<?php
$invulcijfer = '';
if (isset($_POST['sumbitBtn']))
{
$invulcijfer = $_POST['cijfer'];
$pinda = preg_replace("/[^0-9]/", "", $invulcijfer);
$lotnummer = "1234"; // Your 4 digits for the ticket number go here
if($invulcijfer = '') {
echo "<font color='#FF000'>Je moet alles invullen</font>";
} else if($pinda !== $invulcijfer) {
echo "<font color='#FF000'>Dat zijn geen cijfers</font>";
} else {
if ($pinda == $lotnummer) {
echo "<font color='green'>WAUW! Het is je gelukt!</font>";
} else {
echo "<font color='#FF000'>Sorry, het is niet gelukt..</font>";
// Maybe an update query so they get minus points or something? Whatever you want
}
}
}
}?>
<br><br>
<h3>Loterij Script</h3>
<font color="green">Typ 4 cijfers in en misschien win jij!</font><br><br>
<form action="" method="post">
<input type="text" id="naam" name="naam" maxlength="4"/><br>
<input type="text" id="cijfer" name="cijfer" maxlength="4"/><br>
<input type="submit" id="submitBtn" name="submitBtn" value="Check je lot"/>
</form>
EDIT
I spotted a few errors:
THIS:
if (isset($_POST['sumbitBtn']))
it needs to read as
if (isset($_POST['submitBtn']))
there was a spelling mistake.
Also if($invulcijfer = '') { needs to be if($invulcijfer == '') {
You have one closing brace too many.
Remove the one in }?> and your script will work.
This is the code that I ran, deleting the extra closing brace.
EDIT #2 (fixed conditions and spelling mistake for submit button).
<?php
$invulcijfer = '';
if (isset($_POST['submitBtn']))
{
$invulcijfer = $_POST['cijfer'];
$pinda = preg_replace("/[^0-9]/", "", $invulcijfer);
$lotnummer = "1234"; // Your 4 digits for the ticket number go here
if($invulcijfer == '') {
echo "<font color='#FF000'>Je moet alles invullen</font>";
}
elseif ($pinda !== $invulcijfer){
echo "<font color='#FF000'>Dat zijn geen cijfers</font>";
} else {
if ($pinda == $lotnummer) {
echo "<font color='green'>WAUW! Het is je gelukt!</font>";
}
else {
echo "<font color='#FF000'>Sorry, het is niet gelukt..</font>";
// Maybe an update query so they get minus points or something? Whatever you want
}
}
}
?>
<br><br>
<h3>Loterij Script</h3>
<font color="green">Typ 4 cijfers in en misschien win jij!</font><br><br>
<form action="" method="post">
<input type="text" id="naam" name="naam" maxlength="4"/><br>
<input type="text" id="cijfer" name="cijfer" maxlength="4"/><br>
<input type="submit" id="submitBtn" name="submitBtn" value="Check je lot"/>
</form>
I would like to know whether these precautions are enough.
I have an html form like this in my index.php:
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<select name="Alimento">
<option value="someValue">An option</option>
</select>
Nombre*:<?php echo $error['name'];?><br /><input type="text" name="fname" value="<?php echo $name; ?>"/><br />
Mail*:<?php echo $error['mail'];?><br /><input type="text" name="mail" value="<?php echo $mail; ?>"/><br />
<input id="botonComprar" type="image" src="img/comprar.png" name="submit" width="126" height="42">
</form>
Now on the top of the file I have:
if($_SERVER['REQUEST_METHOD'] == "POST") {
$alimento = filter_input(INPUT_POST, 'Alimento', FILTER_SANITIZE_SPECIAL_CHARS);
$name = filter_input(INPUT_POST, 'fname', FILTER_SANITIZE_SPECIAL_CHARS);
$mail = filter_input(INPUT_POST, 'mail', FILTER_VALIDATE_EMAIL);
if($name == '') {
$error['name'] = '<span class="errorMsg"> Ingrese su nombre</span>';
}
if($mail == '') {
$error['mail'] = '<span class="errorMsg"> Ingrese su mail</span>';
}
if($phone == '') {
$error['phone'] = '<span class="errorMsg"> Ingrese su teléfono</span>';
}
...
I later do:
if(empty($error)){
mail($mail, $subject, $alimento, $headers);
}
This is of course simplified but it shows the gist of it.
So my questions are:
Is there any big vulnerability I've overlooked in my code?
Are the variables safe to echo as values in the form?
I did the above to avoid the loss of filled in inputs, is this approach correct?
Is the email properly validated? Is there any way the mail function could be exploited?
Should I have used htmlspecialchars for $alimento and $name?
Is there any reason to use other email verification techniques?
Is there any big vulnerability I've overlooked in my code?
There are plenty of XSS holes here. Notably, <form action="<?php echo $_SERVER['PHP_SELF'];?>" is a reflective XSS attack vector (possibly exploitable in conjunction with social engineering).
Furthermore, in mail($mail, $subject, $alimento, $headers);, if the $headers is provided based on user input, you may find yourself vulnerable to remote code execution.
Should I have used htmlspecialchars for $alimento and $name?
Yes, with ENT_QUOTES | ENT_HTML5 instead of the default, on output rather than on input.
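The two output sites this answer points at, shown as an added example (not the answerer's or the asker's code): the reflected `PHP_SELF` in the `action` attribute, and the re-filled `value` attributes escaped with `ENT_QUOTES | ENT_HTML5` at output time. The helper names and the sample request path and name are constructed so the file runs from the command line; `ENT_SUBSTITUTE` is an addition beyond what the answer lists.

```php
<?php
// Added example, not the page's code: output escaping for the form in the question.

function e(?string $v): string {
    // ENT_QUOTES escapes both ' and ", so the result is safe inside value='...' as well
    // as value="..."; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    return htmlspecialchars((string)$v, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// The original: PHP_SELF echoes the request path, so a crafted path ends the attribute
// and whatever follows it becomes markup in the page (reflected XSS).
function form_open_unsafe(string $phpSelf): string {
    return '<form action="' . $phpSelf . '" method="post">';
}

// Fixed: an empty action posts back to the current URL and reflects nothing.
function form_open_safe(): string {
    return '<form action="" method="post">';
}

// Re-filling a field after a validation error: keep the raw value, escape on output.
function text_input(string $name, ?string $value): string {
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '"/>';
}

// Constructed sample inputs standing in for a request.
$phpSelf = '/index.php/"><b>injected</b><x a="';
$name    = 'O\'Brien "Bob" <b>';

echo form_open_unsafe($phpSelf), "\n"; // the <b> from the path lands in the page unchanged
echo form_open_safe(), "\n";
echo text_input('fname', $name), "\n"; // quotes and angle brackets come out as entities
```

Because `e()` runs on output, the raw `$name` can still be used for validation and for the mail body, and `FILTER_SANITIZE_SPECIAL_CHARS` on input becomes unnecessary: it would otherwise store `&quot;`-style text that then gets double-encoded when echoed.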