Hey guys, I've gotten as far as my code below, but I am trying to create an AJAX search form that is 'safe' on my wordpress blog, by detecting the session variable or a cookie or something
<?php
#session_start();
If (!array_key_exists(‘authed’, $_SESSION))
{
include ‘not_authed.inc’;
exit();
}
// go about your business.
?>
and i'm trying to add that to this:
<?php
function checkValues($value)
{
// Use this function on all those values where you want to check for both sql injection and cross site scripting
//Trim the value
$value = trim($value);
// Stripslashes
if (get_magic_quotes_gpc()) {
$value = stripslashes($value);
}
// Convert all <, > etc. to normal html and then strip these
$value = strtr($value,array_flip(get_html_translation_table(HTML_ENTITIES)));
// Strip HTML Tags
$value = strip_tags($value);
// Quote the value
$value = mysql_real_escape_string($value);
return $value;
}
mysql_connect ("mysql.*****.com", "****","$*****") or die (mysql_error());
mysql_select_db ("***********");
$term = checkValues($_REQUEST['val']);
$term = mysql_real_escape_string($term);
$sql = mysql_query("select * FROM patient_db WHERE id_number = '$term'");
if($row = mysql_fetch_array($sql)) {
echo "<img src=\"******\" class='leftfloat' border=0>";
echo '<p>';
echo '<br /> ID Number: ' .$row['id_number'];
echo '<br /> Name: ' .$row['Name'];
echo '<br /> Exp. Date: ' .$row['exp_date'];
echo '<br /> DOB: ' .$row['dob'];
echo '</p>';
//echo "<a href='******' title='Printer Friendly Version' alt='Printer Friendly Version'><img src=\"*****\" class='rightfloat' border=0 height=33 width=33></a>";
} else {
echo "<img src=\"*****\" height=50 width=50 class='leftfloat' border=0>";
print "<h1>USER ID <br/>NOT FOUND</h1><br />";
print "<strong>OOPS!! THIS COULD BE AN ERROR</strong><br />";
print "<br />";
print "<div>*****</div>";
}
?>
The problem you are going to have is that the AJAX request is a separate session / cookie as it is a completely different process not tied into to the browser.
So how do you go about authenticating someone? A Token of sorts. So you would create a hash, which would need to be stored in the database for the user, which can be regenerated upon login etc. Then you would use this token to validate that user and allow the AJAX submission to work.
Hopefully that gets the ball rolling for you. So in your AJAX push script you would just appened a variable to the GET or POST data called token and then check it on the receiving PHP script. There are other ways of doing it, this is just one that I know of :)
Related
I have more GET variables. I want the variables to be added after clicking. And after clicking again I want them to be removed from GET. I am a beginner and I don't know how to do it.
<?php
$tab_array['name1']=1;
$tab_array['name2']=2;
$tab_array['name3']=3;
$tab_array['name4']=4;
$url=$_SERVER[QUERY_STRING];
if(!empty($url)){
$url="&".$url;
}
?>
<form action="" method="GET">
<?php
foreach($tab_array as $key => $val){
?>
<?php echo $key;?>
<?php
}
?>
</form>
Someone will help?
Sorry for my bad English...
Code
<?php
$tab_array['name1']=1;
$tab_array['name2']=2;
$tab_array['name3']=3;
$tab_array['name4']=4;
$url='?'; // this will call the current url
// $_GET is the array your submitted data will be strored in - initially empty []
?>
<form method='GET'><!-- you actually don't need a form, since only input, textarea, etc get submitted -->
<?php
// save current state, so you can modify it for every possible click
$current_get = $_GET;
foreach($tab_array as $key => $value) {
$new_get = $current_get;
// check if the current key is already in your set ($new_get)
if (array_key_exists($key, $new_get)) { // it is, so remove
unset($new_get[$key]);
} else { // it is not, so add
$new_get[$key] = $value;
}
// build your query_string (from $new_get array)
$query_string = http_build_query($new_get);
// you can use variables in string when its encapsulated in double quotes: "text $var"
echo "<a href='$url$query_string'>$key</a>";
// more readable:
// echo "<a href='{$url}{$query_string}'>{$key}</a>";
// not need but looks better :P
echo '<br />' . PHP_EOL;
}
?>
</form>
A little more
there is a shortcut for <php echo $var ?> which is just <?= $var ?>
Links
array_key_exists
unset
http_build_query
I am making a tool to convert steam profile urls to the different steam ids, whatever.
I have the different functions, triggered when submitting the URL of the profile with a form.
One of the function are, that it gets the avatar of the regarding steam profile.
Actually it gets the link of the image. What I can do is, echo an img element with the link, this wont give me any flexibility since I wont be really able to style etc that afterwards.
Now, the function of getting the avatar, is in the function of the submit form.
I tried just inserting the image URL into an img element.
<img src"<?php echo $avatar ?>">
Well, then I get a error message, saying "$avatar" is undefined, even though I defined it in my main php tags. I think that is due to the fact that it is done inside the form function, could be wrong though.
My main question now is, what could be a different approach to this? I need that in the form function because it should only be called then.
Maybe I just have to use the inconvenient way of echoing an img element every time.
Here is the actual code.
<form method="post">
<input type="text" name="profile_url">
<input type="submit" value="click" name="submit">
</form>
<div id="avatar-div" style="height:100px; width:100px;">
<img src="<?php echo $avatar; ?>">
</div>
the main php part
if(isset($_POST['submit']))
{
display();
}
function display() {
require_once 'steamid.class.php';
$input = $_POST["profile_url"];
$api_key = "xxxxxxxxxxxxxxx";
$id = new SteamID($input,$api_key);
if(substr_count($input, ' ') === strlen($input)) {
echo "Enter URL";
} else {
if ($id->resolveVanity()) {
$avatar = $id->toAvatar();
$communityid = $id->toCommunityID();
echo $communityid . ", " . " ";
$steamid = $id->toSteamID();
echo $steamid . ", " . " ";
$userid = '[U:1:'.$id->toUserID().']';
echo $userid . ", " . " ";
} else {
echo "Profile wasnt found!";
}
}
}
I'm refactoring my answer based on the conversation we had. Here is the recommended PHP code.
function urlCheck() {
$input = $_POST["profile_url"];
if(empty($input)) {
echo "Enter URL";
return false;
} else {
return true;
}
}
function display() {
require_once 'steamid.class.php';
$api_key = "xxxxxxxxxxxxxxx";
$id = new SteamID($input,$api_key);
if (urlCheck()) {
if ($id->resolveVanity()) {
$communityid = $id->toCommunityID();
echo $communityid . ", " . " ";
$steamid = $id->toSteamID();
echo $steamid . ", " . " ";
$userid = '[U:1:'.$id->toUserID().']';
echo $userid . ", " . " ";
return $id->toAvatar();
} else {
echo "Profile wasn't found!";
}
}
}
You haven't mentioned where you're running display(), or where you're expecting the output (echo) to display. I can only assume you want it at the top of the page. Let me explain how to use this.
<head>
$avatar = display();
</head>
<body>
<div id="avatar-div" style="height:100px; width:100px;">
<img src="<?= $avatar ?>">
</div>
</body>
Basically the way this works, is that wherever you run display(), is where the echoes will output (in this case, before the body). Wherever you echo $avatar is where the id will be displayed. I hope this works for you.
Take a look at PHP's Variable Scope
Any variable used inside a function is by default limited to the local function scope.
To fix this problem, use the global keyword. This way you will explicitly set $avatar; as a global variable so it can be used outside of your display() function.
Here is how it would work for your example:
function display() {
global $avatar;
// Rest of your display() function
// Set $avatar somewhere in here
}
display(); // Actually call display so $avatar is set
<div id="avatar-div" style="height:100px; width:100px;">
<img src="<?=$avatar;?>">
</div>
i simply pass 3 values to the URL and while testing i was trying to echo them back to the screen but it will only echo each value once even though i have set it to echo at various points. once i escape the value it wont let me echo it. Why is this?
<?php
session_start();
if (isset($_SESSION['SESSION_C']) && ($_SESSION['SESSION_C']==true))
{
$getyear = $_GET["Year"];
echo $getyear; (IT WILL ECHO AT THIS POINT)
$getyear = mysql_real_escape_string($getyear);
echo $getyear; (BUT WONT ECHO HERE)
$getsite = $_GET["Site"];
echo $getsite;
$getsite = mysql_real_escape_string($getsite);
echo $getsite;
$getsite = str_replace(' ', '', $getsite);
echo $getsite;
$getdoc = $_GET["Doc"];
echo $getdoc;
$getdoc = mysql_real_escape_string($getdoc);
echo $getdoc;
}
else
{
echo "sessionerror";
}
?>
mysql_real_escape_string() requires a open connection to mysql. Otherwise it will return false. I guess var_dump($getdoc); will give you boolean(false).
You'll have to call mysql_connect() before that code.
Currently, when displaying all posts made by users I do the following:
while($info=mysql_fetch_array($data)) {
echo "<div id = 'posts'>";
echo $info['subject'];
echo $info['post-item'];
echo "</div>";
}
But, however, I now need to treat each element fetched as an actual post rather than just an outputted div for obtaining the post_id of each post to be able to actually enable a user to interact with different posts e.g. to 'like' a post.
I had tried hyperlinking the like href to ?id=$thispost which worked for liking however had problems such as a user altering the url, or even if I would like to also add the commenting functionality, I would need a different method!
As for different tasks, you would pass different querystrings:
like this
comment
share this
In page.php, you would then...
if (isset($_GET['do'] && isset($_GET['id'])) {
$do = $_GET['do'];
$id = $_GET['id'];
} else exit("blabla");
switch ($do) {
case 'like':
// do sth
break;
case 'comment':
// do sth
break;
// etc.
} // switch
Of course, passing the values by URL open the gate to manipulation.
So either store $do and $id in $_SESSION or in $_POST.
Example for $_POST:
$h = "";
while ($info = mysql_fetch_array($data)) {
$h .= '<div id = "posts">';
$h .= '<form method="post" action="page.php">';
$h .= "{$info['subject']}<br />{$info['post-item']}";
$h .= "<input type=\"hidden\" name=\"id\” value=\”{$info['id']}\” />';
$h .= '<input type="submit" name="do" value="like" />';
$h .= '</form></div>';
}
echo $h;
Comments:
1. don't use mysql_*, but mysqli_* or PDO -> makes your code future-proof and more secure
2. this code creates a form around every post, with a hidden field containing the id (from db) of that post...
3. and a button that will send the id invisible for the user to page.php.
4. in page.php, you read $_POST, as in my above exaple with $_GET:
if (isset($_POST['id'])) {
$do = $_POST['do'];
$id = $_POST['id'];
} else exit("blabla");
// etc.
I am trying to create a system to store the last logged on IP, and to compare it to the current IP, then do some functions later on down the road, but currently, I cannot compare them without going to the last else statement. Here's the code.
<?php
$userToPull = $session->userinfo['username'];
$query = "SELECT * FROM users WHERE username='$userToPull'";
$result = mysql_query($query);
while($row = mysql_fetch_row($result)){
$userToShow = $row[25];
$IPtoVerify = $row[26];
}
$lastActivity = RelativeTime($userToShow);
$currIP = $_SERVER['REMOTE_ADDR'];
/*
Shows Partner Stuff
}elseif(!$session->isAdmin()){
echo "<div style='text-align:right;' id='homebox'";
echo "<b>Partner Total:</b> ".$database->getNumMembers()."<br>";
echo $database->num_active_users." partners logged in and ";
echo $database->num_active_guests." guests viewing the site.<br><br>";
echo "</div>";
*/
if(!$IPtoVerify == $currIP){
echo "<div style='text-align:right; background-color: #FAAAB3' id='homebox_partner'";
echo "<b>You are logged on from an unrecognized location.</b><br>";
echo "You will be sent a notification for security purposes.";
echo "<br>This location will automatically be remembered.";
echo "</div><br>";
}elseif($IPtoVerify == $currIP){
echo "<div style='text-align:right;' id='homebox_partner'";
echo "<b>You are logged on from a recognized location.</b><br>";
echo "Your IP is ".$_SERVER['REMOTE_ADDR'];
echo "<br>Your last login was approximately ".$lastActivity;
echo "</div><br>";
}else{
echo "<div style='text-align:right;' id='homebox_partner'";
echo "<b>An error has occurred.</b><br>";
echo "</div><br>";
}
?>
The only thing not working is the if(!$IPtoVerify == $currIP){ if statement.
The IP is stored in the normal fashion, and echo's like: 100.100.100.100. (normal fashion)
Maybe I am not comparing them right, but it has worked for me in the past.
This code doesn't do what you think:
if (!$IPtoVerify == $currIP) {
PHP interprets it as:
if ((!$IPtoVerify) == $currIP) {
You will want to write it as:
if ($IPtoVerify != $currIP) {
Try ($IPtoVerify !== $currIP) instead of (!$IPtoVerify == $currIP)
!$IPtoVerify == $currIP
means
0==$currIP,
because it first validates
`!$IPtoVerify`
which always returns 0 unless $IPtoVerify is 1.
Add additional brackets like
if(!($IPtoVerify == $currIP))...
to solve the issue.