zimmo

Due to the changes we have made with the system, we need to change the following that was not written by me. I have a script which I enclose a portion of it here, but it needs to check now if the database has A or B or YOUCHOOSE in the table and then upload an image if it does. Basically at the moment, when you upload an image it is failing to upload and redirecting to the page. // pic name will be user's ID + month $pic_name ='/uploads/'.(int)$_REQUEST['id'].'/'.(int)$_REQUEST['id'].'frontcover'.'.jpg'; $exists = false; if (isset($_FILES['frontcoverpic']) && $_FILES['frontcoverpic']['size'] > 0) { // see if image for this month has already been uploaded $res = mysql_query('select 1 from uploadcentre where frontcoverpic ="'.$pic_name.'" and email = "'.$_REQUEST['email'].'" and id ='.(int)$_REQUEST['id']); $exists = ($res && mysql_num_rows($res) > 0); // check image type is ok $img_info = getimagesize($_FILES['frontcoverpic']['tmp_name']); if ($img_info[2] != 2) { // not jpeg header("Location: http://www.*****.co.uk/*****/calendar/error.php?email={$_REQUEST['email']}&name={$_REQUEST['name']}&id={$_REQUEST['id']}"); exit(); } // ok image -- re-upload will overwrite previous item if (!move_uploaded_file($_FILES['frontcoverpic']['tmp_name'],$pic_name)) { die('could not install new image'); } I think the problem lies where it checks to see if the image has been uploaded, when in fact it could just contain data in that field of A or B or YOUCHOOSE.

Bricktop... works a treat.. many thanks

I have an if else statement to check the data in a given table in the database. What I want is for one elseif statement to check if the field in the table contains .jpg how can I do this with the following: if ($row[pic] =="") { echo ("\n"); } elseif ($row[pic] =="A") { echo (" Standard A \n"); } elseif ($row[frontcoverpic] ==".jpg") { echo ("You chose the image\n"); } I know the third statement is incorrect, what I need is to be able to check if the field contains the .jpg how do I do this

Someone said to try the following: $Web_Site_Comments = strip_tags(htmlentities($_POST['Web_Site_Comments'])); ut it is still allowing the code through via email. Where am I going wrong? I enterted the following in the box: <&lt>&gt"&quot& &amp'' And it came via email fine... how can I stop this. This is asap please...

A client has asked us to not allow certain characters to be parsed through the email form we have. Can someone please help as this is beyond me. For example. The form allows someone to enter the following (this is what they do not want) Name: <&lt>&gt"&quot& &amp'' Company_Name: <&lt>&gt"&quot& &amp'' Telephone: <&lt>&gt"&quot& &amp'' Email: <&lt>&gt"&quot& &amp'' Web_Site_Comments: <&lt>&gt"&quot& &amp'' As you can see the characters: < &lt &gt etc.. are being allowed via the form. They basically are telling me that we need to NOT allow this. Here is the code for my email form <? //# Include the connections script to make a database connection. include("inc/connect.inc"); $parts = parse_url(strip_tags(rawurldecode('http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']))); //# The form should post to itself. //# The form should post to itself. // clean out any malicious data foreach ($parts as $k => $v) { $v = strip_tags(rawurldecode($v)); if (get_magic_quotes_gpc() == 1) { $parts[$k] = $v; }else{ $parts[$k] = addslashes($v); } } //# The form should post to itself. if ( $_POST['submit'] ) { require('inc/removexss.php'); $_POST = array_map('removeXSS', $_POST); $valid = 1; //# The fields all follow this patern. //# If you do not require an error check for a field then just use the //# post field method and not the error check method $producta = $_POST['producta']; $Name = $_POST['Name']; if ( empty($Name) ) { $valid = 0; $Name_error = 'Please Enter your Name'; } $Company_Name = $_POST['Company_Name']; if ( empty($Company_Name) ) { $valid = 0; $Company_Name_error = 'Please Enter your Company Name'; } $Telephone = $_POST['Telephone']; if ( empty($Telephone) ) { $valid = 0; $Telephone_error = 'Please Enter your Telephone Number'; } $Email = $_POST['Email']; $Web_Site_Comments = $_POST['Web_Site_Comments']; // End of error checking. if ( $valid == 1 ) { // In testing, if you get an Bad referer error // comment out or remove the next three lines if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])>7 || !strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) die("Bad referer"); $msg="Enquiry Form.:\n\n"; foreach($_POST as $key => $val){ if (is_array($val)){ $msg.="Item: $key\n"; foreach($val as $v){ $v = stripslashes($v); $msg.="$v\n"; } } else { $val = stripslashes($val); $msg.="$key: $val\n"; } } $recipient="*****"; $subject="Enquiry Form"; error_reporting(0); if (mail($recipient, $subject, $msg)){ echo nl2br($input); } else echo "An error occurred and the message could not be sent."; header("Location: thanks.php"); exit; } } ?> Please is there a way to STOP these characters going via email.

I am unusre of the correct syntax for prefixing the following so it includes the category from another field. I need the following: if(empty($_FILES['file_name']['name'])) { $file_name = $old_file_name; } else { $file_name = $_FILES['file_name']['name']; To be able to have the category value in the file name at the start, so prefixing the actual image file name. ie: $category,$_FILES...

As you know php is an ongoing learning curve... I feel I have learnt alot over the years to get by, being on my own learning does not give me the advanatage of finding all the things we need to know, such as security holes.. but then after looking across the internet, not many people have fixed the holes they have.. just that I have a client who found them.. Which is good, but then these (forums) are the places you get help from... you may know alot and yes, I would love to get a freelancer in... if I could afford to... I have always found the forums to be a great source of help... Thanks to those who have pointed me in some direction.. I will look elsewhere to see if I can fix this..

Thanks for the reply. The form was only set up to make sure they actually enter info, I know it is not a detailed error checker... its just so the user inputs the data... (can you point me in the right direction here for error checking individual fields). The function I took from a website that someone designed for XSS problems... I am unsure how to implement this. It was only today we were told that the forms are open to XSS attacks and we had to fix them, and this is beyond our scope to be honest. Any help is appreciated. Thanks barry

Hi, I have a problem where a client has used some software to perform a scan on the site and noticed that the site is vulnerable to xss attacks through the form I show below. Now, I have been told of a function which is also below but I do not have a clue how to implement this to stop the site being xss vulnerable. Can you tell me if the function does not work here? what should I do, as I need to perform something to stop this form and many others on the site being prone to attacks. Please anyway, can you help. I just need to know how this is done... change my code how you feel. <? //# Include the connections script to make a database connection. include("inc/connect.inc"); //# The form should post to itself. if ( $_POST['submit'] ) { $valid = 1; //# The fields all follow this patern. //# If you do not require an error check for a field then just use the //# post field method and not the error check method $Name = $_POST['Name']; if ( empty($Name) ) { $valid = 0; $Name_error = '<b><font face="Tahoma" color="#FF0000" size=4><span class="style57">Please Enter your Name</span></font></b>'; } $Company_Name = $_POST['Company_Name']; if ( empty($Company_Name) ) { $valid = 0; $Company_Name_error = '<b><font face="Tahoma" color="#FF0000" size=4><span class="style57">Please Enter your Company Name</span></font></b>'; } $Telephone = $_POST['Telephone']; if ( empty($Telephone) ) { $valid = 0; $Telephone_error = '<b><font face="Tahoma" color="#FF0000" size=4><span class="style57">Please Enter your Telephone Number</span></font></b>'; } $Email = $_POST['Email']; $Web_Site_Comments = $_POST['Web_Site_Comments']; $antispambox = $_POST['antispambox']; if ($antispambox == '73634') {} else { $valid = 0; $antispambox_error = '<b><font face="Tahoma" color="#FF0000" size=4><span class="style57">Please Enter the Numbers as shown in bold</span></font></b>'; } // End of error checking. if ( $valid == 1 ) { // In testing, if you get an Bad referer error // comment out or remove the next three lines if (strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])>7 || !strpos($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST'])) die("Bad referer"); $msg="This is the information received from the Spectroscopy Enquiry Form.:\n\n"; foreach($_POST as $key => $val){ if (is_array($val)){ $msg.="Item: $key\n"; foreach($val as $v){ $v = stripslashes($v); $msg.="***$v\n"; } } else { $val = stripslashes($val); $msg.="$key: $val\n"; } } $recipient="*****"; $subject="Enquiry Form"; error_reporting(0); if (mail($recipient, $subject, $msg)){ echo nl2br($input); } else echo "An error occurred and the message could not be sent."; header("Location: thanks.php"); exit; } } ?> And here is the function. Now can someone tell me if we have to run this function on every field in the form??? function RemoveXSS($val) { // remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed // this prevents some character re-spacing such as <java\0script> // note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs $val = preg_replace('/([\x00-\x08][\x0b-\x0c][\x0e-\x20])/', '', $val); // straight replacements, the user should never need these since they're normal characters // this prevents like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29> $search = 'abcdefghijklmnopqrstuvwxyz'; $search .= 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'; $search .= '1234567890!@#$%^&*()'; $search .= '~`";:?+/={}[]-_|\'\\'; for ($i = 0; $i < strlen($search); $i++) { // ;? matches the ;, which is optional // 0{0,7} matches any padded zeros, which are optional and go up to 8 chars // &#x0040 @ search for the hex values $val = preg_replace('/(&#[x|X]0{0,8}'.dechex(ord($search[$i])).';?)/i', $search[$i], $val); // with a ; // &#00064 @ 0{0,7} matches '0' zero to seven times $val = preg_replace('/(&#0{0,8}'.ord($search[$i]).';?)/', $search[$i], $val); // with a ; } // now the only remaining whitespace attacks are \t, \n, and \r $ra1 = Array('javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base'); $ra2 = Array('onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart', 'ondrop', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhelp', 'onkeydown', 'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onlosecapture', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onpaste', 'onpropertychange', 'onreadystatechange', 'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onselect', 'onselectionchange', 'onselectstart', 'onstart', 'onstop', 'onsubmit', 'onunload'); $ra = array_merge($ra1, $ra2); $found = true; // keep replacing as long as the previous round replaced something while ($found == true) { $val_before = $val; for ($i = 0; $i < sizeof($ra); $i++) { $pattern = '/'; for ($j = 0; $j < strlen($ra[$i]); $j++) { if ($j > 0) { $pattern .= '('; $pattern .= '(&#[x|X]0{0,8}([9][a][b]);?)?'; $pattern .= '|(&#0{0,8}([9][10][13]);?)?'; $pattern .= ')?'; } $pattern .= $ra[$i][$j]; } $pattern .= '/i'; $replacement = substr($ra[$i], 0, 2).'<x>'.substr($ra[$i], 2); // add in <> to nerf the tag $val = preg_replace($pattern, $replacement, $val); // filter out the hex tags if ($val_before == $val) { // no replacements were made, so exit the loop $found = false; } } } return $val; }

I have put together a script for error checking and once I have this working I can complete the rest. This is the set up 1: User enters the site and clicks a link which contains a random identifier number of 12 characters. 2: The first part of the form is Personal Details. 3: When they enter the personal details I need a kind of error check, so that when they fill in the details if they miss anything, they are taken back to the form to fill in. My problem; I know you can set up this if the form posts to itself (same page), but my application does not work like this. Before the error checking I just had the form post to a script and that processed the data and then redirected them to the next step of the form. Now I need to error check the data and still perform the same, either insert the data into the database or if errors take them back to the form with the field errors. Now this script needs some work, as at present I get a parse error on my else statement. I am very tired trying to get this to work. Please if anyone can help be appreciated. basically I need this to check the form elements, if correct enter in the database, if incorrect back to form to fill in wrong or missing elements. [code] <? //# Include the connections script to make a database connection. include("../inc/connect.inc"); //# Error Checking For the Personal Details section of the quote //# The form should post to itself. if ( $_POST['submit'] ) { $valid = 1; //# The fields all follow this patern. //# If you do not require an error check for a field then just use the //# post field method and not the error check method $main_title = $_POST['main_title']; $main_firstname = $_POST['main_firstname']; if ( empty($main_firstname) ) { $valid = 0; $main_firstname_error = 'You did not enter your First Name'; } $main_surname = $_POST['main_surname']; if ( empty($main_surname) ) { $valid = 0; $main_surname_error = 'You did not enter your Surname'; } $main_dob = $_POST['main_dob']; if ( empty($main_dob) ) { $valid = 0; $main_dob_error = 'You did not enter your Date of Birth'; } $main_maritalstatus = $_POST['main_maritalstatus']; $main_fulllicence = $_POST['main_fulllicence']; $main_taxibadge = $_POST['main_taxibadge']; $main_residency = $_POST['main_residency']; $main_house = $_POST['main_house']; if ( empty($main_house) ) { $valid = 0; $main_house_error = 'You did not enter your House Number'; } $main_postcode = $_POST['main_postcode']; if ( empty($main_postcode) ) { $valid = 0; $main_postcode_error = 'You did not enter a Postcode'; } // End of error checking for the Personal Details Fields, all fields covered. if ( $valid == 1 ) {         # setup SQL statement         $SQL = " INSERT INTO personal_details ";         $SQL = $SQL . " (sid, main_title, main_firstname, main_surname, main_dob, main_maritalstatus, main_fulllicence, main_taxibadge, main_residency, main_house, main_postcode) VALUES ";         $SQL = $SQL . " ('$sid', '$main_title', '$main_firstname', '$main_surname', '$main_dob', '$main_maritalstatus', '$main_fulllicence', '$main_taxibadge', '$main_residency', '$main_house', '$main_postcode') ";         #execute SQL statement         $result = mysql_db_query( *****,"$SQL",$connection );         # check for error         if (!$result) { echo("ERROR: " . mysql_error() . "\n$SQL\n");    } {     header("Location: http://www.*****.co.uk/quote/adddrivers/index.php?sid=$sid");     exit; } else {     header("Location: http://www.*****.co.uk/quote/personal.php?sid=$sid");     exit; }     } } ?> [/code]