Tom10
Posts: 108
Everything posted by Tom10
-
Me too, I'm not quite sure what you're asking.
-
Hello, so I'm making a register script and the values are not inserting. Here is my script:

```php
if(isset($_POST['register'])) {
    $username  = $_POST['username'];
    $password  = $_POST['password'];
    $cpassword = $_POST['cpassword'];

    $username  = htmlentities($username, ENT_QUOTES);
    $password  = htmlentities($password, ENT_QUOTES);
    $cpassword = htmlentities($cpassword, ENT_QUOTES);
    $username  = htmlspecialchars($username, ENT_QUOTES);
    $password  = htmlspecialchars($password, ENT_QUOTES);
    $cpassword = htmlspecialchars($cpassword, ENT_QUOTES);
    $username  = mysqli_real_escape_string($con, $username);
    $password  = mysqli_real_escape_string($con, $password);
    $cpassword = mysqli_real_escape_string($con, $cpassword);
    $username  = strip_tags($username);
    $password  = strip_tags($password);
    $cpassword = strip_tags($cpassword);
    $cpassword = hash('ripemd128', $cpassword);

    $denymsg = "<h3>The username or password you have entered has been rejected. Check there are no illegal characters, i.e. code, special characters etc.</h3>";

    if(preg_match("#[^\w\?\&\=\.]#", $username)) {
        echo $denymsg;
        die();
    } else {
    }
    if(preg_match("#[^\w\?\&\=\.]#", $password)) {
        echo $denymsg;
    } else {
    }
    if($password !== $_POST['cpassword']) {
        die("Passwords do not match!");
    }
    if(!$username OR !$password) {
        die("Make sure you have entered a username and password!");
    }

    $sql = "INSERT INTO `users` (username, password) VALUES ('$username', '$cpassword')";
    if($sql === TRUE) {
        echo "Your account (".$username.") has been created!";
    } else {
        echo "Your account (".$username.") could not be created. ";
        echo "<br> <br> ".var_dump($sql)." ";
    }
}
```

I do not get any errors, but here is the result of the variable dump:

Your account (user) could not be created. string(92) "INSERT INTO `users` (username, password) VALUES ('user', '602cb6acf8f1d5a8c402bc6b9505730f')"
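Added example, not Tom10's code and not from the thread. In the script above `$sql` is only ever a string: it is never passed to `mysqli_query()`, so nothing is inserted, and `$sql === TRUE` compares a string with a boolean and is always false. The example below does what the script was trying to do: validate the username with a whitelist, hash the password with `password_hash()` (salted bcrypt, unlike an unsalted RIPEMD-128 digest), execute the INSERT as a prepared statement and check the result. It uses PDO with an in-memory SQLite database so it runs stand-alone (assumes PHP 8 with the pdo_sqlite extension); the `users` table and the sample form submissions are constructed for the demo. Swap the DSN for `mysql:host=...;dbname=...` in a real application.

```php
<?php
// Added example (not from the thread): a register/login handler that actually
// executes its queries. Assumes PHP 8 with pdo_sqlite; table and POST data are
// constructed for the demo.
declare(strict_types=1);

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL
    )');
    return $db;
}

/** Validate the form, hash the password, insert the row; returns a user-facing message. */
function register(PDO $db, array $post): string
{
    $username  = trim($post['username'] ?? '');
    $password  = $post['password'] ?? '';
    $cpassword = $post['cpassword'] ?? '';

    // Whitelist the username. The password is never "cleaned": any character is
    // allowed, because hashing is the only thing that happens to it.
    if (!preg_match('/^[A-Za-z0-9_.]{3,32}$/', $username)) {
        return 'Username must be 3-32 characters: letters, digits, "_" or ".".';
    }
    if ($password === '') {
        return 'Make sure you have entered a username and password!';
    }
    if (!hash_equals($password, $cpassword)) {
        return 'Passwords do not match!';
    }

    // password_hash() picks a random salt and a slow algorithm (bcrypt by default).
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Prepared statement: the values never become part of the SQL text, so no
    // escaping and no HTML encoding is needed on the way into the database.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    try {
        $stmt->execute([':u' => $username, ':h' => $hash]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') {   // SQLSTATE integrity constraint violation
            return 'That username is already taken.';
        }
        throw $e;   // anything else is a real bug, not a user error
    }

    // Encode for HTML on OUTPUT, where the context is known.
    return 'Your account (' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . ') has been created!';
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the user is unknown so the response
    // time does not reveal which usernames exist.
    $hash = $row === false ? password_hash('dummy', PASSWORD_DEFAULT) : $row['password_hash'];
    return password_verify($password, $hash) && $row !== false;
}

$db = make_db();
// Constructed sample submissions standing in for $_POST.
echo register($db, ['username' => 'user', 'password' => 'S3cret!pa$$', 'cpassword' => 'S3cret!pa$$']), "\n";
echo register($db, ['username' => 'user', 'password' => 'x', 'cpassword' => 'x']), "\n";   // duplicate username
echo register($db, ['username' => "bob'); DROP TABLE users;--", 'password' => 'x', 'cpassword' => 'x']), "\n";
var_dump(login($db, 'user', 'S3cret!pa$$'));
var_dump(login($db, 'user', 'wrong'));
var_dump(login($db, 'nobody', 'wrong'));
```

The stack of `htmlentities()`, `htmlspecialchars()`, `mysqli_real_escape_string()` and `strip_tags()` in the original is replaced by two things: a whitelist on the one field that has a defined format, and a prepared statement for the query. Encoding belongs at the point of output, and only for the context being written to (here, HTML).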
-
Thank you so much, scootstah. That made a lot of sense and cleared that up for me.
-
Hi, I don't have a problem with this code, it works fine, but I don't understand it.

```php
if(preg_match("#[^\w\/\&\\?\=\.]#", $fullURL)) {
    include 'deny.php';
    die();
} else {
}
```

My understanding is that \w includes a-z and A-Z, so I don't understand why, when I load the page, it doesn't instantly go to deny.php. Wouldn't it make sense to put the include 'deny.php' and die(); in the else? Not sure if you understand what I mean; please say if you don't and I will try to explain better.
-
Worked like a charm, mate, thank you so much.
-
I am wanting to block out JavaScript attacks like index.php?=<script>onload=alert(document.cookie);</script> Mainly I'm wondering how to detect, using preg_match, if someone has entered this code or something similar.
-
Hey, I am trying to use preg_match with my website URL:

```php
$url = "".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."";
if(preg_match('#([\^A-Za-z0-9\$]#', $url)) {
} else {
    die("<h1>Security error</h1>");
}
```

I want to kill the page and say "Security Error" if a client tries to inject code into the URL, but I can't get this to work. All help is very much appreciated, thanks.
-
When it comes to security I always use a variety of functions when handling data, forms etc. Example:

```php
<?php
$username = $_POST['username'];
$password = trim($_POST['password']);
$username = htmlspecialchars($_POST['username']);
$password = htmlspecialchars($_POST['password']);
$username = mysqli_real_escape_string($con, $username);
$password = mysqli_real_escape_string($con, $password);
$username = stripslashes($_POST['username']);
$password = stripslashes($_POST['password']);
$password = hash('ripemd128', $password);
$username = strip_tags($username);
$password = strip_tags($password);
$username = filter_var($username, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
$password = filter_var($password, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_HIGH);
$username = htmlentities($username, ENT_QUOTES);
$password = htmlentities($password, ENT_QUOTES);
?>
```
-
You're preparing the statement and executing it straight away. You are meant to bind the values, and you have not got the result from the query:

```php
$q = 'SELECT * FROM users WHERE username=:username AND password=:password';
$query = $dbh->prepare($q);
$query->execute(array(':username' => $username, ':password' => $password));
if($query->rowCount() == 0){
    header('Location: index.php?err=1');
}
```

This won't work because you haven't asked for results. You need to read up on prepared statements. Also, you are vulnerable to cross site scripting (XSS) and SQL injection.
-
Two errors with mysql_num_rows and mysql_fetch_array functions HELP ME
Tom10 replied to Sketro's topic in PHP Coding Help
Yeah, like CroNiX said, before continuing on check the query has actually succeeded.

```php
if($sql === TRUE) {
    // Query was successful, execute code
} else {
    var_dump($sql); // The query failed, dump the data
}
```

-
Make the form in HTML and process it in PHP: sanitize data, check a value has been entered, etc.
-
Yes, like cyberRobot said, mysql functions are now deprecated (out of date) and they may be removed from PHP in the future; you are using mysql_connect(). Here's a mysqli example:

```php
$host     = "localhost";
$username = "dbUser";
$password = "NULL";
$db_name  = "dbName";

$conn = mysqli_connect($host, $username, $password, $db_name);
if($conn === false) {
    // If there is an error while connecting to the SQL server, execute code, i.e.:
    echo mysqli_connect_errno();   // Display error number
    echo mysqli_connect_error();   // Display error message
} else {
    // Do nothing
}
```

Or, like cyberRobot also said, you can use PDO.
-
```php
<?php
error_reporting(E_ALL | E_NOTICE);
ini_set('display_errors', '1');
require_once("./include/membersite_config.php");

if(!$fgmembersite->CheckLogin()) {
    // Not logged in: send the browser to index.php
    echo "<meta http-equiv='refresh' content='0;url=index.php'>";
    exit;
}
if($fgmembersite->UserId() == 1261) {
    echo "<meta http-equiv='refresh' content='0;url=testes.php'>";
    exit;
}
$userid = $fgmembersite->UserId();
?>
```

Try this.
-
Want to extract page title from url
Tom10 replied to astarmathsandphysics's topic in PHP Coding Help
Have you tried using preg_match / regular expressions to take GCSE and Biology out of the URL and then echo the result?

-
The only thing I can think of is to make a cookie that never expires unless the client clears their browsing cache, history etc.
-
Also, you are vulnerable to SQL injection:

```php
//Get name
$name = $_GET['name'];
$check = $conn->query("select $element_col from name_table WHERE name=$name");
```

Sanitize the data with functions like real_escape_string, htmlspecialchars and htmlentities, because you are also vulnerable to cross site scripting, i.e.:

```php
//Get name
$name = $_GET['name'];
$name = htmlentities($name, ENT_QUOTES);
$name = htmlspecialchars($name, ENT_QUOTES);
$name = mysqli_real_escape_string($conn, $name);
```

If you are still getting errors after the advice you have been given, then use var_dump() and post the output on here: var_dump($check);
-
```php
<?php
$url = 'http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
$findMe = array('@', '/', '&', '$', '"', '!', '<', '(', ')', '{');
if (false !== strpos($url, '')) {
    echo 'Fail!';
} else {
}
?>
```

How can I search for more than one character? I have got the error: Notice: Array to string conversion in C:\xampp\htdocs\test.php on line 7
-
Yeah, but I mean how can I use strpos for the URL of my website? I know how to use it with normal HTML input.
-
Like, how would I be able to use PHP to detect if they have actually tried to inject malicious code into the URL and, if so, redirect them?
-
An example would be: http://corruptsecurity.net/chat.php?%3C?php%20file_put_contents()%20?%3E
-
What I want to do with preg_match is detect certain keywords or characters in the URL. It's like with mod_security: if you enter <script>onload=alert);</script> in the URL, it comes up with a 512 security error. I want to use preg_match to detect the keywords or characters that someone enters into the URL and then redirect them or kill the page.
-
mysql is deprecated, you should use mysqli. Have you tried

```php
$rows = array();
while($row = mysql_fetch_object($result)) {
    array_push($rows, $row);
}
```

You're trying to get the result from the query without actually getting the results. Also, $result = $rs->fetch();
-
Hi, so I'm currently looking into security in PHP and I have looked at the preg_match function on PHP.net, and I don't fully understand how it works or how to use it properly. For example, I don't know how I would use the function to detect characters or keywords in the local URL. Please can someone explain it to me? Every response is much appreciated, thanks.
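Added example, not Tom10's code and not from the thread, covering the preg_match / URL-filtering questions in the posts above (detecting `<script>` in the URL, the `[^\w...]` pattern, searching for several characters). A negated character class such as `[^\w\/\&\?\=\.]` matches any single character that is NOT in the set, so `preg_match()` returns 1 only when a disallowed character is present; that is why the deny branch is the `if`, not the `else`. The block below runs a blacklist of that kind over constructed sample URLs and shows where it fails: `$_SERVER['REQUEST_URI']` is not percent-decoded by PHP, so `%3Cscript%3E` passes the raw check; decoding helps but still misses payloads that do not contain the listed words, and the pattern also rejects harmless input. The dependable defence is the last function, `htmlspecialchars()` applied where the value is written into HTML. Assumes PHP 8; the sample URLs are constructed.

```php
<?php
// Added example (not from the thread). Assumes PHP 8; sample URLs constructed.
declare(strict_types=1);

/**
 * A blacklist like the ones discussed in the thread: reject a URL containing a
 * <script> tag, "javascript:" or an on...= event handler. /i = case-insensitive.
 */
function looks_malicious(string $url): bool
{
    return (bool) preg_match('#<\s*script|javascript\s*:|\bon\w+\s*=#i', $url);
}

/**
 * Same check after percent-decoding. REQUEST_URI arrives encoded, so a check on
 * the raw string never sees the "<" in "%3Cscript%3E". Decode twice because
 * attackers double-encode ("%253C" -> "%3C" -> "<").
 */
function looks_malicious_decoded(string $url): bool
{
    return looks_malicious(rawurldecode(rawurldecode($url)));
}

/** The real fix: anything reflected into an HTML page is HTML-encoded at output. */
function render_search_result(string $q): string
{
    return '<p>Results for: ' . htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// Constructed samples: benign, literal payload, encoded, double-encoded,
// an href payload with an entity-encoded colon (only dangerous when reflected
// inside an attribute, but the filter never sees "javascript:"), and a benign
// query that the \bon\w+= rule rejects anyway.
$samples = [
    'example.com/index.php?q=biology',
    'example.com/index.php?q=<script>alert(document.cookie)</script>',
    'example.com/index.php?q=%3Cscript%3Ealert(1)%3C/script%3E',
    'example.com/index.php?q=%253Cscript%253Ealert(1)%253C/script%253E',
    'example.com/index.php?q=<a href="javascript&#58;alert(1)">x</a>',
    'example.com/index.php?q=one=two',
];

foreach ($samples as $url) {
    printf("%-72s raw:%-5s decoded:%s\n",
        $url,
        var_export(looks_malicious($url), true),
        var_export(looks_malicious_decoded($url), true));
}

// Output encoding neutralises the payload regardless of what the filter saw.
parse_str((string) parse_url($samples[1], PHP_URL_QUERY), $params);
echo render_search_result($params['q'] ?? ''), "\n";
```

Running it prints one line per sample: the first two columns show the raw check missing every encoded payload, the decoded check catching those but still passing the entity-encoded `href` sample, and both checks rejecting `?q=one=two`. A pattern list can be tuned forever and will still have both kinds of error; encoding on output, plus prepared statements for anything that reaches SQL, does not depend on guessing what the attacker will type.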