webref.eu

Hi Guys I'm just getting back into coding after taking a break from it. I want to have a text field that can take up to 1000 characters. What is the best field type for the MySQL field for this? I can't remember if there are any particular special types. Thanks

Thanks for the reply. Regarding the rest of the code, I was trying to just pick out the relevant bits to save people time. What I've decided to do now is just add the e-mail validation given in the "PHP Stopping E-mail Injections" section on the following page: http://www.w3schools.com/php/php_secure_mail.asp This seems like reasonable code and I hope that it will be enough. Rgds

Hi Guys I have built a simple form, which has text fields Name, Telephone Number, Best Time to Call and E-mail. For security purposes, I am testing each against the function shown below which looks for dangerous code snippets, in an effort to protect against email header injection attacks. When it comes to the E-mail field, I am not actually testing whether a valid e-mail address has been entered, as it is the telephone number which is essential, not the e-mail. My question is, do you think this is a security weakness? Many thanks //http://www.tonyspencer.com/2005/12/15/email-injection-exploit-through-a-php-contact-form/ //preg_match string to match goes within forward slashes, i.e. /str/, and i at the end makes it case insensitive function containsInjectionAttempt($input) { if (preg_match("/\r/i", $input) || preg_match("/\n/i", $input) || preg_match("/%0a/i", $input) || preg_match("/%0d/i", $input) || preg_match("/Content-Type:/i", $input) || preg_match("/<script>/i", $input) || preg_match("/bcc:/i", $input) || preg_match("/to:/i", $input) || preg_match("/cc:/i", $input)) { return true; } else { return false; } }

Many thanks for the help guys. I've now amended the function to use preg_match, as per the below. The function is behaving in the same way as the original. However, do you think it is still testing the form output for a newline and a carriage return correctly? I'm not sure. Thanks. //preg_match string to match goes within forward slashes, i.e. /str/, and i at the end makes it case insensitive function containsInjectionAttempt($input) { if (preg_match("/\r/i", $input) || preg_match("/\n/i", $input) || preg_match("/%0a/i", $input) || preg_match("/%0d/i", $input) || preg_match("/Content-Type:/i", $input) || preg_match("/bcc:/i", $input) || preg_match("/to:/i", $input) || preg_match("/cc:/i", $input)) { return true; } else { return false; } }

Hi Guys I'm using the following function to check form field data for dangerous code: function containsInjectionAttempt($input) { if (eregi("\r", $input) || eregi("\n", $input) || eregi("%0a", $input) || eregi("%0d", $input) || eregi("Content-Type:", $input) || eregi("bcc:", $input) || eregi("to:", $input) || eregi("cc:", $input)) { return true; } else { return false; } } For those interested, I found this at: http://www.tonyspencer.com/2005/12/15/email-injection-exploit-through-a-php-contact-form/ A few questions: 1) I have found most of the patterns I test for, e.g. "Content-Type:", "cc:", are recognised by the function. However, if I try inputting into my form field "\r" or "\n", they do not get detected. Does anyone have any idea why? Would it be something to do with the back slashes? 2) I gather eregi is deprecated as of PHP 5.3.0, so what should I use instead? Thanks

Thanks, was it this one you were referring to? http://www.phpfreaks.com/tutorial/php-security Presumably, as I am only using a contact form, that just sends an e-mail, there aren't so many security concerns as when adding data to a database? With an e-mailing script, is there anything in particular I need to cover? Thanks

Hi Guys I am adding a short contact form to a site. All the fields are text fields. What do you think is the minimum validation I need to add to make the form safe against hacking etc. Thanks

Hi Guys What code would you use to check that a form field does not exceed 100 characters? Thanks for any help.

Any links to good sample scripts then please guys? Rgds

Sure thing, I have started coding it from scratch, but if anyone can give me urls of good example scripts (for telephone callback or contact forms) that would be much appreciated, as it will speed things up for me. Many thanks

Hi Guys I am looking for a simple form script which allows a website visitor to provide their telephone number so the website owner can phone them back. The form would need to take the visitor details as follows: Your Name Your Tel Best Time to Call Your Email and then e-mail those details to the website owner. I would be most grateful if anyone could point me in the direction of an example script as I know this is pretty common functionality. Many thanks

fugix - Many thanks for your help, that's great. TeNDoLLA - Thanks for your comments. Rgds

Hi Guys It's been a while since I've done any PHP coding, and I need a simple script to display the large version of an image, so for example, pass the script the following url: photo.php?photo=133 I need the script to: - get the image ref, i.e. 133, so I can reference a large version of the image stored in the images/large/ folder. - cleanse the variable, i.e. protect against any hacking attempt I'm looking in to how to do this at the moment as I'm a bit out of practice, but as I understand this is basic stuff, if any of the pros can tell me the code, that would be much appreciated as it will save me some valuable time. Cheers