webref.eu
-
Posts
210 -
Joined
-
Last visited
Posts posted by webref.eu
-
-
Thanks for the reply. Regarding the rest of the code, I was trying to just pick out the relevant bits to save people time.
What I've decided to do now is just add the e-mail validation given in the "PHP Stopping E-mail Injections" section on the following page:
http://www.w3schools.com/php/php_secure_mail.asp
This seems like reasonable code and I hope that it will be enough.
Rgds
-
Hi Guys
I have built a simple form, which has text fields Name, Telephone Number, Best Time to Call and E-mail. For security purposes, I am testing each against the function shown below which looks for dangerous code snippets, in an effort to protect against email header injection attacks.
When it comes to the E-mail field, I am not actually testing whether a valid e-mail address has been entered, as it is the telephone number which is essential, not the e-mail. My question is, do you think this is a security weakness?
Many thanks
//http://www.tonyspencer.com/2005/12/15/email-injection-exploit-through-a-php-contact-form/ //preg_match string to match goes within forward slashes, i.e. /str/, and i at the end makes it case insensitive function containsInjectionAttempt($input) { if (preg_match("/\r/i", $input) || preg_match("/\n/i", $input) || preg_match("/%0a/i", $input) || preg_match("/%0d/i", $input) || preg_match("/Content-Type:/i", $input) || preg_match("/<script>/i", $input) || preg_match("/bcc:/i", $input) || preg_match("/to:/i", $input) || preg_match("/cc:/i", $input)) { return true; } else { return false; } } -
Many thanks for the help guys. I've now amended the function to use preg_match, as per the below. The function is behaving in the same way as the original.
However, do you think it is still testing the form output for a newline and a carriage return correctly? I'm not sure. Thanks.
//preg_match string to match goes within forward slashes, i.e. /str/, and i at the end makes it case insensitive function containsInjectionAttempt($input) { if (preg_match("/\r/i", $input) || preg_match("/\n/i", $input) || preg_match("/%0a/i", $input) || preg_match("/%0d/i", $input) || preg_match("/Content-Type:/i", $input) || preg_match("/bcc:/i", $input) || preg_match("/to:/i", $input) || preg_match("/cc:/i", $input)) { return true; } else { return false; } } -
Hi Guys
I'm using the following function to check form field data for dangerous code:
function containsInjectionAttempt($input) { if (eregi("\r", $input) || eregi("\n", $input) || eregi("%0a", $input) || eregi("%0d", $input) || eregi("Content-Type:", $input) || eregi("bcc:", $input) || eregi("to:", $input) || eregi("cc:", $input)) { return true; } else { return false; } }For those interested, I found this at:
http://www.tonyspencer.com/2005/12/15/email-injection-exploit-through-a-php-contact-form/
A few questions:
1) I have found most of the patterns I test for, e.g. "Content-Type:", "cc:", are recognised by the function. However, if I try inputting into my form field "\r" or "\n", they do not get detected. Does anyone have any idea why? Would it be something to do with the back slashes?
2) I gather eregi is deprecated as of PHP 5.3.0, so what should I use instead?
Thanks
-
Thanks, was it this one you were referring to?
http://www.phpfreaks.com/tutorial/php-security
Presumably, as I am only using a contact form, that just sends an e-mail, there aren't so many security concerns as when adding data to a database? With an e-mailing script, is there anything in particular I need to cover?
Thanks
-
Hi Guys
I am adding a short contact form to a site. All the fields are text fields. What do you think is the minimum validation I need to add to make the form safe against hacking etc.
Thanks
-
Hi Guys
What code would you use to check that a form field does not exceed 100 characters?
Thanks for any help.
-
Any links to good sample scripts then please guys?
Rgds
-
Sure thing, I have started coding it from scratch, but if anyone can give me urls of good example scripts (for telephone callback or contact forms) that would be much appreciated, as it will speed things up for me.
Many thanks
-
Hi Guys
I am looking for a simple form script which allows a website visitor to provide their telephone number so the website owner can phone them back.
The form would need to take the visitor details as follows:
Your Name
Your Tel
Best Time to Call
Your Email
and then e-mail those details to the website owner.
I would be most grateful if anyone could point me in the direction of an example script as I know this is pretty common functionality.
Many thanks
-
fugix - Many thanks for your help, that's great.
TeNDoLLA - Thanks for your comments.
Rgds
-
Hi Guys
It's been a while since I've done any PHP coding, and I need a simple script to display the large version of an image, so for example, pass the script the following url:
photo.php?photo=133
I need the script to:
- get the image ref, i.e. 133, so I can reference a large version of the image stored in the images/large/ folder.
- cleanse the variable, i.e. protect against any hacking attempt
I'm looking in to how to do this at the moment as I'm a bit out of practice, but as I understand this is basic stuff, if any of the pros can tell me the code, that would be much appreciated as it will save me some valuable time.
Cheers
-
Hi All
I have a URL which will produce data results within XML fields when I browse to it.
What I want to do is display this data to the user on one of my .php pages. I know that XML should be formatted with a .xsl stylesheet file, but what are the basic mechanics needed on my .php page for referencing the url, applying the stylesheet and then outputting the formatted results to my page?
I just don't get how I can reference an external url and show the results on one of my pages.
Thanks
-
OK, thanks guys, but how does this work when the class is being called with:
require_once('class.classname.php');
How can I send the variable values when require_once is being used?
Thanks
-
Hi All
How do you pass a variable value into a constructor?
When a class is being included in a page, and that class contains a constructor, I don't get how you can send variable values into that constructor.
I know how to send a variable value into a function of an instantiated object, but this is different ...
Thanks
-
OK, thanks for that. What you're saying does seem to make sense. I think before I made alterations, the shopcore class was getting run by the require_once statement, but perhaps not properly instantiated as you have suggested.
I will look into this more closely, thanks again.
Rgds
-
Hi All
I am trying unsuccessfully to set a variable within a class. The thing is, it appears to me that the class is getting instantiated by this line:
require_once('class.shopcore.php');and not using a "new" statement which is the only way I was familiar with to instantiate a class.
Within the class.shopcore.php file is a class called shopcore, which I am guessing gets instantiated by default.
Anyway, after the require_once line, I've added a call to a new function, SetKeyphrasePage, which I've created with the shopcore class, in order to set a KeyphrasePage variable within the shopcore class. So I have:
require_once('class.shopcore.php'); $shopcore->SetKeyphrasePage( $KeyphrasePage );This would be the common way of attempting to pass a value for a particular variable into a class. However, this isn't working, because it seems to be interfering with the whole shopcore class as I get a blank page.
So, I guess my question is, does instatiating the class using require_once as per this example mean a different technique for setting a given variable in the class is needed?
Thanks for any help ... I sure need it.
Thanks and rgds
-
Thanks for your reply. I still haven't quite got it working.
The class, which is being included in the master file, sony-laptop.php, is:
class shopcore { var $sQuery;Then within this is the function:
public function gatherEnvData()
Which contains:
if ( strlen($_GET['q']) > 0 ) { $this->sQuery = strlen($_GET['q']) > 0 ? trim( strip_tags( urldecode($_GET['q']) ) ) : null; } else { $this->sQuery = $KeyphrasePage;I'm still not managing to set sQuery, have I got the lines in the original file wrong? In original file I have:
$KeyphrasePage = "sony"; $gatherEnvData->set_sQuery($KeyphrasePage);
Thanks
-
I have a class which defines the $sQuery variable as per the below:
class shopcore { var $iMerchantId; var $iCategoryId = 0 ; var $iProductId; var $sQuery;later in the class, sQuery gets set as follows:
$this->sQuery = strlen($_GET['q']) > 0 ? trim( strip_tags( urldecode($_GET['q']) ) ) : null;
This whole class gets included in a file, let's call it sony-laptop.php. Thing is, I want to manually set $sQuery to have a value of "sony laptop". I don't want to use the querystring q to set this, I just want to manually define another variable in my sony-laptop.php file, lets called it $KeyphrasePage, and then set $sQuery to this.
I've tried stuff like this:
Early in sony-laptop.php file, define the first variable:
$KeyphrasePage = "sony laptop";
Then within class try and set sQuery to this:
$this->sQuery = $KeyphrasePage;
but it's not getting set at all, it seems $KeyphrasePage isn't passed into the class. :'( So how to I pass my $KeyphrasePage into the class properly and then set sQuery to it???
Any help much appreciated.
Thanks
-
Thanks guys, I used mysql_error() and it turns out its a versioning problem. The MySQL server is v5 and the remote host I want to connect to it is v4. This means the password can't be recognised. The error I get is:
Client does not support authentication protocol
So it wasn't an IP access issue like I thought initially.
Thanks for your help.
Rgds
-
Hi All
I am trying to connect to my MySQL database from a remote host. I have the standard PHP database connection code. I have added the remote IP address as an allowed one in cPanel. At the moment the remote host can't connect to the server.
Is there a way to get more detailed info about the type of server connection error? I am thinking if I alter the PHP code I might be able to display a more detailed connection error message.
Thanks
-
Great, thanks very much for that.
Rgds
-
Hi All
I want to show only the five most recent products added to a database. So far, I have the below query, how do I modify it to show only the first five most recent?
$sql = "SELECT * FROM Products ORDER BY ProductDateAdded DESC";
Many thanks
-
Hi All
A question about Smarty capabilities. If I built a Smarty template and based all my site pages on it, and then decided I wanted to change something on that template, e.g. add an additional column to a table, would all the pages I built based on it immediately reflect the template change, i.e. all have an additional table column?
That is the point of Smarty, right? You build a single template and then you can make changes to the template and have all your old pages instantly reflect any change, right?
Thanks
Simple Question About MySQL Text Field Types
in MySQL Help
Posted
Hi Guys
I'm just getting back into coding after taking a break from it. I want to have a text field that can take up to 1000 characters. What is the best field type for the MySQL field for this? I can't remember if there are any particular special types.
Thanks