tefuzz
Posts posted by tefuzz

  1. Maybe this will be of any help?

     

    http://www.phpfreaks.com/tutorial/php-security/page8

     

    Took a look at that, but the page you linked to shows about having some malicious code within a page. When pulled up by a user with permissions it executes. Should I be using something like $_SERVER['HTTP_REFERER'] to check? Basically, if the token is set, but the referer is not my site, I can show them a session error or something?

     

    But looking at the PHP manual it says HTTP_REFERER "...This is set by the user agent. Not all user agents will set this, and some provide the ability to modify HTTP_REFERER as a feature. In short, it cannot really be trusted..."

     

    Any ideas?

  2. What's the purpose, might I ask? Yeah, I know you want to login, but what for?

     

    Well so that I don't have to write my password again and again. I am a kid of 15 years and my friend who becomes oversmart challenged me to do so. I beg you to solve my problem.

     

    That's why browsers have "do you want me to remember this password?" and autocomplete... all you have to do is click twice, and your username and password are in. ;)

  3. OK, now I have another problem. I have the form validation set so that if there are errors it automatically fills in the valid fields again so the user doesn't need to retype everything for 1 error. However, if I run the script with an error, it fills in my valid data just like I want. Now the catch is, if I leave the page and go to say google.com, and go back, my form fields will still be filled in with that data.

     

    What can I do to make sure that if they leave the "session" it clears, and they have to start over again?  Only if they leave the form (multi part) and come back. If they go to step2 and come back to step1, I want to keep the data.

  4. OK, well I think I fixed one part of it...

     

    I changed this line of my page:

     <form action="step1.php" method="post" enctype="multipart/form-data" name="tutorApp" class="tutorAppForm">

     

    to this:

     <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>" method="post" enctype="multipart/form-data" name="tutorApp" class="tutorAppForm">

     

  5. Based on what I see there, since step1 is set, then your session "token" never gets its value set, and because of that, the next elseif check runs true every time (since that session isn't set, the post value of token can't equal nothing, assuming that that post value is also sent)

     

    I have the first IF checking to see if they pressed the "next" button. If not, then it must be the first time on the page, so I am assigning a token. If it is pressed, then it is checking the token against the hidden input to see if they match. Or at least that's what I thought it was doing. ;)

  6. I am trying to use a session token to protect my form a little bit from hijacking, and from timeouts in case the user takes 4 hours to complete it, the information will be cleared so someone couldn't hijack their data either. I have it creating a token automatically, and passing it through $_POST inside a hidden input 'token'

     

    I can't however get it to work... my code is this... seemed like it would work, but I always get "session error!". And yes, the hidden input for 'step1' is there.

     

    <?php
    session_start();

    if (!isset($_POST['step1'])) {
        // first visit: issue a token and remember it for this session
        // (uniqid/md5(microtime()) is predictable; a CSPRNG would be the stronger choice)
        $_SESSION['token'] = uniqid(md5(microtime()), true);
    } elseif (!isset($_POST['token'], $_SESSION['token']) || $_POST['token'] !== $_SESSION['token']) {
        // submitted, but no token was ever issued to this session or the echoed one differs
        echo "session error!";
    } else {
        // ...this is where the validation goes...
    }
    ?>
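    As an added example (not tefuzz's code, nor from the thread): a per-form token drawn from the OS random generator, compared in constant time and expiring after four hours, which covers both the "session error!" script above and the HTTP_REFERER question from the earlier post. It assumes PHP 7.1+; the field names, the 4-hour limit and the action URL are constructed for the demo.

```php
<?php
// Added example, not tefuzz's code: a per-form token from the OS CSPRNG,
// compared in constant time and rejected once it is older than four hours.
// Assumes PHP 7.1+; field names, limit and action URL are constructed.
session_start();

const TOKEN_TTL = 4 * 3600;   // constructed: a token older than this is rejected

// Issue a fresh token whenever the form is rendered (first visit or next step).
function issueToken(): string {
    $_SESSION['token']      = bin2hex(random_bytes(32)); // 256 random bits, unguessable
    $_SESSION['token_time'] = time();
    return $_SESSION['token'];
}

// Check the value echoed back from the hidden input against the stored one.
function tokenIsValid(?string $posted): bool {
    if ($posted === null || !isset($_SESSION['token'], $_SESSION['token_time'])) {
        return false;   // nothing was issued, or nothing came back
    }
    if (time() - $_SESSION['token_time'] > TOKEN_TTL) {
        return false;   // the user took too long; make them start over
    }
    // hash_equals compares in constant time, so timing does not leak the token
    return hash_equals($_SESSION['token'], $posted);
}

function renderStep1(string $token): void {
    $t = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    echo "<form action=\"step1.php\" method=\"post\">\n"
       . "<input type=\"hidden\" name=\"step1\" value=\"step1\">\n"
       . "<input type=\"hidden\" name=\"token\" value=\"$t\">\n"
       . "<input type=\"submit\" name=\"submit\" value=\"Next\">\n</form>\n";
}

if (!isset($_POST['step1'])) {
    renderStep1(issueToken());                      // first time on the page
} elseif (!tokenIsValid($_POST['token'] ?? null)) {
    unset($_SESSION['token'], $_SESSION['token_time']);
    echo "session error!";                          // stale, missing or forged token
} else {
    // ...validation of the posted fields goes here...
    issueToken();                                   // new token for the next step
    echo "step 1 accepted";
}
```

    The token lives only in the session and the hidden input, so the referer header is never consulted; a missing or expired token simply sends the user back to the start.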

  7.     Exactly you looped through this array that you created called $fields, and thus that is why I believed you had confused $_POST with $fields. But if you test my script it will work. If you want to loop through $_POST then just replace that with $fields in your foreach loop.

     

    I remember what it was!  :D I was originally going to use $fields as $required, and pass it through a validation function but decided against it , I guess I just kept going with it without realizing and worked it into the $_SESSION

  8. It looks like the fields array's entries are keys in the post array.

    Try doing

     
    print_r($_POST);
    

    at the top of your page to make sure your post data looks right, make sure all the keys are there, check upper/lower case etc..

     

    here's what comes out...I only entered firstname, lastname, month, day, and year

     

    Array ( [step1] => step1 [token] => 353cefcd1509a11e67b8196efb41284849eef876e280b4.76260405 [firstname] => dsvcasdv [lastname] => asdvasdvdsv [month] => Feb [day] => 4 [year] => 2005 [add1] => [add2] => [city] => [state] => [zip] => => [tel] => [submit] => Next ) dsvcasdv asdvasdvdsv Feb 4 2005

  9. You are confusing variables. $_POST is already an array, but if you did not submit a POST form request then it will be empty. Therefore echo gives nothing. Also you need to make an array for your session like so.

    <?php
    session_start(); // required before $_SESSION can be written
    $fields = array("firstname", "lastname", "month", "day", "year", "address1", "address2", "email", "telephone");
    foreach ($fields as $field) {
        $_SESSION['fields'][] = $field;
    }
    var_dump($_SESSION['fields']); // key is 'fields', the same one written above
    ?>

     

    I have an IF statement checking to see if the form has been posted via a hidden input, this code is executed only after the form is submitted... how do I add the $_POST values to the $_SESSION array then with that?

  10. you could also use a switch to accomplish the same goal...my index page is set up this way with multiple variables in the URL to determine what exactly the visitor is doing.

     

    but as wolfrage said, your URL would need to be something like http://www.mysite.com/index.php?code=1 (assuming the file you are using is named index.php)

     

    here's a quick example...

    // the switch acts as an allowlist: only the three named files can ever be included
    $code = isset($_GET['code']) ? $_GET['code'] : '';

    switch ($code) {
      case "1":
        include('one.php');
        break;

      case "2":
        include('two.php');
        break;

      default:
        include('default.php');
        break;
    }

     

  11. I have a multi part form, and at each step I am validating the previous step. I am storing all the values into a session, and I thought this was a way to do it, but my echo just gives me blank lines...

     

     $fields = array("firstname", "lastname", "month", "day", "year", "address1", "address2", "email", "telephone");

    foreach ($fields as $field) {
        // copy only what was actually posted; a key missing from $_POST otherwise raises
        // a notice and stores nothing (compare these names with print_r($_POST))
        $_SESSION[$field] = isset($_POST[$field]) ? $_POST[$field] : '';
        echo $_SESSION[$field] . "\n";
    }

  12. Um... I don't think selected is supposed to be used in that way. I think it's supposed to be like: <option value="something" selected>Something</option>

     

    Yes, because $year == $selected, it should be the same. However, == can mean equivalent values, too. So having said that, if $year = 0; & $selected = false; - I believe that would have the same translation. So instead of using this operator, perhaps try the identical comparison operator: === (just an extra =)

     

    I have always used selected="selected"  and it is validating according to the w3c...as for the === thanks, makes more sense to me.

  13. Ok, so I created a function for my form to populate a list with years for use with birth dates. I added more functionality to it so that when validating and error checking, I could have the function still populate the list, but if a year was selected and there were other errors, not pertaining to the list it would still keep that year selected after reload. My function takes a start/end year and populates the list accordingly from highest to lowest, and checks to see which value is selected... That's where I can't figure out why it actually works.

     

    Anywho, so here is how it is right now. Works flawlessly (might not be the best way, but I'm a beginner, and it works ;))

     

    function getYears($name, $startYear, $endYear, $tabIndex, $selected) {
        $year = $endYear;
        // escape attribute values so a tampered $name or $selected cannot break out of the markup
        $name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        $selected = htmlspecialchars($selected, ENT_QUOTES, 'UTF-8');
        echo ("\n\n<select name=\"$name\" id=\"$name\" tabindex=\"$tabIndex\">\n");
        if (empty($selected)) {
            // nothing chosen yet: preselect a blank entry
            echo("\n\t<option selected=\"selected\" value=\"\"></option>");
        }
        while ($year >= $startYear) {
            if ($year == $selected) {
                // the year chosen before the reload stays selected
                echo("\n\t<option selected=\"selected\" value=\"$selected\">$selected</option>");
            } else {
                echo("\n\t<option value=\"$year\">$year</option>");
            }
            $year--;
        }
        echo ("\n</select>");
    }

     

     

    With it like that, it works 100% no problems, none ever...However, while trying to figure it out, I had coded it a little differently, and it would populate the list with only 2 values, both being blank. here is the only difference in code:

     

    echo("\n\t<option selected=\"selected\" value=\"$year\">$year</option>");

     

    instead of

    echo("\n\t<option selected=\"selected\" value=\"$selected\">$selected</option>");

     

    Considering the statement below, shouldn't $year AND $selected work in such a case since they are equal?

    if ($year == $selected) {

  14. I know, I ask a million questions  :P but you guys are so damn helpful :D

     

    Anywho, in my form (multiple page) I am going to store the variables into a session. Do I start the session automatically when page 1 of the form is loaded? Or do I start it when the page begins getting validated? Also, does each subsequent page automatically follow the session?

  15. I have a form. It has 4 different <select> in it. If the lists are all valid (an item is selected) but there are other errors, how would I make PHP keep the selection when the page refreshes to show the fields with errors. Right now my <select> are brought in by a function like this:

     

    function getDays ($name, $tabIndex) {
        $name = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
        // the blank first option needs a valid selected attribute and a closing tag
        echo ("\n\n<select name=\"$name\" id=\"$name\" tabindex=\"$tabIndex\">\n  <option selected=\"selected\" value=\"\"></option>");
        foreach (range(1, 31) as $day) {
            echo("\n\t<option value=\"$day\">$day</option>");
        }
        echo ("\n</select>");
    }

  16. jOE :D wrote:

    You always want to run anything going into a db through mysql_real_escape_string(), but then there are other methods/functions for sanitizing things like HTML or non alpha numeric characters.

     

    Like I said, my fields are all basic things like name, email, telephone etc. How about things like zip codes? Just check if it's all numbers, and a correct length?

  17. I am not currently entering the data from my form into a database, this feature will come later on. it is just an email script right now . However, I would like to make sure i am protected in either case. I have seen multiple examples using mysql_real_escape_string() and strip_tags() and strip_slashes(). but which do I use?

     

    I am not allowing HTML input in my form, it is all basic information, from small fields (name, address, phone #, email etc.) There will however be a text area for comments. Right now I am validating my fields with no "security", and again, I eventually would like to enter the fields to a DB instead of an email, so I need to be protected from injection. Any info would be great
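    As an added example (not tefuzz's code, nor anything posted in the thread) for the "which function do I use?" question in this post and the zip-code question before it: each plain field is checked against the shape it must have, the database write uses a prepared statement, and escaping happens only when a value is rendered back into HTML. It assumes PHP 7+ with the PDO SQLite driver; the table, the DSN and the sample input are constructed.

```php
<?php
// Added example, not tefuzz's code: validate by expected shape, store with bound
// parameters, escape only at output. Assumes PHP 7+ with PDO SQLite; table,
// DSN and sample input are constructed for the demo.
function validateApplication(array $in): array {
    $errors = [];
    $clean  = [];
    foreach (['firstname', 'lastname'] as $f) {         // letters, space, ' and -, up to 60
        $v = trim($in[$f] ?? '');
        if (preg_match('/^[\p{L} \'-]{1,60}$/u', $v)) { $clean[$f] = $v; } else { $errors[$f] = 'invalid name'; }
    }
    $zip = trim($in['zip'] ?? '');                       // US ZIP: 5 digits, optional +4
    if (preg_match('/^\d{5}(-\d{4})?$/', $zip)) { $clean['zip'] = $zip; } else { $errors['zip'] = 'invalid zip'; }
    $email = filter_var(trim($in['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email !== false) { $clean['email'] = $email; } else { $errors['email'] = 'invalid email'; }
    $tel = preg_replace('/\D/', '', $in['tel'] ?? '');   // keep digits, require exactly 10
    if (strlen($tel) === 10) { $clean['tel'] = $tel; } else { $errors['tel'] = 'invalid phone'; }
    $comments = trim($in['comments'] ?? '');             // free text: cap the length only
    if (strlen($comments) <= 2000) { $clean['comments'] = $comments; } else { $errors['comments'] = 'too long'; }
    return [$clean, $errors];
}

// Bound parameters: values never become part of the SQL text, so quotes and
// comment markers inside a field are stored literally, not interpreted.
function storeApplication(PDO $db, array $clean): void {
    $stmt = $db->prepare('INSERT INTO applications (firstname, lastname, zip, email, tel, comments)
                          VALUES (:firstname, :lastname, :zip, :email, :tel, :comments)');
    $stmt->execute($clean);   // keys of $clean match the named placeholders
}

// Escape at output time, e.g. when re-filling the form after an error.
function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// Constructed input standing in for $_POST
$post = ['firstname' => 'Ann', 'lastname' => "O'Neil", 'zip' => '90210', 'email' => 'ann@example.com',
         'tel' => '(555) 123-4567', 'comments' => "it's fine; -- really"];
[$clean, $errors] = validateApplication($post);
if ($errors) {
    foreach ($errors as $field => $msg) { echo h($field) . ': ' . h($msg) . "<br>\n"; }
} else {
    $db = new PDO('sqlite::memory:');   // constructed DSN; swap in the real database
    $db->exec('CREATE TABLE applications (firstname TEXT, lastname TEXT, zip TEXT, email TEXT, tel TEXT, comments TEXT)');
    storeApplication($db, $clean);
    echo 'stored ' . $db->query('SELECT COUNT(*) FROM applications')->fetchColumn() . " row\n";
}
```

    Neither mysql_real_escape_string() nor strip_tags() appears: the placeholders keep data out of the SQL, and h() keeps it out of the markup, which is the same answer whether the data goes to a database or into an email.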

  18. Whoever uses a session that expires before a form can be filled out is an idiot. Your session will last. Hidden fields can be tampered way easier.

     

    how can I make sure the session will last long enough for the user to fill out all 6 pages of the form?

  19.  

    Yes it would be lost.  You can either store it in a session or a hidden field like meomike mentioned, to retain the values.

     

    I was planning on using a session, but it's a 6 part form... It's an application, so some replies I got on here were if the user took too long to complete the steps the session would be lost. I guess my best bet is to stick them all into hidden fields after validation.
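    As an added example (not tefuzz's code, nor anything posted in the thread) for the session questions in the posts above (when to start it, how long it lasts, how to clear it when the form is abandoned): the six steps are kept under one session key with an inactivity clock, and the server-side lifetime is raised so a slow applicant is not logged out mid-form. It assumes PHP 7.3+; the step names and the 6-hour limit are constructed.

```php
<?php
// Added example, not tefuzz's code: a 6-step form kept in the session with an
// idle limit, so it survives a slow applicant but stale data is discarded.
// Assumes PHP 7.3+; step names and the 6-hour limit are constructed.

// The server must keep the session at least as long as the form may take;
// both settings must precede session_start() (default gc_maxlifetime is 1440 s).
ini_set('session.gc_maxlifetime', (string)(6 * 3600));
session_set_cookie_params(['lifetime' => 0, 'httponly' => true, 'samesite' => 'Lax']);
session_start();   // every page of the form calls this, so they all share $_SESSION

const FORM_IDLE_LIMIT = 6 * 3600;   // constructed: abandon the form after 6 idle hours

// Start (or reset) the application: called when page 1 is first shown.
function beginApplication(): void {
    $_SESSION['app'] = ['data' => [], 'last' => time()];
}

// False if the user never began or was idle too long; stale data is dropped.
function applicationIsFresh(): bool {
    if (!isset($_SESSION['app']['last'])) { return false; }
    if (time() - $_SESSION['app']['last'] > FORM_IDLE_LIMIT) {
        unset($_SESSION['app']);
        return false;
    }
    return true;
}

// Save only the fields this step owns, after they validated; touch the clock.
function saveStep(int $step, array $fields, array $post): void {
    foreach ($fields as $f) {
        $_SESSION['app']['data'][$step][$f] = trim($post[$f] ?? '');
    }
    $_SESSION['app']['last'] = time();
}

// Value to re-fill an input with when the user comes back to an earlier step.
function savedValue(int $step, string $field): string {
    return $_SESSION['app']['data'][$step][$field] ?? '';
}

// Usage, constructed: step 1 posts firstname/lastname
if (!applicationIsFresh()) { beginApplication(); }
if (isset($_POST['step1'])) {
    saveStep(1, ['firstname', 'lastname'], $_POST);
}
echo '<input name="firstname" value="'
   . htmlspecialchars(savedValue(1, 'firstname'), ENT_QUOTES, 'UTF-8') . '">';
```

    Because the data stays on the server, nothing a user edits in the browser can alter an earlier validated step; hidden fields would have to be re-validated on every submit.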
