
clay1
Members - Posts: 161 - Last visited: Never
Everything posted by clay1
-
This seems like something that should be easy to find, but I've been searching for a week for an answer. I've got a site that has a public form that is filled out by unknown people. I want to make sure my database and information is as safe as possible from attacks. So I've got my form data in the post array. I need to check it to make it sure it is valid. I've got most of that down. But then what? How do I get the information into my database in an efficient but secure way?
-
I use Postgre and have a timestamp field in my table. I update it with:

    UPDATE YOURTABLE SET TIMESTAMPCOLUMN = now() WHERE RECORDYOUWANT = 'whatever'

You may need to edit the syntax for your database backend. For the select:

    DATE_ADD(NOW(), INTERVAL -5 MINUTES)

will do the math part.
-
Thanks. For State I was thinking build an array of the values in the drop down and test if it matches? Street Address: I don't think a regex will really work. There are so many variations. Mostly I want to make sure something is entered and that it isn't something malicious. If it's a fake address.. oh well, as long as it doesn't F my data up. Does that make sense? Stuff like zipcode I have down, along with how to make sure something required is there. The optional stuff and check boxes confuse me. I've got about a dozen questions that have check boxes or multiple values-- all are optional. Should I make arrays with each possible answer and test them? That would be kind of bloated, wouldn't it? Also, I am using postgre; will running my data through pg_query_params() sufficiently protect against injections? I have seen claims for and against it.
-
Right, I understand I need to check everything-- I just don't know HOW. I mean I have some basic ideas, but some of the fields are problematic for me.. for example the select field I mentioned. Also Street Address.. I can check if it's null, but other than that what can I do to prevent malicious stuff from that field? I am checking out the script you linked now. Thanks
-
$days_before_year = date('w', mktime(0, 0, 0, (x + 6) % 7 , 1, $year)); ? Maybe. Not exactly sure either.
-
Started a new topic since the main question on my other thread was answered. I've already validated my form with jquery. Now I am doing server side to scrub the data and provide security. I pretty much understand what I need to do for most of the fields, i.e. I've got a function to check the email address. What about something like a drop down menu for states? The values are all 2 letter abbreviations. For Gender I have radio buttons-- would:

    if ($gender != "male" || $gender != "female") {
        echo "Please select your gender";
        exit;
    }

cover my bases? I also have a whole page of options which are optional. I obviously want to prevent any exploitation there. Beyond stripping html, slashes, and trimming, is there anything I should do to optional entries? There are about 30 questions on this form so I am trying to be efficient but thorough. Thanks a lot-- this board is always the most helpful I can find!
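An added example, not code from the thread, covering the questions above about the state drop-down, the gender radio buttons, the optional checkbox groups, the street address and pg_query_params(): every fixed-choice field is compared against a list of known values (a strict in_array check, which avoids the always-true `!= ... || !=` form), free text is only bounded, and the values are bound as query parameters. The table and column names, DSN and allowed-value lists are placeholders.

```php
<?php
// Added example (not from the thread): whitelist checks for select/radio/checkbox
// fields, then an INSERT through pg_query_params() so values never touch the SQL text.
// Table and column names, the DSN and the allowed-value lists are placeholders.
$ALLOWED_STATES  = ['AL', 'AK', 'AZ', 'CA', 'NY', 'TX'];          // complete the list
$ALLOWED_GENDERS = ['male', 'female'];
$ALLOWED_SOCIAL  = ['single', 'married', 'divorced', 'widowed'];

// One value from a drop-down or radio group. Optional fields return NULL when empty.
function pick_one(array $post, string $field, array $allowed, bool $required): ?string
{
    $v = is_string($post[$field] ?? null) ? trim($post[$field]) : '';
    if ($v === '') {
        if ($required) throw new InvalidArgumentException("$field is required");
        return null;
    }
    // strict in_array: the value must equal one of the allowed strings exactly.
    if (!in_array($v, $allowed, true)) throw new InvalidArgumentException("$field: bad value");
    return $v;
}

// Checkbox group: arrives as an array, or not at all; every ticked value must be known.
function pick_many(array $post, string $field, array $allowed): array
{
    $vals = is_array($post[$field] ?? null) ? array_filter($post[$field], 'is_string') : [];
    if (array_diff($vals, $allowed)) throw new InvalidArgumentException("$field: bad value");
    return array_values(array_unique($vals));
}

// Free text such as a street address: no regex proves it is real, so only bound the
// length, reject control characters, and let parameter binding handle quotes/backslashes.
function pick_text(array $post, string $field, int $max): string
{
    $v = is_string($post[$field] ?? null) ? trim($post[$field]) : '';
    if ($v === '' || strlen($v) > $max || preg_match('/[\x00-\x1F\x7F]/', $v)) {
        throw new InvalidArgumentException("$field: required, max $max characters");
    }
    return $v;
}

$state  = pick_one($_POST, 'state', $ALLOWED_STATES, true);
$gender = pick_one($_POST, 'gender', $ALLOWED_GENDERS, true);
$social = pick_many($_POST, 'ss_social_situation', $ALLOWED_SOCIAL);
$street = pick_text($_POST, 'street', 100);
$db  = pg_connect('host=localhost dbname=app user=app');   // placeholder DSN
$sql = 'INSERT INTO respondents (state, gender, social_situation, street)
        VALUES ($1, $2, $3, $4)';
// $1..$4 travel separately from the SQL, so a quote or keyword inside $street is stored
// as plain text. Identifiers (table/column names) cannot be bound this way.
$ok = pg_query_params($db, $sql, [$state, $gender, json_encode($social), $street]);
if ($ok === false) { error_log(pg_last_error($db)); http_response_code(500); }
```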
-
You would be wrong. It is still only conditionally sent. Good to know
-
Oh right, I forgot to include that in my post. I had tried something similar. I got it working, I think:

    if ($_POST) {
        foreach (array_keys($_POST) as $key) {
            $$key = $_POST[$key];
            if (is_array(${$key})) {
                foreach (${$key} as $key2) {
                    $$key2 = $_POST[$key2];
                    print "$key2 was part of array $key = $key<br />";
                }
            } else {
                print "$key is ${$key}<br />";
            }
        }
    }

So now, what is the best way to filter and check this stuff before putting it in my DB?
-
I could be wrong but won't escaping out of PHP each time like that cause ALL the html to be processed? If you do print_r($_COOKIE); what do you get?
-
I've got a form. I need to insert the values into my database, and I have some questions on the best way to get the variables out of the post array. I found something online that said:

    foreach (array_keys($_POST) as $key) {
        $$key = $_POST[$key];
    }

That works, except I have some multiple value options like check boxes, which when I do a print on $key I just get 'array'. What do I do here? Working on another site I had some issues with some serialized data becoming corrupted-- don't know if it was the fault of serialize and I should avoid it or if it was due to some other problem.
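An added example (not from the thread) for the two posts above about pulling fields out of $_POST with `$$key`: the request itself decides which variables get created or overwritten, so a fixed list of expected fields is used instead, checkbox groups are kept as arrays, and the list is stored as JSON rather than with serialize(). The request array, field names and the `db_user` variable are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): $$key copies every posted name into a local
// variable, so an extra form field can overwrite one the script relies on.

// Constructed request: the expected fields plus one the form never had.
$post = [
    'Name'                => 'Jane',
    'ss_social_situation' => ['single', 'student'],   // checkbox group -> array
    'db_user'             => 'not-the-app-account',   // unexpected extra field
];

function unsafe_extract(array $post): string
{
    $db_user = 'app';
    foreach (array_keys($post) as $key) {
        $$key = $post[$key];   // any posted name becomes a local variable
    }
    return $db_user;           // 'not-the-app-account': overwritten by the request
}

// What the form may send: 'one' = single text value, 'many' = checkbox list.
const FORM_FIELDS = ['Name' => 'one', 'Gender' => 'one', 'ss_social_situation' => 'many'];

function extract_fields(array $post): array
{
    $out = [];
    foreach (FORM_FIELDS as $field => $kind) {
        $raw = $post[$field] ?? null;
        if ($kind === 'one') {
            // A scalar field that arrives as an array is tampering, not a typo.
            $out[$field] = is_string($raw) ? trim($raw) : '';
        } else {
            $vals = is_array($raw) ? array_filter($raw, 'is_string') : [];
            $out[$field] = array_values(array_map('trim', $vals));
        }
    }
    return $out;   // keys not in FORM_FIELDS (db_user) are ignored
}

// For storage, encode a checkbox list as JSON rather than serialize(): it stays readable
// in the table and json_decode() never instantiates objects on the way back.
$row = extract_fields($post);
$row['ss_social_situation'] = json_encode($row['ss_social_situation']);
var_dump(unsafe_extract($post));   // string "not-the-app-account"
print_r($row);                     // Name, Gender (empty), ss_social_situation as JSON
```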
-
When I click submit nothing happens. I have the problem narrowed down to the zipcode validation.

    jQuery.validator.addMethod("phoneUS", function(phone_number, element) {
        phone_number = phone_number.replace(/\s+/g, "");
        return this.optional(element) || phone_number.length > 9 &&
            phone_number.match(/^(1-?)?(\([2-9]\d{2}\)|[2-9]\d{2})-?[2-9]\d{2}-?\d{4}$/);
    }, "Please specify a valid phone number");

    jQuery.validator.addMethod("zipcode", function(zip) {
        // matches US ZIP code
        // allow either five digits or nine digits with an optional '-' between
        zip = zip.replace(/^\s+/, "");
        zip = zip.replace(/\s+$/, "");
        if (zip.length == 0) {
            return true;
        }
        if (zip.match(/^\d{5}([- ]?\d{4})?$/)) {
            return true;
        }
        return false;
    }, "Please specify a valid US ZIP code (5 digits or xxxxx-xxxx format)");

If I don't enter a zip it tells me to, but when I do the form won't post. If I remove that code the form will post, but obviously my zipcode field won't be validated. I've tried a few different versions of validating the zip but every time I try the form won't post.
-
Doing

    if ($pricearray[$j] > 0) {
        $pdf->tbDrawData($data);
    }

appears to have worked. Thank you!
-
Using fpdf I am trying to create an invoice to send to clients. The products are sold in pricing tiers. I've got it working so it only displays a tier if the quantity is greater than 0, but I end up with a bunch of empty rows in between. Instead of, for example: 1 $20 2 $30 3 $40, I am getting 1 $20 2 $30 3 $40 with empty rows between them. How can I get it so the row is advanced only if something is output?

    for ($j=0; $j<12; $j++) {
        $data = Array();
        if ($pricearray[$j] > 0) {
            $data[0]['TEXT'] = $pricearray[$j];
            $data[1]['TEXT'] = $_POST['select'];
            $data[1]['TEXT'] .= " " . $pricedescriptionarray[$j];
            $data[2]['TEXT'] = "Description";
            $data[3]['TEXT'] = "20";
            $data[4]['TEXT'] = "100";
        }
        $fsize += 0.5;
        if ($fsize > 10) $fsize = 5;
        $rgb_b -= 10;
        $rgb_g -= 5;
        $rgb_b -= 20;
        if ($rgb_b < 150) $rgb_b = 255;
        if ($rgb_g < 150) $rgb_g = 255;
        if ($rgb_b < 150) $rgb_b = 255;
        $pdf->tbDrawData($data);
    }
-
I'm getting kind of confused about what you are asking. There are two different PHP to PDF scripts: PDFLib, and FPDF, which is sort of a free clone of PDFLib. You had said you wanted to use built in php functions, which I am not aware there are any. Your install came with FPDF? There are tutorials and user submitted templates on the FPDF site which will help you get a grasp of how to use it. It's rather arcane otherwise. I've used fpdf on two systems: a test server I setup, and a shared host. Neither required any special handling or changes. When I uploaded my script and the library to my site it worked 'out of the box'.
-
Isn't the PDFlib a commercial product that costs money and isn't stock with PHP? I use FPDF myself
-
HELP WITH PRODUCTS OF PAGES, PRODUCTS PER PAGE ETC
clay1 replied to Orionsbelter's topic in PHP Coding Help
As far as I know there is no real difference between for or while except for claims of speed.
-
You could try reading this: http://devzone.zend.com/article/1269 http://php.net/manual/en/function.imagepng.php
-
HELP WITH PRODUCTS OF PAGES, PRODUCTS PER PAGE ETC
clay1 replied to Orionsbelter's topic in PHP Coding Help
    $numproductsperpage = 20;
    $i = 1;
    while ($i <= $numproductsperpage) {
        // show product $i
        $i++;
    }
-
One problem I see is you need single quotes around your get variables inside the brackets, like this: if($_GET['ads']
-
Like I said, I am just trying to get the data out that is already in there. I can revisit changing the input later.
-
The etc is just the list of posts being assigned to variables. For example, one of the ones still giving me trouble: one of the questions, 'What is your social situation', has multiple check boxes. It's assigned to the variable:

    $ss_social_situation = serialize($_POST['ss_social_situation']);

After the list of the other posts, literally the next line is the insert. The export script does a select all to an associative array, then a series of echo statements. The serialized fields used to be echo'd as such:

    echo contate(unserialize($row['social_situation']))."\t";

But after I added the function previously mentioned I changed them all to this (obviously with the appropriate variable names):

    $data = @unserialize($row['social_situation']);
    if ($data === false) // could not unserialize
    {
        $data = repairSerializedArray($row['social_situation']);
        echo contate($data)."\t";
    }
    elseif (!unserialize($row['social_situation'])) { echo "\t"; }
    else { echo contate(unserialize($row['social_situation']))."\t"; }

This has fixed the issue of having implode errors, but now some records are not lining up with the right columns. I am waiting on a sql dump to test those records.
-
The posts are assigned to variables and then inserted:

    $Name = $_POST['Name'];
    $gender = $_POST['Gender'];
    etc
    $sql = "INSERT INTO table () ". "VALUES ('','". $partyid."', '". $Name

6 of the posts are serialized and then assigned to a variable; everything else is the same. I'd be fine with doing away with the serialized version if there is a better alternative. I don't think a second table is necessary. They are using serialize on form questions that have multiple text box answers, i.e. 'what are your 3 favorite bands: 1. Kenny G 2. Bob Rock 3. Fabio'
-
So I need to clean up the form/inserts basically? It's pretty lacking in validation. Any good tips on validating a form with about 30 fields?
-
There are a lot of problems with the script; it was coded overseas. I will at some point be able to improve it, but my priority right now is getting the data out that I need. I think I tried stripslashes with no different result. If there were a slash entered, would the data look identical in the table? Right down to the a:0:i0:s44 etc? I can't understand how there would be no discernible difference.
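An added example, not from the thread, for the serialize() questions in the three posts above: it shows that a row damaged by an extra layer of slashes keeps its a:/i:/s:N: prefixes and looks nearly identical in the table, why unserialize() then fails (the recorded s:N length no longer matches the bytes), and two repairs, stripslashes() and a length recount of the kind the repair function mentioned above performs. The field name and sample answer are constructed.

```php
<?php
// Added example (not from the thread): what an extra backslash does to a serialised
// value, why unserialize() refuses it, and how to tell "corrupt" from "false".

// Constructed sample: one checkbox answer, serialised the way the insert script does.
$clean = serialize(['ss_social_situation' => ["O'Brien's band"]]);
// a:1:{s:19:"ss_social_situation";a:1:{i:0;s:14:"O'Brien's band";}}

// What lands in the table when the value is escaped twice (magic_quotes_gpc plus a
// manual addslashes): every s:N: prefix is untouched, only backslashes appear.
$stored = str_replace("'", "\\'", $clean);
// a:1:{s:19:"ss_social_situation";a:1:{i:0;s:14:"O\'Brien\'s band";}}

function load_serialized(string $blob)
{
    // unserialize() returns false both on failure and for a serialised false,
    // so compare against serialize(false) ("b:0;") to tell the two apart.
    $data = @unserialize($blob);
    if ($data === false && $blob !== serialize(false)) {
        return null; // corrupt
    }
    return $data;
}

function repair_slashes(string $blob)
{
    // If the damage is only added backslashes, stripslashes() restores the original
    // bytes and the recorded lengths (s:14:) match again.
    return load_serialized(stripslashes($blob));
}

function recount_lengths(string $blob): string
{
    // Fallback when stripslashes() is not enough: recompute each s:N: from the bytes
    // actually present. Assumes no stored value itself contains the sequence ";
    return preg_replace_callback('/s:\d+:"(.*?)";/s',
        fn($m) => 's:' . strlen($m[1]) . ':"' . $m[1] . '";', $blob);
}

var_dump(load_serialized($clean) !== null);                      // true
var_dump(load_serialized($stored));                              // NULL: s:14: but 16 bytes
var_dump(repair_slashes($stored) === load_serialized($clean));   // true
var_dump(unserialize(recount_lengths($stored)));                 // loads, values keep the \'

// Going forward: unserialize() on data that came from a form can instantiate objects;
// json_encode()/json_decode() store the same lists without that risk.
```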