Miss-Ruth

Members
  • Posts: 94
  • Joined
  • Last visited: Never

Everything posted by Miss-Ruth

  1. $OldWest = $_POST['OldWest'];
     // sanitise one step at a time; the original put the assignment inside the
     // if condition, where && bound first and left $OldWest holding a boolean
     $OldWest = strip_tags($OldWest);
     $OldWest = htmlentities($OldWest);
     $OldWest = utf8_decode($OldWest);
     $OldWest = stripslashes($OldWest);
     if ($OldWest) {
         echo "lol";
     }
     Thanks Guys!!! Got it fixed.
  2. To prevent PHP form hijacking it's best to turn off register_globals, correct? But some of my applications stop responding when it's turned off. What is the risk? Any solution to avoid the risk? Thanks. Ruth.
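The post above asks what register_globals actually risks and how to keep a script working once it is off. The example below is added here and is not code from the thread or from any reply in it; it assumes a session-based login (a `user_id` stored in `$_SESSION`) and a hypothetical `pages/` template directory. It shows the style that only worked because the directive auto-created variables, next to a replacement that reads every input explicitly and initialises every flag itself.

```php
<?php
// Added example, not code from the thread. php.ini should keep
//   register_globals = Off
// (the directive defaulted to Off from PHP 4.2 and was removed in PHP 5.4).
// The risk with it On: every request parameter is turned into a variable in
// the global scope before the script runs, so any variable the script does
// not initialise itself can be chosen by whoever sends the request. A script
// that "stops responding" with the directive Off was reading such variables
// without ever assigning them; the replacement pattern is below.

// Style that only worked with register_globals = On (shown as comments):
//   if ($loggedIn) { showAccount(); }   // $loggedIn was never assigned by the script
//   include $page . '.php';             // $page came straight from the request

// Read request parameters explicitly, with a default, so a value can only
// reach a variable because the script asked for it.
function requestParam(string $key, string $default = ''): string
{
    if (isset($_POST[$key])) {
        return (string) $_POST[$key];
    }
    if (isset($_GET[$key])) {
        return (string) $_GET[$key];
    }
    return $default;
}

// State that must never be client-controlled is initialised here and changed
// only by the script's own logic (assumed: the login handler stores user_id
// in the session after a successful password check).
$loggedIn = isset($_SESSION['user_id']);

// A request value that steers control flow is checked against a fixed list
// before use; here it selects a template file, so anything outside the list
// falls back to the default page.
$allowedPages = ['home', 'account', 'contact'];
$page = requestParam('page', 'home');
if (!in_array($page, $allowedPages, true)) {
    $page = 'home';
}

echo $loggedIn ? "showing account links\n" : "showing login link\n";

$template = __DIR__ . '/pages/' . $page . '.php';   // hypothetical template directory
if (is_file($template)) {
    require $template;
} else {
    echo "template for '$page' is not installed\n";
}
```

Applications that break with the directive off are usually doing the first, commented-out style somewhere; replacing each bare `$foo` that was meant to come from the form with a `requestParam('foo')` call (and a default) restores them without re-enabling the directive.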
  3. I'm using the following filters to prevent email injection. Is this sufficient to prevent an injection/hijacking, or am I missing something?
     $email = $_POST['email'];
     $email = strip_tags($email);
     $email = htmlentities($email);
     $email = utf8_decode($email);
     $email = stripslashes($email);
     // note: this re-reads the raw POST value, so the steps above are discarded
     $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
     I really appreciate your feedback.
  4. Alright. Let me ask you the question this way... How can I update all the rows in MatchType of table1 using the following code?
     table1
     shop   JAN       FEB       MARCH     MatchType
     B-11   paid -R   paid -R   paid -F
     B-12   paid -F   paid -F   paid -F
     B-13   paid -R   paid -R   paid -R
     table2
     SHOP   JAN       FEB       MARCH
     2010   paid -F   paid -R   paid -F

     $MyArray1 = array();
     $MyArray2 = array();
     // db1
     // the original escaped $_POST['roundonex'] and then overwrote $Variable1 with the raw
     // $_POST['name']; the value that is actually used in the query is escaped here
     $Variable1 = mysql_real_escape_string($_POST['name'], $conn);
     $queryA1 = "SELECT * FROM table1 WHERE username = '".$Variable1."'";
     $resultA = mysql_query($queryA1);
     $scoreA = mysql_fetch_assoc($resultA);
     foreach (range('a', 'h') as $ltr) {
         $MyArray1[] = array($scoreA['roundzA' . $ltr]);
     }
     // db2
     $Variable2 = 'roundA';   // the original used $$Variable2 (a variable variable) with $Variable2 undefined
     $query1 = "SELECT * FROM table2 WHERE roundx = '".$Variable2."'";
     $result = mysql_query($query1);
     $scoreB = mysql_fetch_assoc($result);
     foreach (range('a', 'h') as $ltr) {
         $MyArray2[] = array($scoreB['markwinx' . $ltr]);
     }
     $count = array();
     for ($i = 0; $i < count($MyArray1); ++$i) {
         $count[$i] = count(array_intersect($MyArray1[$i], $MyArray2[$i]));
     }
     $count1 = array_sum($count);
  5. Thanks Pikachu2000 and Maq. I'm trying to match data from table1 against table2, and then update the 'MatchType' column with the matching count. I know how to match table1 against table2 and get the matching count. But I don't know how to do it to all rows on the fly when table2 is updated. Could you show me a sample of how to update row by row on the fly?
     $query = "SELECT * FROM table1 WHERE shop = 'B-11'"; // instead of B-11 how can I call each row once to update the "MatchType" column?
     table1
     shop   JAN       FEB       MARCH     MatchType
     B-11   paid -R   paid -R   paid -F
     B-12   paid -F   paid -F   paid -F
     B-13   paid -R   paid -R   paid -R
     table2
     SHOP   JAN       FEB       MARCH
     2010   paid -F   paid -R   paid -F
  6. Ok... Now I've done this. Could someone tell me if this is coded correctly and will this prevent email injecting?
     <?php
     $emailer = $_POST['emailer'];   // posted values (field names assumed)
     $name = $_POST['name'];
     if (IsInjected($emailer) || IsInjected($name)) {
         echo "Hacking Attempt!";
         exit;
     } else {
         $to = "me@mydomain.com, myFriend@mydomain.com,".$emailer;
         $sender = "The Company";
         $subject = "The Subject - $name";
         $my_msg = "<HTML> //goes the HTML part </HTML>";
         // $headers was never built in the original and $my_msg was never sent;
         // a From line and a content type are added and the message goes in the body
         $headers = "From: ".$sender."\r\n";
         $headers .= "Content-Type: text/html; charset=\"iso-8859-1\"\r\n";
         mail($to, $subject, $my_msg, $headers);
     }
     // declared after use, which PHP allows for an unconditional top-level function
     function IsInjected($str) {
         $injections = array('(\n+)', '(\r+)', '(\t+)', '(%0A+)', '(%0D+)', '(%08+)', '(%09+)');
         $inject = join('|', $injections);
         $inject = "/$inject/i";
         if (preg_match($inject, $str)) {
             return true;
         } else {
             return false;
         }
     }
     ?>
  7. How can all records in a MySQL table be called row by row using a loop?
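The row-by-row question here, and the MatchType update described in the two posts above it, are answered together by the example below. It is added here and is not code from the thread or its replies; it uses PDO prepared statements, and to run offline it seeds an in-memory SQLite database with the two tables exactly as they appear in the posts (against MySQL only the DSN and the CREATE statements change). It assumes table2's reference row is the one keyed 2010.

```php
<?php
// Added example, not code from the thread. Fetch every row of table1, count
// the months whose value equals the reference row of table2, and write that
// count into MatchType with a prepared UPDATE.

$pdo = new PDO('sqlite::memory:');   // MySQL: new PDO('mysql:host=...;dbname=...', $user, $pass)
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data, copied from the tables in the posts.
$pdo->exec('CREATE TABLE table1 (shop TEXT PRIMARY KEY, JAN TEXT, FEB TEXT, MARCH TEXT, MatchType INTEGER)');
$pdo->exec('CREATE TABLE table2 (SHOP TEXT PRIMARY KEY, JAN TEXT, FEB TEXT, MARCH TEXT)');
$pdo->exec("INSERT INTO table1 (shop, JAN, FEB, MARCH) VALUES
    ('B-11', 'paid -R', 'paid -R', 'paid -F'),
    ('B-12', 'paid -F', 'paid -F', 'paid -F'),
    ('B-13', 'paid -R', 'paid -R', 'paid -R')");
$pdo->exec("INSERT INTO table2 VALUES ('2010', 'paid -F', 'paid -R', 'paid -F')");

// Recompute MatchType for every row of table1 against one row of table2.
// Call it from whatever script changes table2, so the column is refreshed
// "on the fly" instead of being edited by hand.
function refreshMatchType(PDO $pdo, array $months, string $referenceShop): array
{
    $ref = $pdo->prepare('SELECT * FROM table2 WHERE SHOP = ?');
    $ref->execute([$referenceShop]);
    $reference = $ref->fetch(PDO::FETCH_ASSOC);
    if ($reference === false) {
        throw new RuntimeException("no reference row for $referenceShop");
    }

    // Values travel as bound parameters; the column names come from the fixed
    // $months list, never from user input, so the SQL text itself is static.
    $update = $pdo->prepare('UPDATE table1 SET MatchType = ? WHERE shop = ?');

    // This is the "call each row once" loop from the question. fetchAll()
    // reads the whole result before any UPDATE runs on the same table.
    $rows = $pdo->query('SELECT * FROM table1')->fetchAll(PDO::FETCH_ASSOC);

    $counts = [];
    foreach ($rows as $row) {
        $matches = 0;
        foreach ($months as $m) {
            if ($row[$m] === $reference[$m]) {
                $matches++;
            }
        }
        $update->execute([$matches, $row['shop']]);
        $counts[$row['shop']] = $matches;
    }
    return $counts;
}

$months = ['JAN', 'FEB', 'MARCH'];   // the columns to compare, in a fixed list
foreach (refreshMatchType($pdo, $months, '2010') as $shop => $n) {
    echo "$shop: MatchType = $n\n";
}
```

On the seeded data the loop writes 2 for B-11, 2 for B-12 and 1 for B-13. The per-row UPDATE keyed on the primary key is what replaces the hard-coded `WHERE shop = 'B-11'` in the question, and the prepared statements remove the need for `mysql_real_escape_string()` entirely.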
  8. Why can't someone help me or guide me.....?
  9. Oh ok. Thanks. Then what's the common/reliable way currently used to prevent an email injection?
  10. Is it reliable to use eregi() to prevent email injection?
      // eregi() was deprecated in PHP 5.3 and removed in PHP 7.0
      if (eregi("(\r|\n)", $first) || eregi("(\r|\n)", $second)) {
          die("Spammer detected");
      } else {
          // do this
      }
  11. Ok. I tried removing $emailField = trim($emailField) and creating another variable to define the safe input, but it doesn't seem to work. Could someone help?
      <?php
      function checkEmailField($emailField) {
          //$emailField = trim($emailField);
          $check = array("\r\n", "\r", "\n", "\t", ",", "%0a", "%0d");
          foreach ($check as $ch) {
              if (strpos($emailField, $ch) !== false) {
                  return false;
              }
          }
          return true;
      }
      // safe() was not defined in this post; the definition from a later post on this page is added here
      function safe($newVariable) {
          return str_ireplace(array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:"), "", $newVariable);
      }
      if (checkEmailField($emailer) && checkEmailField($name) && checkEmailField($company)) {
          // the "safe" copies go into new variables; PHP variable names are case-sensitive,
          // so $emaileR is a different variable from $emailer (the original read from the
          // new, still-empty variables instead of assigning to them)
          $emaileR = safe($emailer);
          $namE = safe($name);
          $companY = safe($company);
          $to = "me@mydomain.com, myPartner@mydomain.com,".$emaileR;
          // rest of the script as in the full code posted elsewhere on this page
      }
  12. Bounce... Any help is very much appreciated.
  13. Good post... I'm having a similar project. Any input please.
  14. Can someone tell me what's wrong here and how to fix it?
  15. Thanks Nightslyr. This is my full code. What do you suggest?
      <?php
      function checkEmailField($emailField) {
          $emailField = trim($emailField);
          $check = array("\r\n", "\r", "\n", "\t", ",", "%0a", "%0d");
          foreach ($check as $ch) {
              if (strpos($emailField, $ch) !== false) {
                  return false;
              }
          }
          return true;
      }
      // safe() was not defined in this post (another post on this page reports the resulting
      // fatal error); the definition from a later post on this page is added here
      function safe($newVariable) {
          return str_ireplace(array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:"), "", $newVariable);
      }
      $emailer = $_POST['emailer'];   // posted values (field names assumed)
      $name = $_POST['name'];
      $company = $_POST['company'];
      if (checkEmailField($emailer) && checkEmailField($name) && checkEmailField($company)) {
          $emailer = safe($emailer);
          $name = safe($name);
          $company = safe($company);
          $to = "me@mydomain.com, myPartner@mydomain.com,".$emailer;
          $sender = "myCompany";
          $subject = "Sent by - $company";
          $message = "<HTML> </HTML>";
          $rPkl = PHP_EOL;
          $separator = md5(time());
          $headers = "From: ".$sender.$rPkl;
          $headers .= "MIME-Version: 1.0".$rPkl;
          $headers .= "Content-Type: multipart/mixed; boundary=\"".$separator."\"".$rPkl.$rPkl;
          $headers .= "Content-Transfer-Encoding: 7bit".$rPkl;
          $headers .= "This is a MIME encoded message.".$rPkl.$rPkl;
          $headers .= "--".$separator.$rPkl;
          $headers .= "Content-Type: text/html; charset=\"iso-8859-1\"".$rPkl;
          $headers .= "Content-Transfer-Encoding: 8bit".$rPkl.$rPkl;
          $headers .= $message.$rPkl.$rPkl;
          // the MIME body is carried inside the header string, so mail() is given an empty body
          mail($to, $subject, "", $headers);
      } else {
          die('Invalid Input');
      }
  16. Bounce... could someone tell me the cause for this....
  17. I'm getting an error for safe().
      Fatal error: Call to undefined function safe()
      $emailer = safe($emailer);
  18. Thank you gizmola. I Really appreciate your help.
  19. Well... Can someone advise me please how to prevent this... Also, will this prevent the Bcc?
      if (eregi("(\r|\n|%0a|%0d)", $emailer) || eregi("(\r|\n|%0a|%0d)", $name) || eregi("(\r|\n|%0a|%0d)", $company)) {
          die("Why ??");
      }
      // defined but never applied to $emailer, $name or $company before they reach $to, $subject and $headers
      function safe($newVariable) {
          return str_ireplace(array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:"), "", $newVariable);
      }
      mail($to, $subject, "", $headers);
  20. Thanks both of you. I appreciate your feedback. strpos() - how can that help? Isn't there a simpler way for me to prevent this? I'm curious because I'm in a situation facing this right now. So I'm searching for an immediate fix and I'm seeking your expertise to help me code this (which might hopefully save my job). Thank you.
  21. Thanks requinix. I'm not sure how to prevent email injection. I googled and read some postings, but I'm not sure how to do it as yet. Also, you asked to get an idea of my full script... it goes like this. (This PHP only fetches the posted data from another file and sends it via email to me@mydomain.com, myPartner@mydomain.com, and $emailer.) The code below is the existing code and I need to make sure it's email injection proof. Highly appreciate your help.
      $emailer = $_POST['emailer'];   // posted values fetched from the other file (field names assumed)
      $name = $_POST['name'];
      $company = $_POST['company'];
      $to = "me@mydomain.com, myPartner@mydomain.com,".$emailer;   // the original had "$to:", which is a syntax error
      $sender = "myCompany";
      $subject = "mySubject - $company";
      $message = "<HTML> </HTML>";
      $rPkl = PHP_EOL;
      // a random hash will be necessary to send mixed content
      $separator = md5(time());
      $headers = "From: ".$sender.$rPkl;
      $headers .= "MIME-Version: 1.0".$rPkl;
      $headers .= "Content-Type: multipart/mixed; boundary=\"".$separator."\"".$rPkl.$rPkl;
      $headers .= "Content-Transfer-Encoding: 7bit".$rPkl;
      $headers .= "This is a MIME encoded message.".$rPkl.$rPkl;
      // message
      $headers .= "--".$separator.$rPkl;
      $headers .= "Content-Type: text/html; charset=\"iso-8859-1\"".$rPkl;
      $headers .= "Content-Transfer-Encoding: 8bit".$rPkl.$rPkl;
      $headers .= $message.$rPkl.$rPkl;
      // || so that any one bad field stops the send; the original used &&, which only stopped when all three matched
      if (eregi("(,)", $emailer) || eregi("(\r|\n)", $name) || eregi("(\r|\n)", $company)) {
          die("Why ??");
      }
      // defined but never applied to $emailer, $name or $company above
      function safe($newVariable) {
          return str_ireplace(array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:"), "", $newVariable);
      }
      mail($to, $subject, "", $headers);
  22. Please could someone advise... I even tried this... I'm not sure if what I've done is correct/effective.
      $to = "me@mydomain.com, myPartner@mydomain.com,".$emailer;   // the original had "$to:", which is a syntax error
      //Here goes the rest of the data
      //And at the end
      // || so that any one bad field stops the send; the original used && and misspelled $company as $compan
      if (eregi("(\r|\n)", $emailer) || eregi("(\r|\n)", $name) || eregi("(\r|\n)", $company)) {
          die("Why ??");
      }
      function safe($newVariable) {
          return str_ireplace(array("\r", "\n", "%0a", "%0d", "Content-Type:", "bcc:", "to:", "cc:"), "", $newVariable);
      }
      mail($to, $subject, "", $headers);
  23. Is this a correct approach to prevent email injection?
      $to = "me@mydomain.com, myPartner@mydomain.com, ".$emailer;   // the original had "$to:" and no quotes
      //then the rest of the stuff.
      $emailCheck = $_POST["emailer"];
      if (eregi("(\r|\n)", $emailCheck)) {
          die("Why ?? ");
      }
      mail($to, $subject, "", $headers);
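Every email-injection question on this page (the filter list in post 3, the IsInjected/checkEmailField/safe() attempts in posts 6, 11, 15 and 19, the eregi() checks in posts 10 and 21 through 23) comes down to one rule: nothing from the form may add a line to the header block, and the address field must not be able to name extra recipients. The example below is added here and is not code from the thread or any reply in it. It assumes the form field names `emailer`, `name` and `company`, the two fixed recipients used in the posts, and a fixed sender address of `noreply@mydomain.com`; it validates the address with `filter_var()` (which the author's post 3 already reaches for via `filter_input()`), rejects any other header value that contains a line break, and puts the message in the `mail()` body rather than in the header string.

```php
<?php
// Added example, not code from the thread. A contact-form mailer that cannot
// have headers injected through it. eregi() is not used: it was deprecated in
// PHP 5.3 and removed in PHP 7.0.

// True if $value could start a new header line. $_POST is already URL-decoded,
// so "%0a"/"%0d" arrive as real "\n"/"\r" bytes and this one test covers them;
// there is no need to search for the literal "%0a" string.
function hasLineBreak(string $value): bool
{
    return preg_match('/[\r\n]/', $value) === 1;
}

// Returns the address if it is a single syntactically valid mailbox, else null.
// filter_var() rejects whitespace, commas and control characters, which is
// exactly what a second recipient or an extra header line would need.
function cleanEmail(string $value): ?string
{
    $value = trim($value);
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value;
}

// Builds the four mail() arguments from the form, or returns null if any field
// is unsafe. The only form values that reach a header are the validated
// address and a subject built from a value already checked for line breaks.
function buildContactMail(array $post): ?array
{
    $emailer = cleanEmail((string) ($post['emailer'] ?? ''));
    $name    = trim((string) ($post['name'] ?? ''));
    $company = trim((string) ($post['company'] ?? ''));

    if ($emailer === null || hasLineBreak($name) || hasLineBreak($company)) {
        return null;
    }

    $fixedRecipients = ['me@mydomain.com', 'myPartner@mydomain.com'];   // from the posts
    $to      = implode(', ', array_merge($fixedRecipients, [$emailer]));
    $subject = 'Sent by - ' . $company;

    $headers = implode("\r\n", [
        'From: myCompany <noreply@mydomain.com>',   // fixed sender, assumed
        'Reply-To: ' . $emailer,
        'MIME-Version: 1.0',
        'Content-Type: text/html; charset=UTF-8',
    ]);

    // The body is HTML-escaped so the sender's text is displayed, not
    // interpreted, by the recipient's mail client.
    $body = '<html><body><p>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
          . ' (' . htmlspecialchars($company, ENT_QUOTES, 'UTF-8') . ')</p></body></html>';

    return ['to' => $to, 'subject' => $subject, 'body' => $body, 'headers' => $headers];
}

// $mailer defaults to PHP's mail(); the demo below passes a stand-in so the
// script runs offline and shows what would be handed to mail().
function sendContactMail(array $post, callable $mailer = 'mail'): bool
{
    $mail = buildContactMail($post);
    if ($mail === null) {
        return false;
    }
    return (bool) $mailer($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
}

$printMailer = function (string $to, string $subject, string $body, string $headers): bool {
    echo "To: $to\nSubject: $subject\n$headers\n\n$body\n\n";
    return true;
};

// Constructed submissions: a normal one, one with an injected Bcc line in the
// name field (the case post 19 asks about), and one with a second address
// hidden in the email field.
$clean    = ['emailer' => 'customer@example.com', 'name' => 'Ruth', 'company' => 'Example Ltd'];
$injected = ['emailer' => 'customer@example.com', 'name' => "Ruth\r\nBcc: someone-else@example.com", 'company' => 'Example Ltd'];
$twoAddrs = ['emailer' => 'customer@example.com, second@example.com', 'name' => 'Ruth', 'company' => 'Example Ltd'];

var_dump(sendContactMail($clean, $printMailer));
var_dump(sendContactMail($injected, $printMailer));
var_dump(sendContactMail($twoAddrs, $printMailer));
```

Only the first submission is handed to the mailer; the other two make `sendContactMail()` return false before anything is built. Compared with the `safe()` approach of stripping "bcc:" and "Content-Type:" out of the input, rejecting the request outright is simpler to reason about: there is no list of header names to keep complete, and a line break anywhere in a header-bound value is the one thing every injection needs.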