Form Security - Admin Panel Help Please


jamieh


Hi everyone, just wondered if it's alright to ask for a bit of help; any tutorial links and crit on my code would be fab.

 

So I have this basically so far in my files.

 

index.php

<?php

print "<form action='sent.php' method='POST'>
<table>
<tr><td>Teamname:</td><td><input type='text' name='teamname'></td></tr>
<tr><td>Website:</td><td><input type='text' name='website'></td></tr>
<tr><td>Members:</td><td><input type='text' name='members'></td></tr>
<tr><td>Contact Email:</td><td><input type='text' name='email'></td></tr>
<tr><td><input type='submit' name='SubmitForm' value='Submit'></td></tr>
</table>
</form>";

?>

 

I know I don't really need the index page to be a .php file extension, but I just wanted to keep all the files the same really.

 

config.php

<?php

$con = mysql_connect('localhost', '******', '*****');

if (!$con)
   {
   die ('Could not connect to the Database : ' . mysql_error());
   }

?>

 

Just a very basic config file.

 

admin.php

<?php

include('config.php');

print "Mainpage <br>";
print "Signups <br>";
print "Stats <br>";

?>

 

This file will obviously include a lot more once I know what I'm doing, but this is where the admin should see all the stats and signups etc.

 

sent.php

<?php

include ('config.php');

print "This information has been sent. : <br>";
print "<br> Teamname : " . $_POST['teamname'] . "<br>";
print "Website : " . $_POST['website'] . "<br>";
print "Members : " . $_POST['members'] . "<br>";
print "Contact Email : " . $_POST['email'] . "<br>";
print "<br> Thanks for signing up, you will be contacted via email soon!";

mysql_select_db("******", $con);

$sql = "INSERT INTO teams (teamname, website, members, email)
VALUES ('$_POST[teamname]', '$_POST[website]', '$_POST[members]', '$_POST[email]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }

mysql_close($con);

?>

 

Just the basics of a sent.php as you can see (very new to PHP). I'm not too sure what I should be doing to make the admin panel secure, to add a login just for the admin, and also how to make the forms secure. If there is any information someone could give me, or a few lines of code, that would be brilliant.

 

Many thanks,

Jamie

 

 

 

 

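For the "login just for the admin" part of the question, here is an added example (it is not Jamie's code and not from anyone else in this thread): a single admin_login.php that checks the submitted password against a stored bcrypt hash with password_verify, regenerates the session id after a successful login, and sets a session flag that admin.php can test. The file name, the form field names, the ADMIN_USER and ADMIN_PASSWORD_HASH constants and the placeholder hash are all assumptions; it assumes PHP 5.6 or newer (password_hash, password_verify and hash_equals).

```php
<?php
// admin_login.php -- added example, not code from the thread.
// Assumptions: PHP >= 5.6 (password_hash/password_verify/hash_equals).
// ADMIN_PASSWORD_HASH is produced once, offline, with
//   php -r 'echo password_hash("choose-a-long-passphrase", PASSWORD_DEFAULT);'
// and pasted here (or, better, into config.php kept outside the web root).
// The value below is a placeholder and will never verify.
define('ADMIN_USER', 'admin');
define('ADMIN_PASSWORD_HASH', '$2y$10$REPLACE_WITH_YOUR_OWN_HASH_FROM_password_hash');

session_start();

// Returns true and marks the session as admin only when both the user name
// and the password are right. The plain-text password is never stored.
function attempt_login($user, $password)
{
    // hash_equals compares in constant time, so the user-name check does not
    // leak how many leading characters were correct.
    $user_ok = hash_equals(ADMIN_USER, (string) $user);
    // password_verify re-hashes the submitted password with the salt and cost
    // stored inside the bcrypt string and compares the result.
    $pass_ok = password_verify((string) $password, ADMIN_PASSWORD_HASH);
    if (!($user_ok && $pass_ok)) {
        return false;
    }
    // A fresh session id after login stops session fixation: an id handed to
    // the visitor before they logged in is no longer valid.
    session_regenerate_id(true);
    $_SESSION['is_admin'] = true;
    return true;
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = isset($_POST['user']) ? $_POST['user'] : '';
    $pass = isset($_POST['pass']) ? $_POST['pass'] : '';
    if (attempt_login($user, $pass)) {
        header('Location: admin.php');
        exit;
    }
    // One generic message for a wrong user name and a wrong password, so the
    // form does not reveal which half was right.
    $error = 'Login failed.';
    usleep(250000); // a short delay slows down repeated guessing
}
?>
<form action="admin_login.php" method="POST">
<?php if ($error !== '') { print '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'; } ?>
<table>
<tr><td>User:</td><td><input type="text" name="user"></td></tr>
<tr><td>Password:</td><td><input type="password" name="pass"></td></tr>
<tr><td><input type="submit" value="Log in"></td></tr>
</table>
</form>
```

admin.php then only needs a guard before it prints anything: `<?php session_start(); if (empty($_SESSION['is_admin'])) { header('Location: admin_login.php'); exit; } include('config.php'); ...`. Everything under that guard is only reachable with a session that went through attempt_login, and the hash in the constant is the only secret the server keeps.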

Just been reading up on SQL injections and now I'm assuming mysql_real_escape_string is the code I should be using on each variable I use?

 

Really confuses me. I don't see how the form I'm using could benefit from this? (Obviously it would, but how?)

 

I have read up on it, but is there someone that could explain it in a more simple way?

 

Many thanks,

Jamie

Here's my code so far. Is this not safe enough at all?

 

<?php

include ('config.php');

if (preg_match("/^[a-zA-Z]\w+(\.\w+)*\@\w+(\.[0-9a-zA-Z]+)*\.[a-zA-Z]{2,4}$/", $_POST["email"]) === 0)
  {
  print "Your email address is not valid for our system, please enter a correct one.";
  }
  
else {

print "This information has been sent. : <br>";
print "<br> Teamname : " . $_POST['teamname'] . "<br>";
print "Website : " . $_POST['website'] . "<br>";
print "Members : " . $_POST['members'] . "<br>";
print "Contact Email : " . $_POST['email'] . "<br>";
print "<br> Thanks for signing up, you will be contacted via email soon!";

mysql_select_db("*****", $con);

$sql = "INSERT INTO teams (teamname, website, members, email)
VALUES
('$_POST[teamname]','$_POST[website]','$_POST[members]','$_POST[email]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }
}

mysql_close($con);

?>

A simple way to secure yourself is when you're getting your $_POST data...

 

1). Assign them to variables

E.G:

$email= $_POST['email'];

 

2). Use html entities (one of the many ways to secure yourself)

E.G:

$email= htmlentities($email); // can be assigned again on another line after the first bit of code

 

There are lots of ways. To use mysql_real_escape_string just do this...

$email= mysql_real_escape_string($email);

 

---------------------------------------

 

Also on your sent.php page you have to check whether the person has even entered information on the form or whether they have just gone to sent.php in the URL bar. If you need any more info on how to do that I will be glad to help.
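Pulling together Jamie's "is this not safe enough?" sent.php and the three points in the reply above (copy the fields into variables, escape for HTML, check that the form was actually submitted), here is an added example of a hardened sent.php. It is not the code posted in the thread: it replaces the string-built INSERT with a mysqli prepared statement, which is the modern answer to the mysql_real_escape_string question, and escapes values with htmlspecialchars only at the point where they are printed. The table layout is taken from Jamie's INSERT; the connection details are placeholders and the h() helper name is an assumption.

```php
<?php
// sent.php (hardened) -- added example, not the code posted in the thread.
// Assumptions: the mysqli extension, and a table
//   teams(teamname, website, members, email)
// as in the original INSERT. Host, user, password and database are placeholders.
$mysqli = new mysqli('localhost', '******', '*****', '******');
if ($mysqli->connect_error) {
    die('Could not connect to the Database.'); // do not echo driver errors to visitors
}
$mysqli->set_charset('utf8');

// HTML escaping belongs at output time: a value like <script> is shown as text
// instead of running in the browser. It does nothing for SQL, which is why it
// is not applied before the INSERT.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 1. Only handle a real form submission. Someone who just types sent.php into
//    the address bar arrives with GET and is sent back to the form.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['SubmitForm'])) {
    header('Location: index.php');
    exit;
}

// 2. Copy the fields into variables and validate them. A missing field becomes
//    an empty string instead of an "undefined index" notice.
$fields = array('teamname', 'website', 'members', 'email');
$data = array();
foreach ($fields as $f) {
    $data[$f] = isset($_POST[$f]) ? trim($_POST[$f]) : '';
}
$errors = array();
if ($data['teamname'] === '') {
    $errors[] = 'Teamname is required.';
}
if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
    $errors[] = 'Your email address is not valid for our system, please enter a correct one.';
}
if ($errors) {
    foreach ($errors as $e) {
        print h($e) . '<br>';
    }
    exit;
}

// 3. SQL: a prepared statement sends the values to MySQL separately from the
//    query text, so a quote or a semicolon typed into the form is stored as
//    data and can never change the shape of the INSERT. This replaces both
//    "'$_POST[teamname]'" inside the query string and mysql_real_escape_string.
$stmt = $mysqli->prepare(
    'INSERT INTO teams (teamname, website, members, email) VALUES (?, ?, ?, ?)'
);
if ($stmt === false) {
    die('Error preparing statement.');
}
$stmt->bind_param('ssss', $data['teamname'], $data['website'], $data['members'], $data['email']);
if (!$stmt->execute()) {
    die('Error saving your signup.');
}
$stmt->close();
$mysqli->close();

// 4. Echo the submitted values back, escaped.
print "This information has been sent. : <br>";
print "<br> Teamname : " . h($data['teamname']) . "<br>";
print "Website : " . h($data['website']) . "<br>";
print "Members : " . h($data['members']) . "<br>";
print "Contact Email : " . h($data['email']) . "<br>";
print "<br> Thanks for signing up, you will be contacted via email soon!";
```

The two escaping steps answer the "how does my form benefit" question directly: the `?` placeholders protect the database from whatever is typed into the form, and h() protects the next person who views that value in a browser (in the admin panel, for instance). If you must stay on the old mysql_* functions, mysql_real_escape_string($value) on every value that sits between quotes in the query is the equivalent of step 3, but it has to be applied to every single value and only works for quoted string values.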

Brilliant, thanks very much for the help.

 

Yes, that would be great if you could explain how to do that also. I'm not trying to pile too much on your plate, but do you know anything about preg_match also?

 

I'm using it a lot now and I'm thinking surely there's a way to use it once rather than multiple times? For example:

 

if (preg_match("/^[a-zA-Z]\w+(\.\w+)*\@\w+(\.[0-9a-zA-Z]+)*\.[a-zA-Z]{2,4}$/", $_POST["email"]) === 0)
  {
  print "Invalid email<br>";
  }

if (preg_match("/^STEAM_[0-2]:[0-2]:[0-9]{1,10}$/", $_POST["steamid"]) === 0)
  {
  print "Invalid Steam ID<br>";
  }

if (preg_match("/^[5-9]{1}$/", $_POST["members"]) === 0)
  {
  print "Invalid amount of members";
  }
  
else {

 

Surely I could break all that down a lot more?

 

Thanks very much my friend.
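One way to break the repeated preg_match blocks down, as an added example that is not code from the thread: keep the patterns and messages in one array and run them through a single loop that collects every error before deciding anything. This also fixes a subtle problem in the fragment above, where the final `else` only belongs to the members check, so an invalid email would print its message and then still fall through. The three patterns are the ones from the post; the rule-table layout, the validate() function and the sample inputs are assumptions.

```php
<?php
// validate.php -- added example, not code from the thread.
// Runs every field's regex from one table and reports all failures at once.

// Rule table: field name => array(regex, error message). The patterns are the
// ones posted above; any new field is one more line here, not another if-block.
$rules = array(
    'email'   => array('/^[a-zA-Z]\w+(\.\w+)*\@\w+(\.[0-9a-zA-Z]+)*\.[a-zA-Z]{2,4}$/', 'Invalid email'),
    'steamid' => array('/^STEAM_[0-2]:[0-2]:[0-9]{1,10}$/',                           'Invalid Steam ID'),
    'members' => array('/^[5-9]{1}$/',                                                  'Invalid amount of members'),
);

// Returns field => message for every field that failed; an empty array means
// all fields are valid.
function validate(array $rules, array $input)
{
    $errors = array();
    foreach ($rules as $field => $rule) {
        list($pattern, $message) = $rule;
        // A field missing from the request fails its rule rather than raising
        // an "undefined index" notice (and possibly being treated as valid).
        $value = isset($input[$field]) ? (string) $input[$field] : '';
        // preg_match returns 1 on a match, 0 on no match and false on a bad
        // pattern; only an explicit 1 counts as valid.
        if (preg_match($pattern, $value) !== 1) {
            $errors[$field] = $message;
        }
    }
    return $errors;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs so the file can be tried with: php validate.php
    $samples = array(
        'good' => array('email' => 'jamie@example.com', 'steamid' => 'STEAM_0:1:12345', 'members' => '6'),
        'bad'  => array('email' => 'not-an-email',      'steamid' => 'STEAM_9:1:12345', 'members' => '12'),
    );
    foreach ($samples as $name => $input) {
        $errors = validate($rules, $input);
        print $name . ': ' . ($errors ? implode('; ', $errors) : 'all fields valid') . "\n";
    }
    exit;
}

// Web request: validate the form, and only reach the "save" branch when the
// error list is empty, so no single check can be skipped by the else.
$errors = validate($rules, $_POST);
if ($errors) {
    foreach ($errors as $message) {
        print htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . "<br>\n";
    }
} else {
    // All fields valid: this is where the database INSERT goes.
    print "All fields valid<br>\n";
}
```

Because validate() returns the whole list, the visitor sees every problem in one go rather than one per submission, and the INSERT branch is reached only when the list is empty.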
