jamieh Posted May 25, 2008

Hi everyone, just wondered if it's alright to ask for a bit of help; any tutorial links and crit on my code would be fab. So this is basically what I have so far in my files.

index.php

```php
<?php
print "<form action='sent.php' method='POST'>
<table>
<tr><td>Teamname:</td><td><input type='text' name='teamname'></td></tr>
<tr><td>Website:</td><td><input type='text' name='website'></td></tr>
<tr><td>Members:</td><td><input type='text' name='members'></td></tr>
<tr><td>Contact Email:</td><td><input type='text' name='email'></td></tr>
<tr><td><input type='submit' name='SubmitForm' value='Submit'></td></tr>
</table>
</form>";
?>
```

I know the index page doesn't really need a .php file extension, but I just wanted to keep all the files the same really.

config.php

```php
<?php
$con = mysql_connect('localhost', '******', '*****');
if (!$con) {
    die('Could not connect to the Database : ' . mysql_error());
}
?>
```

Just a very basic config file.

admin.php

```php
<?php
include('config.php');
print "Mainpage <br>";
print "Signups <br>";
print "Stats <br>";
?>
```

This file will obviously include a lot more once I know what I'm doing, but this is where the admin should see all the stats and signups etc.

sent.php

```php
<?php
include('config.php');
print "This information has been sent. : <br>";
// The submitted values are echoed back as raw HTML ...
print "<br> Teamname : " . $_POST['teamname'] . "<br>";
print "Website : " . $_POST['website'] . "<br>";
print "Members : " . $_POST['members'] . "<br>";
print "Contact Email : " . $_POST['email'] . "<br>";
print "<br> Thanks for signing up, you will be contacted via email soon!";
mysql_select_db("******", $con);
// ... and interpolated straight into the query without escaping.
$sql = "INSERT INTO teams (teamname, website, members, email)
        VALUES ('$_POST[teamname]', '$_POST[website]', '$_POST[members]', '$_POST[email]')";
if (!mysql_query($sql, $con)) {
    die('Error: ' . mysql_error());
}
mysql_close($con);
?>
```

Just the basics of a sent.php, as you can see (very new to PHP). I'm not too sure what I should be doing to make the admin panel secure, i.e. add a login just for the admin, and also how to make the forms secure. If there is any information someone could give me, or a few lines of code, that would be brilliant.

Many thanks, Jamie

https://forums.phpfreaks.com/topic/107169-form-security-admin-panel-help-please/
moon 111 Posted May 25, 2008

Read up on XSS and SQL injections (Google is your friend).
jamieh Posted May 25, 2008 (Author)

Just been reading up on SQL injections and now I'm assuming mysql_real_escape_string is the code I should be using on each variable I use? Really confuses me. I don't see how the form I'm using could benefit from this? (Obviously it would, but how?) I have read up on it, but is there someone that could explain it in a simpler way?

Many thanks, Jamie
jamieh Posted May 26, 2008 (Author)

Here's my code so far. Is this not safe enough at all?

```php
<?php
include('config.php');
if (preg_match("/^[a-zA-Z]\w+(\.\w+)*\@\w+(\.[0-9a-zA-Z]+)*\.[a-zA-Z]{2,4}$/", $_POST["email"]) === 0) {
    print "Your email address is not valid for our system, please enter a correct one.";
} else {
    print "This information has been sent. : <br>";
    print "<br> Teamname : " . $_POST['teamname'] . "<br>";
    print "Website : " . $_POST['website'] . "<br>";
    print "Members : " . $_POST['members'] . "<br>";
    print "Contact Email : " . $_POST['email'] . "<br>";
    print "<br> Thanks for signing up, you will be contacted via email soon!";
    mysql_select_db("*****", $con);
    // Only the email field is validated; all four values still go into the query unescaped.
    $sql = "INSERT INTO teams (teamname, website, members, email)
            VALUES ('$_POST[teamname]','$_POST[website]','$_POST[members]','$_POST[email]')";
    if (!mysql_query($sql, $con)) {
        die('Error: ' . mysql_error());
    }
}
mysql_close($con);
?>
```
ILYAS415 Posted May 26, 2008

A simple way to secure yourself is when you're getting your $_POST data...

1). Assign them to variables, e.g.:

```php
$email = $_POST['email'];
```

2). Use html entities (one of the many ways to secure yourself), e.g.:

```php
$email = htmlentities($email); // can be assigned again on another line after the first bit of code
```

There are lots of ways. To use mysql_real_escape_string just do this...

```php
$email = mysql_real_escape_string($email);
```

---------------------------------------

Also, on your sent.php page you have to check whether the person has even entered information on the form or whether they have just gone to sent.php in the URL bar. If you need any more info on how to do that I will be glad to help.
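Putting the three points in this reply together, as an added example that is not code from the thread or from either poster: the sent.php flow with a submission check, HTML encoding at output time, and a parameterised INSERT. It uses mysqli with prepared statements in place of the mysql_real_escape_string() route discussed above, because the mysql_* extension the thread relies on was removed in PHP 7. The `teams` table and its four columns come from the original INSERT; the database credentials are assumed to arrive in environment variables (DB_USER, DB_PASS, DB_NAME), and the $post array is constructed for the demonstration.

```php
<?php
// Added example (not the thread's code): sent.php hardened against a bare GET,
// against script injection in the confirmation page, and against SQL injection.
declare(strict_types=1);

// 1) Only accept a real submission of the form, not a bare GET of sent.php.
function is_form_submission(array $post, string $method): bool
{
    return $method === 'POST' && isset($post['SubmitForm']);
}

// 2) HTML context: encode every user-supplied value at the point it is written
//    into the page, otherwise a teamname of <script>...</script> runs in the
//    browser of whoever views it (including the admin on admin.php).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_confirmation(array $fields): string
{
    $out = "This information has been sent. : <br>";
    foreach ($fields as $label => $value) {
        $out .= "<br>" . h($label) . " : " . h($value);
    }
    return $out . "<br><br>Thanks for signing up, you will be contacted via email soon!";
}

// 3) SQL context: a prepared statement sends the data separately from the
//    query text, so a value containing a quote can never end the string
//    literal and become part of the statement. No escaping call is needed.
function insert_team(mysqli $db, string $teamname, string $website, string $members, string $email): bool
{
    $stmt = $db->prepare(
        'INSERT INTO teams (teamname, website, members, email) VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ssss', $teamname, $website, $members, $email);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// --- Demonstration on a constructed submission (no database needed here) ---
$post = [
    'SubmitForm' => 'Submit',
    'teamname'   => "<script>alert('xss')</script>",   // constructed XSS probe
    'website'    => "http://example.com",
    'members'    => "5",
    'email'      => "jamie@example.com",
];

if (is_form_submission($post, 'POST')) {
    // The <script> tag comes out as &lt;script&gt; and is displayed, not executed.
    echo render_confirmation([
        'Teamname'      => $post['teamname'],
        'Website'       => $post['website'],
        'Members'       => $post['members'],
        'Contact Email' => $post['email'],
    ]), PHP_EOL;
}

// Database part: runs only when the assumed credentials are present.
if (getenv('DB_USER') !== false) {
    $db = new mysqli('localhost', getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    if ($db->connect_errno === 0) {
        $ok = insert_team($db, $post['teamname'], $post['website'], $post['members'], $post['email']);
        echo $ok ? 'Row inserted' : 'Error: ' . $db->error, PHP_EOL;
        $db->close();
    }
}
```

The direction of the encoding matters: htmlspecialchars() belongs where a value is written into HTML, not on the value before it is stored, otherwise the table fills with entity-encoded text that every other reader of the data has to undo. The prepared statement covers the SQL side on its own; mysql_real_escape_string() would be the equivalent step if the query were still assembled as a string.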
jamieh Posted May 26, 2008 (Author)

Brilliant, thanks very much for the help. Yes, that would be great if you could explain how to do that also. I'm not trying to pile too much on your plate, but do you know anything about preg_match also? I'm using it a lot now and I'm thinking surely there's a way to use it once rather than multiple times? For example:

```php
if (preg_match("/^[a-zA-Z]\w+(\.\w+)*\@\w+(\.[0-9a-zA-Z]+)*\.[a-zA-Z]{2,4}$/", $_POST["email"]) === 0) {
    print "Invalid email<br>";
}
if (preg_match("/^STEAM_[0-2]:[0-2]:[0-9]{1,10}$/", $_POST["steamid"]) === 0) {
    print "Invalid Steam ID<br>";
}
if (preg_match("/^[5-9]{1}$/", $_POST["members"]) === 0) {
    print "Invalid amount of members";
} else {
    // (the rest of the script was not included in the post)
}
```

Surely I could break all that down a lot more?

Thanks very much my friend.
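One way to run all the checks from a single table, as an added example that is not code from the thread. The three patterns are the ones in the post above; the field names are assumed to match the form's input names, and PHP 7.1 or later is assumed. One deliberate difference from the post: the result is compared with `!== 1` rather than `=== 0`. preg_match() returns false on a pattern or backtracking error, and `false === 0` is never true, so the `=== 0` form lets a regex failure pass as a valid value.

```php
<?php
// Added example, not code from the thread: one validation table instead of
// a separate preg_match() block per field. Needs PHP 7.1+ (list destructuring).

// Field name => [pattern, error message]. Patterns are the three from the post;
// the field names are assumed to match the form's input names.
const RULES = [
    'email'   => ['/^[a-zA-Z]\w+(\.\w+)*@\w+(\.[0-9a-zA-Z]+)*\.[a-zA-Z]{2,4}$/', 'Invalid email'],
    'steamid' => ['/^STEAM_[0-2]:[0-2]:[0-9]{1,10}$/',                          'Invalid Steam ID'],
    'members' => ['/^[5-9]$/',                                                   'Invalid amount of members'],
];

/**
 * Returns field => message for every field that fails its rule;
 * an empty array means the submission is acceptable.
 */
function validate(array $input, array $rules): array
{
    $errors = [];
    foreach ($rules as $field => [$pattern, $message]) {
        // A missing field, or a non-string (field[]=x sends an array), fails closed.
        $value = $input[$field] ?? null;
        // preg_match() returns 1 on match, 0 on no match and false on a regex
        // error; only an explicit 1 is accepted, so an error cannot pass as valid.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $errors[$field] = $message;
        }
    }
    return $errors;
}

// Constructed sample submissions (not data from the thread).
$good = ['email' => 'jamie@example.com', 'steamid' => 'STEAM_0:1:12345', 'members' => '7'];
$bad  = ['email' => 'not-an-email',      'steamid' => 'STEAM_9:9:x',     'members' => '42'];

foreach (['good' => $good, 'bad' => $bad] as $name => $submission) {
    $errors = validate($submission, RULES);
    echo $name, ': ', ($errors ? implode('; ', $errors) : 'OK'), PHP_EOL;
}

// In sent.php this replaces the chain of if/preg_match blocks:
//   $errors = validate($_POST, RULES);
//   if ($errors) {
//       foreach ($errors as $msg) { print htmlspecialchars($msg) . "<br>"; }
//       exit;
//   }
```

Adding a field is then one line in RULES rather than another if block, and because the whole table is checked before anything is printed or inserted, all the error messages come back together instead of the script stopping at the first one.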
This topic is now archived and is closed to further replies.