I have programmed a post message system, sort of thing. What it does is, when I pass the user's id through the URL, it knows which person to store the message to. The message system also stores the session id of the user who is sending the message. What I wanted to know is if this script is OK and also secure. P.S. I also don't get the validation, which is (preg_match ('/^[A-Z \'.-]{2,20}$/i', $trimmed['message'])), because I used this piece of code from a different website. What does it mean and how do I change it to allow up to 250 characters and stop <b> and other HTML being submitted?

<?php # message.php CREATED BY Rush Dan

session_start(); // Start the session.

$page_title = 'Logged In!';
include ($_SERVER['DOCUMENT_ROOT'] . '/includes/header.html');
require_once ($_SERVER['DOCUMENT_ROOT'] . '/access/gatekeeper.php'); // Require gatekeeper check for session.

// Read the recipient's id straight from the query string.
if (isset($_GET['userid'])) {
    $userid = $_GET['userid'];
} else {
    $error = 'You may have accessed this page by mistake.';
    $url = "error.php?error=$error";
    header("Location: $url");
    exit();
}

require_once ($_SERVER['DOCUMENT_ROOT'] . '/settings/config.inc.php');

// Handle the form submission (the hidden "sent" field is set by the form below).
if (isset($_POST['sent'])) {

    require_once (MYSQL);

    // Trim all the incoming data:
    $trimmed = array_map('trim', $_POST);

    // Assume invalid values:
    $m = FALSE;

    // Validate the message. (The comment originally read "Check for a first name":
    // the pattern only accepts 2 to 20 letters, spaces, apostrophes, dots or hyphens.)
    if (preg_match ('/^[A-Z \'.-]{2,20}$/i', $trimmed['message'])) {
        $m = mysqli_real_escape_string ($dbc, $trimmed['message']);
    } else {
        echo '<p class="error">Please enter a valid message!</p>';
    }

    if ($m) {

        // The sender is the logged-in user's id from the session.
        $from = $_SESSION['user_id'];

        $q = "INSERT INTO messages (to_user, from_user, message) VALUES ('$userid', '$from', '$m')";
        $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc));

        if (mysqli_affected_rows($dbc) == 1) {
            echo 'Your message was successfully SAVED! ';
            exit();
        }

    }
}

?>
<form id="form1" name="form1" method="post" action="">
  <label>
  <textarea name="message" cols="45" rows="5" id="message"></textarea>
  </label>
  <p>
    <label>
    <input type="submit" name="message_send" id="message_send" value="Send" />
    </label>
    <input name="sent" type="hidden" id="sent" value="true" />
  </p>
</form>
<?php include ($_SERVER['DOCUMENT_ROOT'] . '/includes/footer.html'); ?>

https://forums.phpfreaks.com/topic/165382-solved-need-small-script-checking/

You should be running some checks on the userid before allowing it to be used in the script.

Should the userid always be a number? If so, you can check that it is indeed a number as per the following:

http://www.webref.eu/php-script-check-id-is-a-number-for-enhanced-security.php

Rgds
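Worked example, added here and not part of either post: it implements the reply's suggestion (reject a userid that is not a whole number) and answers the first post's regex question. The pattern /^[A-Z \'.-]{2,20}$/i accepts only 2 to 20 characters drawn from letters, space, apostrophe, dot and hyphen (case-insensitive), which is why it rejects almost any real message. The code below assumes PHP 7.1 or later, an open mysqli connection in $dbc and $_SESSION['user_id'] set by the gatekeeper include, as in the original script; the function names are my own, not from the poster's script.

```php
<?php
// Added example (not the poster's code). Assumes: $dbc is an open mysqli
// connection and $_SESSION['user_id'] holds the logged-in user's id.

/**
 * Validate the recipient id from the query string.
 * Returns the id as an int, or null if it is not a positive whole number.
 */
function validate_user_id($raw): ?int
{
    // ctype_digit rejects signs, spaces, decimals and empty strings.
    if (!is_string($raw) || !ctype_digit($raw) || $raw === '0') {
        return null;
    }
    return (int) $raw;
}

/**
 * Validate the message body. Returns a list of error strings (empty when OK).
 * A length check replaces the 2-to-20-character name pattern; HTML such as
 * <b> is not rejected here but neutralised when displayed (render_message).
 */
function validate_message(string $message, int $maxLen = 250): array
{
    $errors  = [];
    $message = trim($message);
    if ($message === '') {
        $errors[] = 'Message must not be empty.';
    }
    if (mb_strlen($message, 'UTF-8') > $maxLen) {
        $errors[] = "Message must be at most $maxLen characters.";
    }
    // Reject control characters other than tab, newline and carriage return.
    if (preg_match('/[^\P{C}\t\n\r]/u', $message)) {
        $errors[] = 'Message contains invalid control characters.';
    }
    return $errors;
}

/**
 * Insert with a prepared statement: neither $to nor $message is pasted into
 * the SQL text, so mysqli_real_escape_string is no longer needed and the
 * unescaped $userid from the original query is no longer a problem.
 */
function store_message(mysqli $dbc, int $to, int $from, string $message): bool
{
    $stmt = $dbc->prepare(
        'INSERT INTO messages (to_user, from_user, message) VALUES (?, ?, ?)'
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('iis', $to, $from, $message);
    $ok = $stmt->execute() && $stmt->affected_rows === 1;
    $stmt->close();
    return $ok;
}

/**
 * Escape a stored message for output so that "<b>" or "<script>" typed by a
 * user is shown literally instead of being rendered by the browser.
 */
function render_message(string $message): string
{
    return nl2br(htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// --- usage, replacing the $_GET / $_POST handling in message.php ---
$userid = validate_user_id($_GET['userid'] ?? null);
if ($userid === null) {
    header('Location: error.php?error=' . urlencode('Invalid user id.'));
    exit();
}

if (isset($_POST['sent'])) {
    $message = (string) ($_POST['message'] ?? '');
    $errors  = validate_message($message);
    if ($errors === []) {
        $from = (int) $_SESSION['user_id'];
        if (store_message($dbc, $userid, $from, trim($message))) {
            echo '<p>Your message was successfully saved.</p>';
        } else {
            echo '<p class="error">Message could not be saved.</p>';
        }
    } else {
        foreach ($errors as $e) {
            echo '<p class="error">' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    }
}
```

Two design choices worth noting. First, trying to block HTML on input with a regex is fragile (there are many ways to write a tag); storing the text as typed and escaping it with htmlspecialchars wherever it is displayed makes every tag harmless regardless of how it was written. Second, the prepared statement also covers the userid, which in the original query is interpolated without any validation or escaping, so checking that it is a whole number and binding it as an integer closes that gap as the reply suggests.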
