Danny620 Posted July 9, 2009 Share Posted July 9, 2009 I have programed a post message system sort of thing what it does is when i pass the users id thought the URL it knows which person to store the message to. The message system also stores the user's session id the person who is sending the message. What i wanted to know is if this script is OK and also secure. p.s also the validation which is (preg_match ('/^[A-Z \'.-]{2,20}$/i', $trimmed['message'])) i don't get because this piece of code i used from a diffrent website. What does it mean and how do i change it to allow up to 250 charters and stop <b> and other HTML being subminted. <?php # message.php CREATED BY Rush Dan session_start(); // Start the session. $page_title = 'Logged In!'; include ($_SERVER['DOCUMENT_ROOT']. '/includes/header.html'); require_once($_SERVER['DOCUMENT_ROOT']. '/access/gatekeeper.php');//require gatekeeper check for session. if(isset($_GET['userid'])){ $userid = $_GET['userid']; } else { $error = 'You may of access this page by mistake.'; $url = ("error.php?error=$error"); header("Location: $url"); exit(); } require_once ($_SERVER['DOCUMENT_ROOT'].'/settings/config.inc.php'); if(isset($_POST['sent'])){ require_once(MYSQL); // Trim all the incoming data: $trimmed = array_map('trim', $_POST); // Assume invalid values: $m = FALSE; // Check for a first name: if (preg_match ('/^[A-Z \'.-]{2,20}$/i', $trimmed['message'])) { $m = mysqli_real_escape_string ($dbc, $trimmed['message']); } else { echo '<p class="error">Please enter a vaild message!</p>'; } if ($m) { $from = $_SESSION['user_id']; $q = "INSERT INTO messages (to_user, from_user, message) VALUES ('$userid','$from','$m')"; $r = mysqli_query ($dbc, $q) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($dbc)); if (mysqli_affected_rows($dbc) == 1) { echo 'Your message was successfully SAVED! '; exit(); } } } ?> <form id="form1" name="form1" method="post" action=""> <label> <textarea name="message" cols="45" rows="5" id="message"> </textarea> </label> <p> <label> <input type="submit" name="message_send" id="message_send" value="Send" /> </label> <input name="sent" type="hidden" id="sent" value="true" /> </p> </form> <?php include ($_SERVER['DOCUMENT_ROOT'].'/includes/footer.html'); ?> Quote Link to comment Share on other sites More sharing options...
ignace Posted July 9, 2009 Share Posted July 9, 2009 stop <b> and other HTML being subminted strip_tags() Quote Link to comment Share on other sites More sharing options...
webref.eu Posted July 9, 2009 Share Posted July 9, 2009 You should be running some checks on the userid before allowing it to be used in the script. Should the userid always be a number? If so, you can check that it is indeed a number as per the following: http://www.webref.eu/php-script-check-id-is-a-number-for-enhanced-security.php Rgds Quote Link to comment Share on other sites More sharing options...
Danny620 Posted July 9, 2009 Author Share Posted July 9, 2009 also does anyone know how to echo the error message in like a 5 sescond display message Quote Link to comment Share on other sites More sharing options...
Danny620 Posted July 9, 2009 Author Share Posted July 9, 2009 oh and what about if it was letters not ids how would i protect against XSS Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.