Danny620 Posted August 30, 2009

Hi, I have just finished programming a send mail script, but what I wanted to know is if I have made this script 100% secure. I have used htmlentities() to protect against XSS and mysqli_real_escape_string to protect from MySQLi injections. Here's my code; please point out anything that needs changing or adding to protect from attacks. Thanks.

    <?php
    require('config.php'); // assumed to provide $dbc (mysqli link) and $user (logged-in user row)

    $x    = array(); // validation errors (initialised so the template can test it on a plain GET)
    $sent = '';      // success message

    if (isset($_POST['send'])) {
        // entity-encode for output, then escape for the query
        $touser  = htmlentities($_POST['user']);
        $message = htmlentities($_POST['message']);
        $touser  = mysqli_real_escape_string($dbc, $touser);
        $message = mysqli_real_escape_string($dbc, $message);

        $countmessage = strlen($message);
        if ($countmessage <= 2) {
            $x[] = 'Message must be greater than 2 letters';
        }

        // make sure the recipient exists
        $q = "SELECT username FROM test WHERE username='$touser'";
        $r = mysqli_query($dbc, $q);
        $usercheck = mysqli_num_rows($r);
        if ($usercheck != 1) {
            $x[] = 'The user does not exist';
        }

        if (empty($x)) {
            $q = "INSERT INTO messages (to_user, from_user, datesent, message)
                  VALUES ('$touser', '{$user['username']}', NOW(), '$message')";
            $r = mysqli_query($dbc, $q);
            if (mysqli_affected_rows($dbc) == 1) {
                $sent = 'Message Sent';
                header('refresh: 5; url=inbox.php');
            }
        }
    }
    ?>
    <link href="css/testting.css" rel="stylesheet" type="text/css">
    <form id="form1" name="form1" method="post" action="">
      <table width="379" border="0" align="center" class="table_bottom">
        <tr class="top_table">
          <td colspan="2"><span class="style1">Create Message</span></td>
        </tr>
        <tr>
          <td width="95" height="20"></td>
          <td width="229"><div align="center">
            <p>
            <?php
            if ($x) {
                foreach ($x as $msg) {
                    echo " - $msg<br />";
                }
            }
            ?>
            <?php
            if ($sent) {
                echo "$sent <br /> You will be redirected in 5 seconds";
                echo '<img src="images/ajax-loader.gif" width="220" height="19">';
                exit();
            }
            ?>
            </p>
          </div></td>
        </tr>
        <tr>
          <td><div align="center" class="style3">To:</div></td>
          <td><label>
            <input name="user" type="text" class="textfield" id="user" maxlength="20" />
          </label></td>
        </tr>
        <tr>
          <td height="101"><div align="center" class="style3">Message:</div></td>
          <td><label>
            <textarea name="message" cols="45" rows="5" class="textfield" id="message"></textarea>
          </label></td>
        </tr>
        <tr>
          <td height="43"></td>
          <td><label>
            <div align="center">
              <input name="send" type="submit" class="textfield" id="send" value="Send" />
            </div>
          </label></td>
        </tr>
      </table>
    </form>
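The post's approach relies on two string-mangling calls applied before the data is stored. The usual hardening for this pattern is to let the database driver separate data from SQL with bound parameters, and to apply HTML encoding once, at the point a value is written into the page rather than before it is saved. The following is an added example written for this thread, not the poster's code: the same send-message flow (length check, recipient lookup, insert, display of messages) rewritten that way. It assumes, as the original does, that config.php provides `$dbc` as a mysqli connection and `$user['username']` as the logged-in user, and it keeps the post's table and column names; the helper function names are this example's own.

```php
<?php
// Added example (not the poster's code): the send-message flow using prepared
// statements for SQL and output-time HTML encoding.
// Assumptions: config.php provides $dbc (mysqli) and $user['username'], and the
// tables `test` and `messages` have the columns used in the original post.

function validate_message(string $message): array
{
    $errors = array();
    // Check the length of the raw text, not of an escaped copy
    if (strlen(trim($message)) <= 2) {
        $errors[] = 'Message must be greater than 2 letters';
    }
    return $errors;
}

function recipient_exists(mysqli $dbc, string $touser): bool
{
    // The value is bound as data, so it is never parsed as part of the SQL text
    $stmt = $dbc->prepare('SELECT 1 FROM test WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $touser);
    $stmt->execute();
    $stmt->store_result();
    $found = ($stmt->num_rows === 1);
    $stmt->close();
    return $found;
}

function store_message(mysqli $dbc, string $touser, string $fromuser, string $message): bool
{
    // Store the text as typed; HTML encoding is applied when it is displayed
    $stmt = $dbc->prepare(
        'INSERT INTO messages (to_user, from_user, datesent, message) VALUES (?, ?, NOW(), ?)'
    );
    $stmt->bind_param('sss', $touser, $fromuser, $message);
    $stmt->execute();
    $ok = ($stmt->affected_rows === 1);
    $stmt->close();
    return $ok;
}

function render_text(string $text): string
{
    // Output encoding: applied once, where the value enters the HTML
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

require 'config.php';

$errors = array();
$sent   = '';

if (isset($_POST['send'])) {
    $touser  = isset($_POST['user'])    ? (string) $_POST['user']    : '';
    $message = isset($_POST['message']) ? (string) $_POST['message'] : '';

    $errors = validate_message($message);
    if (!recipient_exists($dbc, $touser)) {
        $errors[] = 'The user does not exist';
    }

    if (empty($errors) && store_message($dbc, $touser, $user['username'], $message)) {
        $sent = 'Message Sent';
        header('refresh: 5; url=inbox.php');
    }
}
?>
<p>
<?php foreach ($errors as $msg) { echo ' - ' . render_text($msg) . '<br />'; } ?>
<?php if ($sent !== '') { echo render_text($sent) . '<br /> You will be redirected in 5 seconds'; } ?>
</p>
```

Two things differ from the original in practice: a message containing a quote or a `<` character is stored exactly as typed and still cannot alter either query, and the inbox page that later displays `message` must call `render_text()` (or `htmlspecialchars()` directly) on it, since the encoding is no longer baked into the stored row.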
abazoskib Posted August 30, 2009

Sometimes looking at the code won't work. Why don't you try attacking your form?
This topic is now archived and is closed to further replies.