Looking for Security Help

[VinceGledhill]

Hi People.

 

Thank you to everyone who has helped me so far with my project.

 

I have an input form which is adding stuff to a database.  Please could you help me "anti-spam" this code.  Any advice would be gratefully received.

 

BTW the last input box is google iframe google earth picture, we therefore will need to keep all of the characters that would be in a google iframe image.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
</head>

<body>

<?php

$host = 'localhost';
$usr = "VinnyG";
$password = 'thepassword';
$db_name = 'sitename';

$username = $_POST['username'];
$height_above = $_POST['height_above'];
$mb_diff = $_POST['mb_diff'];
$alternative = $_POST['alternative']; 
$ppr = $_POST['ppr'];
$general_location = $_POST['general_location'];
$location_grid = $_POST['location_grid'];
$runway_numbers = $_POST['runway_numbers'];
$circuit_direction = $_POST['circuit_direction'];
$circuit_height = $_POST['circuit_height'];
$runway_length = $_POST['runway_length'];
$surface = $_POST['surface'];
$food = $_POST['food'];
$radio_frequency = $_POST['radio_frequency'];
$radio_callsign = $_POST['radio_callsign'];
$radio_type = $_POST['radio_type'];
$other_radio = $_POST['other_radio'];
$fuel = $_POST['fuel'];
$landing_fee = $_POST['landing_fee'];
$operating_hours = $_POST['operating_hours'];
$maintenance = $_POST['maintenance'];
$hangarage = $_POST['hangarage'];
$parking = $_POST['parking'];
$accommodation = $_POST['accommodation'];
$school = $_POST['school'];
$remarks = $_POST['remarks'];
$warnings = $_POST['warnings'];
$weblinks = $_POST['weblinks'];
$operator = $_POST['operator'];
$google_image = $_POST['google_image'];

$errorstring = ""; // default value of errorstring

if(isset($_POST['submit'])) {
// Validate all the code inputs



if ($username =="")
$errorstring = $errorstring. "Airfield Name<br>";
if ($height_above =="")
$errorstring = $errorstring. "Height Above Mean Sea Level<br>";
if ($mb_diff =="")
$errorstring = $errorstring. "mb Difference<br>";
if	($alternative =="")
$errorstring = $errorstring. "Alternative Airfield<br>";
if ($general_location =="")
$errorstring = $errorstring. "General Location<br>";
if ($location_grid =="")
$errorstring = $errorstring. "Grid Reference<br>";
if ($runway_numbers =="")
$errorstring = $errorstring. "Runway Numbers<br>";
if ($circuit_direction =="")
$errorstring = $errorstring. "Circuit Direction<br>";
if ($circuit_height =="")
$errorstring = $errorstring. "Circuit Height<br>";
if ($runway_length =="")
$errorstring = $errorstring. "Runway Length<br>";
if ($radio_frequency =="")
$errorstring = $errorstring. "Radio Frequency<br>";
if ($radio_callsign =="")
$errorstring = $errorstring. "Radio Callsign<br>";
if ($other_radio =="")
$errorstring = $errorstring. "Other Radio<br>";
if ($landing_fee =="")
$errorstring = $errorstring. "Landing Fee<br>";
if ($remarks =="")
$errorstring = $errorstring. "Remarks<br>";
if ($warnings =="")
$errorstring = $errorstring. "Warnings<br>";
if ($weblinks =="")
$errorstring = $errorstring. "Web Links<br>";
if ($operator =="")
$errorstring = $errorstring. "Operator<br>";
if ($google_image =="")
$errorstring = $errorstring. "Google Image<br>";

// does the errorstring = "nothing"?
if ($errorstring !="")
echo "You have not put anything in the following fields: <br><br> $errorstring";
//echo "If you have nothing to put in the box please type the word \"None\" or \"N\/A\"";
//die ("Please try again, ensuring that you fill out all the fields!");
else 
{
//echo "Your data has been saved";
//connect to database
mysql_connect ("$host","$usr","$password") or die ('Error During Connect:<br>'.mysql_error());
mysql_select_db ("$db_name") or die ('Error Selecting DB:<br>'.mysql_error());

$insert_query = "INSERT INTO users (username, height_above, mb_diff, alternative, ppr, general_location, location_grid, runway_numbers, circuit_direction, circuit_height, runway_length, surface, food, radio_frequency, radio_callsign, radio_type, other_radio, fuel, landing_fee, operating_hours, maintenance, hangarage, parking, accommodation, school, remarks, warnings, weblinks, operator, google_image) VALUES ('$username', '$height_above', '$mb_diff', '$alternative', '$ppr', '$general_location', '$location_grid', '$runway_numbers', '$circuit_direction', '$circuit_height', '$runway_length', '$surface', '$food', '$radio_frequency', '$radio_callsign', '$radio_type', '$other_radio', '$fuel', '$landing_fee', '$operating_hours', '$maintenance', '$hangarage', '$parking', '$accommodation' , '$school', '$remarks', '$warnings', '$weblinks', '$operator', '$google_image')";
$insert_action = mysql_query($insert_query) or die ('Error During Insert :<br>'.mysql_error().'<br><br>Error occured running the following code :<br>'.$insert_query);

$id = mysql_insert_id();

echo "Thank you, Your airfield has been submitted.";
include "resultcard.php";

// Output what the form looks like

// End of how the form looks 

}
}

if(!isset($_POST['submit']) || (isset($_POST['submit']) && !empty($errorstring)))
{
?>

<form name = "form1" method ="post" action="">
<table width="700" border="0" cellspacing="5" cellpadding="5" bgcolor = "#c9e1d0">
  <caption>
    Submit Your Airfield Details
  </caption>
  <tr>
    <td width = "50"> </td>
    <td width = "240"> </td>
    <td width = "250"> </td>
    <td width = "160"><b>Example Input</b></td>
  </tr>
  
  <tr>
    <td> </td>
    <td>Airfield Name</td>
    <td><input type='text' name='username' size = '40' maxlength='30' value = '<?php echo $username; ?>'></td>
    <td>Ince Blundell</td>
  </tr>
  <tr>
    <td> </td>
    <td>Height Above MSL</td>
    <td><input type='text' name='height_above' size = '40' maxlength= '30'value = '<?php echo $height_above; ?>'></td>
    <td>65 Ft</td>
  </tr>
  <tr>
    <td> </td>
    <td>Mb Difference</td>
    <td><input type='text' name='mb_diff' size = '40' maxlength='40'value = '<?php echo $mb_diff; ?>'></td>
    <td>2 Mb</td>
  </tr>
  <tr>
    <td> </td>
    <td>Alternative Airfield</td>
    <td><input type='text' name='alternative'  size = '40' maxlength='30' value = '<?php echo $alternative; ?>'></td>
    <td>Sherburn</td>
  </tr>
  <tr>
    <td> </td>
    <td>PPR?</td>
    <td>
    
    <select name = "ppr">
     <option value = "Yes" <?php if ($_POST['ppr'] == 'Yes') { echo 'selected="selected"'; } ?>>Yes</option>
     <option value="No" <?php if ($_POST['ppr'] == 'No') { echo 'selected="selected"'; } ?>>No</option>
</select>
  
    </td>
    <td>Yes</td>
  </tr>
  <tr>
    <td> </td>
    <td>General Location</td>
    <td><input type='text' name='general_location' size = '40' maxlength='50' value = '<?php echo $general_location; ?>' /></td>
    <td>3 Nm North Luton</td>
  </tr>
  <tr>
    <td> </td>
    <td>Location Grid Reference</td>
    <td><textarea name= "location_grid" input type = 'text' rows = "2" cols = "29" /><?php echo $location_grid; ?></textarea></td>
    <td> 53°57'7.68"N<br />
1°10'30.33"W</td>
  </tr>
  <tr>
    <td> </td>
    <td>Runway Numbers</td>
    <td><textarea name= "runway_numbers" input type = 'text' rows = "5" cols = "29"  /><?php echo $runway_numbers; ?></textarea></td>
    <td><p>This format please<br />
      05-23<br />
        18-36<br />
        14-22
      </p></td>
  </tr>
  <tr>
    <td> </td>
    <td>Circuit Direction</td>
    <td><textarea name= "circuit_direction" input type = "text" rows = "5" cols = "29" /><?php echo $circuit_direction; ?></textarea></td>
    <td><p>05-LH<br />
      23-RH<br />
      14-LH 
    </p></td>
  </tr>
  <tr>
    <td> </td>
    <td>Circuit Height</td>
    <td><input type='text' name='circuit_height' size = '40' maxlength='50' value = '<?php echo $circuit_height; ?>' /></td>
    <td>1000 Ft</td>
  </tr>
  <tr>
    <td> </td>
    <td>Runway Length</td>
    <td><input type='text' name='runway_length' size = '40'maxlength='50' value = '<?php echo $runway_length; ?>' /></td>
    <td>500m</td>
  </tr>
  <tr>
    <td> </td>
    <td>Runway Surface</td>
    <td>
     <select name = "surface">
     <option value = "Grass" <?php if ($_POST['surface'] == 'Grass') { echo 'selected="selected"'; } ?>>Grass</option>
     <option value = "Tarmac" <?php if ($_POST['surface'] == 'Tarmac') { echo 'selected="selected"'; } ?>>Tarmac</option>
     <option value = "Concrete" <?php if ($_POST['surface'] == 'Concrete') { echo 'selected="selected"'; } ?>>Concrete</option>
     <option value = "Dirt" <?php if ($_POST['surface'] == 'Dirt') { echo 'selected="selected"'; } ?>>Dirt</option>
</select>
   <!-- <select name = "surface">
    <option value = "Grass">Grass</option>
    <option value="Tarmac">Tarmac</option>
    <option value ="Concrete">Concrete</option>
    <option value = "Dirt">Dirt</option>
    </select> -->
    </td>
    <td> </td>
  </tr>
  <tr>
    <td> </td>
    <td>Food?</td>
    <td>
    
     <select name = "food">
     <option value = "Cafe" <?php if ($_POST['food'] == 'Cafe') { echo 'selected="selected"'; } ?>>Cafe</option>
     <option value = "None" <?php if ($_POST['food'] == 'None') { echo 'selected="selected"'; } ?>>None</option>
     <option value = "Tea and Coffee" <?php if ($_POST['food'] == 'Tea and Coffee') { echo 'selected="selected"'; } ?>>Tea and Coffee</option>
     <option value = "Make Your Own" <?php if ($_POST['food'] == 'Make Your Own') { echo 'selected="selected"'; } ?>>Make Your Own</option>
</select>
    
  <!--  <select name = "food">
      <option value = "Cafe">Cafe</option>
      <option value="None">None</option>
      <option value ="Tea and Coffee">Tea and Coffee</option>
      <option value = "Make Your Own">Make Your Own</option>
    </select> -->
    
    </td>
    <td> </td>
  </tr>
  <tr>
    <td> </td>
    <td>Radio Frequency</td>
    <td><input type='text' name='radio_frequency' size = '40'maxlength='50' value = '<?php echo $radio_frequency; ?>' /></td>
    <td>135.475</td>
  </tr>
  <tr>
    <td> </td>
    <td>Radio Callsign</td>
    <td><input type='text' name='radio_callsign' size = '40'maxlength='50' value = '<?php echo $radio_callsign; ?>' /></td>
    <td>Rufforth Traffic</td>
  </tr>
  <tr>
    <td> </td>
    <td>Radio Type</td>
    <td>
    <select name = "radio_type">
     <option value = "Safety Com" <?php if ($_POST['radio_type'] == 'Safety Com') { echo 'selected="selected"'; } ?>>Safety Com</option>
     <option value = "Air Ground" <?php if ($_POST['radio_type'] == 'Air Ground') { echo 'selected="selected"'; } ?>>Air Ground</option>
     <option value = "Approach" <?php if ($_POST['radio_type'] == 'Approach') { echo 'selected="selected"'; } ?>>Approach</option>
     <option value = "Tower" <?php if ($_POST['radio_type'] == 'Tower') { echo 'selected="selected"'; } ?>>Tower</option>
</select>
    
    
   <!-- 
    <select name = "radio_type">
      <option value = "Sefety Com">Safety Com</option>
      <option value="Air Ground">Air Ground</option>
      <option value ="Approach">Approach</option>
      <option value = "Tower">Tower</option>
    </select> -->
    
    </td>
    <td> </td>
  </tr>
  <tr>
    <td> </td>
    <td>Other Radio</td>
    <td><input type='text' name='other_radio' size = '40' maxlength='50' value = '<?php echo $other_radio; ?>' /></td>
    <td>E.G. if close to MATZ etc</td>
  </tr>
  <tr>
    <td> </td>
    <td>Fuel</td>
    <td>
    <select name = "fuel">
     <option value = "AvGas" <?php if ($_POST['fuel'] == 'AvGas') { echo 'selected="selected"'; } ?>>AvGas</option>
     <option value = "MoGas" <?php if ($_POST['fuel'] == 'MoGas') { echo 'selected="selected"'; } ?>>MoGas</option>
     <option value = "AvGas and MoGas" <?php if ($_POST['fuel'] == 'AvGas and MoGas') { echo 'selected="selected"'; } ?>>AvGas and MoGas</option>
     <option value = "We will sort you some" <?php if ($_POST['fuel'] == 'We will sort you some') { echo 'selected="selected"'; } ?>>We will sort you some</option>
     <option value = "None" <?php if ($_POST['fuel'] == 'None') { echo 'selected="selected"'; } ?>>None</option>
</select>
    
   <!-- <select name = "fuel">
      <option value = "AvGas">AvGas</option>
      <option value="MoGas">MoGas</option>
      <option value ="AvGas and MoGas">AvGas and MoGas</option>
      <option value = "We will sort you some">We will sort you some</option>
       <option value = "None">None</option>
    </select> -->
    </td>
    <td> </td>
  </tr>
  <tr>
    <td> </td>
    <td>Landing Fee</td>
    <td><input type='text' name='landing_fee' size = '40' maxlength='50' value = '<?php echo $landing_fee; ?>' /></td>
    <td>£ or Nill </td>
  </tr>
  <tr>
    <td> </td>
    <td>Operating Hours</td>
    <td>
    <select name = "operating_hours">
     <option value = "SR - SS" <?php if ($_POST['operating_hours'] == 'SR - SS') { echo 'selected="selected"'; } ?>>SR - SS</option>
     <option value="Other - See Remarks" <?php if ($_POST['operating_hours'] == 'Other - See Remarks') { echo 'selected="selected"'; } ?>>Other - See Remarks</option>
</select>
    
  <!--  <select name = "operating_hours">
      <option value = "SR - SS">Sunrise - Sunset</option>
      <option value="See Remarks">Other - See Remarks</option>
    </select> -->
    
    </td>
    <td> </td>
  </tr>
  <tr>
    <td> </td>
    <td>Maintenance?</td>
    <td>
      <select name = "maintenance">
     <option value = "Yes" <?php if ($_POST['maintenance'] == 'Yes') { echo 'selected="selected"'; } ?>>Yes</option>
     <option value="No" <?php if ($_POST['maintenance'] == 'No') { echo 'selected="selected"'; } ?>>No</option>
</select>
   <!-- <select name = "maintenance">
      <option value = "Yes">Yes </option>
      <option value="No">No </option>
    </select> -->
    
    </td>
    <td> </td>
  </tr>
  <tr>
    <td> </td>
    <td>Hangarage?</td>
    <td>
    <select name = "hangarage">
     <option value = "Yes" <?php if ($_POST['hangarage'] == 'Yes') { echo 'selected="selected"'; } ?>>Yes</option>
     <option value="No" <?php if ($_POST['hangarage'] == 'No') { echo 'selected="selected"'; } ?>>No</option>
</select>
    
   <!-- <select name = "hangarage">
      <option value = "Yes">Yes </option>
      <option value="No">No </option>
    </select> -->
    
    </td>
    <td> </td>
  </tr>
  <tr>
    <td> </td>
    <td>Parking?</td>
    <td>
    <select name = "parking">
     <option value = "Yes" <?php if ($_POST['parking'] == 'Yes') { echo 'selected="selected"'; } ?>>Yes</option>
     <option value="No" <?php if ($_POST['parking'] == 'No') { echo 'selected="selected"'; } ?>>No</option>
</select>
<!--   <select name = "parking">
      <option value = "Yes">Yes </option>
      <option value="No">No </option>
    </select> -->
    
    </td>
    <td> </td>
  </tr>
  <tr>
    <td> </td>
    <td>Accommodation?</td>
    <td>
    <select name = "accommodation">
     <option value = "Yes" <?php if ($_POST['accommodation'] == 'Yes') { echo 'selected="selected"'; } ?>>Yes</option>
     <option value="No" <?php if ($_POST['accommodation'] == 'No') { echo 'selected="selected"'; } ?>>No</option>
</select>
<!--   <select name = "accommodation">
      <option value = "Yes">Yes </option>
      <option value="No">No </option>
    </select> -->
    
    </td>
    <td> </td>
  </tr>
  <tr>
    <td> </td>
    <td>School?</td>
    <td>
    <select name = "school">
     <option value = "Flexwing" <?php if ($_POST['school'] == 'Flexwing') { echo 'selected="selected"'; } ?>>Flexwing</option>
     <option value="3 Axis" <?php if ($_POST['school'] == '3 Axis') { echo 'selected="selected"'; } ?>>3 Axis</option>
     <option value = "All Microlight" <?php if ($_POST['school'] == 'All Microlight') { echo 'selected="selected"'; } ?>>All Microlight</option>
     <option value="GA" <?php if ($_POST['school'] == 'GA') { echo 'selected="selected"'; } ?>>GA</option>
     <option value="Gyro" <?php if ($_POST['school'] == 'Gyro') { echo 'selected="selected"'; } ?>>Gyro</option>
     <option value="Microlight and Gyro" <?php if ($_POST['school'] == 'Microlight and Gyro') { echo 'selected="selected"'; } ?>>Microlight and Gyro</option>
<option value="Other See Comments" <?php if ($_POST['school'] == 'Other See Comments') { echo 'selected="selected"'; } ?>>Other See Comments</option>
</select>
    <!--<select name = "school">
      <option value = "Flexwing">Flexwing </option>
      <option value="3 Axis">3 Axis</option>
      <option value="All Microlight">All Mircolight</option>
      <option value="GA">GA</option>
      <option value="Gyro">Gyro</option>
      <option value="Other See Remarks">Other, See Remarks</option>
    </select> -->
    
    </td>
    <td> </td>
  </tr>
  <tr>
    <td> </td>
    <td>Remarks:</td>
    <td><textarea name= "remarks" input type = 'text' rows = "5" cols = "29" /><?php echo $remarks; ?></textarea></td>
    <td>As much info as possible 500 characters max</td>
  </tr>
  <tr>
    <td> </td>
    <td>Warnings:</td>
    <td><textarea name= "warnings" input="input" type = 'text' rows = "5" cols = "29" /><?php echo $warnings; ?></textarea></td>
    <td>As much info as possible 500 characters max</td>
  </tr>
  <tr>
    <td> </td>
    <td>Web Links</td>
    <td><textarea name= "weblinks" input="input" type = 'text' rows = "3" cols = "29" /><?php echo $weblinks; ?></textarea></td>
    <td>Link to airfield website</td>
  </tr>
  <tr>
    <td> </td>
    <td>Operator Details</td>
    <td><textarea name= "operator" input="input" type = 'text' rows = "3" cols = "29" /><?php echo $operator; ?></textarea></td>
    <td>As much info as possible</td>
  </tr>
  <tr>
    <td> </td>
    <td>Google Iframe Image</td>
    <td><textarea name= "google_image" input="input" type = 'text' rows = "5" cols = "29" /><?php echo $google_image; ?></textarea></td>
    <td>700 x 700 pixels please. <a href="http://www.youtube.com/watch?v=gVRWhLEvt-I" target = "_blank">Watch Video here for How to Get the Image from Google</a></td>
  </tr>
  <tr>
    <td> </td>
    <td><input type='submit' name='submit' value='Have-It' /></td>
    <td> </td>
    <td> </td>
  </tr>
</table>
</form>


</body>
</html>
<?php } ?>

 

Iframe code from google maps looks like this

<iframe width="425" height="350" frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="http://www.google.co.uk/maps?ie=UTF8&ll=53.755207,-1.988525&spn=5.256048,11.228027&t=h&z=7&output=embed"></iframe><br /><small><a href="http://www.google.co.uk/maps?ie=UTF8&ll=53.755207,-1.988525&spn=5.256048,11.228027&t=h&z=7&source=embed" style="color:#0000FF;text-align:left">View Larger Map</a></small>

 

[Muddy_Funster]

I think the best 'spam' protection would be to integrate a captcha box to the page (is a bit tricky but I'm sure there is a guide for it somewhere about here...)

 

On a personal note -  <iframes> : using CSS and PHP (and sometimes AJAX if you want to be funky) they are more or less redundant.

[VinceGledhill]

Thanks mate, I'll have a look at the capcha.

 

The iframe gives us the best way of showing the live google map of the airfield in question.  Anyone visiting the airfield can interact with the map which is it's biggest highlight. 

[fugix]

always filter user inout as to prevent things llike sql injection you can use functions like htmlentities() htmlspecialchars() addslashes() etc..

you can find quite a few methods http://us.php.net/manual/en/function.htmlentities.php

[fugix]

and i fyou ever want to store arrays into a db..i would recommend you use serialize() and unserialize() when storing and pulling arrays out of your db

[Pikachu2000]

htmlentities and htmlspecialchars have nothing to do with SQL injection, and addslashes should not be used unless there is no escaping function available for your specific RDBMS. MySQL has mysql_real_escape_string, Postgres has the pg_ functions, etc.

 

 

[cssfreakie]

also don't forget to take a look at the tutorial made here on php freaks. http://www.phpfreaks.com/tutorial/php-security

 

[fugix]

Htmlentities()