bert56 Posted May 28, 2014 (edited)

It is possible to use HTML in my input type, so I need the code to make it impossible to destroy the information in my database. Can you help me?

<code>
<td width="163"><input type="int" name="leerlingnummer2"></td>
</code>
...
<code>
if($_POST['leerlingnummer2'] ==""){
    $veld = "leerlingnummer";
    $doorgaan = false;
</code>

Edited May 28, 2014 by bert56
ginerjm Posted May 28, 2014

Huh?
bert56 (Author) Posted May 29, 2014

The user is only allowed to type numbers in the input type. What code can I use to make that possible?
kicken Posted May 29, 2014

Check their input using ctype_digit to ensure that what they entered is numeric. If not, re-show the form with an error message.
bert56 (Author) Posted May 29, 2014 (edited)

Thank you, but for me it is a great problem to combine the code with the input type. I tried several combinations, but they are not correct. I think it has to be:

<code>
if($_POST['ctype_digit(leerlingnummer2)] ==""){
    $veld = "leerlingnummer";
    $doorgaan = false;
</code>

But ... when I use this, there is no input in my database.

Edited May 29, 2014 by bert56
adam_bray Posted May 29, 2014

What you've posted above makes no sense. Have a look at kicken's link again, there are 2 examples of how to use the function.
jazzman1 Posted May 29, 2014 (edited)

Prior to html5 all types of control for the html input fields that I know are those - http://www.w3.org/TR/html401/interact/forms.html#edef-INPUT

If you're running into html5 you could use a number type, but yours is "int" type.

Edited May 29, 2014 by jazzman1
bert56 (Author) Posted May 29, 2014 (edited)

I don't succeed. Is there an HTML solution that I can write in the form, so that when the user types letters, he gets a warning that the input is wrong?

.... Now I saw the text of Guru and I read the code for number, but I can't get the right combination. Do you have a hint for

<code>
<input type="int" name="leerlingnummer2">
</code>

Edited May 29, 2014 by bert56
Jacques1 Posted May 29, 2014

All right, now we got total confusion.

First of all, data validation is not a security feature. This is especially true for client-side validation like the type attribute, because this can easily be circumvented by anybody. All the user has to do is remove the attribute in their browser or not use a browser in the first place.

I think you should forget about the number stuff for now and concentrate on the real problem. You said that people may be able to destroy data if they give you the “wrong” input. Then there's definitely something wrong with your query or your application logic.

Can you show us the query and explain what exactly you mean by “destroying data”?
cyberRobot Posted May 29, 2014

As Jacques1 mentioned, you should not depend on client-side validation. To make sure the value contains a number, you can use ctype_digit as suggested by kicken. Here is a quick example of how to use the function:

<code>
// Reject the submission when the value is not made up of digits only
if(!ctype_digit((string)$_POST['leerlingnummer2'])) {
    $veld = "leerlingnummer";
    $doorgaan = false;
}
</code>
bert56 (Author) Posted May 29, 2014

Thank you both. Here is my query

<code>
if(!$doorgaan){
    echo "U heeft het veld '".$veld."' niet ingevuld!<br/>";
    echo "Ga met het pijltje links bovenaan terug naar het scherm en probeer het opnieuw. Als je op het kruisje rechts drukt, ben je alle antwoorden kwijt.";
}
else{
    //*** not all fields are filled in ***
    $sql_query = "SELECT leerlingnummer2 FROM nene WHERE leerlingnummer2='".$_POST['leerlingnummer2']."'";
    $result = mysql_query($sql_query) or die(mysql_error());
    if(mysql_num_rows($result) > 0 ){
        echo "Met deze naam of dit leerlingnummer is al een beoordeling geven!<br/>";
    }
    //*** username already exists ***
    else{
        $sql_aanmelding = "INSERT INTO `nene` (`leerlingnummer2`,
            `regelk1`, `regelk2`, `regelk3`, `regelk4`,
            `wwspel1`, `wwspel2`, `wwspel3`, `wwspel4`,
            `overigew1`, `overigew2`, `overigew3`, `overigew4`,
            `interp1`, `interp2`, `interp3`, `interp4`,
            `formul1`, `formul2`, `formul3`, `formul4`,
            `taalkundigontl1`, `taalkundigontl2`, `taalkundigontl3`, `taalkundigontl4`,
            `redekundigontl1`, `redekundigontl2`, `redekundigontl3`, `redekundigontl4`,
            `tekstbegrip1`, `tekstbegrip2`, `tekstbegrip3`, `tekstbegrip4` )
            VALUES ('" . $_POST['leerlingnummer2'] . "',
            '". $_POST['regelk1']. "', '". $_POST['regelk2']. "', '". $_POST['regelk3']. "', '". $_POST['regelk4']. "',
            '". $_POST['wwspel1']. "','". $_POST['wwspel2']. "', '". $_POST['wwspel3']. "', '". $_POST['wwspel4']. "',
            '". $_POST['overigew1']. "','". $_POST['overigew2']. "','". $_POST['overigew3']."', '". $_POST['overigew4']. "',
            '". $_POST['interp1']. "', '". $_POST['interp2']. "','". $_POST['interp3']. "','". $_POST['interp4']."',
            '". $_POST['formul1']. "', '". $_POST['formul2']. "', '". $_POST['formul3']. "','". $_POST['formul4']. "',
            '". $_POST['taalkundigontl1']."', '". $_POST['taalkundigontl2']. "', '". $_POST['taalkundigontl3']. "', '". $_POST['taalkundigontl4']. "',
            '". $_POST['redekundigontl1']. "','". $_POST['redekundigontl2']."', '". $_POST['redekundigontl3']. "', '". $_POST['redekundigontl4']. "',
            '". $_POST['tekstbegrip1']. "','". $_POST['tekstbegrip2']."', '". $_POST['tekstbegrip3']. "', '". $_POST['tekstbegrip4']. "')";
        $sql_aanmelding;
        $verzenden = mysql_query($sql_aanmelding);
        echo "Beste ".$_POST['leerlingnummer2'].", hartelijk dank voor het beantwoorden van de vragen.
</code>
mich2004 Posted May 29, 2014

Bert you need to be sanitising your user input for sure. The following (filter_input) should help..

http://www.php.net/manual/en/function.filter-input.php
ginerjm Posted May 29, 2014

Just by looking at the size of this query, your table design may need some re-thinking as well. I see several repeated fields - formul#, wwspel#, overigew#.....

If you are trying to store multiple groups of the same data in one record, you misunderstand the whole concept of relational databases. One should never have multiple copies of the same "data" in a single record. Rather than putting 4 values of formul# in one 'main' record, the 'main' record should link to a second table that will contain 4 records that will be part of the 'main' record. By having a 'main' record id of some sort, you can then put that id into the second table and use it to 'join' the two tables in a query and end up with all the data you need for that 'record id'.
Jacques1 Posted May 29, 2014

The problem is that you drop the user input right into the query string without escaping it. That's what needs to be fixed. Any PHP value you want to insert into the query must be escaped and quoted:

<code>
$sql_query = "
    SELECT leerlingnummer2
    FROM nene
    WHERE leerlingnummer2= '".mysql_real_escape_string($_POST['leerlingnummer2'])."'
";
</code>

See the mysql_real_escape_string()? This prevents the user from breaking out of the string expression. So no matter what they send you, it will all just be interpreted as the content of this string and never as an actual SQL query.

Now you can add your validation on top of it if you want to. But the point is that all input must be escaped and quoted.

Note that the mysql_* functions you're using have been obsolete for almost 10 years and will be removed in one of the next releases. Haven't you seen the big red warning signs? Nowadays, we use PDO or MySQLi. Those also support much better security mechanisms, namely parameterized statements: Instead of throwing your SQL and the user input into one big query string, you strictly separate the two. You first send a “query template” with placeholders to the database system. This template is parsed just like a normal query. And then you assign your data to the placeholders. Since the data is now strictly separated from the actual query, there's no risk of SQL injections. It's simply not possible to manipulate the query through the data.

So I strongly recommend you give up the old MySQL extension and switch to PDO. If that's not an option, you need mysql_real_escape_string().
bert56 (Author) Posted May 29, 2014 (edited)

That's a lot of information for me. First I want to use more tables. Then I write the escape code (I think it is only necessary in the input, not the radiobutton). Then I want to use PDO.

I understand I get the following error (Column 'leerlingnummer2' in field list is ambiguous), but I don't know how to solve it, because I need the unique number in each table.

<code>
<?php
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
?>
//*** check whether all fields are filled in ***
if(!$doorgaan){
    echo "U heeft het veld '".$veld."' niet ingevuld!<br/>";
    echo "Ga met het pijltje links bovenaan terug naar het scherm en probeer het opnieuw. Als je op het kruisje rechts drukt, ben je alle antwoorden kwijt.";
}
else{
    //*** not all fields are filled in ***
    $sql_query = "SELECT leerlingnummer2 FROM regelk, wwspel, overigew, interp, formul, taalkundigontl, redekundigont WHERE leerlingnummer2='".$_POST['leerlingnummer2']."'";
    $result = mysql_query($sql_query) or die(mysql_error());
    if(mysql_num_rows($result) > 0 ){
        echo "Met deze naam of dit leerlingnummer is al een beoordeling geven!<br/>";
    }
    //*** username already exists ***
    else{
        $sql_aanmelding = "INSERT INTO `regelk` (`leerlingnummer2`, `regelk1`, `regelk2`, `regelk3`, `regelk4`)
            VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['regelk1']. "', '". $_POST['regelk2']. "', '". $_POST['regelk3']. "', '". $_POST['regelk4'].
        $sql_aanmelding = "INSERT INTO `wwspel` (`leerlingnummer2`, `wwspel1`, `wwspel2`, `wwspel3`, `wwspel4`)
            VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['wwspel1']. "','". $_POST['wwspel2']. "', '". $_POST['wwspel3']. "', '". $_POST['wwspel4'].
        $sql_aanmelding = "INSERT INTO `overigew` (`leerlingnummer2`, `overigew1`, `overigew2`, `overigew3`, `overigew4`)
            VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['overigew1']. "','". $_POST['overigew2']. "','". $_POST['overigew3']."', '". $_POST['overigew4'].
        $sql_aanmelding = "INSERT INTO `interp` (`leerlingnummer2`, `interp1`, `interp2`, `interp3`, `interp4`)
            VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['interp1']. "', '". $_POST['interp2']. "','". $_POST['interp3']. "','". $_POST['interp4'].
        $sql_aanmelding = "INSERT INTO `formul` (`leerlingnummer2`, `formul1`, `formul2`, `formul3`, `formul4`)
            VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['formul1']. "', '". $_POST['formul2']. "', '". $_POST['formul3']. "','". $_POST['formul4'].
        $sql_aanmelding = "INSERT INTO `taalkundigont` (`leerlingnummer2`, `taalkundigontl1`, `taalkundigontl2`, `taalkundigontl3`, `taalkundigontl4`)
            VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['taalkundigontl1']."', '". $_POST['taalkundigontl2']. "', '". $_POST['taalkundigontl3']. "', '". $_POST['taalkundigontl4'].
        $sql_aanmelding = "INSERT INTO `redekundigont` (`leerlingnummer2`, `redekundigontl1`, `redekundigontl2`, `redekundigontl3`, `redekundigontl4`)
            VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['redekundigontl1']. "','". $_POST['redekundigontl2']."', '". $_POST['redekundigontl3']. "', '". $_POST['redekundigontl4'].
        $sql_aanmelding = "INSERT INTO `tekstbegrip` (`leerlingnummer2`, `tekstbegrip1`, `tekstbegrip2`, `tekstbegrip3`, `tekstbegrip4`)
            VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['tekstbegrip1']. "','". $_POST['tekstbegrip2']."', '". $_POST['tekstbegrip3']. "', '". $_POST['tekstbegrip4']. "')";
        $sql_aanmelding;
        $verzenden = mysql_query($sql_aanmelding);
        echo "Beste ".$_POST['leerlingnummer2'].", hartelijk dank voor het beantwoorden van de vragen.
</code>

Edited May 29, 2014 by bert56
cyberRobot Posted May 29, 2014 (Solution)

> I understand I get the following error (Column 'leerlingnummer2' in field list is ambiguous), but I don't know how to solve it, because I need the unique number in each table.

That sounds like you have multiple tables using the same column name. SQL just wants to know which one you're referring to. For example:

<code>
$sql_query = "SELECT regelk.leerlingnummer2 FROM regelk, wwspel, overigew...
</code>
davidannis Posted May 29, 2014

> Then I write the escape code ( I think it is only necessary in the input, not the radiobutton).

NO, you need it for the radiobutton name too or I can create a form like this:

<code>
<form action="http://yourserver/yourscript" method="POST">
<input type="text" name="yourRadioButtonName" value="my malicious code">
<input type="submit">
</form>
</code>

or I can just write a script to submit directly to your script. Either way, you leave me a huge security hole.
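What the replies above from Jacques1 and davidannis add up to, as an added example that is not part of the thread: every field, radio buttons included, is checked server-side, and the values reach the database only through PDO placeholders. The `nene` table and field names come from the posted query; the allowed radio values 1-4 and the in-memory SQLite connection standing in for the MySQL server are assumptions.

```php
<?php
// Field groups from the INSERT posted in the thread; each group has fields 1-4.
const GROUPS = ['regelk', 'wwspel', 'overigew', 'interp', 'formul',
                'taalkundigontl', 'redekundigontl', 'tekstbegrip'];
// Assumption: the radio buttons submit one of these values.
const ALLOWED_SCORES = ['1', '2', '3', '4'];

// Fixed column list built in a loop; it never contains user input.
function scoreColumns(): array
{
    $cols = [];
    foreach (GROUPS as $group) {
        for ($i = 1; $i <= 4; $i++) {
            $cols[] = $group . $i;
        }
    }
    return $cols;
}

// Server-side check of every field.
// Returns [clean values, null] on success or [null, name of failing field].
function validate(array $post): array
{
    $id = $post['leerlingnummer2'] ?? '';
    if (!is_string($id) || !ctype_digit($id)) {
        return [null, 'leerlingnummer2'];
    }
    $clean = ['leerlingnummer2' => $id];
    foreach (scoreColumns() as $col) {
        $value = $post[$col] ?? '';
        // A radio button is just another request parameter, so check it too.
        if (!is_string($value) || !in_array($value, ALLOWED_SCORES, true)) {
            return [null, $col];
        }
        $clean[$col] = $value;
    }
    return [$clean, null];
}

// Parameterized statements: the SQL template is fixed, the data is bound separately.
function saveAssessment(PDO $pdo, array $clean): bool
{
    $check = $pdo->prepare('SELECT 1 FROM nene WHERE leerlingnummer2 = ?');
    $check->execute([$clean['leerlingnummer2']]);
    if ($check->fetchColumn() !== false) {
        return false; // an assessment for this number already exists
    }
    $cols = array_merge(['leerlingnummer2'], scoreColumns());
    $values = array_map(fn ($col) => $clean[$col], $cols);
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    $sql = 'INSERT INTO nene (' . implode(', ', $cols) . ") VALUES ($marks)";
    return $pdo->prepare($sql)->execute($values);
}

// Demo: in-memory SQLite stands in for the MySQL server (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE nene (leerlingnummer2 TEXT PRIMARY KEY, '
    . implode(' TEXT, ', scoreColumns()) . ' TEXT)');

// Constructed sample requests: one valid, one with a forged radio value.
$good = ['leerlingnummer2' => '12345'] + array_fill_keys(scoreColumns(), '3');
$forged = ['regelk1' => "it's not a score"] + $good;

var_dump(validate($forged)[1]);          // name of the field that failed
[$clean] = validate($good);
var_dump(saveAssessment($pdo, $clean));  // first submission
var_dump(saveAssessment($pdo, $clean));  // same number submitted again
```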
ginerjm Posted May 29, 2014

And PLEASE use the proper code tags on this forum. Read the rules!
bert56 (Author) Posted May 30, 2014

I changed the names 'leerlingnummer2' in the different tables:

wwspel: leerlingnummer3
overigew: leerlingnummer4
interp: leerlingnummer5
formul: leerlingnummer6
taalkundigont: leerlingnummer7
redekundigont: leerlingnummer8
tekstbegrip: leerlingnummer9

But there are no posts. I think I changed everything to get posts. I also used wwspel.leerlingnummer2 ... but I didn't change the right leerlingnummer2. Do you know which 'leerlingnummer2' causes the problems?

<code>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="content-type" content="text/html; charset=utf8_unicode_ci" />
<title></title>
<link rel= "stylesheet" href="menu_style.css" type="text/css" />
<link href="opmaak.css" rel="stylesheet" type="text/css"/>
</head>
</head>
<?php include '../navigatie/nav.inc'; ?>
<div id="container">
<div id="header3"> </div>
<div id="menu"> </div>
<div id="content">
<div class="kolom1"> <h3> <B></B><BR><br> </h3></div>
<div class="kolom2"> <h2></h2> <h3><A HREF=""></A> </h3></div>
<div id="content img"> </div>
</div>
<div class="koloms12"> <br>
<?php
include ("../db_connect.inc.php");
$doorgaan = true;
if($_POST['leerlingnummer2'] ==""){ $veld = "leerlingnummer"; $doorgaan = false; }
else if($_POST['regelk1'] ==""){ $veld = "regelk1"; $doorgaan = false; }
else if($_POST['regelk2'] ==""){ $veld = "regelk2"; $doorgaan = false; }
else if($_POST['regelk3'] ==""){ $veld = "regelk3"; $doorgaan = false; }
else if($_POST['regelk4'] ==""){ $veld = "regelk4"; $doorgaan = false; }
else if($_POST['wwspel1'] ==""){ $veld = "wwspel1"; $doorgaan = false; }
else if($_POST['wwspel2'] ==""){ $veld = "wwspel2"; $doorgaan = false; }
else if($_POST['wwspel3'] ==""){ $veld = "wwspel3"; $doorgaan = false; }
else if($_POST['wwspel4'] ==""){ $veld = "wwspel4"; $doorgaan = false; }
else if($_POST['overigew1'] ==""){ $veld = "overigew1"; $doorgaan = false; }
else if($_POST['overigew2'] ==""){ $veld = "overigew2"; $doorgaan = false; }
else if($_POST['overigew3'] ==""){ $veld = "overigew3"; $doorgaan = false; }
else if($_POST['overigew4'] ==""){ $veld = "overigew4"; $doorgaan = false; }
else if($_POST['interp1'] ==""){ $veld = "interp1"; $doorgaan = false; }
else if($_POST['interp2'] ==""){ $veld = "interp2"; $doorgaan = false; }
else if($_POST['interp3'] ==""){ $veld = "interp3"; $doorgaan = false; }
else if($_POST['interp4'] ==""){ $veld = "interp4"; $doorgaan = false; }
else if($_POST['formul1'] ==""){ $veld = "formul1"; $doorgaan = false; }
else if($_POST['formul2'] ==""){ $veld = "formul2"; $doorgaan = false; }
else if($_POST['formul3'] ==""){ $veld = "formul3"; $doorgaan = false; }
else if($_POST['formul4'] ==""){ $veld = "formul4"; $doorgaan = false; }
else if($_POST['taalkundigont1'] ==""){ $veld = "taalkundigont1"; $doorgaan = false; }
else if($_POST['taalkundigont2'] ==""){ $veld = "taalkundigont2"; $doorgaan = false; }
else if($_POST['taalkundigont3'] ==""){ $veld = "taalkundigont3"; $doorgaan = false; }
else if($_POST['taalkundigont4'] ==""){ $veld = "taalkundigont4"; $doorgaan = false; }
else if($_POST['redekundigont1'] ==""){ $veld = "redekundigont1"; $doorgaan = false; }
else if($_POST['redekundigont2'] ==""){ $veld = "redekundigont2"; $doorgaan = false; }
else if($_POST['redekundigont3'] ==""){ $veld = "redekundigont3"; $doorgaan = false; }
else if($_POST['redekundigont4'] ==""){ $veld = "redekundigont4"; $doorgaan = false; }
else if($_POST['tekstbegrip1'] ==""){ $veld = "tekstbegrip1"; $doorgaan = false; }
else if($_POST['tekstbegrip2'] ==""){ $veld = "tekstbegrip2"; $doorgaan = false; }
else if($_POST['tekstbegrip3'] ==""){ $veld = "tekstbegrip3"; $doorgaan = false; }
else if($_POST['tekstbegrip4'] ==""){ $veld = "tekstbegrip4"; $doorgaan = false; }
//*** check whether all fields are filled in ***
if(!$doorgaan){
    echo "U heeft het veld '".$veld."' niet ingevuld!<br/>";
    echo "Ga met het pijltje links bovenaan terug naar het scherm en probeer het opnieuw. Als je op het kruisje rechts drukt, ben je alle antwoorden kwijt.";
}
else{
    //*** not all fields are filled in ***
    $sql_query = "SELECT leerlingnummer2 FROM regelk, wwspel, overigew, interp, formul, taalkundigont, redekundigont WHERE leerlingnummer2='".$_POST['leerlingnummer2'] ."'" ;
    $result = mysql_query($sql_query) or die(mysql_error());
    if(mysql_num_rows($result) > 0 ){
        echo "Met deze naam of dit leerlingnummer is al een beoordeling geven!<br/>";
    }
    //*** username already exists ***
    else{
        $sql_aanmelding = "INSERT INTO `regelk` (`leerlingnummer2`, `regelk1`, `regelk2`, `regelk3`, `regelk4`)
            VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['regelk1']. "', '". $_POST['regelk2']. "', '". $_POST['regelk3']. "', '". $_POST['regelk4'].
        $sql_aanmelding = "INSERT INTO `wwspel` (`leerlingnummer2`, `wwspel1`, `wwspel2`, `wwspel3`, `wwspel4`)
            VALUES ('" . $_POST['leerlingnummer3'] . "', '". $_POST['wwspel1']. "','". $_POST['wwspel2']. "', '". $_POST['wwspel3']. "', '". $_POST['wwspel4'].
        $sql_aanmelding = "INSERT INTO `overigew` (`leerlingnummer2`, `overigew1`, `overigew2`, `overigew3`, `overigew4`)
            VALUES ('" . $_POST['leerlingnummer4'] . "', '". $_POST['overigew1']. "','". $_POST['overigew2']. "','". $_POST['overigew3']."', '". $_POST['overigew4'].
        $sql_aanmelding = "INSERT INTO `interp` (`leerlingnummer2`, `interp1`, `interp2`, `interp3`, `interp4`)
            VALUES ('" . $_POST['leerlingnummer5'] . "', '". $_POST['interp1']. "', '". $_POST['interp2']. "','". $_POST['interp3']. "','". $_POST['interp4'].
        $sql_aanmelding = "INSERT INTO `formul` (`leerlingnummer2`, `formul1`, `formul2`, `formul3`, `formul4`)
            VALUES ('" . $_POST['leerlingnummer6'] . "', '". $_POST['formul1']. "', '". $_POST['formul2']. "', '". $_POST['formul3']. "','". $_POST['formul4'].
        $sql_aanmelding = "INSERT INTO `taalkundigont` (`leerlingnummer2`, `taalkundigont1`, `taalkundigont2`, `taalkundigont3`, `taalkundigont4`)
            VALUES ('" . $_POST['leerlingnummer7'] . "', '". $_POST['taalkundigont1']."', '". $_POST['taalkundigont2']. "', '". $_POST['taalkundigont3']. "', '". $_POST['taalkundigont4'].
        $sql_aanmelding = "INSERT INTO `redekundigont` (`leerlingnummer2`, `redekundigont1`, `redekundigont2`, `redekundigont3`, `redekundigon4`)
            VALUES ('" . $_POST['leerlingnummer8'] . "', '". $_POST['redekundigont1']. "','". $_POST['redekundigont2']."', '". $_POST['redekundigont3']. "', '". $_POST['redekundigont4'].
        $sql_aanmelding = "INSERT INTO `tekstbegrip` (`leerlingnummer2`, `tekstbegrip1`, `tekstbegrip2`, `tekstbegrip3`, `tekstbegrip4`)
            VALUES ('" . $_POST['leerlingnummer9'] . "', '". $_POST['tekstbegrip1']. "','". $_POST['tekstbegrip2']."', '". $_POST['tekstbegrip3']. "', '". $_POST['tekstbegrip4']. "')";
        $sql_aanmelding;
        $verzenden = mysql_query($sql_aanmelding);
        echo "Beste ".$_POST['leerlingnummer2'].", hartelijk dank voor het beantwoorden van de vragen. ";
    }
}
?>
</div>
</div>
</code>
Jacques1 Posted May 30, 2014

When you can no longer find your own variables, it's definitely time to refactor.

Wow. You really looove repetition, don't you? This looks more like a typing exercise than programming. And at least half of your code doesn't do anything, because you just keep overwriting the same variables.

I think you should scrap the code and start over, this time with PDO and a more intelligent approach. I know, it's painful to throw away code, but this is just unmaintainable. Take it as a lesson: If the only keys you press are Ctrl and V, you're doing it wrong.

Do you know what a loop is?
davidannis Posted May 30, 2014

You should also take a look at switch / case instead of if / elseif / elseif, else

http://www.php.net/manual/en/control-structures.switch.php