bert56
Solved by cyberRobot


It is possible to use HTML in my input type, so I need the code to make it impossible to destroy the information in my database.

 

Can you help me?

 

<td width="163"><input type="int" name="leerlingnummer2"></td>

...

if($_POST['leerlingnummer2'] ==""){
        $veld = "leerlingnummer";
        $doorgaan = false;
}

Edited by bert56
Link to comment
Share on other sites

Thank you, but for me it is a great problem to combine the code with the input type.

 

I tried several combinations, but they are not correct.

 

I think it has to be:

if($_POST['ctype_digit(leerlingnummer2)] ==""){
        $veld = "leerlingnummer";
        $doorgaan = false;

 

But ... when I use this, there is no input in my database.

Edited by bert56
Link to comment
Share on other sites

I don't succeed.

 

Is there an HTML solution that I can write in the form?

 

So, when the user types letters, he gets a warning that the input is wrong?

 

....

 

Now I saw the text of Guru and I read the code for number, but I can't get the right combination.

 

Do you have a hint for

 

<input type="int" name="leerlingnummer2">

Edited by bert56
Link to comment
Share on other sites

All right, now we got total confusion. :(

 

First of all, data validation is not a security feature. This is especially true for client-side validation like the type attribute, because this can easily be circumvented by anybody. All the user has to do is remove the attribute in their browser or not use a browser in the first place.

 

I think you should forget about the number stuff for now and concentrate on the real problem. You said that people may be able to destroy data if they give you the “wrong” input. Then there's definitely something wrong with your query or your application logic. Can you show us the query and explain what exactly you mean by “destroying data”?

 

Link to comment
Share on other sites

As Jacques1 mentioned, you should not depend on client-side validation. To make sure the value contains a number, you can use ctype_digit as suggested by kicken. Here is a quick example of how to use the function:

// Stop (and name the field) when the value is NOT made up of digits only;
// the cast to string is needed because ctype_digit() expects a string.
if(!ctype_digit((string)$_POST['leerlingnummer2'])) {
    $veld = "leerlingnummer";
    $doorgaan = false;
}
Link to comment
Share on other sites

Thank you both.

 

Here is my query

 

if(!$doorgaan){
    echo "U heeft het veld '".$veld."' niet ingevuld!<br/>";
    echo "Ga met het pijltje links bovenaan terug naar het scherm en probeer het opnieuw. Als je op het kruisje rechts drukt, ben je alle antwoorden kwijt.";
}
else{

    //***not all fields are filled in***
    $sql_query = "SELECT leerlingnummer2 FROM nene WHERE leerlingnummer2='".$_POST['leerlingnummer2']."'";
    $result = mysql_query($sql_query) or die(mysql_error()); 
    if(mysql_num_rows($result) > 0 ){
        echo "Met deze naam of dit leerlingnummer is al een beoordeling geven!<br/>";
    }

    //***username already exists***
    else{
        $sql_aanmelding = "INSERT INTO `nene` (`leerlingnummer2`, 
`regelk1`, `regelk2`, `regelk3`, `regelk4`, 
`wwspel1`, `wwspel2`, `wwspel3`, `wwspel4`, 
`overigew1`, `overigew2`, `overigew3`, `overigew4`, 
`interp1`, `interp2`, `interp3`, `interp4`, 
`formul1`, `formul2`, `formul3`, `formul4`, 
`taalkundigontl1`, `taalkundigontl2`, `taalkundigontl3`, `taalkundigontl4`, 
`redekundigontl1`, `redekundigontl2`, `redekundigontl3`, `redekundigontl4`, 
 `tekstbegrip1`, `tekstbegrip2`, `tekstbegrip3`, `tekstbegrip4` 
) VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['regelk1']. "', '". $_POST['regelk2']. "', '". $_POST['regelk3']. "', '". $_POST['regelk4']. "','". $_POST['wwspel1']. "','". $_POST['wwspel2']. "', '". $_POST['wwspel3']. "', '". $_POST['wwspel4']. "', '". $_POST['overigew1']. "','". $_POST['overigew2']. "','". $_POST['overigew3']."', '". $_POST['overigew4']. "', '". $_POST['interp1']. "', '". $_POST['interp2']. "','". $_POST['interp3']. "','". $_POST['interp4']."', '". $_POST['formul1']. "', '". $_POST['formul2']. "', '". $_POST['formul3']. "','". $_POST['formul4']. "','". $_POST['taalkundigontl1']."', '". $_POST['taalkundigontl2']. "', '". $_POST['taalkundigontl3']. "', '". $_POST['taalkundigontl4']. "','". $_POST['redekundigontl1']. "','". $_POST['redekundigontl2']."', '". $_POST['redekundigontl3']. "', '". $_POST['redekundigontl4']. "','". $_POST['tekstbegrip1']. "','". $_POST['tekstbegrip2']."', '". $_POST['tekstbegrip3']. "', '". $_POST['tekstbegrip4'].  
         "')";
        $sql_aanmelding;
        $verzenden = mysql_query($sql_aanmelding);
        echo "Beste ".$_POST['leerlingnummer2'].", hartelijk dank voor het beantwoorden van de vragen.

Link to comment
Share on other sites

Just by looking at the size of this query, your table design may need some re-thinking as well. I see several repeated fields - formul#, wwspel#, overigew#... If you are trying to store multiple groups of the same data in one record, you misunderstand the whole concept of relational databases. One should never have multiple copies of the same "data" in a single record. Rather than putting 4 values of formul# in one 'main' record, the 'main' record should link to a second table that will contain 4 records that will be part of the 'main' record. By having a 'main' record id of some sort, you can then put that id into the second table and use it to 'join' the two tables in a query and end up with all the data you need for that 'record id'.

Link to comment
Share on other sites

The problem is that you drop the user input right into the query string without escaping it. That's what needs to be fixed.

 

Any PHP value you want to insert into the query must be escaped and quoted:

$sql_query = "
    SELECT
        leerlingnummer2
    FROM
        nene
    WHERE
        leerlingnummer2= '".mysql_real_escape_string($_POST['leerlingnummer2'])."'
";

See the mysql_real_escape_string()? This prevents the user from breaking out of the string expression. So no matter what they send you, it will all just be interpreted as the content of this string and never as an actual SQL query.

 

Now you can add your validation on top of it if you want to. But the point is that all input must be escaped and quoted.

 

Note that the mysql_* functions you're using have been obsolete for almost 10 years and will be removed in one of the next releases. Haven't you seen the big red warning signs? Nowadays we use PDO or MySQLi. Those also support much better security mechanisms, namely parameterized statements: instead of throwing your SQL and the user input into one big query string, you strictly separate the two. You first send a “query template” with placeholders to the database system. This template is parsed just like a normal query. Then you assign your data to the placeholders. Since the data is now strictly separated from the actual query, there's no risk of SQL injection. It's simply not possible to manipulate the query through the data.

 

So I strongly recommend you give up the old MySQL extension and switch to PDO. If that's not an option, you need mysql_real_escape_string().

Link to comment
Share on other sites
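The existence check from this reply, written out both ways as an added example (this is not code from the thread or from any of the posters): the legacy `mysql_real_escape_string()` form that keeps the input inside the quoted string literal, and the PDO prepared-statement form that separates the query template from the data. A digits-only check runs on the server first, because the form's `type` attribute can be removed by the user. Table and column names follow the thread; the DSN, database name and credentials are placeholders.

```php
<?php
// Added example, not from the thread: the leerlingnummer2 existence check
// once with escaping+quoting and once with a PDO prepared statement.
// DSN, database name and credentials below are placeholders.

// Server-side check that the student number consists of digits only.
// The browser's type attribute can be stripped by anyone, so this check
// must live here. ctype_digit() expects a string, hence the cast.
function isStudentNumber($value): bool
{
    $value = (string) $value;
    return $value !== '' && ctype_digit($value);
}

// Old mysql_* extension (PHP 5 only; defined here for comparison and not
// called on PHP 7+): the value is escaped AND quoted, so a quote character
// in the input stays inside the SQL string literal.
function existsLegacy($link, string $leerlingnummer): bool
{
    $sql = "SELECT leerlingnummer2 FROM nene WHERE leerlingnummer2 = '"
         . mysql_real_escape_string($leerlingnummer, $link) . "'";
    $result = mysql_query($sql, $link) or die(mysql_error($link));
    return mysql_num_rows($result) > 0;
}

// PDO prepared statement: the template with the :nr placeholder is sent to
// the server first; the value is bound afterwards and can only ever be data,
// never part of the query structure.
function existsPdo(PDO $pdo, string $leerlingnummer): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM nene WHERE leerlingnummer2 = :nr');
    $stmt->execute([':nr' => $leerlingnummer]);
    return $stmt->fetchColumn() !== false;
}

$nr = (string) ($_POST['leerlingnummer2'] ?? '');
if (!isStudentNumber($nr)) {
    echo "U heeft het veld 'leerlingnummer' niet ingevuld!<br/>";
    exit;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=DBNAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASSWORD_PLACEHOLDER',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

if (existsPdo($pdo, $nr)) {
    echo "Met deze naam of dit leerlingnummer is al een beoordeling geven!<br/>";
} else {
    // the INSERT goes here, built the same way with prepare() and execute()
}
```

The escaping variant only works when every value is both escaped and placed inside quotes; forgetting either one reopens the hole. The PDO variant has no such per-value step to forget, which is why it is the one to carry forward into the INSERT.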

That's a lot of information for me.

 

First I want to use more tables.

 

Then I write the escape code (I think it is only necessary in the input, not the radiobutton).

 

Then I want to use PDO.

 

I understand I get the following error (Column 'leerlingnummer2' in field list is ambiguous), but I don't know how to solve it, because I need the unique number in each table.

 

<?php
 
/*
 * To change this template, choose Tools | Templates
 * and open the template in the editor.
 */
?>
 //***check whether all fields are filled in***
if(!$doorgaan){
    echo "U heeft het veld '".$veld."' niet ingevuld!<br/>";
    echo "Ga met het pijltje links bovenaan terug naar het scherm en probeer het opnieuw. Als je op het kruisje rechts drukt, ben je alle antwoorden kwijt.";
}
else{
    
    //***not all fields are filled in***
    $sql_query = "SELECT leerlingnummer2 FROM regelk, wwspel, overigew, interp, formul, taalkundigontl, redekundigont WHERE leerlingnummer2='".$_POST['leerlingnummer2']."'";
    $result = mysql_query($sql_query) or die(mysql_error()); 
    if(mysql_num_rows($result) > 0 ){
        echo "Met deze naam of dit leerlingnummer is al een beoordeling geven!<br/>";
        
    }
 
    //***username already exists***
    else{
        $sql_aanmelding = "INSERT INTO `regelk` (`leerlingnummer2`, 
`regelk1`, `regelk2`, `regelk3`, `regelk4`) 
VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['regelk1']. "', '". $_POST['regelk2']. "', '". $_POST['regelk3']. "', '". $_POST['regelk4'].
 
$sql_aanmelding = "INSERT INTO `wwspel` (`leerlingnummer2`, 
`wwspel1`, `wwspel2`, `wwspel3`, `wwspel4`) 
VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['wwspel1']. "','". $_POST['wwspel2']. "', '". $_POST['wwspel3']. "', '". $_POST['wwspel4'].
 
$sql_aanmelding = "INSERT INTO `overigew` (`leerlingnummer2`, 
`overigew1`, `overigew2`, `overigew3`, `overigew4`) 
VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['overigew1']. "','". $_POST['overigew2']. "','". $_POST['overigew3']."', '". $_POST['overigew4'].
 
 
$sql_aanmelding = "INSERT INTO `interp` (`leerlingnummer2`, 
`interp1`, `interp2`, `interp3`, `interp4`)
VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['interp1']. "', '". $_POST['interp2']. "','". $_POST['interp3']. "','". $_POST['interp4'].
 
$sql_aanmelding = "INSERT INTO `formul` (`leerlingnummer2`, 
`formul1`, `formul2`, `formul3`, `formul4`) 
VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['formul1']. "', '". $_POST['formul2']. "', '". $_POST['formul3']. "','". $_POST['formul4'].
 
$sql_aanmelding = "INSERT INTO `taalkundigont` (`leerlingnummer2`, 
`taalkundigontl1`, `taalkundigontl2`, `taalkundigontl3`, `taalkundigontl4`)
VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['taalkundigontl1']."', '". $_POST['taalkundigontl2']. "', '". $_POST['taalkundigontl3']. "', '". $_POST['taalkundigontl4'].
 
$sql_aanmelding = "INSERT INTO `redekundigont` (`leerlingnummer2`, 
`redekundigontl1`, `redekundigontl2`, `redekundigontl3`, `redekundigontl4`)
VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['redekundigontl1']. "','". $_POST['redekundigontl2']."', '". $_POST['redekundigontl3']. "', '". $_POST['redekundigontl4'].
 
$sql_aanmelding = "INSERT INTO `tekstbegrip` (`leerlingnummer2`, 
`tekstbegrip1`, `tekstbegrip2`, `tekstbegrip3`, `tekstbegrip4`)
VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['tekstbegrip1']. "','". $_POST['tekstbegrip2']."', '". $_POST['tekstbegrip3']. "', '". $_POST['tekstbegrip4'].
 
 
 
         "')";
        $sql_aanmelding;
        $verzenden = mysql_query($sql_aanmelding);
        echo "Beste ".$_POST['leerlingnummer2'].", hartelijk dank voor het beantwoorden van de vragen.
Edited by bert56
Link to comment
Share on other sites

  • Solution

I understand I get the following error (Column 'leerlingnummer2' in field list is ambiguous), but I don't know how to solve it, because I need the unique number in each table.

 

That sounds like you have multiple tables using the same column name. SQL just wants to know which one you're referring to. For example:

$sql_query = "SELECT regelk.leerlingnummer2 FROM regelk, wwspel, overigew...
Link to comment
Share on other sites

 

Then I write the escape code (I think it is only necessary in the input, not the radiobutton).

NO, you need it for the radiobutton name too or I can create a form like this:

<form action="http://yourserver/yourscript" method="POST">
<input type="text" name="yourRadioButtonName" value="my malicious code">
<input type="submit">
</form> 

or I can just write a script to submit directly to your script. Either way, you leave me a huge security hole.

Link to comment
Share on other sites

I changed the names 'leerlingnummer2' in the different tables:

 

wwspel: leerlingnummer3
overigew: leerlingnummer4
interp:leerlingnummer5
formul: leerlingnummer6
taalkundigont: leerlingnummer7
redekundigont: leerlingnummer8
tekstbegrip: leerlingnummer9
 
But there are no posts.
 
I think I changed everything to get posts. I also used wwspel.leerlingnummer2 ...  but I didn't change the right leerlingnummer2. 
 
Do you know which 'leerlingnummer2' causes the problems?
 
 
 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
	<meta http-equiv="content-type" content="text/html; charset=utf8_unicode_ci" />
	<title></title>

<link rel= "stylesheet" href="menu_style.css" type="text/css" />
<link href="opmaak.css" rel="stylesheet" type="text/css"/>

</head>

</head>

<?php 

include '../navigatie/nav.inc'; 

?> 

<div id="container">  

<div id="header3"> 
   
 
</div>
<div id="menu">

  	
</div>
<div id="content">
    

<div class="kolom1">
<h3>    <B></B><BR><br>

</h3></div>
    
<div class="kolom2">
<h2></h2>
<h3><A HREF=""></A> 
</h3></div>
    

<div id="content img">

</div>

</div>



<div class="koloms12">
<br>

<?php
include ("../db_connect.inc.php");


    
$doorgaan = true;
 if($_POST['leerlingnummer2'] ==""){
        $veld = "leerlingnummer";
        $doorgaan = false;
    }

    else if($_POST['regelk1'] ==""){
        $veld = "regelk1";
        $doorgaan = false;
    }
    else if($_POST['regelk2'] ==""){
        $veld = "regelk2";
        $doorgaan = false;
    }
    else if($_POST['regelk3'] ==""){
        $veld = "regelk3";
        $doorgaan = false;
    }
    else if($_POST['regelk4'] ==""){
        $veld = "regelk4";
        $doorgaan = false;
    }
   
  else if($_POST['wwspel1'] ==""){
        $veld = "wwspel1";
        $doorgaan = false;
    }
    else if($_POST['wwspel2'] ==""){
        $veld = "wwspel2";
        $doorgaan = false;
    }
    else if($_POST['wwspel3'] ==""){
        $veld = "wwspel3";
        $doorgaan = false;
    }
    else if($_POST['wwspel4'] ==""){
        $veld = "wwspel4";
        $doorgaan = false;
    }
 else if($_POST['overigew1'] ==""){
        $veld = "overigew1";
        $doorgaan = false;
    }
    else if($_POST['overigew2'] ==""){
        $veld = "overigew2";
        $doorgaan = false;
    }
    else if($_POST['overigew3'] ==""){
        $veld = "overigew3";
        $doorgaan = false;
    }
    else if($_POST['overigew4'] ==""){
        $veld = "overigew4";
        $doorgaan = false;
    }
else if($_POST['interp1'] ==""){
        $veld = "interp1";
        $doorgaan = false;
    }
    else if($_POST['interp2'] ==""){
        $veld = "interp2";
        $doorgaan = false;
    }
    else if($_POST['interp3'] ==""){
        $veld = "interp3";
        $doorgaan = false;
    }
    else if($_POST['interp4'] ==""){
        $veld = "interp4";
        $doorgaan = false;
    }
 else if($_POST['formul1'] ==""){
        $veld = "formul1";
        $doorgaan = false;
    }
    else if($_POST['formul2'] ==""){
        $veld = "formul2";
        $doorgaan = false;
    }
    else if($_POST['formul3'] ==""){
        $veld = "formul3";
        $doorgaan = false;
    }
    else if($_POST['formul4'] ==""){
        $veld = "formul4";
        $doorgaan = false;
    }
else if($_POST['taalkundigont1'] ==""){
        $veld = "taalkundigont1";
        $doorgaan = false;
    }
    else if($_POST['taalkundigont2'] ==""){
        $veld = "taalkundigont2";
        $doorgaan = false;
    }
    else if($_POST['taalkundigont3'] ==""){
        $veld = "taalkundigont3";
        $doorgaan = false;
    }
 else if($_POST['taalkundigont4'] ==""){
        $veld = "taalkundigont4";
        $doorgaan = false;
    }
    else if($_POST['redekundigont1'] ==""){
        $veld = "redekundigont1";
        $doorgaan = false;
    }
    else if($_POST['redekundigont2'] ==""){
        $veld = "redekundigont2";
        $doorgaan = false;
    }
    else if($_POST['redekundigont3'] ==""){
        $veld = "redekundigont3";
        $doorgaan = false;
    }
else if($_POST['redekundigont4'] ==""){
        $veld = "redekundigont4";
        $doorgaan = false;
    }
    else if($_POST['tekstbegrip1'] ==""){
        $veld = "tekstbegrip1";
        $doorgaan = false;
    }
    else if($_POST['tekstbegrip2'] ==""){
        $veld = "tekstbegrip2";
        $doorgaan = false;
    }
    else if($_POST['tekstbegrip3'] ==""){
        $veld = "tekstbegrip3";
        $doorgaan = false;
    }
 else if($_POST['tekstbegrip4'] ==""){
        $veld = "tekstbegrip4";
        $doorgaan = false;
   
    
    

    }



    //***check whether all fields are filled in***
if(!$doorgaan){
    echo "U heeft het veld '".$veld."' niet ingevuld!<br/>";
    echo "Ga met het pijltje links bovenaan terug naar het scherm en probeer het opnieuw. Als je op het kruisje rechts drukt, ben je alle antwoorden kwijt.";
}
else{
    
    //***not all fields are filled in***
    $sql_query = "SELECT leerlingnummer2 FROM regelk, wwspel, overigew, interp, formul, taalkundigont, redekundigont WHERE leerlingnummer2='".$_POST['leerlingnummer2'] 
."'"  


;
    $result = mysql_query($sql_query) or die(mysql_error()); 
    if(mysql_num_rows($result) > 0 ){
        echo "Met deze naam of dit leerlingnummer is al een beoordeling geven!<br/>";
        
    }
 
    //***username already exists***
    else{
        $sql_aanmelding = "INSERT INTO `regelk` (`leerlingnummer2`, 
`regelk1`, `regelk2`, `regelk3`, `regelk4`) 
VALUES ('" . $_POST['leerlingnummer2'] . "', '". $_POST['regelk1']. "', '". $_POST['regelk2']. "', '". $_POST['regelk3']. "', '". $_POST['regelk4'].

$sql_aanmelding = "INSERT INTO `wwspel` (`leerlingnummer2`, 
`wwspel1`, `wwspel2`, `wwspel3`, `wwspel4`) 
VALUES ('" . $_POST['leerlingnummer3'] . "', '". $_POST['wwspel1']. "','". $_POST['wwspel2']. "', '". $_POST['wwspel3']. "', '". $_POST['wwspel4'].

$sql_aanmelding = "INSERT INTO `overigew` (`leerlingnummer2`, 
`overigew1`, `overigew2`, `overigew3`, `overigew4`) 
VALUES ('" . $_POST['leerlingnummer4'] . "', '". $_POST['overigew1']. "','". $_POST['overigew2']. "','". $_POST['overigew3']."', '". $_POST['overigew4'].


$sql_aanmelding = "INSERT INTO `interp` (`leerlingnummer2`, 
`interp1`, `interp2`, `interp3`, `interp4`)
VALUES ('" . $_POST['leerlingnummer5'] . "', '". $_POST['interp1']. "', '". $_POST['interp2']. "','". $_POST['interp3']. "','". $_POST['interp4'].

$sql_aanmelding = "INSERT INTO `formul` (`leerlingnummer2`, 
`formul1`, `formul2`, `formul3`, `formul4`) 
VALUES ('" . $_POST['leerlingnummer6'] . "', '". $_POST['formul1']. "', '". $_POST['formul2']. "', '". $_POST['formul3']. "','". $_POST['formul4'].

$sql_aanmelding = "INSERT INTO `taalkundigont` (`leerlingnummer2`, 
`taalkundigont1`, `taalkundigont2`, `taalkundigont3`, `taalkundigont4`)
VALUES ('" . $_POST['leerlingnummer7'] . "', '". $_POST['taalkundigont1']."', '". $_POST['taalkundigont2']. "', '". $_POST['taalkundigont3']. "', '". $_POST['taalkundigont4'].

$sql_aanmelding = "INSERT INTO `redekundigont` (`leerlingnummer2`, 
`redekundigont1`, `redekundigont2`, `redekundigont3`, `redekundigon4`)
VALUES ('" . $_POST['leerlingnummer8'] . "', '". $_POST['redekundigont1']. "','". $_POST['redekundigont2']."', '". $_POST['redekundigont3']. "', '". $_POST['redekundigont4'].

$sql_aanmelding = "INSERT INTO `tekstbegrip` (`leerlingnummer2`, 
`tekstbegrip1`, `tekstbegrip2`, `tekstbegrip3`, `tekstbegrip4`)
VALUES ('" . $_POST['leerlingnummer9'] . "', '". $_POST['tekstbegrip1']. "','". $_POST['tekstbegrip2']."', '". $_POST['tekstbegrip3']. "', '". $_POST['tekstbegrip4'].



         "')";
        $sql_aanmelding;
        $verzenden = mysql_query($sql_aanmelding);
        echo "Beste ".$_POST['leerlingnummer2'].", hartelijk dank voor het beantwoorden van de vragen.


";


    }
}
    
?>
 





</div>









</div>
Link to comment
Share on other sites

When you can no longer find your own variables, it's definitely time to refactor. ::)

 

Wow. You really looove repetition, don't you? This looks more like a typing exercise than programming. And at least half of your code doesn't do anything, because you just keep overwriting the same variables.

 

I think you should scrap the code and start over, this time with PDO and a more intelligent approach. I know, it's painful to throw away code, but this is just unmaintainable. Take it as a lesson: If the only keys you press are Ctrl and V, you're doing it wrong.

 

Do you know what a loop is?

Link to comment
Share on other sites
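What the loop-and-PDO rewrite asked for in this reply (and the one-record-per-answer table layout ginerjm suggested earlier) could look like, as an added example that is not code from the thread or from any of the posters. It assumes two tables that the thread does not have: `beoordeling(id, leerlingnummer UNIQUE)` and `antwoord(beoordeling_id, categorie, nummer, waarde)`; the category and field names follow the posted validation chain, and the DSN and credentials are placeholders. The `htmlspecialchars()` calls on output are what actually neutralises HTML typed into the form, the concern the thread opened with.

```php
<?php
// Added example, not from the thread: the 36-branch if/else-if chain and the
// eight copy-pasted INSERT statements replaced by one field list, loops, PDO
// prepared statements and a single transaction. Tables `beoordeling` and
// `antwoord` are an assumed normalised layout (one row per answer); the DSN
// and credentials are placeholders.

// Categories and answers per category, taken from the form's field names.
const CATEGORIES = ['regelk', 'wwspel', 'overigew', 'interp', 'formul',
                    'taalkundigont', 'redekundigont', 'tekstbegrip'];
const ANSWERS_PER_CATEGORY = 4;

// Build the expected answer field names once: regelk1 ... tekstbegrip4.
function answerFields(): array
{
    $fields = [];
    foreach (CATEGORIES as $cat) {
        for ($i = 1; $i <= ANSWERS_PER_CATEGORY; $i++) {
            $fields[] = $cat . $i;
        }
    }
    return $fields;
}

// Name of the first missing field, or null when everything is present.
// This single loop replaces the chain of else-if blocks setting $veld.
function firstMissingField(array $post): ?string
{
    foreach (array_merge(['leerlingnummer2'], answerFields()) as $field) {
        if (!isset($post[$field]) || $post[$field] === '') {
            return $field;
        }
    }
    return null;
}

// Store one assessment: the student number in `beoordeling`, every answer as
// its own row in `antwoord`. Returns false when the number was already
// assessed. Every value is bound as data; nothing is concatenated into SQL.
function storeAssessment(PDO $pdo, array $post): bool
{
    $pdo->beginTransaction();
    try {
        $check = $pdo->prepare('SELECT 1 FROM beoordeling WHERE leerlingnummer = :nr');
        $check->execute([':nr' => $post['leerlingnummer2']]);
        if ($check->fetchColumn() !== false) {
            $pdo->rollBack();
            return false;
        }
        $head = $pdo->prepare('INSERT INTO beoordeling (leerlingnummer) VALUES (:nr)');
        $head->execute([':nr' => $post['leerlingnummer2']]);
        $beoordelingId = (int) $pdo->lastInsertId();

        // One prepared statement, executed once per answer.
        $row = $pdo->prepare(
            'INSERT INTO antwoord (beoordeling_id, categorie, nummer, waarde)
             VALUES (:id, :cat, :nr, :val)'
        );
        foreach (CATEGORIES as $cat) {
            for ($i = 1; $i <= ANSWERS_PER_CATEGORY; $i++) {
                $row->execute([
                    ':id'  => $beoordelingId,
                    ':cat' => $cat,
                    ':nr'  => $i,
                    ':val' => $post[$cat . $i],
                ]);
            }
        }
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        $pdo->rollBack();   // nothing half-written if any insert fails
        throw $e;
    }
}

// Request handling.
$missing = firstMissingField($_POST);
if ($missing !== null) {
    echo "U heeft het veld '" . htmlspecialchars($missing) . "' niet ingevuld!<br/>";
    exit;
}
if (!ctype_digit($_POST['leerlingnummer2'])) {
    echo "U heeft het veld 'leerlingnummer' niet ingevuld!<br/>";
    exit;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=DBNAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

if (storeAssessment($pdo, $_POST)) {
    echo "Beste " . htmlspecialchars($_POST['leerlingnummer2'])
       . ", hartelijk dank voor het beantwoorden van de vragen.";
} else {
    echo "Met deze naam of dit leerlingnummer is al een beoordeling geven!<br/>";
}
```

The SELECT-then-INSERT check is a convenience for the user message; the UNIQUE index on `beoordeling.leerlingnummer` is what actually guarantees one assessment per student, and with `ERRMODE_EXCEPTION` a concurrent duplicate surfaces as an exception and the transaction is rolled back. Because `antwoord` carries the category and number as data, adding a ninth category or a fifth answer changes the constants at the top and nothing else.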
