[PHP] Secure Mail Form using PHP

2006-02-16 Thread Martin E. Koss
This issue has probably been discussed more than I've been able to find
in the archive, so I'm sorry if I'm going over old ground.
 
I'm trying to make sure my email form cannot be used for spam or
injecting additional code and addresses in any way.
 
So far I'm able to remove bcc, cc, to, etc but unable to remove \n & \r.
If I could do that I'd consider it fairly secure. As you'll see below,
I've been trying various ways of doing it.
 
<snip>
// CHECK FOR SPAM ATTEMPTS AND REMOVE THEM
$Email = stripslashes($Email);
$Senders_Name = stripslashes($Senders_Name);
$Message = stripslashes($Message);
$recipient = stripslashes($recipient);
$subject = stripslashes($subject);

  $Email = preg_replace( "/[\n\r]+/", " ", $Email );
  // Remove injected headers
  $find = array("/bcc\:/i","/Content\-Type\:/i","/cc\:/i","/to\:/i");
  $Email = preg_replace($find, "", $Email);
  $Senders_Name = preg_replace($find, "", $Senders_Name);
  $Message = preg_replace($find, "", $Message);
  $recipient = preg_replace($find, "", $recipient);
//  $message = preg_replace($find, "", message);
//  $email=str_replace("\r","\n",$email);
//  $name=str_replace("\r","\n",$name);
//  $message=str_replace("\r","\n",$message);
//  $phone=str_replace("\r","\n",$phone);

//  $Email = ereg_replace( "\r", " ", $Email ); THIS DOES NOT WORK
//  $Email = ereg_replace( "\n", " ", $Email ); THIS DOES NOT WORK
//  $Email = ereg_replace( "bcc:", " ", $Email );
//  $Email = ereg_replace( "cc:", " ", $Email );

$Senders_Name = preg_replace( "/[\n\r]+/", " ", $Senders_Name );

$Message = preg_replace( "/[\n\r]+/", " ", $Message );

$recipient = preg_replace( "/[\n\r]+/", " ", $recipient );

$subject = preg_replace( "/[\n\r]+/", " ", $subject );

</snip>

<snip>
// NOW SEND THE EMAIL
mail("$recipient", "$subject.", "$Message",
"From: $Email ($Senders_Name)\nReply-To: $Email\n
Sent by:   $Senders_Name
Email Address: $Email");
</snip>
 
Thanks for any guidance
 
Martin

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
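
Added example (not the poster's code, and not from the PHP project): instead of stripping "bcc:"-style strings, it rejects any single-line field that contains CR or LF, validates the address, and lets the form choose the recipient only by key from a fixed list. The names ALLOWED_RECIPIENTS, is_single_line and build_contact_mail, the recipient keys and the example.org / example.net addresses are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. The recipient keys and the
// example.org / example.net addresses are constructed for illustration.
const ALLOWED_RECIPIENTS = [
    'sales'   => 'sales@example.org',
    'support' => 'support@example.org',
];

// Single-line fields must not contain CR, LF or NUL. Reject, do not strip.
function is_single_line(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Returns [to, subject, body, headers] for mail(), or null on bad input.
function build_contact_mail(array $form): ?array
{
    // Non-string input (e.g. Email[]=x) is treated as an empty field.
    $get = fn(string $k): string => is_string($form[$k] ?? null) ? trim($form[$k]) : '';

    // The form supplies a key, never an address.
    $to      = ALLOWED_RECIPIENTS[$get('recipient')] ?? null;
    $email   = $get('Email');
    $name    = $get('Senders_Name');
    $subject = $get('subject');

    if ($to === null || !is_single_line($email) || !is_single_line($name) || !is_single_line($subject)) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Only the body may contain line breaks; normalise them to CRLF.
    $body = "Sent by: $name\r\nEmail Address: $email\r\n\r\n"
          . preg_replace('/\r\n|\r|\n/', "\r\n", $get('Message'));
    // From is a fixed site address; the visitor appears only in Reply-To.
    $headers = "From: webform@example.org\r\nReply-To: $email";
    return [$to, $subject, $body, $headers];
}

// Constructed sample submissions: one clean, one with a header smuggled into Email.
$ok  = ['recipient' => 'sales', 'Email' => 'visitor@example.net', 'Senders_Name' => 'A Visitor',
        'subject' => 'Quote request', 'Message' => "Line one\nLine two"];
$bad = ['Email' => "visitor@example.net\r\nBcc: someone@example.net"] + $ok;

var_dump(build_contact_mail($ok) !== null);
var_dump(build_contact_mail($bad));
```
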




[PHP] Uploading Multiple Files

2003-07-14 Thread Martin E. Koss
I'm having a little struggle getting a PHP file to upload 2 files
simultaneously.
The code follows. The first image always gets uploaded but the second one
sometimes does but when it does it is a duplicate of the first image but
named as the second.

There's probably a real simple solution but obviously I'm not seeing it.

Here's the code:

if (($userfile=="") OR ($userfile=="none")) {
$userfile="";
}
// $Description=nl2br($Description);
if ($userfile!="") { // can only check all aspects of the upload it if it is used
// prep the image
$newname = $userfile_name;
$Image=$userfile_name;  // the name that will be saved to the database
// get the size of the image
$TheImage=$userfile;
$imagehw = GetImageSize($TheImage);
$ImageWidth = $imagehw[0];
$ImageHeight = $imagehw[1];

function do_upload($filename,$newname) {
  $file = basename($filename);
  $tmp_upload_path = "/tmp/";
  $new_file_name = "/home/httpd/vhtdocs/ramco/uploaded/".$newname;

if (!copy($tmp_upload_path.$file, $new_file_name)) echo "failed to copy file<br>Possibly due to it being larger than 30k (30,000 bytes).\n";
return;
}

if ($CurrentImage!="") { // means we need to delete the existing file if it exists
if(file_exists("/home/httpd/vhtdocs/ramco/uploaded/".$CurrentImage)) {
$filename="/home/httpd/vhtdocs/ramco/uploaded/" .$CurrentImage;
unlink($filename);
} // file deleted if it exists
} // end looking for existing file if $CurrentImage!=""

// extract file extension of uploaded file
$arr_basename=explode(".",$newname);
$file_type=$arr_basename[1];
if ($file_type!="jpg") {
$Error="NotJPG";
}

// allow upload only for specific types

elseif ($ImageWidth>400) {
$Error="TooBig";
}
else {
do_upload($userfile,$newname);
}

if ($userfile_size>$MAX_UPLOAD_SIZE) {
$filename="/home/httpd/vhtdocs/ramco/uploaded/" .$userfile_name;
if (unlink($filename)) {
$Error="FileSizeTooBig";
}
}
} // if first upload was successful, do the next image

function do_upload2($filename2,$newname2) {
  $file2 = basename($filename2);
  $tmp_upload_path2 = "/tmp/";
  $new_file_name2 = "/home/httpd/vhtdocs/ramco/uploaded/".$newname2;

if (!copy($tmp_upload_path2.$file2,$new_file_name2)) echo "failed to copy file<br>Possibly due to it being larger than 30k (30,000 bytes).\n";
return;
}

// now do userfile2
if (($userfile2=="") OR ($userfile2=="none")) {
$userfile2="";
}

if ($userfile2!="") { // can only check all aspects of the upload it if it is used
// prep the image
$newname2 = $userfile2_name;
$Image2=$userfile2_name;// the name that will be saved to the database
// get the size of the image
$TheImage2=$userfile2;
$imagehw2 = GetImageSize($TheImage2);
$ImageWidth2 = $imagehw2[0];
$ImageHeight2 = $imagehw2[1];

if ($CurrentImage2!="") { // means we need to delete the existing file if it exists
if(file_exists("/home/httpd/vhtdocs/ramco/uploaded/".$CurrentImage2)) {
$filename2="/home/httpd/vhtdocs/ramco/uploaded/" .$CurrentImage2;
unlink($filename2);
} // file deleted if it exists
} // end looking for existing file if $CurrentImage!=""

// extract file extension of uploaded file
$arr_basename=explode(".",$newname2);
$file_type=$arr_basename[1];
if ($file_type!="jpg") {
$Error2="NotJPG";
}

// allow upload only for specific types

elseif ($ImageWidth>400) {
$Error2="TooBig";
}
else {
do_upload2($userfile,$newname);
}

if ($userfile_size>$MAX_UPLOAD_SIZE) {
$filename2="/home/httpd/vhtdocs/ramco/uploaded/" .$userfile_name2;
if (unlink($filename2)) {
$Error2="FileSizeTooBig";
}
}
} // if the uploads were successful, save the entry into the database






[PHP] myODBC from Access to mySQL (Failing)

2001-05-09 Thread Martin E. Koss

I know it's off topic, but I've struggled to find a more responsive stream
of help than this list - and note that several other ODBC questions have
been answered.

Why is myODBC so hard to get working on different computers?

I just had to reinstall Win 95 & Office 97 on one of our test computers AND
Win 98 with Office 2000 on another (due to virus hits on our network)...
Now, since then, we cannot update our mySQL database from either of them.

Fortunately, on my Laptop I can update the mySQL tables via ODBC from Access
2000... So I'm puzzled, trying to remember the various updates that I must
have done to get Access 97 on Win 95 to work and also to do the same from
Access 2K on Win 98.

On both I have installed myODBC and MDAC2.5 but I'm still pulling my hair
out.

Any help will save my hair. Thanks.

Martin E. Koss
M: 07946-706459
E: [EMAIL PROTECTED]






[PHP] [PHP-DB] ALTER TABLE - code not working.

2001-03-29 Thread Martin E. Koss

I have been trying to get a new column added to a table (vips) via a PHP
script, but having exhausted all the things I can find, I'm still
struggling. I've referred to TFM for all those who just can't wait to tell me
to do so, and I believe my SQL statement is correct:

$NewCol = $Prod_Code;
$defaultvalue = "0.00";
// make usual connection
$conID = mysql_pconnect ("localhost","admin","mek1233");
mysql_select_db("FocusDynamics", $conID);
// set the query
// According to the mySQL manual:
// ALTER TABLE vips ADD column_name FLOAT (11,2) DEFAULT '0.00'
// So I used:
$AddColQuery = "ALTER TABLE vips ADD $NewCol FLOAT (11,2) DEFAULT '0.00'";
$result = mysql_query ($AddColQuery,$conID);
// now set the default value for all rows in vips table
$SetDefault = "UPDATE TABLE vips SET $NewCol=$defaultvalue";
$result = mysql_query ($SetDefault,$conID);

It is NOT adding the column, and obviously not setting the default.

Any help would be great, thanks.

Martin.






RE: [PHP] Line breaks in PHP

2001-03-29 Thread Martin E. Koss

When getting the data out of a mySQL table with PHP, use:

$TextArea = nl2br($TextField);

If you are opening it into a form you shouldn't need any formatting as it
will detect the new lines and if using a TEXTAREA the lines will be as you
typed them initially.

If you want to save BRs when saving the data into the table, use the above
but then you won't need it when you pull the data back out.

Martin.

-----Original Message-----
From: Jason Lotito [mailto:[EMAIL PROTECTED]]
Sent: 29 March 2001 20:30
To: [EMAIL PROTECTED]; Php Mailing List
Subject: RE: [PHP] Line breaks in PHP




> -----Original Message-----
> From: Matt Davis [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, March 29, 2001 1:29 AM
> To: Php Mailing List
> Subject: [PHP] Line breaks in PHP
>
>
> I have a form that edits the text on a web page by putting the data into a
> db and then outputting to the webpage when it is called. When I enter my
> text into my form I use the return key to start new lines, but when the text
> appears on my webpage it has no line breaks so the text just wraps to the
> width of the page.
>
> Is there any way of PHP picking up these line breaks so that the text will
> be formatted on my web page as it was on my form?
>
> Thanks
>
> Matt.


http://www.php.net/nl2br  Check out that function. That is what you
need.

Jason Lotito
www.NewbieNetwork.net
Where those who can, teach;
and those who can, learn.






[PHP] Dynamically build a form from mySQL table

2001-03-20 Thread Martin E. Koss

Hi,
I've been trying to figure this out by looking through the code in
phpMyAdmin but I'm not getting very far. There's probably some help about it
somewhere.

What I want to do is dynamically generate a form where I get a table row
containing the field name in one cell and the input field in the next cell,
for example:

$DatabaseName = "FocusDynamics";
$TableName = "Items";

// open the table and get all field names, sizes, etc.,

// for each Field name, print something like:

PRINT "<tr>\n";
PRINT "<td>$FieldName</td>\n";
PRINT "<td><input type=\"text\" name=\"$FieldName\" value=\"$FieldValue\" maxlength=\"$FieldSize\"></td>\n";
PRINT "</tr>";

How do I get all this info from the table?

Thanks for any help.


Martin E. Koss
M: 07946-706459
E: [EMAIL PROTECTED]






[PHP] Rounding to strange results

2001-03-06 Thread Martin E. Koss

Hi,
I use a product database for 2 sites, one of which adds sales tax and rounds
to the nearest .10 and on the other site there is no tax and also no
rounding.

I am unable to figure out why a price of 1000.00 is being displayed as 1.00
and any price over 1000 does the same thing. 100.00 works fine, as do all
other prices; this is the same with and without rounding.

Anything I should look for to solve this problem?

Martin.






[PHP] Run a script for 20minutes

2001-02-12 Thread Martin E. Koss

Hi,
I have PHP3 and MySQL on Win98 and am trying to run a script that loops
through a file making process and it needs about 20 - 30 minutes to run. It
generates static HTML files based on content in a database. I've increased
Internet Explorer's timeout to allow for this but for some reason only about
half the processing is done before everything seems to just stop.

Does anyone know of a very basic way of executing a PHP script on a Win98
machine without the need for a browser? Or, another way of running this
script that will take some time and create some 22,000 files through the
process.

Thanks,

Martin.

