Re: [PHP] Sending a message

2011-08-05 Thread Negin Nickparsa
Well, what is the problem with these manuals :)?

Google these ones:

security exploits like SQL injection, Cross Site Scripting (XSS) and
Cross Site Request Forgery

You can find many security issues.

Also,

for your code problems try this site:

stackoverflow.com

Previous times when I had these problems, people on this list were too angry
at me :D
for posting emails about arrays like $_POST

LOL! One of those angry people told me about this site; I am thankful to him :)

I am happy on this site.
Be a member there ;)
They will answer your code issues in just a second :)


[PHP] Sending a message

2011-08-04 Thread wil prim
Ok so I have tried to create a sort of messaging system on my website and I have run into some problems storing who the message is from, I'll try to take you through step by step what I am trying to do.

step #1 (messages.php): --This is where the member will view the recent messages that have been posted

<div id='messages'>
<?php
include 'connect.php';
session_start();
$_SESSION['user']=$user;
//store sql queries
$sql="SELECT * FROM entries";
$result=mysql_query($sql, $con);
$count=mysql_num_rows($result);
if ($count<1){
echo 'There are no messages yet!';
}
while ($row=mysql_fetch_array($result)){
echo 'From: ' .$row['from'];
echo '<br/>';
echo 'Subject: ' .$row['subject'];
echo '<br/>';
echo 'Message: ' .$row['body'];
echo '<hr/>';
}
?>
</div>

Step #2 (create_message.php):-- This is where the user creates a new message

<h2> Create new message</h2>
<table border='0' width='100%' cellpadding='3px' style='text-align: top;'>
<form method='post' action=''>
<tr width='100%' height='30%' style='margin-top: 0px;'>
<td> Subject </td>
<td> <input type='text' name='subject' maxlength='30'/></td>
</tr>
<tr width='100%' height='30%'>
<td> Body </td>
<td><textarea name='body' style='height: 200px; width: 400px;'></textarea></td>
</tr>
<tr>
<td colspan='2' align='center'><input type='submit' name='new_message' value='Send!'/> </td>
</tr>
</form>
</table>

Step #3 (insert_message.php)-- this is where my problem is (trying to insert $_SESSION['user'] into table ['from'])

<?php
include 'connect.php';
session_start();
$user=$_SESSION['user'];
if ($_POST['new_message']){
include 'connect.php';
session_start();
$_SESSION['user']=$user;
$body=$_POST['body'];
$subject=$_POST['subject'];
$date=' ';
$sql="INSERT INTO `entries` ( `id` , `from` , `subject` , `body` , `date` ) VALUES ( NULL , '$user', '$subject', '$body', '$date' )";
if (mysql_query($sql,$con)){
echo 'Inserted!';
echo $user;
}
else
echo 'Not Inserted';
}
?>

Hope I don't piss anyone off with such a long message, I just really need help on this. Thanks!

Re: [PHP] Sending a message

2011-08-04 Thread Negin Nickparsa
In previous pages you must have a login page, and in the login page you must
store the username; then in the next steps you have the username in
$_SESSION['user'].
Now if that is not your problem, then what is the problem?


Re: [PHP] Sending a message

2011-08-04 Thread wil prim
Well my problem is when I click submit, the $_SESSION['user'] ('from' part of the table in my db) is blank, so I'm guessing the $_SESSION variable didn't pass through.

On Aug 04, 2011, at 10:11 PM, Negin Nickparsa nickpa...@gmail.com wrote:
in previous pages you must have a login page and in login page you must
store the username and then in next steps you have username in
$_SESSION['user']
now if it is not your problem then what is the problem?



Re: [PHP] Sending a message

2011-08-04 Thread Negin Nickparsa
You must check that your session is set with this one:

if(isset($_SESSION['user']))
{
// Identifying the user
$user = $_SESSION['user'];

// Information for the user.
}

Tell me, what have you done in the login page?


Re: [PHP] Sending a message

2011-08-04 Thread wil prim
This is the login.php which checks the form on the login page.

<?php
session_start();
include('connect.php');
$user=$_POST['user'];
$pass=$_POST['pass'];
$sql="SELECT * FROM members WHERE username='$_POST[user]' and password='$_POST[pass]'";
$result=mysql_query($sql, $con);
$count=mysql_num_rows($result);
if ($count==1){
 session_start();
 $_SESSION['user'] = $user;
}
else{
 echo 'Wrong Username or Password';
}
?>

On Aug 04, 2011, at 10:23 PM, Negin Nickparsa nickpa...@gmail.com wrote:
you must check setting your session with this one:

if(isset($_SESSION['user']))
{


// Identifying the user
$user = $_SESSION['user'];

// Information for the user.
}
tell me what you have done in login page?



Re: [PHP] Sending a message

2011-08-04 Thread Negin Nickparsa
Did you set the form method='post'?


Re: [PHP] Sending a message

2011-08-04 Thread Negin Nickparsa
In this line, password='$_POST[pass]', you have an error;

change it to password='$_POST['pass']'.


Re: [PHP] Sending a message

2011-08-04 Thread Negin Nickparsa
Well, sorry, change it to password=$pass (better).

Also check your errors by running php yourpage.php;
it is better not to get stuck on errors like this one.


Re: [PHP] Sending a message

2011-08-04 Thread David Holmes
Your code is full of security errors. You should use mysql escape
string (google it) to protect your database from being hacked.
David Holmes 
twitter @mrstanfan
owner of the exclusive StanFan.com
Whats Your StanFan?

-Original Message-
From: wil prim wilp...@me.com
Date: Sat, 06 Aug 2011 04:49:32 
To: PHP MAILINGLISTphp-general@lists.php.net; Philly 
Holbrookpholbro...@gmail.com
Subject: [PHP] Sending a message
Ok so I have tried to create a sort of messaging system on my website and I 
have run into some problems storing who the message is from, I'll try to take 
you through step by step what I am trying to do.


step #1 (messages.php): --This is where the member will view the recent 
messages that have been posted
<div id='messages'>
<?php
include 'connect.php';
session_start();
$_SESSION['user']=$user;
//store sql queries
$sql="SELECT * FROM entries";
$result=mysql_query($sql, $con);
$count=mysql_num_rows($result);
if ($count<1){
echo 'There are no messages yet!';
}
while ($row=mysql_fetch_array($result)){
echo 'From: ' .$row['from'];
echo '<br/>';
echo 'Subject: ' .$row['subject'];
echo '<br/>';
echo 'Message: ' .$row['body'];
echo '<hr/>';
}
?>
</div>

Step #2 (create_message.php):-- This is where the user creates a new message

<h2> Create new message</h2>
<table border='0' width='100%' cellpadding='3px' style='text-align: top;'>
<form method='post' action='insert_message.php'>
<tr width='100%' height='30%' style='margin-top: 0px;'>
<td> Subject </td>
<td> <input type='text' name='subject' maxlength='30'/></td>
</tr>
<tr width='100%' height='30%'>
<td> Body </td>
<td><textarea name='body' style='height: 200px; width: 400px;'></textarea></td>
</tr>
<tr>
<td colspan='2' align='center'><input type='submit' name='new_message' value='Send!'/> </td>
</tr>
</form>
</table>

Step #3 (insert_message.php)-- this is where my problem is (trying to insert 
$_SESSION['user'] into table ['from'])
<?php
include 'connect.php';
session_start();
$user=$_SESSION['user'];
if ($_POST['new_message']){
include 'connect.php';
session_start();
$_SESSION['user']=$user;
$body=$_POST['body'];
$subject=$_POST['subject'];
$date=' ';
$sql="INSERT INTO `entries` (
`id` ,
`from` ,
`subject` ,
`body` ,
`date`
)
VALUES (
NULL , '$user', '$subject', '$body', '$date'
)";
if (mysql_query($sql,$con)){
echo 'Inserted!';
echo $user;
   
}
else
echo 'Not Inserted';
   
}
?>

Hope I don't piss anyone off with such a long message, I just really need help 
on this.

Thanks!




Re: [PHP] Sending a message

2011-08-04 Thread wil prim
Woot! Got it! There was a page in between that stored $_SESSION['user']=$user rather than the other way around! Thank you! And yeah, I will secure it!

On Aug 04, 2011, at 10:37 PM, David Holmes dholmes1...@gmail.com wrote:
Your code is full of security errors. You should use mysql escape string (google it) to protect your database from being hacked.




Re: [PHP] Sending a message

2011-08-04 Thread Negin Nickparsa
Or if you want to do this risky and non-secure thing, try this:
$query="select * from members where user='".$_POST['user']."' and pass=password('$pas')";

Well, first you must check errors in MySQL,
then store in the session.

Also it is better to use:

$user=mysql_real_escape_string($_POST['user']);

then write the query.


Re: [PHP] Sending a message

2011-08-04 Thread Negin Nickparsa
Well, I wonder!
With the syntax errors is it now working? Or without them?


Re: [PHP] Sending a message

2011-08-04 Thread wil prim
I think I'll just use the better secured one, thanks!

On Aug 04, 2011, at 10:41 PM, Negin Nickparsa nickpa...@gmail.com wrote:
or if you want to do this risky and none secure thing try this:
$query="select * from members where user='".$_POST['user']."' and pass=password('$pas')";
well first you must check errors in mysql
then storing in session
also it is better to use:
$user=mysql_real_escape_string($_POST['user']);
then write the query


Re: [PHP] Sending a message

2011-08-04 Thread Negin Nickparsa
It is better to use this one:

http://www.php.net/mysql_real_escape_string

If you don't use this, by inputting just a quote or this input '--'
a hacker can easily hack your syntax.

In other steps your site will send a message like:
error in mysql on this line lob lob ..

In this part he will find that your server is MySQL :D
He/she will try other syntaxes, and from the errors he/she finds your table names
and ... :D
You know how bad :D

So obey the security rules.


Re: [PHP] Sending a message

2011-08-04 Thread Jim Lucas



On 8/5/2011 9:49 PM, wil prim wrote:

Ok so I have tried to create a sort of messaging system on my website and I have
run into some problems storing who the message is from, I'll try to take you
through step by step what I am trying to do.


*step #1 *(messages.php):--This is where the member will view the recent
messages that have been posted
<div id='messages'>
<?php
include 'connect.php';


session_start() should be called before anything else on the page is 
done.  Move this to the first line after your opening <?php tag.

session_start();


First... from one of your other emails, you explain that by the time you 
get to this page, your user has already logged in.  But in the next 
line, you are AFAICT setting the $_SESSION['user'] to a null value.  Try 
commenting this line out and see what happens.



$_SESSION['user']=$user;
//store sql queries
$sql="SELECT * FROM entries";


You should change this a little.  I realize there isn't much to go wrong 
with this SQL statement, but you never know...

$result=mysql_query($sql, $con);


$result = mysql_query($sql, $con) OR
  die('SQL ERROR: '. mysql_errno($con) .'<br />'. mysql_error($con));


$count=mysql_num_rows($result);
if ($count<1){
echo 'There are no messages yet!';
}


I think you are missing an ELSE clause here...


while ($row=mysql_fetch_array($result)){
echo 'From: ' .$row['from'];
echo '<br/>';
echo 'Subject: ' .$row['subject'];
echo '<br/>';
echo 'Message: ' .$row['body'];
echo '<hr/>';

}
?>
</div>

*Step #2* (create_message.php):-- This is where the user creates a new message

<h2> Create new message</h2>
<table border='0' width='100%' cellpadding='3px' style='text-align: top;'>
<form method='post' action='insert_message.php'>
<tr width='100%' height='30%' style='margin-top: 0px;'>
<td> Subject</td>
<td> <input type='text' name='subject' maxlength='30'/></td>
</tr>
<tr width='100%' height='30%'>
<td> Body</td>
<td><textarea name='body' style='height: 200px; width: 400px;'></textarea></td>
</tr>
<tr>
<td colspan='2' align='center'><input type='submit' name='new_message'
value='Send!'/> </td>
</tr>
</form>
</table>

*Step #3 *(insert_message.php)-- this is where my problem is (trying to insert
$_SESSION['user'] into table ['from'])


This script is riddled with security issues and errors.

<?php
include 'connect.php';


Again with the session_start() thing.  Move it to the top.

session_start();


Why do this?  Just use $_SESSION['user'] where you would use $user...

$user=$_SESSION['user'];


This is going to cause a NOTICE error.  Check out isset()

if ($_POST['new_message']){


You are including this file for a second time.  Does it need to be?

include 'connect.php';


Calling this a second time, just for good measure???  Remove it.

session_start();


Again, you are clearing your $_SESSION['user'] variable.

$_SESSION['user']=$user;


If you are going to assign the values to new variables, I would suggest 
tossing htmlspecialchars() around each one.

$body=$_POST['body'];
$subject=$_POST['subject'];
$date=' ';


Also, before you go using those variables above in your SQL below, you 
should wrap a call to mysql_real_escape_string() around them.

$sql="INSERT INTO `entries` (
`id` ,
`from` ,
`subject` ,
`body` ,
`date`
)
VALUES (
NULL , '$user', '$subject', '$body', '$date'
)";


Refer to my suggestion above about adding the OR die() portion to the 
following command.

if (mysql_query($sql,$con)){
echo 'Inserted!';
echo $user;

}
else
echo 'Not Inserted';

}
?>

Hope I don't piss anyone off with such a long message, I just really need help on
this.

Thanks!




--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
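Pulling together the thread's advice (Negin's and David Holmes's notes on escaping input, and Jim Lucas's comments on session_start(), isset() and escaping), here is an added example that is not code from the thread: the login query and the insert step rewritten with mysqli prepared statements, a swapped-in technique the thread itself does not use. It assumes connect.php provides `$con` as a mysqli object and the `members` and `entries` tables from the original post.

```php
<?php
// Added example, not the thread's code: the login query and the message
// INSERT from the original post, rewritten with mysqli prepared statements
// (a swapped-in technique; the thread suggests mysql_real_escape_string).
// Assumes connect.php provides $con as a mysqli object and the tables
// `members` (username, password) and `entries` (id, from, subject, body, date).

// Returns true when exactly one member matches. The input is bound as
// data, so a quote or '-- in the username cannot change the SQL text.
// (The thread's schema compares the stored password as-is; hashing it
// is a separate topic not covered here.)
function login_user(mysqli $con, string $user, string $pass): bool
{
    $stmt = $con->prepare('SELECT username FROM members WHERE username = ? AND password = ?');
    if ($stmt === false) {
        error_log('login prepare failed: ' . $con->error); // log it; never echo SQL errors to the visitor
        return false;
    }
    $stmt->bind_param('ss', $user, $pass);
    $stmt->execute();
    $stmt->store_result();
    return $stmt->num_rows === 1;
}

// Stores a message. `from` comes from the session, never from the form,
// so a visitor cannot post under another member's name.
function insert_message(mysqli $con, string $from, string $subject, string $body): bool
{
    $stmt = $con->prepare('INSERT INTO `entries` (`from`, `subject`, `body`, `date`) VALUES (?, ?, ?, ?)');
    if ($stmt === false) {
        error_log('insert prepare failed: ' . $con->error);
        return false;
    }
    $date = date('Y-m-d H:i:s'); // the original inserted ' '; a timestamp string fits DATETIME or VARCHAR
    $stmt->bind_param('ssss', $from, $subject, $body, $date);
    return $stmt->execute();
}

// --- insert_message.php ---
session_start();        // first statement on the page, before any output
include 'connect.php';
if (!isset($_SESSION['user'])) {          // set by login.php; never reassign it from $user here
    exit('Please log in first');
}
if (isset($_POST['new_message'], $_POST['subject'], $_POST['body'])) {  // isset() avoids the NOTICE
    echo insert_message($con, $_SESSION['user'], $_POST['subject'], $_POST['body'])
        ? 'Inserted!' : 'Not Inserted';
}
```

When messages.php later prints `$row['subject']` and `$row['body']`, wrap each in htmlspecialchars() so a stored message cannot inject markup into the page (the XSS that Negin's first reply names).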



Re: [PHP] Sending a message

2011-08-04 Thread wil prim
lol wow ok thanks, I'm very new to coding, started HTML about 2 months ago, so ty for letting me know the security of the language! Is there any place where I can read (other than the PHP manual) a tutorial on security?

On Aug 04, 2011, at 10:49 PM, Negin Nickparsa nickpa...@gmail.com wrote:
it is better to use this one:
http://www.php.net/mysql_real_escape_string
if you don't use this by inputting just a quote or this input '--'
a hacker can easily hack your syntax
in another steps your site will send a message like:
error in mysql on this line lob lob ..
in this part he will find your server that it is MySQL :D
he/she will try another syntaxes and by errors he/she finds your table names
and ... :D
you know how bad :D
then obey the security rules