Re: [PHP] Sending a message
Well, what is the problem with these manuals :)? Google these ones: security exploits such as SQL injection, Cross Site Scripting (XSS) and Cross Site Request Forgery; you can find many security issues that way. Also, for your code problems, try this site: stackoverflow.com. Previous times when I had these problems, people on this list were too angry at me :D for posting emails about arrays like $_POST LOL! One of those angry people told me about this site; I am thankful to him :) I am happy on this site, be a member there ;) They will answer your code issues in just a second :)
[PHP] Sending a message
Ok so I have tried to create a sort of messaging system on my website and I have run into some problems storing who the message is from. I'll try to take you through step by step what I am trying to do.

step #1 (messages.php): -- This is where the member will view the recent messages that have been posted

    <div id='messages'>
    <?php
    include 'connect.php';
    session_start();
    $_SESSION['user']=$user;
    //store sql queries
    $sql="SELECT * FROM entries";
    $result=mysql_query($sql, $con);
    $count=mysql_num_rows($result);
    if ($count<1){
        echo 'There are no messages yet!';
    }
    while ($row=mysql_fetch_array($result)){
        echo 'From: ' .$row['from'];
        echo '<br/>';
        echo 'Subject: ' .$row['subject'];
        echo '<br/>';
        echo 'Message: ' .$row['body'];
        echo '<hr/>';
    }
    ?>
    </div>

Step #2 (create_message.php): -- This is where the user creates a new message

    <h2> Create new message</h2>
    <table border='0' width='100%' cellpadding='3px' style='text-align: top;'>
    <form method='post' action=''>
    <tr width='100%' height='30%' style='margin-top: 0px;'>
    <td> Subject </td>
    <td> <input type='text' name='subject' maxlength='30'/></td>
    </tr>
    <tr width='100%' height='30%'>
    <td> Body </td>
    <td><textarea name='body' style='height: 200px; width: 400px;'></textarea></td>
    </tr>
    <tr>
    <td colspan='2' align='center'><input type='submit' name='new_message' value='Send!'/> </td>
    </tr>
    </form>
    </table>

Step #3 (insert_message.php) -- this is where my problem is (trying to insert $_SESSION['user'] into table ['from'])

    <?php
    include 'connect.php';
    session_start();
    $user=$_SESSION['user'];
    if ($_POST['new_message']){
        include 'connect.php';
        session_start();
        $_SESSION['user']=$user;
        $body=$_POST['body'];
        $subject=$_POST['subject'];
        $date=' ';
        $sql="INSERT INTO `entries` ( `id` , `from` , `subject` , `body` , `date` ) VALUES ( NULL , '$user', '$subject', '$body', '$date' )";
        if (mysql_query($sql,$con)){
            echo 'Inserted!';
            echo $user;
        }
        else echo 'Not Inserted';
    }
    ?>

Hope I don't piss anyone off with such a long message, I just really need help on this. Thanks!
Re: [PHP] Sending a message
In previous pages you must have a login page, and in the login page you must store the username; then in the next steps you have the username in $_SESSION['user']. Now, if that is not your problem, then what is the problem?
Re: [PHP] Sending a message
Well, my problem is that when I click submit, the $_SESSION['user'] ('from' part of the table in my db) is blank, so I'm guessing the $_SESSION variable didn't pass through.

On Aug 04, 2011, at 10:11 PM, Negin Nickparsa <nickpa...@gmail.com> wrote:

> In previous pages you must have a login page, and in the login page you must store the username; then in the next steps you have the username in $_SESSION['user']. Now, if that is not your problem, then what is the problem?
Re: [PHP] Sending a message
You must check that your session is set, with this one:

    if(isset($_SESSION['user'])) {
        // Identifying the user
        $user = $_SESSION['user'];
        // Information for the user.
    }

Tell me, what have you done in the login page?
Re: [PHP] Sending a message
This is the login.php which checks the form on the login page.

    <?php
    session_start();
    include('connect.php');
    $user=$_POST['user'];
    $pass=$_POST['pass'];
    $sql="SELECT * FROM members WHERE username='$_POST[user]' and password='$_POST[pass]'";
    $result=mysql_query($sql, $con);
    $count=mysql_num_rows($result);
    if ($count==1){
        session_start();
        $_SESSION['user'] = $user;
    }
    else{
        echo 'Wrong Username or Password';
    }
    ?>

On Aug 04, 2011, at 10:23 PM, Negin Nickparsa <nickpa...@gmail.com> wrote:

> You must check that your session is set, with this one:
>
>     if(isset($_SESSION['user'])) {
>         // Identifying the user
>         $user = $_SESSION['user'];
>         // Information for the user.
>     }
>
> Tell me, what have you done in the login page?
Re: [PHP] Sending a message
Did you set the form method='post'?
Re: [PHP] Sending a message
In this line, password='$_POST[pass]', you have an error; change it to password='$_POST['pass']'.
Re: [PHP] Sending a message
Well, sorry, change it to password=$pass (better). Also check your errors by running php yourpage.php; it is better not to get stuck in errors like this one.
Re: [PHP] Sending a message
Your code is full of security errors... You should use mysql escape string (google it) to protect your database from being hacked.

David Holmes
twitter @mrstanfan
owner of the exclusive StanFan.com
Whats Your StanFan?

-----Original Message-----
From: wil prim <wilp...@me.com>
Date: Sat, 06 Aug 2011 04:49:32
To: PHP MAILINGLIST <php-general@lists.php.net>; Philly Holbrook <pholbro...@gmail.com>
Subject: [PHP] Sending a message
Re: [PHP] Sending a message
Woot! Got it! There was a page in between that stored $_SESSION['user']=$user rather than the other way around! Thank you! And yea, I will secure it!

On Aug 04, 2011, at 10:37 PM, David Holmes <dholmes1...@gmail.com> wrote:

> Your code is full of security errors... You should use mysql escape string (google it) to protect your database from being hacked.
>
> David Holmes
> twitter @mrstanfan
> owner of the exclusive StanFan.com
> Whats Your StanFan?
Re: [PHP] Sending a message
Or if you want to do this risky and insecure thing, try this:

    $query="select * from members where user='".$_POST['user']."' and pass=password('$pas')";

Well, first you must check errors in MySQL, then store in the session. Also it is better to use:

    $user=mysql_real_escape_string($_POST['user']);

then write the query.
Re: [PHP] Sending a message
Well, I wonder! Is it working now with the syntax errors, or without them?
Re: [PHP] Sending a message
I think I'll just use the better secured one, thanks!

On Aug 04, 2011, at 10:41 PM, Negin Nickparsa <nickpa...@gmail.com> wrote:

> Or if you want to do this risky and insecure thing, try this:
>
>     $query="select * from members where user='".$_POST['user']."' and pass=password('$pas')";
>
> Well, first you must check errors in MySQL, then store in the session. Also it is better to use:
>
>     $user=mysql_real_escape_string($_POST['user']);
>
> then write the query.
Re: [PHP] Sending a message
It is better to use this one: http://www.php.net/mysql_real_escape_string. If you don't use this, by inputting just a quote, or this input '--', a hacker can easily hack your syntax. In other steps your site will send a message like: error in mysql on this line lob lob... In this part he will find that your server is MySQL :D He/she will try other syntaxes, and by the errors he/she finds your table names and ... :D You know how bad :D Then obey the security rules.
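To make the warning above concrete, here is an added example (editor's code, not anything posted in this thread). The first function rebuilds the query from the thread's login.php exactly as PHP interpolates it, so you can see what a username of admin'-- does to the WHERE clause; the second is a login that does not have the problem because the input is bound as a parameter and never becomes SQL text. It assumes PHP 7 or later, a PDO connection in $pdo, and a members table whose password column is named password_hash and holds a password_hash() result rather than the plaintext the thread's table stores; all of those are assumptions, not facts from the thread.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7, a PDO connection in $pdo,
// and a `members` table with columns `username` and `password_hash` (bcrypt via
// password_hash()); the thread's own table keeps plaintext in `password`.
declare(strict_types=1);

// 1. What the posted login.php query becomes once the attacker controls $_POST['user'].
function vulnerableLoginSql(string $user, string $pass): string
{
    // Same shape as the thread's login.php: request values interpolated straight into SQL.
    return "SELECT * FROM members WHERE username='$user' and password='$pass'";
}

// A username of  admin'--  closes the string and comments out the password check:
//   SELECT * FROM members WHERE username='admin'--' and password='anything'
// A lone quote instead yields a syntax error; if mysql_error() is echoed to the page,
// the attacker learns the DBMS and can probe table names from further error messages.
echo vulnerableLoginSql("admin'--", 'anything'), PHP_EOL;

// 2. Hardened login: the username travels as a bound parameter, so no input can
//    change the statement, and the password is checked against a hash.
function login(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare(
        'SELECT username, password_hash FROM members WHERE username = :u'
    );
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() is constant-time and handles the bcrypt salt/cost itself.
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return false;
    }

    // New session id on login so a session fixed before authentication is useless.
    session_regenerate_id(true);
    $_SESSION['user'] = $row['username'];
    return true;
}

// Usage (session_start() must run before any output, as the thread's reviewer notes):
//   session_start();
//   $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
//       PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//       PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
//   ]);
//   if (login($pdo, $_POST['user'] ?? '', $_POST['pass'] ?? '')) {
//       header('Location: messages.php');
//       exit;
//   }
//   echo 'Wrong Username or Password';
```

Run as a script it only prints the injected query string; the login() function needs the assumed database. Note that mysql_real_escape_string(), which the thread recommends, also works when applied consistently and with the connection's character set, but bound parameters remove the need to remember it on every query, and the old mysql_* extension has since been removed from PHP.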
Re: [PHP] Sending a message
On 8/5/2011 9:49 PM, wil prim wrote:

> Ok so I have tried to create a sort of messaging system on my website and I have run into some problems storing who the message is from, ill try to take you through step by step what I am trying to do.
>
> *step #1 *(messages.php):--This is where the member will view the recent messages that have been posted
>
>     <div id='messages'>
>     <?php
>     include 'connect.php';

session_start() should be called before anything else on the page is done. Move this to the first line after your opening <?php tag.

>     session_start();

First... from one of your other emails, you explain that by the time you get to this page, your user has already logged in. But in the next line, you are AFAICT setting the $_SESSION['user'] to a null value. Try commenting this line out and see what happens.

>     $_SESSION['user']=$user;
>     //store sql queries
>     $sql="SELECT * FROM entries";

You should change this a little. I realize there isn't much to go wrong with this SQL statement, but you never know...

>     $result=mysql_query($sql, $con);

    $result = mysql_query($sql, $con) OR die('SQL ERROR: '. mysql_errno($con) .'<br />'. mysql_error($con));

>     $count=mysql_num_rows($result);
>     if ($count<1){
>         echo 'There are no messages yet!';
>     }

I think you are missing an ELSE clause here...

>     while ($row=mysql_fetch_array($result)){
>         echo 'From: ' .$row['from'];
>         echo '<br/>';
>         echo 'Subject: ' .$row['subject'];
>         echo '<br/>';
>         echo 'Message: ' .$row['body'];
>         echo '<hr/>';
>     }
>     ?>
>     </div>
>
> *Step #2* (create_message.php):-- This is where the user creates a new message
>
>     <h2> Create new message</h2>
>     <table border='0' width='100%' cellpadding='3px' style='text-align: top;'>
>     <form method='post' action='insert_message.php'>
>     <tr width='100%' height='30%' style='margin-top: 0px;'>
>     <td> Subject</td>
>     <td> <input type='text' name='subject' maxlength='30'/></td>
>     </tr>
>     <tr width='100%' height='30%'>
>     <td> Body</td>
>     <td><textarea name='body' style='height: 200px; width: 400px;'></textarea></td>
>     </tr>
>     <tr>
>     <td colspan='2' align='center'><input type='submit' name='new_message' value='Send!'/> </td>
>     </tr>
>     </form>
>     </table>
>
> *Step #3 *(insert_message.php)-- this is where my problem is (trying to insert $_SESSION['user'] into table ['from'])

This script is riddled with security issues and errors.

>     <?php
>     include 'connect.php';

Again with the session_start() thing. Move it to the top.

>     session_start();

Why do this? Just use $_SESSION['user'] where you would use $user...

>     $user=$_SESSION['user'];

This is going to cause a NOTICE error. Check out isset().

>     if ($_POST['new_message']){

You are including this file for a second time. Does it need to?

>         include 'connect.php';

Calling this a second time, just for good measure??? Remove it.

>         session_start();

Again, you are clearing your $_SESSION['user'] variable.

>         $_SESSION['user']=$user;

If you are going to assign the values to new variables, I would suggest tossing htmlspecialchars() around each one.

>         $body=$_POST['body'];
>         $subject=$_POST['subject'];
>         $date=' ';

Also, before you go using those variables above in your SQL below, you should wrap a call to mysql_real_escape_string() around them.

>         $sql="INSERT INTO `entries` ( `id` , `from` , `subject` , `body` , `date` ) VALUES ( NULL , '$user', '$subject', '$body', '$date' )";

Refer to my suggestion above about adding the OR die() portion to the following command.

>         if (mysql_query($sql,$con)){
>             echo 'Inserted!';
>             echo $user;
>         }
>         else echo 'Not Inserted';
>     }
>     ?>
>
> Hope i dont piss anyone off with such a long message, I just really need help on this. Thanks!
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
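The review above lists the fixes one at a time (session_start() first, isset() on the session, escaping before the INSERT, htmlspecialchars() on output, no silent failure). Here they are applied together as one added example (editor's code, not the poster's) that plays the role of insert_message.php and messages.php combined. It assumes PHP 7 or later, the thread's entries table with date as a DATETIME column, a hypothetical connect.php that sets $pdo to a PDO connection with ERRMODE_EXCEPTION, and a hidden form field named csrf (hypothetical) that create_message.php fills from the token this script issues; the thread's reply mentioning Cross Site Request Forgery is the reason that field is there.

```php
<?php
// Added example (editor's code, not the poster's). Assumptions: PHP >= 7; the thread's
// `entries` table (id, from, subject, body, date) with `date` as DATETIME; a hypothetical
// connect.php that defines $pdo (PDO, ERRMODE_EXCEPTION); a hypothetical hidden form
// field `csrf` carrying the token issued below.
declare(strict_types=1);

session_start();          // first statement on the page, before any output is sent
require 'connect.php';    // assumed to define $pdo

// Refuse to work without a logged-in user instead of silently writing an empty `from`.
if (!isset($_SESSION['user'])) {
    http_response_code(403);
    exit('Please log in first.');
}

// Per-session CSRF token. create_message.php must echo $_SESSION['csrf'] (HTML-escaped)
// into a hidden input named csrf so that only a form served by this site can post here.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

function insertMessage(PDO $pdo, string $from, string $subject, string $body): bool
{
    // `from` is a reserved word, hence the backticks. The values are bound parameters,
    // so a quote or a '-- in the subject cannot change the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO `entries` (`from`, `subject`, `body`, `date`) VALUES (:f, :s, :b, NOW())'
    );
    return $stmt->execute([':f' => $from, ':s' => $subject, ':b' => $body]);
}

function h(?string $s): string
{
    // Escape on output: a body such as <script>...</script> is displayed, not executed (XSS).
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

function renderMessages(PDO $pdo): string
{
    $html = '';
    $rows = $pdo->query('SELECT `from`, `subject`, `body` FROM `entries` ORDER BY `id` DESC');
    foreach ($rows as $row) {
        $html .= 'From: ' . h($row['from']) . '<br/>'
               . 'Subject: ' . h($row['subject']) . '<br/>'
               . 'Message: ' . h($row['body']) . '<hr/>';
    }
    // The ELSE the reviewer asked for: no rows means no message list.
    return $html === '' ? 'There are no messages yet!' : $html;
}

if (isset($_POST['new_message'])) {
    // Constant-time comparison; a cross-site form cannot know this session's token.
    if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Bad request.');
    }
    $subject = substr(trim((string) ($_POST['subject'] ?? '')), 0, 30); // maxlength, server-side too
    $body    = trim((string) ($_POST['body'] ?? ''));
    try {
        if ($subject !== '' && $body !== '' && insertMessage($pdo, $_SESSION['user'], $subject, $body)) {
            echo 'Inserted!';
        } else {
            echo 'Not Inserted';
        }
    } catch (PDOException $e) {
        error_log($e->getMessage());   // SQL error details go to the server log, never to the client
        echo 'Not Inserted';
    }
}

echo '<div id="messages">', renderMessages($pdo), '</div>';
```

The reviewer's OR die() with mysql_error() is the right instinct for debugging, but in production it is exactly the error page the thread's other reply describes an attacker reading; catching PDOException and logging it keeps the diagnostics while showing the user only 'Not Inserted'.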
Re: [PHP] Sending a message
lol wow ok thanks, I'm very new to coding, started HTML about 2 months ago, so ty for letting me know about the security of the language! Is there any place where I can read (other than the PHP manual) a tutorial on security?

On Aug 04, 2011, at 10:49 PM, Negin Nickparsa <nickpa...@gmail.com> wrote:

> It is better to use this one: http://www.php.net/mysql_real_escape_string. If you don't use this, by inputting just a quote, or this input '--', a hacker can easily hack your syntax. In other steps your site will send a message like: error in mysql on this line lob lob... In this part he will find that your server is MySQL :D He/she will try other syntaxes, and by the errors he/she finds your table names and ... :D You know how bad :D Then obey the security rules.