Have something to say? Contribute New Article Reply to this Article
PHP Injection Discussion
right now my php script is vulnerable to anyone putting in a random member_id into the url and having it excute sucessfully
how can I encrypt the id="id#" in the url, so a guest is unable to type in there own id in the posted id retrieved through the url?
echo "Edit";
<?php
function html_encode($var)
{
return htmlentities($var, ENT_QUOTES, 'UTF-8') ;
}
require_once('auth.php');
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>My interns</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<body>
<h1> My Interns</h1>
<p><b>View All</b> | <a href="../Copy/view-paginated.php">View Paginated</a></p>
<?php
// connect to the database
include('../Copy/connect-db.php');
$var_id=$_SESSION['SESS_LOGIN'];
// get the records from the database
if ($result = $mysqli->query("SELECT * FROM `members`.`players` WHERE login='$var_id' "))
{
// display records if there are records to display
if ($result->num_rows > 0)
{
// display records in a table
echo "<table border='1' cellpadding='10'>";
// set table headers
echo "<tr><th>ID</th><th>Name</th><th>Description</th><th>Qualifications</th><th>login</th><th>hours</th><th>days required to work</th><th>pay</th><th>duties</th></tr>";
while ($row = $result->fetch_object())
{
// set up a row for each record
echo "<tr>";
echo "<td>" . $row->member_id . "</td>";
echo "<td>" . $row->name . "</td>";
echo "<td>" . $row->description . "</td>";
echo "<td>" . $row->qualifications . "</td>";
echo "<td>" . $row->login . "</td>";
echo "<td>" . $row->hours . "</td>";
echo "<td>" . $row->daysoftheweek . "</td>";
echo "<td>" . $row->pay . "</td>";
echo "<td>" . $row->duties . "</td>";
echo "<td>";
echo "<td><a href='perfectrecords.php?id=" . $row->id . "'>Edit</a></td>";
echo "<td><a href='delete.php?member_id=" . $row->id . "'>Delete</a></td>";
echo "</tr>";
}
echo "</table>";
}
// if there are no records in the database, display an alert message
else
{
echo "No results to display!";
}
}
// show an error if there is an issue with the database query
else
{
echo "Error: " . $mysqli->error;
}
// close database connection
$mysqli->close();
?>
<a href="../Copy/records.php">Add New Record</a>
</body>
</html>the "id" column is not a unique table, nor is it in the same table as the members.
i would use that approach but, my next code it parses through the url from the next script. keeping it as a session would still display it through the URL wouldn't it?
any suggestions? a modification would be nice.
<?php
// connect to the database
include("connect-db.php");
// creates the new/edit record form
// since this form is used multiple times in this file, I have made it a function that is easily reusable
function renderForm( $name = '', $description ='', $qualifications ='', $login ='', $hours ='', $daysoftheweek ='', $pay ='',$duties ='', $id = '' )
{ ?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>
<?php if ($id != '') { echo "Edit Record"; } else { echo "New Record"; } ?>
</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
</head>
<body>
<h1><?php if ($id != '') { echo "Edit Record"; } else { echo "New Record"; } ?></h1>
<?php if ($error != '') {
echo "<div style='padding:4px; border:1px solid red; color:red'>" . $error
. "</div>";
} ?>
<form action="" method="post">
<div>
<?php if ($id != '') { ?>
<input type="hidden" name="id" value="<?php echo $id; ?>" />
<p>ID: <?php echo $id; ?></p>
<?php } ?>
<strong>Name: *</strong> <input type="text" name="name"
value="<?php echo $name; ?>"/><br/>
<strong>description: *</strong> <input type="text" name="description"
value="<?php echo $description; ?>"/><br/>
<strong>qualifications: *</strong> <input type="text" name="qualifications"
value="<?php echo $qualifications; ?>"/><br/>
<strong>login: *</strong> <input type="hidden" name="login"
value="<?php echo $login; ?>"/><br/>
<strong>hours: *</strong> <input type="text" name="hours"
value="<?php echo $hours; ?>"/><br/>
<strong>days required to work: *</strong> <input type="text" name="daysoftheweek"
value="<?php echo $daysoftheweek; ?>"/><br/>
<strong>pay: *</strong> <input type="text" name="pay"
value="<?php echo $pay; ?>"/><br/>
<strong>duties: *</strong> <input type="text" name="duties"
value="<?php echo $duties; ?>"/><br/>
<input type="submit" name="submit" value="Submit" />
</div>
</form>
</body>
</html>
<?php }
/*
EDIT RECORD
*/
// if the 'id' variable is set in the URL, we know that we need to edit a record
if (isset($_GET['id']))
{
// if the form's submit button is clicked, we need to process the form
if (isset($_POST['submit']))
{
// make sure the 'id' in the URL is valid
if (is_numeric($_POST['id'], ENT_QUOTES))
{
// get variables from the URL/form
$id = $_POST['id'];
$name = htmlentities($_POST['name'], ENT_QUOTES);
$description = htmlentities($_POST['description'], ENT_QUOTES);
$qualifications = htmlentities($_POST['qualifications'], ENT_QUOTES);
$login = htmlentities($_POST['login'], ENT_QUOTES);
$hours = htmlentities($_POST['hours'], ENT_QUOTES);
$daysoftheweek = htmlentities($_POST['daysoftheweek'], ENT_QUOTES);
$pay = htmlentities($_POST['pay'], ENT_QUOTES);
$duties = htmlentities($_POST['duties'], ENT_QUOTES);
// check that firstname and lastname are both not empty
if ($name == '' || $description == '' || $qualifications == '' || $login == '' || $hours == '' || $daysoftheweek == '' || $pay == '' || $duties == '' )
{
// if they are empty, show an error message and display the form
$error = 'ERROR: Please fill in all required fields!';
renderForm($name, $description, $qualifications, $login, $hours , $daysoftheweek, $pay,$duties , $id, $error);
}
else
{
// if everything is fine, update the record in the database
if ($stmt = $mysqli->prepare("UPDATE players SET name = ?, description = ?, qualifications= ?, login =?, hours =?, daysoftheweek =?, pay =?, duties =?
WHERE id=? "))
{
$stmt->bind_param("ssssssssi", $name, $description, $qualifications, $login, $hours , $daysoftheweek, $pay, $duties , $id);
$stmt->execute();
$stmt->close();
}
// show an error message if the query has an error
else
{
echo "ERROR: could not prepare SQL statement.";
}
// redirect the user once the form is updated
header("Location: viewworking.php");
}
}
// if the 'id' variable is not valid, show an error message
else
{
echo "Error!";
}
}
// if the form hasn't been submitted yet, get the info from the database and show the form
else
{
// make sure the 'id' value is valid
if (is_numeric($_GET['id']) && $_GET['id'] > 0)
{
// get 'id' from URL
$id = $_GET['id'];
// get the recod from the database
if($stmt = $mysqli->prepare("SELECT * FROM players WHERE id=?"))
{
$stmt->bind_param("i", $id);
$stmt->execute();
$stmt->bind_result($id, $name, $description, $qualifications, $login, $hours , $daysoftheweek, $pay, $duties );
$stmt->fetch();
// show the form
renderForm($name, $description, $qualifications, $login, $hours , $daysoftheweek, $pay, $duties , $id);
$stmt->close();
}
// show an error if the query has an error
else
{
echo "Error: could not prepare SQL statement";
}
}
// if the 'id' value is not valid, redirect the user back to the view.php page
else
{
header("Location: view.php");
}
}
}
/*
NEW RECORD
*/
// if the 'id' variable is not set in the URL, we must be creating a new record
else
{
// if the form's submit button is clicked, we need to process the form
if (isset($_POST['submit']))
{
// get the form data
$id = $_POST['id'];
$name = htmlentities($_POST['name'], ENT_QUOTES);
$description = htmlentities($_POST['description'], ENT_QUOTES);
$qualifications = htmlentities($_POST['qualifications'], ENT_QUOTES);
$login = htmlentities($_POST['login'], ENT_QUOTES);
$hours = htmlentities($_POST['hours'], ENT_QUOTES);
$daysoftheweek = htmlentities($_POST['daysoftheweek'], ENT_QUOTES);
$pay = htmlentities($_POST['pay'], ENT_QUOTES);
$duties = htmlentities($_POST['duties'], ENT_QUOTES);
// check that firstname and lastname are both not empty
if ($name == '' || $description == '' || $qualifications == '' || $login == '' || $hours == '' || $daysoftheweek == '' || $pay == '' || $duties == '' )
{
// if they are empty, show an error message and display the form
$error = 'ERROR: Please fill in all required fields!';
renderForm($name, $description, $qualifications, $login, $hours , $daysoftheweek, $pay,$duties , $id, $error);
}
else
{
// insert the new record into the database
if ($stmt = $mysqli->prepare("INSERT players (name, description, qualifications, login, hours , daysoftheweek, pay, duties ) VALUES (?, ?, ?, ?, ?, ?, ?, ?,)"))
{
$stmt->bind_param("ssssssss", $name, $description, $qualifications, $login, $hours , $daysoftheweek, $pay, $duties);
$stmt->execute();
$stmt->close();
}
// show an error if the query has an error
else
{
echo "ERROR: Could not prepare SQL statement.";
}
// redirec the user
header("location: access-denied.php");
}
}
// if the form hasn't been submitted yet, show the form
else
{
renderForm();
}
}
// close the mysqli connection
$mysqli->close();
?>This article has been dead for over three months
You
© 2012 DaniWeb® LLC
