Who knows something about SQL and PHP - Printable Version
-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: Skype & Technology (/forumdisplay.php?fid=9)
+---- Forum: Tech Talk (/forumdisplay.php?fid=17)
+----- Thread: Who knows something about SQL and PHP (/showthread.php?tid=80725)
Who knows something about SQL and PHP by Exca on 01-05-2008 at 04:31 PM
Okay, here i'm back again with my website (http://www.exca.be)
I have a problem with the shoutbox.
It stores all the data into the SQL itself. When you put in a message, it's all in CAPITALL LETTERS. I don't know why, but I have to rewrite all messages in myphpadmin to normal, because that's so ugly.
Secondly; I would like the names to appear in blue color (I guess that has to be done in the red sentence in the code below).
Third problem: in the statusbar you can see that the when on the page of the shoutbox the website is loading, and loading, and loading... and keeps on loading (it bothers me)
Please help, this can't be much for someone who knows it.
To be complete:
Below are the codes used on for the shoutbox if you would need them:
ACTIONSCRIPT GENERAL:
code: instname.onSetFocus= function() { if (instname.text=="Name") { instname.text=""; } };
instmessage.onSetFocus= function() { if (instmessage.text=="Message") { instmessage.text=""; } };
content.text = "Loading Shouts...";
myData = new LoadVars();
myData.onLoad = Fillvalues;
myData.load("http://www.exca.be/website/shout.php");
function Fillvalues() {
content.text = eval("myData.content");
error = eval("myData.error");
}
ACTIONSCRIPT ON THE SHOUT BUTTON
code: on (release) {
if (name eq "Name" || name eq "" || shout eq "Message" || shout eq "") {
error = "REQUIRED FIELDS MISSING";
} else {
myData.name = name;
myData.shout = shout;
myData.sendAndLoad("http://www.exca.be/website/shout.php", myData, "POST");
error = "SENDING DATA";
myData.onLoad = Check;
}
function Check() {
myData.load("http://www.exca.be/website/shout.php");
myData.onLoad = Fillvalues;
}
}
SHOUT.PHP
code: <?
// BEKIJK README VOOR DETAILS
require("config.php");
if (!empty($_POST['name']) && !empty($_POST['shout'])) {
$name=strtoupper($_POST['name']);
$shout=strtoupper($_POST['shout']);
$now=time();
$sql=mysql_query("INSERT INTO shoutbox (id,date,name,shout) VALUES ('','$now','$name','$shout')")
or die("&error=ERROR: ERROR INSERTING&content=SEE ERROR DETAILS");
echo"&error=RECEIVED YOUR SHOUT";
}
else {
$sql=mysql_query("SELECT * FROM shoutbox ORDER BY id DESC LIMIT 50")
or die("&error=ERROR: WRONG QUERY&content=SEE ERROR DETAILS");
if(mysql_numrows($sql)==0) {
echo"&error=ERROR: RETURNED EMPTY&content=SEE ERROR DETAILS";
}
else {
while($row=mysql_fetch_array($sql)) {
$content="$content"."$row[name]:\n$row[shout]\n\n";
}
echo"&content=$content";
}
}
?>
CONFIG.PHP
code: <?
$host="localhost";
$user="exca_be";
$pass="***************";
$db="exca_be";
mysql_connect($host,$user,$pass) or die("&error=ERROR: CAN'T CONNECT&content=SEE ERROR DETAILS");
mysql_select_db($db) or die("&error=ERROR: CAN'T SELECT DB&content=SEE ERROR DETAILS");
?>
Thanks in advance
RE: Who knows something about SQL and PHP by NanaFreak on 01-05-2008 at 04:40 PM
quote: Originally posted by Exca
SHOUT.PHP
code: <?
// BEKIJK README VOOR DETAILS
require("config.php");
if (!empty($_POST['name']) && !empty($_POST['shout'])) {
$name=strtoupper($_POST['name']);
$shout=strtoupper($_POST['shout']);
$now=time();
$sql=mysql_query("INSERT INTO shoutbox (id,date,name,shout) VALUES ('','$now','$name','$shout')")
or die("&error=ERROR: ERROR INSERTING&content=SEE ERROR DETAILS");
echo"&error=RECEIVED YOUR SHOUT";
}
else {
$sql=mysql_query("SELECT * FROM shoutbox ORDER BY id DESC LIMIT 50")
or die("&error=ERROR: WRONG QUERY&content=SEE ERROR DETAILS");
if(mysql_numrows($sql)==0) {
echo"&error=ERROR: RETURNED EMPTY&content=SEE ERROR DETAILS";
}
else {
while($row=mysql_fetch_array($sql)) {
$content="$content"."$row[name]:\n$row[shout]\n\n";
}
echo"&content=$content";
}
}
?>
there is your problem
RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 04:42 PM
Wow, and what does there has to be? Nothing or something else?
RE: Who knows something about SQL and PHP by NanaFreak on 01-05-2008 at 04:43 PM
nothing,
this is what that function does: http://php.net/manual/en/function.strtoupper.php
RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 04:45 PM
Okay thanks! Do you also know something about problem two and three?
quote: Secondly; I would like the names to appear in blue color (I guess that has to be done in the red sentence in the code below).
Third problem: in the statusbar you can see that the when on the page of the shoutbox the website is loading, and loading, and loading... and keeps on loading (it bothers me)
RE: Who knows something about SQL and PHP by NanaFreak on 01-05-2008 at 04:48 PM
2:
$content="$content"."<span style='color:#0000ff'>$row[name]</span>:\n$row[shout]\n\n";
i think that should do it...
dont know about number 3 sorry
RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 04:53 PM
OKay thank you very much!
RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 04:57 PM
Too bad... the code doesn't seem to work (http://www.exca.be)
RE: Who knows something about SQL and PHP by NanaFreak on 01-05-2008 at 05:00 PM
oh, that code is for html... i forgot that your site is flash, sorry that wont work
RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 05:04 PM
Well actually its the shout.php file which builds the text in the dynamic text field...
There must be a way
RE: Who knows something about SQL and PHP by surfichris on 01-05-2008 at 10:07 PM
Not on the flash side of things, but I wanted to point out a major vulnerability your script has: SQL Injection.
You don't sanitize any quotes or anything before you insert raw data in to the database.
Add the following before your insert query..
code: $name = mysql_real_escape_string($_POST['name']);
$shout = mysql_real_escape_string($_POST['shout']);
RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 10:33 PM
I don't quite understand... the shoutbox works now?
RE: Who knows something about SQL and PHP by Tochjo on 01-05-2008 at 10:35 PM
You can read Wikipedia: SQL injection to find out what Chris is talking about. Translations of it are available, if you find that easier
RE: Who knows something about SQL and PHP by Exca on 01-05-2008 at 10:42 PM
Oh, so it's a security matter.
In that case... where should I paste it? Probably on the shoutbutton, but I'm just a regular guy trying to make some website
RE: Who knows something about SQL and PHP by surfichris on 01-06-2008 at 11:35 AM
It would go on the lines right before mysql_query("INSERT INTO...");
Yes, you're just a regular guy, but it is those regular guys whose websites get hacked because they don't know things like this.
Essentially any information you save to a database from user input needs to be sanitized to prevent special characters performing unwanted things (SQL injection etc)
So essentially any incoming data you run mysql_real_escape_string on before you insert or run a query using it. If you're inserting an integer from user input, typecast it to an integer first.
For example:
String: My test' string
Result unescaped: INSERT INTO test ('abc') VALUES ('My test' string');
After mysql real escape string: INSERT INTO test ('abc') VALUES('My test\' string');
Notice how in the unescaped version there is an extra quote in there? We don't want that, it is bad and cause malicious things.
Second example of typecasting:
Incoming Integer (number): abc
Notice how it isn't a number?
Query: "SELECT * FROM test WHERE test=".$_POST['integer'].";";
Resulting Query: SELECT * FROM test WHERE test=abc.
Now we have a problem. Because we want to be querying using an integer and a malicious user has entered a text string and we aren't quoting and escaping the value (you don't have to for integers) then whatever they enter can be executed as an additional query.
Solution?
Query: "SELECT * FROM test WHERE test=".(int)$_POST['integer'].";";
Resulting Query: SELECT * FROM test WHERE test=0
Because we've casted the data to an integer and abc is not an integer (and doesn't contain any), 0 is returned, thus in this example we're protected.
This is only a subset of what you need to look out for but it covers the basics.
Chris
RE: Who knows something about SQL and PHP by Exca on 01-06-2008 at 12:43 PM
Ok thank you for the information. Ive implemented it, so it should be okay now.
You can check the shout.php that the shoutbox uses at http://www.exca.be/website/shout.php
While i'm here, I also have another thing to solve, I started on the contactpage. www.exca.be => contact
I followed this tutorial: http://foamers.net/blogger/archives/45.
The actionscript I have on the submit-button is:
code: on (release) {
_parent.getURL("http://www.exca.be/website/contact.php","_blank","GET");
_parent.message="Your message has been sent. Thanks for contacting!";
}
These are the variable names of the textfields:
code: lastname
firstname
email
message
And this is the contact.php script:
code: <?php
$your_lastname = $_GET[‘lastname’];
$your_firstname = $_GET[‘firstname’];
$your_email = $_GET[‘email’];
$your_message = $_GET[‘message’];
$recipient_email = "info@exca.be"
$subject = "From " . $your_email;
$headers = "From: " . $your_name . " <" . $your_email . ">\n";
$headers .= ‘Content-type: text/html; charset=iso-8859-1';
$content = "<html><head><title>Contact letter</title></head><body><br />";
$content .= "Last Name: <b>" . $your_lastname . "</b><br />";
$content .= "First Name: <b>" . $your_firstname . "</b><br />";
$content .= "E-mail: <b>" . $your_email . "</b><br /><hr /><br />";
$content .= $your_message;
$content .= "<br /></body>";
mail($recipient_email,$subject,$content,$headers);
?>
<html>
<body bgcolor="#282E2C">
<div align="center" style="margin-top:60px;color:#FFFFFF;font-size:11px;
font-family:Tahoma;font-weight:bold">
Your message was sent. Thank you.
</div>
</body>
</html>
<script>resizeTo(300, 300)</script>
Check yourself what the problem is... it's just giving a blank page
I actually don't want the red part too... I don't want any page to pop up, just the message that says "Your message has been sent. Thanks for contacting!"...
RE: Who knows something about SQL and PHP by Volv on 01-09-2008 at 11:36 AM
quote: Originally posted by Chris Boulton
Not on the flash side of things, but I wanted to point out a major vulnerability your script has: SQL Injection.
You don't sanitize any quotes or anything before you insert raw data in to the database.
|