Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
PHP DISABLE HTML ON MEMBERS PAGE
#1
Hello,

I am new here, and i have to say i am very impressed on the site layout and the value of members that are on here. I am pleased to join such an appropriate forum to learn from!

Now, if i may get started on my little problem that i am having with my registration form. Before i get further into detail i am a nub at php coding, i have been getting into it lately and want to advance my learning with it.

Ok, that being said i would like to disable html sign up's on my registration. People are inserting html tag's in my registration field causing the members page to mess up. They inserted a big image that covered my whole page with the word 'hacked on it'. Which is very funny because it doesn't cause any harm but it's my stupidity for not disabling html tag's.

I would like some help with this so people can stop doing this stupid crap. I added a spam filter to my project so people don't use wpe pro to spam the mysql database and waist space.

Here is my register.php code:

PHP Code:
<?php session_start() ?> 

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<head>
    <meta http-equiv="content-type" content="text/html; charset=UTF-8">
    <title>DigiChat Member</title>
    <link rel="stylesheet" href="images/main.css" media="screen">
    <link rel="stylesheet" href="images/colors.css" media="screen">
    <link href="loginmodule.css" rel="stylesheet" type="text/css" />
    <style type="text/css">
.style1 {
    color: #CCCCCC;
    font-style: italic;
    font-weight: bold;
}
    </style>
</head>
<body>
<p>&nbsp;</p>

<p>&nbsp;</p>
<div id="container">
    <div id="header">
  <a id="logo" href="#" title="Support Center"><img src="images/head.png" alt="Support Center" width="801" height="64" border="0"></a></div>
    <ul id="nav">
                  <li><a class="ticket_status" href="./index.php">Home</a></li>
                  <li><a class="new_ticket" href="./members.php">Members</a><a class="new_ticket" href="./register.php">Register</a><a class="new_ticket" href="./news.php">News</a></li>
         <li></li>

    </ul>
    <div id="content">
      <div id="index"><?php
    
if( isset($_SESSION['ERRMSG_ARR']) && is_array($_SESSION['ERRMSG_ARR']) && count($_SESSION['ERRMSG_ARR']) >) {
        echo 
'<ul class="err">';
        foreach(
$_SESSION['ERRMSG_ARR'] as $msg) {
            echo 
'<li>'.strip_tags($msg).'</li>'
        }
        echo 
'</ul>';
        unset(
$_SESSION['ERRMSG_ARR']);
    }
?>
        <h1 align="left">Register A Free Account! </h1>
        <form id="loginForm" name="loginForm" method="post" action="register-exec.php">
          <p>&nbsp;</p>
          <table width="300" border="0" align="center" cellpadding="2" cellspacing="0">
            <tr>
              <th>First Name </th>
              <td><input name="fname" type="text" class="textfield" id="fname" /></td>
            </tr>
            <tr>
              <th width="124">Real Name </th>
              <td width="168"><input name="realname" type="text" class="textfield" id="realname" /></td>
            </tr>
            <tr>
              <th>Last Name </th>
              <td><input name="lname" type="text" class="textfield" id="lname" /></td>
            </tr>
            <tr>
              <th>Login</th>
              <td><input name="login" type="text" class="textfield" id="login" /></td>
            </tr>
            <tr>
              <th>Site ID</th>
              <td><input name="SiteID" type="text" class="textfield" id="SiteID" /></td>
            </tr>
            <tr>
              <th>Age</th>
              <td><input name="Age" type="text" class="textfield" id="Age" /></td>
            </tr>
            <tr>
              <th>Exit Message </th>
              <td><input name="exitmessage" type="text" class="textfield" id="exitmessage" /></td>
            </tr>
            <tr>
              <th>Comments </th>
              <td><input name="comments" type="text" class="textfield" id="comments" /></td>
            </tr>
            <tr>
              <th>Url</th>
              <td><input name="Url" type="text" class="textfield" id="Url" /></td>
            </tr>
            <tr>
              <th>Password</th>
              <td><input name="password" type="password" class="textfield" id="password" /></td>
            </tr>
            <tr>
              <th>Confirm Password </th>
              <td><input name="cpassword" type="password" class="textfield" id="cpassword" /></td>
            </tr>
            <tr></tr>
            <tr>
            <tr></tr>
<tr></tr>
<tr></tr>
<tr>
  <td></td>
  <td><div align="center">
    <p><img id="captcha" src="securimage_show.php" alt="CAPTCHA Image" /></p>
    <p>
      <input name="captcha_code" type="text" class="textfield" size="10" maxlength="6" />     
        <input type="submit" name="submit" value="Submit" />    
      </p>
    </div></td>
</tr>
              <td></td>
              </tr>  <tr></tr>
          </table>
        </form>
      </div>
      <div style="clear:both"></div> 
 </div>
 <div id="footer"></div>
</div>
 <div align="center">
<img src="images/poweredby.png" height="38" width="802"></div>
</body></html> 

Here is register-exec.php:

PHP Code:
<?php
    
//Start session
    
session_start();
    
    
//Include database connection details
    
require_once('config.php');
    include_once (
'securimage.php');
    
    
//Array to store validation errors
    
$errmsg_arr = array();
    
    
//Validation error flag
    
$errflag false;
    
    
//Connect to mysql server
    
$link mysql_connect(DB_HOSTDB_USERDB_PASSWORD);
    if(!
$link) {
        die(
'Failed to connect to server: ' mysql_error());
    }
    
    
//Select database
    
$db mysql_select_db(DB_DATABASE);
    if(!
$db) {
        die(
"Unable to select database");
    }
    
    
//Function to sanitize values received from the form. Prevents SQL injection
    
function clean($str) {
        
$str = @trim($str);
        if(
get_magic_quotes_gpc()) {
            
$str stripslashes($str);
        }
        return 
mysql_real_escape_string($str);
    }
    
    
//Sanitize the POST values
    
$fname clean($_POST['fname']);
    
$lname clean($_POST['lname']);
    
$login clean($_POST['login']);
    
$SiteID clean($_POST['SiteID']);
    
$Age clean($_POST['Age']);
    
$Url clean($_POST['Url']);
    
$realname clean($_POST['realname']);
    
$exitmessage clean($_POST['exitmessage']);
    
$comments clean($_POST['comments']);
    
$password clean($_POST['password']);
    
$cpassword clean($_POST['cpassword']);
    
$securimage = new Securimage();

    
    
//Input Validations
    
if($fname == '') {
        
$errmsg_arr[] = 'First name missing';
        
$errflag true;
    }
    if(
$lname == '') {
        
$errmsg_arr[] = 'Last name missing';
        
$errflag true;
    }
    if(
$login == '') {
        
$errmsg_arr[] = 'Login ID missing';
        
$errflag true;
    }
    if(
$SiteID == '') {
        
$errmsg_arr[] = 'Site ID missing';
        
$errflag true;
        }
    if(
$Age == '') {
        
$errmsg_arr[] = 'Age missing';
        
$errflag true;
        }
    if(
$Url == '') {
        
$errmsg_arr[] = 'Url missing';
        
$errflag true;
    }
    if(
$exitmessage == '') {
        
$errmsg_arr[] = 'Exit Message missing';
        
$errflag true;
    }
    if(
$comments == '') {
        
$errmsg_arr[] = 'Comments missing';
        
$errflag true;
    }
    if(
$realname == '') {
        
$errmsg_arr[] = 'Real Name missing';
        
$errflag true;
    }
    if(
$password == '') {
        
$errmsg_arr[] = 'Password missing';
        
$errflag true;
    }

    if(
$cpassword == '') {
        
$errmsg_arr[] = 'Confirm password missing';
        
$errflag true;
    }

    if( 
strcmp($password$cpassword) != ) {
        
$errmsg_arr[] = 'Passwords do not match';
        
$errflag true;
    }
        if (
$securimage->check($_POST['captcha_code']) == false) {
$errmsg_arr[] = 'Captcha Incorrect';
        
$errflag true;
    }
    

    
//Check for duplicate login ID
    
if($login != '') {
        
$qry "SELECT * FROM members WHERE login='$login'";
        
$result mysql_query($qry);
        if(
$result) {
            if(
mysql_num_rows($result) > 0) {
                
$errmsg_arr[] = 'Login ID already in use';
                
$errflag true;
            }
            @
mysql_free_result($result);
        }
        else {
            die(
"Query failed");
        }
    }
    
    
//If there are input validations, redirect back to the registration form
    
if($errflag) {
        
$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        
session_write_close();
        
header("location: register.php");
        exit();
    }

    
//Create INSERT query
    
$qry "INSERT INTO members(firstname, lastname, login, SiteID, Age, Url, exitmessage, comments, realname, passwd) VALUES('$fname','$lname','$login','$SiteID','$Age','$Url','$exitmessage','$comments','$realname','".md5($_POST['password'])."')";
    
$result = @mysql_query($qry);
    
    
//Check whether the query was successful or not
    
if($result) {
        
header("location: success.php");
        exit();
    }else {
        die(
"Query failed");
    }
?>

If i could get some help with this i would be greatly appreciated. This can be annoying to other's, and i thought this would be a place to submit a question like this to users with the same problem...

Regards,

Leprechaun Coder
Reply
#2
Your clean() function doesn't really prevent anything.
PHP Code:
function clean($str) {
        
$str = @mysql_real_escape_string(trim(htmlentities($strENT_QUOTES)));
        if(
get_magic_quotes_gpc()) {
            
$str stripslashes($str);
        }
        return 
mysql_real_escape_string($str);
    } 

The function htmlentities() takes characters like "<" and ">" and turns them into html entity "&lt;" and "&gt;", "&" = &amp;..... and so on.
You can also use htmlspecialchars(), but I prefer htmlentities().

http://php.net/manual/en/function.htmlentities.php
http://www.supportforums.net/showthread.php?tid=700


Reply
#3
Hey could you come on to teamviewer and help me disable html tags if it isn't much trouble. Smile
Reply
#4
He already gave you the exact function that you need to use to prevent this from happening. You could at least copy and paste it yourself.
Reply
#5
I know but like where do i put it inside my code, i tell you i am a giant noob with php, lol.
Reply
#6
If you don't know where to put it inside "your" code, then it's not your code. In either case, it doesn't take a genius to figure out where to put it. Especially since it follows the exact same layout as the function that is already in the code, with a couple of extra functions on one line.
Reply
#7
(05-14-2011, 09:10 PM)Sly Wrote: If you don't know where to put it inside "your" code, then it's not your code. In either case, it doesn't take a genius to figure out where to put it. Especially since it follows the exact same layout as the function that is already in the code, with a couple of extra functions on one line.

This code is open source, when i got it it wasnt' secure. You seem to be filled with knowledge. Can you help me? Unsure
Reply
#8
You have the function in the original code. You have the function that Gaijin posted. Search for the function in your file, and replace it with what he posted. That's all it takes.
Reply
#9
Thank you it worked. God you guys are php l33t. Ha
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  PHP Framework List: An Ultimate Guide to 102 PHP Frameworks for Web Developers tk-hassan 0 941 07-27-2020, 11:26 PM
Last Post: tk-hassan
  [PHP] Very Basic Login Page BreShiE 17 7,926 07-11-2013, 05:57 AM
Last Post: 1n9i9c7om ツ
  PHP Video Tutorials (PHP For Beginners) Eleqtriq 4 3,667 10-10-2011, 01:00 PM
Last Post: Greyersting
  PHP error on page submit kaosjon 7 2,710 09-18-2011, 03:31 AM
Last Post: AceInfinity
  HTML&PHP Games. flAmingw0rm 25 4,454 06-04-2011, 07:23 AM
Last Post: Strafeness

Forum Jump:


Users browsing this thread: 1 Guest(s)