Forum Moderators: coopster
[php]<?php
session_start();
if (!isset($_SESSION['token']))
{
    session_regenerate_id();
    $_SESSION['token'] = true;
}//check for token
if (isset($_POST['token']) && isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token'])
{//token is correct
    $token_age = time() - $_SESSION['token_time'];
    if ($token_age >= 300)
    {//token correct but timeout
        echo "detected a Timeout!";
        exit;
    }
    if(isset($_POST['secCode']) && isset($_SESSION['secCode']) && $_POST['secCode'] == $_SESSION['secCode'] )
    {
        // correct security code, now validate name and other field
        if(isset($_POST['name']))//name field is set
        {
            $n = $_POST['name'];
            if (strlen($n) > 0 && strlen($n) < 31) //valid and sql friendly name now in $name
            {
                $name = mysql_real_escape_string($_POST['name']);
            }
            else {
                // $n is not valid
                echo "recommends you to fill your name properly.";
            }
        }
        else {
            //name not set
            echo "detected that you left the name field blank.";
        }
        //validation for next field
        if(isset($_POST['title']))//title field is set
        {
            $n = $_POST['title'];
            if (strlen($n) > 0 && strlen($n) < 61 ) //valid and sql friendly name now in $name
            {
                $title = mysql_real_escape_string($_POST['title']);
            }
            else {
                // $n is not valid
                echo "recommends you to fill your title properly.";
            }
        }
        else {
            //name not set
            echo "detected that you left the title field blank.";
        }
        //validation for next field
        if(isset($_POST['content']))//content field is set
        {
            $content = mysql_real_escape_string($_POST['content']);
        }
        else {
            //name not set
            echo "detected that you left the content field blank.";
        }
        $date = strtotime("now");
        $ip = $_SERVER['REMOTE_ADDR'];
        $con = mysql_connect("localhost","root","pass");
        if (!$con){
            die('Could not connect: ' . mysql_error());
        }
        mysql_select_db("sql", $con);
        //connect to db
        $sql="INSERT INTO wow (contributed_by,title,content,date,trusted,ip)VALUES('$name','$title','$content','$date','0','$ip')";
        mysql_query($sql) or die(mysql_error());
        mysql_close($con);
        echo "received the content you shared.";
    }
    else {
        // security code is invalid
        echo "detected an invalid code.";
        exit;
    }
}
else
{
    echo "Wrong data!";
    exit;
}
?>
<html>
<body>
<form action="post.php" method="post">
<input type="hidden" name="token" value="<?php echo $token;?>" />
<table border="0" cellspacing="0" cellpadding="4">
<tr><td>Name: </td><td><input type="text" name="name" size="30" maxlength="30" /></td></tr>
<tr><td>Title: </td><td><input type="text" name="title" size="30" maxlength="30" /></td></tr>
<tr><td>Content: </td><td><textarea name="content" rows="10" cols="30"></textarea></td></tr>
<tr> <td>Code: </td>
<td>
<input type="text" name="secCode" maxlength="6" style="width:50px" size="20"> <b>«</b>
<img src="../../includes/seccode.inc.php" width="71" height="21" align="absmiddle"></td>
</tr>
<tr><td><input type="submit" /></td></tr></table>
</form>
</body>
</html>
[/php]
[edited by: kkonline at 9:44 am (utc) on Aug. 22, 2007]
[php]
$sql="INSERT INTO wow (contributed_by,title,content,date,trusted,ip)VALUES('$name','$title','$content','$date','0','$ip')";
echo $sql;
[/php]
kkonline, your postings have been too lengthy, making it difficult to give you quick help. Not many people have much time to go through more than a hundred lines of code to help you find the bug. Remove the obvious and, as I mentioned in my previous PM, post the part of the code which you think is not working. Check your code first by printing out the values, and let us know which particular part has been a challenge to you. If those postings are to be used in the future by somebody, they need to be neat.
kkonline, you might want to think about what you are posting and try and post only the relevant code, rather than running into a problem and posting all your code. Many of the questions you are asking are answered on the PHP website or by doing a search on Google.
Just a thought, but from a learning perspective, sometimes it's best to try and find the solution yourself?
dc
[php]
if (!isset($_SESSION['token']))
{
    session_regenerate_id();
    $_SESSION['token'] = true;
}//check for token
if (isset($_POST['token']) && isset($_SESSION['token']) && $_POST['token'] == $_SESSION['token'])
[/php]
The part I couldn't understand about this is that when you run the page the first time, the SESSION value is empty and then will have the value true in it, so maybe if token has got the value 'true' things might go ok.
Second time you run it, if the value of the token is different from SESSION, then you are going to have nothing happening to your submission.
It seems you have got a logic problem there, and I'm not even sure what you are achieving by setting that SESSION value.
Habtom
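The token check discussed above compares the posted value against the constant true and never stores token_time. As an added example that is not part of the original thread, here is one common way to build such a check: a random per-form token with an issue time, compared with hash_equals() and usable once. The helper names issue_token() and check_token() are hypothetical, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
// Added example: helper names are hypothetical, not from the thread.

// Create a fresh random token and remember when it was issued.
function issue_token(array &$session, int $now): string
{
    $session['token'] = bin2hex(random_bytes(32));
    $session['token_time'] = $now;
    return $session['token'];   // goes into the hidden "token" form field
}

// Returns 'ok', 'missing', 'mismatch' or 'expired'.
function check_token(array &$session, $posted, int $now, int $maxAge = 300): string
{
    if (!is_string($posted) || !isset($session['token'], $session['token_time'])) {
        return 'missing';
    }
    if (!hash_equals($session['token'], $posted)) {   // constant-time comparison
        return 'mismatch';
    }
    $issuedAt = $session['token_time'];
    unset($session['token'], $session['token_time']); // a matched token is single-use
    return ($now - $issuedAt >= $maxAge) ? 'expired' : 'ok';
}

// In a real page: session_start(); $token = issue_token($_SESSION, time());
// and on submit:  check_token($_SESSION, $_POST['token'] ?? null, time());

// Constructed demo with fixed timestamps.
$session = [];
$t = issue_token($session, 1000);
var_dump(check_token($session, 'true', 1010)); // wrong value submitted
var_dump(check_token($session, $t, 1010));     // correct value, 10 seconds later
var_dump(check_token($session, $t, 1020));     // same value replayed
$t = issue_token($session, 2000);
var_dump(check_token($session, $t, 2300));     // correct value, 300 seconds later
```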
[php]
if(isset($_POST['name']))//name field is set
{
    $n = $_POST['name'];
    if (strlen($n) > 0 && strlen($n) < 31) //valid and sql friendly name now in $name
    {
        echo $name;
        echo " before escape is printed\n"; // <----- printed
        $name = mysql_real_escape_string($_POST['name']);
        echo $name; // <----- not printed
        echo " after escape is printed"; // <--- printed
    }
    else {
        // $n is not valid
        echo "Hoptic recommends you to fill your name properly.";
    }
}
else {
    //name not set
    echo "Hoptic detected that you left the name field blank.";
}
//validation for next field ...
[/php]
Hab, the session part is all OK; I checked, and it also prints the value correctly before the mysql escape()... Read on... The above part, where mysqlescape() is used, is the problem area.
somename before escape is printed after escape is printedINSERT INTO wow (contributed_by,title,content,date,trusted,ip)VALUES('','','','1187782377','0','59.178.100.119')
SHOULD BE: somename before escape is printed somenameafter escape is printedINSERT INTO wow (contributed_by,title,content,date,trusted,ip)VALUES('','','','1187782377','0','59.178.100.119')
In the above part of the actual code, I am validating the data, and if it is valid I am cleaning it as shown. For debugging, when I use the above code, $name is not echoed after mysql_escape(). However, $name before the mysql escape is printed.
What I think is that after applying mysql escape to the variable, it is converted into some SQL-compatible code, so it cannot be printed. That means the escape should be done just before sending data to the db. Any other explanation for this problem?
[edited by: kkonline at 12:29 pm (utc) on Aug. 22, 2007]
mysql_real_escape_string [php.net] — Escapes special characters in a string for use in a SQL statement
mysql_real_escape_string requires an active MySQL connection (or it tries to create one with default values). Your code doesn't call mysql_connect() until later on in the script; put the mysql_connect() higher up in the code, above any mysql_real_escape_string() calls.
I was probably getting WARNINGS and not seeing them due to the error_reporting level. Then I put error_reporting(E_ALL); ini_set('display_errors', 1); at the top of the script to make sure I see any Warnings/Notices.
Dreamcatcher, I was thinking we could have a tips and tricks section through which newbies could find standard solutions to their standard problems. What do you say?
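The ordering problem explained in the answer above (escaping before a connection exists) does not arise when values are bound as parameters instead of being escaped into the SQL string, and the mysql_* functions were removed in PHP 7. The following is an added example, not code from the thread: save_post() is a hypothetical helper, the table and length limits are taken from the posted script, and an in-memory SQLite database stands in for MySQL so it runs without a server.

```php
<?php
// Added example: save_post() is hypothetical; SQLite in memory replaces the
// thread's MySQL database (swap the DSN for a mysql: one in real use).

function save_post(PDO $db, array $post, string $ip): array
{
    $errors = [];
    $limits = ['name' => 30, 'title' => 60];   // same bounds as the thread's strlen() checks
    foreach ($limits as $field => $max) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || strlen($value) < 1 || strlen($value) > $max) {
            $errors[] = "$field must be 1 to $max characters";
        }
    }
    if (!isset($post['content']) || !is_string($post['content'])) {
        $errors[] = 'content is missing';
    }
    if ($errors) {
        return $errors;                        // nothing is written when validation fails
    }
    // Values travel as bound parameters, so no escaping call is involved
    // and quotes in the input cannot change the statement.
    $stmt = $db->prepare(
        'INSERT INTO wow (contributed_by, title, content, date, trusted, ip)
         VALUES (:name, :title, :content, :date, 0, :ip)'
    );
    $stmt->execute([
        ':name' => $post['name'], ':title' => $post['title'],
        ':content' => $post['content'], ':date' => time(), ':ip' => $ip,
    ]);
    return [];
}

// The connection is opened before any user input is handled.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wow (contributed_by TEXT, title TEXT, content TEXT,
                             date INTEGER, trusted INTEGER, ip TEXT)');

// Constructed input: a name containing a quote, then a submission with an empty name.
print_r(save_post($db, ['name' => "O'Brien", 'title' => 'Hi', 'content' => 'text'], '192.0.2.10'));
print_r(save_post($db, ['name' => '', 'title' => 'Hi', 'content' => 'text'], '192.0.2.10'));
print_r($db->query('SELECT contributed_by, title, ip FROM wow')->fetchAll(PDO::FETCH_ASSOC));
```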