Help Neballer - Win a Prize
Neballer
04-20-2006, 08:46 PM
It might not be that cool, but it's still a prize.
So I'm learning php and would like to ask all you beautiful people to lend me a hand. I just finished a "guestbook" project and would like to ask all yalls to fill it out for me so I can see if it will stand up on the intro-net.
Actually it's not a guestbook, it's some sort of guessing game. Basically you fill out the form and guess what the image is. The best answer wins a prize, and if you get it right, well....you won't so happy guessing.
PHP Thingy (http://stu.aii.edu/~bim362/php/guestbook/wth2.php)
~thanks :D
morea
04-20-2006, 08:50 PM
lol, I guessed.
ecsyle
04-20-2006, 09:03 PM
I can post javascript to your site. That is a very bad thing.
You are going to want to scrub all data you accept from users.
I would use a simple function to just strip everything out.
function scrubData($data)
{
    // make sure data is an array
    if (!is_array($data)) {
        die('Invalid dataset');
    }
    // start with an empty array so an empty $_POST still returns an array
    $clean = array();
    // loop through array and scrub each value, reassign to "clean" array
    foreach ($data as $k => $v) {
        $clean[$k] = trim(htmlentities($v));
    }
    return $clean;
}
$clean = scrubData($_POST);
htmlentities -> http://us3.php.net/manual/en/function.htmlentities.php
Once you have your clean data, then you can build your SQL query. Be sure to strip slashes and use mysql_real_escape_string to make sure that single quotes are escaped.
Neballer
04-20-2006, 09:06 PM
that's a good thing to know. care to share how to fix that?
ecsyle
04-20-2006, 09:08 PM
Edited my post :)
Neballer
04-20-2006, 09:10 PM
thanks.
balou
04-20-2006, 10:02 PM
I apparently but unintentionally lied about my age! I'm somewhere in between legal & drunk and convertible & Viagra. :D
orkaknos12
04-21-2006, 01:55 AM
neat.. a clearer 'add post' button would be good.
why is my comment blue? Did I win?
Neballer
04-21-2006, 03:37 AM
got me man.
that's F'ed Up.
hmmm.
Neballer
04-21-2006, 07:09 PM
it's fixed now, I think it had something to do with ecsyle messing with it.
ecsyle
04-21-2006, 07:17 PM
it's fixed now, I think it had something to do with ecsyle messing with it.
Yeah, probably. Sorry :(
Neballer
04-21-2006, 07:18 PM
no worries - got to learn some how.
ecsyle
04-21-2006, 07:21 PM
Yeah, that's true.
I suppose a general guideline for creating webforms is that you should never trust what the user submits. Make sure to validate, scrub, and thoroughly clean everything they submit. Learning regular expressions is a must.
Neballer
04-21-2006, 07:28 PM
word.
I'll keep that in my pocket whilst I move ahead.
mac.FINN
04-21-2006, 08:19 PM
If I post this now, I'll have the most recent posts in the top five thread of this section!
I AM EASILY AMUSED... and bored... and at work.
mac.FINN
04-21-2006, 08:25 PM
As proof ^ :D
ecsyle
04-21-2006, 08:27 PM
yay?
mac.FINN
04-21-2006, 08:27 PM
I'll take that :D
morea
04-21-2006, 08:35 PM
lol!
kerrysmagicshirt
04-22-2006, 07:35 PM
ermm sorry I posted a few times - didn't realise I had to refresh to see my post on there. how do you know what it is - I was expecting the answer to be revealed :(
php seems to be working fine though :)
JPnyc
04-22-2006, 08:52 PM
You shouldn't have to refresh to see your post. The submit itself refreshes the page. What browser and OS are you using?
kerrysmagicshirt
04-23-2006, 04:01 PM
yeah that's what I thought - windows xp and mozilla
ecsyle
06-11-2006, 08:18 PM
I wanted to update the function I posted.
function scrubData($data)
{
    // start with an empty array so empty input still returns an array
    $clean = array();
    foreach ($data as $k => $v) {
        if (is_array($v)) {
            // nested arrays (e.g. checkbox groups) are scrubbed recursively
            $clean[$k] = scrubData($v);
        } else {
            // ENT_QUOTES encodes both single and double quotes
            $clean[$k] = htmlentities($v, ENT_QUOTES, "UTF-8");
        }
    }
    return $clean;
}
I have no idea what that means. ;)
ecsyle
06-11-2006, 11:43 PM
I have no idea what that means. ;)
This function takes an array, then for each value converts all html entities, then stores it into a "clean" array. At the end, the clean array is returned and you have more trustworthy data to work with.
function scrubData($data)
{
    // start with an empty array so empty input still returns an array
    $clean = array();
    foreach ($data as $k => $v) {
        if (is_array($v)) {
            // nested arrays (e.g. checkbox groups) are scrubbed recursively
            $clean[$k] = scrubData($v);
        } else {
            // ENT_QUOTES encodes both single and double quotes
            $clean[$k] = htmlentities($v, ENT_QUOTES, "UTF-8");
        }
    }
    return $clean;
}
I posted something similar earlier in the thread. Its purpose is to filter input from a form. Or any array of data you pass to it.
Take, for example, the script that neballer is using. Someone can go to the site, then post text to the site. Without filtering the data, by blindly trusting the user, you leave yourself open to attack. Imagine a user visits who posts some javascript that collects the cookies of everyone who visits the site! The risk can be minimized by filtering all input. The function above converts all applicable characters into html entities, which will prevent someone from posting malicious code. < becomes &lt;, and so on.
Never, ever, trust user input.
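An added example, not code from the thread or from Neballer's guestbook, that ties together ecsyle's two points: the recursive scrub with ENT_QUOTES from the updated function, and the validate-then-scrub advice from the earlier reply. The field names, length limits and the sample submission are assumptions.

```php
<?php
// Added example: a guestbook-style handler following this thread's advice.
// Field names, limits and the sample submission are constructed.

// Recursive scrub (same shape as ecsyle's updated function). ENT_QUOTES
// encodes ' as well as " and <, so a value is safe inside quoted
// attributes too, not only between tags.
function scrubData(array $data)
{
    $clean = array();
    foreach ($data as $k => $v) {
        $clean[$k] = is_array($v)
            ? scrubData($v)
            : htmlentities(trim($v), ENT_QUOTES, 'UTF-8');
    }
    return $clean;
}

// Validate the raw values before scrubbing: reject what the form does not
// expect instead of only neutralising it. Limits are assumed.
function validateEntry(array $raw)
{
    $errors = array();
    foreach (array('name' => 40, 'guess' => 200) as $field => $max) {
        if (!isset($raw[$field]) || !is_string($raw[$field])) {
            $errors[] = "$field is missing";
        } elseif (trim($raw[$field]) === '' || strlen(trim($raw[$field])) > $max) {
            $errors[] = "$field must be 1-$max bytes";
        }
    }
    return $errors;
}

// Constructed submission of the kind ecsyle described: a script tag in the
// guess plus a quote that would break out of an attribute.
$posted = array(
    'name'  => '  visitor  ',
    'guess' => 'a cat" onmouseover="alert(1)<script>alert(1)</script>',
);
$errors = validateEntry($posted);
if ($errors) {
    exit('Rejected: ' . implode('; ', $errors));
}
$clean = scrubData($posted);

// Safe to echo into the guestbook page: < " ' are now entities. If the entry
// is also stored in MySQL, escape it for the query separately (the thread's
// mysql_real_escape_string advice); entity encoding does not protect SQL.
echo '<input value="' . $clean['guess'] . '">' . "\n";
echo '<p>' . $clean['name'] . ': ' . $clean['guess'] . "</p>\n";
```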
urstwile
06-11-2006, 11:49 PM
Oomzeebaba?
LOL. Thanks for the "clarification" ecsyle. Sorry, I'm just funning with you, I'm sure it's brilliant, but I'm with Ned. >need to learn more about all of this stuff!< :)
The function above converts all applicable characters into html entities, which will prevent someone from posting malicious code. < becomes &lt;, and so on.
Oh yes.... I have seen my webform script do that to my emails from the website, when I get spammers. I did not write the script, it was provided by the webserver. I'm glad to know it's protecting me. ;)