[macman1]

Help, php new bee! I created my first php form script and would like to know if I did enough to secure it. Can anyone help me see if it is secure.

This form is at https://www.ptps.com/fastpass/fastpass_form.html

Please I am pulling my hair trying to find any answers to checking security.

Thanks in advance

[Jay6390]

Quote:

Originally Posted by macman1

Help, php new bee! I created my first php form script and would like to know if I did enough to secure it. Can anyone help me see if it is secure.

This form is at https://www.ptps.com/fastpass/fastpass_form.html

Please I am pulling my hair trying to find any answers to checking security.

Thanks in advance

To be honest macman, it would make more sense if you posted your code rather than a link to a page. that way, we can see what measures you have taken to secure the page, and suggest possible flaws which need rectifying

Jay

[macman1]

Below is the code I used minus the server info I filed it with xxxxxxx for this.
Also this resides on a secure server with ssl
Thank you again.

PHP Code:

<?php
include("global.inc.php");
$errors=0;
$error="The following errors occured while processing your form input.<ul>";
pt_register('POST','Nameasitisoncard');
pt_register('POST','BillingAddress');
pt_register('POST','City');
pt_register('POST','State');
pt_register('POST','Zip');
pt_register('POST','PhoneNumber');
pt_register('POST','EmailAddress');
pt_register('POST','VerifyEmail');
pt_register('POST','CreditCardNumber');
pt_register('POST','CreditCardType');
pt_register('POST','CCV');
pt_register('POST','ExpirationDate');
pt_register('POST','HisFirstName');
pt_register('POST','HisLastName');
pt_register('POST','HisStreetAddress');
pt_register('POST','HisCity');
pt_register('POST','HisState');
pt_register('POST','HisZip');
pt_register('POST','HisEmail');
pt_register('POST','HisPhoneNumber');
pt_register('POST','HisGrade');
pt_register('POST','HisSchool');
pt_register('POST','HerFirstName');
pt_register('POST','HerLastName');
pt_register('POST','HerStreetAddress');
pt_register('POST','HerCity');
pt_register('POST','HerState');
pt_register('POST','HerZip');
pt_register('POST','HerEmail');
pt_register('POST','HerPhoneNumber');
pt_register('POST','HerGrade');
pt_register('POST','HerSchool');
pt_register('POST','TheSupremeComboA');
pt_register('POST','TheDeluxeComboB');
pt_register('POST','TheStandardComboC');
pt_register('POST','TheSupreme');
pt_register('POST','TheDeluxe');
pt_register('POST','TheStandard');
pt_register('POST','TheEconomy');
pt_register('POST','TheBudget');
pt_register('POST','extra1');
pt_register('POST','extra2');
if($Nameasitisoncard=="" || $BillingAddress=="" || $City=="" || $State=="" || $Zip=="" || $PhoneNumber=="" || $EmailAddress=="" || $VerifyEmail=="" || $CreditCardNumber=="" || $CreditCardType=="" || $CCV=="" || $ExpirationDate=="" || $HisFirstName=="" || $HisLastName=="" || $HisStreetAddress=="" || $HisCity=="" || $HisState=="" || $HisZip=="" || $HisEmail=="" || $HisPhoneNumber=="" || $HisGrade=="" || $HisSchool=="" || $HerFirstName=="" || $HerLastName=="" || $HerStreetAddress=="" || $HerCity=="" || $HerState=="" || $HerZip=="" || $HerEmail=="" || $HerPhoneNumber=="" || $HerGrade=="" || $HerSchool=="" ){
$errors=1;
$error.="<li>You did not enter one or more of the required fields. Please go back and try again.";
}
if(!eregi("^[a-z0-9]+([_\\.-][a-z0-9]+)*" ."@"."([a-z0-9]+([\.-][a-z0-9]+)*)+"."\\.[a-z]{2,}"."$",$EmailAddress)){
$error.="<li>Invalid email address entered";
$errors=1;
}
if(!eregi("^[a-z0-9]+([_\\.-][a-z0-9]+)*" ."@"."([a-z0-9]+([\.-][a-z0-9]+)*)+"."\\.[a-z]{2,}"."$",$VerifyEmail)){
$error.="<li>Invalid email address entered";
$errors=1;
}
if(!eregi("^[a-z0-9]+([_\\.-][a-z0-9]+)*" ."@"."([a-z0-9]+([\.-][a-z0-9]+)*)+"."\\.[a-z]{2,}"."$",$HerEmail)){
$error.="<li>Invalid email address entered";
$errors=1;
}
if($errors==1) echo $error;
else{
$where_form_is="http".($HTTP_SERVER_VARS["HTTPS"]=="on"?"s":"")."://".$SERVER_NAME.strrev(strstr(strrev($PHP_SELF),"/"));
$message="Name as it is on card: ".$Nameasitisoncard."
Billing Address: ".$BillingAddress."
City: ".$City."
State: ".$State."
Zip: ".$Zip."
Phone Number: ".$PhoneNumber."
Email Address: ".$EmailAddress."
Verify Email: ".$VerifyEmail."
Credit Card Number: ".$CreditCardNumber."
Credit Card Type: ".$CreditCardType."
CCV: ".$CCV."
Expiration Date: ".$ExpirationDate."
His First Name: ".$HisFirstName."
His Last Name: ".$HisLastName."
His Street Address: ".$HisStreetAddress."
His City: ".$HisCity."
His State: ".$HisState."
His Zip: ".$HisZip."
His Email: ".$HisEmail."
His Phone Number: ".$HisPhoneNumber."
His Grade: ".$HisGrade."
His School: ".$HisSchool."
Her First Name: ".$HerFirstName."
Her Last Name: ".$HerLastName."
Her Street Address: ".$HerStreetAddress."
Her City: ".$HerCity."
Her State: ".$HerState."
Her Zip: ".$HerZip."
Her Email: ".$HerEmail."
Her Phone Number: ".$HerPhoneNumber."
Her Grade: ".$HerGrade."
Her School: ".$HerSchool."
The Supreme Combo A: ".$TheSupremeComboA."
The Deluxe Combo B: ".$TheDeluxeComboB."
The Standard Combo C: ".$TheStandardComboC."
The Supreme: ".$TheSupreme."
The Deluxe: ".$TheDeluxe."
The Standard: ".$TheStandard."
The Economy: ".$TheEconomy."
The Budget: ".$TheBudget."
extra1: ".$extra1."
extra2: ".$extra2."
";

$link = mysql_connect("xxxxxxxxx","xxxxxxxx","xxxxxxxx");
mysql_select_db("personal_touch",$link);
$query="insert into prom_pictures (Name_as_it_is_on_card,Billing_Address,City,State,Zip,Phone_Number,Email_Address,Verify_Email,Credit_Card_Number,Credit_Card_Type,CCV,Expiration_Date,His_First_Name,His_Last_Name,His_Street_Address,His_City,His_State,His_Zip,His_Email,His_Phone_Number,His_Grade,His_School,Her_First_Name,Her_Last_Name,Her_Street_Address,Her_City,Her_State,Her_Zip,Her_Email,Her_Phone_Number,Her_Grade,Her_School,The_Supreme_Combo_A,The_Deluxe_Combo_B,The_Standard_Combo_C,The_Supreme,The_Deluxe,The_Standard,The_Economy,The_Budget,extra1,extra2) values ('".$Nameasitisoncard."','".$BillingAddress."','".$City."','".$State."','".$Zip."','".$PhoneNumber."','".$EmailAddress."','".$VerifyEmail."','".$CreditCardNumber."','".$CreditCardType."','".$CCV."','".$ExpirationDate."','".$HisFirstName."','".$HisLastName."','".$HisStreetAddress."','".$HisCity."','".$HisState."','".$HisZip."','".$HisEmail."','".$HisPhoneNumber."','".$HisGrade."','".$HisSchool."','".$HerFirstName."','".$HerLastName."','".$HerStreetAddress."','".$HerCity."','".$HerState."','".$HerZip."','".$HerEmail."','".$HerPhoneNumber."','".$HerGrade."','".$HerSchool."','".$TheSupremeComboA."','".$TheDeluxeComboB."','".$TheStandardComboC."','".$TheSupreme."','".$TheDeluxe."','".$TheStandard."','".$TheEconomy."','".$TheBudget."','".$extra1."','".$extra2."')";
mysql_query($query);

header("Refresh: 0;url=http://www.ptps.com/fastpass/thankyou.html");
?><?php 
}
?>

other php used!

PHP Code:

<?php

function pt_register()
{
  $num_args = func_num_args();
   $vars = array();

   if ($num_args >= 2) {
       $method = strtoupper(func_get_arg(0));

       if (($method != 'SESSION') && ($method != 'GET') && ($method != 'POST') && ($method != 'SERVER') && ($method != 'COOKIE') && ($method != 'ENV')) {
           die('The first argument of pt_register must be one of the following: GET, POST, SESSION, SERVER, COOKIE, or ENV');
     }

       $varname = "HTTP_{$method}_VARS";
      global ${$varname};

       for ($i = 1; $i < $num_args; $i++) {
           $parameter = func_get_arg($i);

           if (isset(${$varname}[$parameter])) {
               global $$parameter;
               $$parameter = ${$varname}[$parameter];
          }

       }

   } else {
       die('You must specify at least two arguments');
   }

}

?>

[phpdoctor]

Heres something you can do to your querys:

PHP Code:

$sql = 'insert table_name set Field="'.mysql_real_escape_string($value).'"' ; 

Notice the long mysql_real_escape_string() command... processes the value to make safe for using in the query. (not sure exactly what it does lol)

I think you can use this for getting the posted info to:

PHP Code:

extract($_POST, EXTR_SKIP) ; 

This will convert all the posted field into variables.
The EXTR_SKIP part means: dont replace any existing variables (security issue)
This saves a large amount of typing

Keep it up,
Lex

[Dan L]

What mysql_real_escape_string does is escape certain characters that could either break the query or allow for an injection attack. It's much preferred over addslashes() and stripslashes() which are commonly recommended.

It's generally not recommended to use globals or extract() in this case, but that's a separate topic altogether.

A quick fix for your code would be to do a regex search/replace:

Find: pt_register\('POST','(.+?)'\);
Ex: pt_register('POST','HerCity');

Replace: \$\1 = mysql_real_escape_string\(\$_POST\['\$\1'\]\);
Ex: $HerCity = mysql_real_escape_string($_POST['HerCity']);

[Jay6390]

Quote:

Originally Posted by phpdoctor

(not sure exactly what it does lol)

lol, could spend 30 seconds taking a read of the manual description

[End User]

In addition to sanitizing incoming data, this is a handy block of stuff to stick in your .htaccess file:

HTML Code:

########## Begin - Rewrite rules to block out some common exploits
#                             
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.htm [F,L]
#
########## End - Rewrite rules to block out some common exploits

Every little bit helps.

[Jay6390]

Quote:

Originally Posted by End User

In addition to sanitizing incoming data, this is a handy block of stuff to stick in your .htaccess file:

HTML Code:

########## Begin - Rewrite rules to block out some common exploits
#                             
# Block out any script trying to set a mosConfig value through the URL
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
# Block out any script that includes a <script> tag in URL
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# Block out any script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Block out any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# Send all blocked request to homepage with 403 Forbidden error!
RewriteRule ^(.*)$ index.htm [F,L]
#
########## End - Rewrite rules to block out some common exploits

Every little bit helps.

Very useful. Thanks End User. Will be using that myself

[phpdoctor]

Quote:

Originally Posted by Jay6390

lol, could spend 30 seconds taking a read of the manual description

Still cant be bothered... as long as it works

[macman1]

I want thank you guys for your insight and willingness to help a new php user!

Shawn