Some PHP/Html help

tu y tu mama · Apr 18, 2012

So guys, with school we have to make an "enterprise".
So two other friends and I, bought a domain, for our enterprise, we got a website, pretty cool, etc.

I made the design for it and I used Serif Webplus X5, so I didn't have to code anything. Just upload the files to FTP. (And I don't know anything about html/php)

But here's the problem, I need someone who can help me. We were told to make a survey where people give feedback about our enterprise. So, as I don't know anything about PHP, nor html, neither anyone in my class or family, I'm asking if someone could help me.
It doesn't has to be something complicated, just like 6 textboxes, then writing the answers that people put in them in a file in the FTP. Something like "theNameOfThePerson.txt". So then I can see what people wrote.

Can anyone help me? I need this asap.

Apexis · Apr 18, 2012

http://www.google.com/#hl=en&output...or.r_gc.r_pw.r_qf.,cf.osb&fp=c4a0da1fc7364daa

There is tons of options.

opsftw · Jun 26, 2012

Just make a form that sends the input to a flat file and make a basic login and have another page with a basic login to view them:

Here's a basic skeleton of what you could do:

feedback.html

Code:

<html lan="en">
<head>
    <title>Give us your Feedback!</title>
</head>
<body>
    <form action="handle.php" method="post">
    <table>
        <tr>
            <td>Name: </td><td><input type="text" name="name" /></td>
        </tr><tr>
            <td>Feedback:</td><td><textarea rows="15" cols="20" name="feedback"></textarea></td>
        </tr>
    </form>
    <input type="submit" value="Submit Feedback" />
    </form>
</body>
</html>

handle.php

PHP:

<?php
header('location: http://your-landing-page.com/whatever.htm');
$date = date("d/m/y");
$name = $_POST['name'];
$fb = $_POST['feedback'];
$f = "feedback.txt";
$fh = fopen($f, 'a');
fwrite($fh, "><><><><><><><><><\nName: $name\nDate: $date\n Message: $fb\n><><><><><><><><><\n");
fclose($fh);
?>

admin_login.php

PHP:

<?php
$user = strip_slashes($_POST['user']);
$pass = strip_slashes($_POST['pass']);
if ($user == "" || $pass == "")
{
    if ($_GET['bad'] == "true")
    {
        ?>
        Wrong user or pass!<br /><br />
        <?php
    }
    ?>
    <form action="admin_login.php" method="POST">
    User: <input type="text" name="user" /><br />
    Pass: <input type="password" name="pass" /><br />
    <input type="submit" value="login" />
    <?php
}
else
{
    if ($user == "admin" && $pass == "password1")
    {
        $log = file_get_contents('feedback.txt');
        echo nl2br($log);
    }
    else
    {
        header('location: admin_login.php?bad=true
    }
}
?>

Hope this helps!

ABC_mybb_import19773 · Jun 26, 2012

Pretty sure there is an option for this in serif.

tu y tu mama · Jun 26, 2012

Abc said:
Pretty sure there is an option for this in serif.

Well this is old and I needed this for school. I don't need it anymore since I'll be in 10th grade in August...

Kalle · Jun 28, 2012

Grigori Perelman said:

Easy.

Code:

<?php
//Example of store into database.

include "databaseconnection.php";

/*Run these SQL querys -
Create table surveys(id int not null auto_increment primary key, name varchar(30), answer1 varchar(100), answer2 varchar(100), answer3 varchar(100), comments varchar(200));
*/


$name = mysql_real_escape($_POST['name']);           # name the user supplys from html form "name".
$answer1 = mysql_real_escape($_POST['answer1']);  # answer 1 the user supplys from html form "answer1"
$answer2 = mysql_real_escape($_POST['answer2']);    # Answer 2 the user supplys from html form "answer2".
$comments = mysql_real_escape($_POST['comments']);  # user comments from html form "comments".


$query = "INSERT INTO `survey` (id, name, answer1, answer2, comments) VALUES (NULL, $name, $answer1, $answer2, $comments);";
mysql_query($query);
?>

You have a SQL injection in your code

First of all you should be using mysql_real_escape_string() if you choose to use the "mysql" extension over "mysqli" (MySQL Improved).

Secondary, you do not use ' around your interpolated variables, meaning that you can inject code into the fields. Say 'answer2' had the value of (without quotation marks) "1, 2) UNION ... --".

What you should do to fix this is to change the code to use marks so that the escape string have an effect:

PHP:

$query = sprintf('INSERT INTO `table` (`name`, `answer1`, `answer2`, `comment`) VALUES (\'%s\', \'%s\', \'%s\', \'%s\')', $name, $answer1, $answer2, $comment);

(I choose to use sprintf because it makes the code much more readable than having a huge string filled with interpolated variables)

Ben Hartley · Jun 28, 2012

Kalle said:
Grigori Perelman said:

Easy.

Code:

<?php //Example of store into database. include "databaseconnection.php"; /*Run these SQL querys - Create table surveys(id int not null auto_increment primary key, name varchar(30), answer1 varchar(100), answer2 varchar(100), answer3 varchar(100), comments varchar(200)); */ $name = mysql_real_escape($_POST['name']); # name the user supplys from html form "name". $answer1 = mysql_real_escape($_POST['answer1']); # answer 1 the user supplys from html form "answer1" $answer2 = mysql_real_escape($_POST['answer2']); # Answer 2 the user supplys from html form "answer2". $comments = mysql_real_escape($_POST['comments']); # user comments from html form "comments". $query = "INSERT INTO `survey` (id, name, answer1, answer2, comments) VALUES (NULL, $name, $answer1, $answer2, $comments);"; mysql_query($query); ?>

Click to expand...

You have a SQL injection in your code

First of all you should be using mysql_real_escape_string() if you choose to use the "mysql" extension over "mysqli" (MySQL Improved).

Secondary, you do not use ' around your interpolated variables, meaning that you can inject code into the fields. Say 'answer2' had the value of (without quotation marks) "1, 2) UNION ... --".

What you should do to fix this is to change the code to use marks so that the escape string have an effect:

PHP:

$query = sprintf('INSERT INTO `table` (`name`, `answer1`, `answer2`, `comment`) VALUES (\'%s\', \'%s\', \'%s\', \'%s\')', $name, $answer1, $answer2, $comment);

(I choose to use sprintf because it makes the code much more readable than having a huge string filled with interpolated variables)

My script will not even function xD but Say that i was not usin heroin when i made that post and used mysql_real_escape_string instead but forgot my lil quotes then your UNION injection would not work, you would need to use true/false time based injection (unless you can view the data that is inserted, in which case you can pwn me usin subselects).

Anyway i delete my post because it is a post of a crackhead.

Glen · Jun 29, 2012

Kalle is a perfectionist, but you can learn a lot from him.

Some PHP/Html help

tu y tu mama

Onyx user!

Apexis

Active Member

opsftw

Member

ABC_mybb_import19773

Onyx user!

tu y tu mama

Onyx user!

Kalle

Onyx user!

Ben Hartley

Active Member

Glen

Power member.

Some PHP/Html help

Onyx user!

Active Member

Member

Onyx user!

Onyx user!

Onyx user!

Active Member

Power member.

Privacy & Transparency

Privacy & Transparency