function startCookie($email, $password, $conn) { if (checkSQLInjection($email) and checkSQLInjection($password)) { $result = mysqli_query($conn, "SELECT email , password FROM user WHERE email = '{$email}' AND password = '******'"); if (mysqli_num_rows($result) > 0) { setcookie("email", $email, time() + 86400 * 30, "/"); } } else { //SQL INJECTION } }
<?php $email = $_POST["email"]; $password = $_POST["password"]; $repassword = $_POST["password2"]; $name = $_POST["name"]; $surname = $_POST["surname"]; $birth = $_POST["birth"]; $gender = $_POST["optradio"]; // Check connection $conn = mysqli_connect("localhost", "adminID5Rju3", "Rz5h2JWnm4xd", "tweb"); if ($conn->connect_error) { die("Connection failed: " . $conn->connect_error); } if (checkSQLInjection($email) and checkSQLInjection($password) and checkSQLInjection($repassword) and checkSQLInjection($name) and checkSQLInjection($surname) and checkSQLInjection($birth)) { $result = mysqli_query($conn, "SELECT * FROM user WHERE email = '{$email}'"); if (mysqli_num_rows($result) > 0) { //If there is a user with the same email -> cant sign up header("Location: index.php?error=1"); } else { //No problems, we create the new user $sql = "INSERT INTO user VALUES('{$email}','{$password}','name','surname','{$birth}','{$gender}')"; if ($conn->query($sql) === TRUE) { setcookie("email", $email, time() + 86400 * 30, "/"); header("Location: index.php"); } else { header("Location: index.php?error=2"); } $conn->close(); } }
$pet_age = $_POST["age"]; } $pet_type = $_POST["pettype"]; $comment = $_POST["comment"]; $user = $_COOKIE["email"]; //$target_dir = "/var/lib/openshift/561e6c1489f5cf425a00010d/app-root/runtime/repo/progetto/images/"; if (isset($pet_type) and isset($comment)) { if (checkSQLInjection($pet_type) and checkSQLInjection($comment)) { // Check connection $conn = mysqli_connect("localhost", "adminID5Rju3", "Rz5h2JWnm4xd", "tweb"); if ($conn->connect_error) { header("Location: post.php?error=1"); } if (isset($pet_name) and isset($pet_age)) { //Pet post if (checkSQLInjection($pet_name) and checkSQLInjection($pet_age)) { $sql = "INSERT INTO post(pet_type,info,post_type,pet_name,pet_age,user) VALUES('{$pet_type}','{$comment}','{$post_type}','{$pet_name}','{$pet_age}','{$user}')"; } else { header("Location: home.php?error=1"); } } else { //Carer post $sql = "INSERT INTO post(pet_type,info,post_type,user) VALUES('{$pet_type}','{$comment}','{$post_type}','{$user}')"; } if ($conn->query($sql) === TRUE) { header("Location: home.php?error=0"); } else { header("Location: home.php?error=2"); } $conn->close(); } else {
if (checkSQLInjection($comment)) { insertComment($comment, $sender, $receiver, $postid); } } else { //Get comments petition getPostComments($postid); } } else { //We know It is a chat message if (isset($_POST["check"])) { //Get chat messages getChatMessages($sender, $receiver); } else { //Here, We insert a new chat message $message = $_POST["message"]; if (checkSQLInjection($message)) { insertMessage($message, $sender, $receiver); } } } function checkSQLInjection($data) { $input = strtolower($data); if (strpos($input, 'select') !== 0 and strpos($input, 'alter table') !== 0 and strpos($input, 'update') !== 0 and strpos($input, 'delete') !== 0 and strpos($input, 'insert into') !== 0) { return 1; } else { return 0; } } function insertMessage($message, $sender, $receiver) {
//Check SQL INJECTION function checkSQLInjection($data) { $input = strtolower($data); if (strpos($input, 'select') !== 0 and strpos($input, 'alter table') !== 0 and strpos($input, 'update') !== 0 and strpos($input, 'delete') !== 0 and strpos($input, 'insert into') !== 0) { return 1; } else { return 0; } } ?> <script src="js/search.js"></script> <div class="main-container"> <div class="central-panel"> <?php if (isset($_POST["search"]) and $_POST["search"] !== "" and checkSQLInjection($_POST["search"])) { $search = $_POST["search"]; $conn = mysqli_connect("localhost", "adminID5Rju3", "Rz5h2JWnm4xd", "tweb"); if ($conn->connect_error) { ?> <div class="alert alert-warning"> <a class="close" data-dismiss="alert" aria-label="close">×</a> <strong>Warning!</strong> Conection problems. </div> <?php } else { //First of all, we look for user $result = mysqli_query($conn, "SELECT name, surname, birth, gender, email \n\t\t\t \tFROM user WHERE name = '{$search}' OR surname = '{$search}'"); $i = 1; //If there is a user... if (($num_rows = mysqli_num_rows($result)) > 0) {