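/**
 * Checks a login attempt against the salted password hash stored for an address.
 *
 * @param mixed  $database handle accepted by MySqlDatabaseQuery() (its type is not visible here)
 * @param string $email    address submitted by the user
 * @param string $password plaintext password submitted by the user
 * @return bool|string TRUE on a valid login; the string "unconfirmed" when the credentials
 *                     do not match but an unconfirmed account exists for the address;
 *                     FALSE otherwise
 */
function AuthenticateUser($database, $email, $password)
{
    // SanitizeString() is an HTML-oriented cleaner (strip_tags/htmlentities elsewhere on this
    // page). It is applied to the password as well, so it must match whatever the registration
    // path stored -- presumably the same transformation; confirm against that code.
    $email = SanitizeString($email);
    $password = SanitizeString($password);

    // NOTE(review): the address is still interpolated into SQL. SanitizeString() is not an SQL
    // escaper, and the binding API of MySqlDatabaseQuery() is not visible here -- TODO move this
    // to a prepared statement once it is.
    $query = "SELECT pw_hash,pw_salt FROM users WHERE email='{$email}'";
    $result = MySqlDatabaseQuery($database, $query);

    // No row for this address (or a failed query): nothing to compare against. Take the same
    // "unconfirmed"/FALSE path a mismatched hash takes, without reading $result[0] first.
    if (empty($result[0])) {
        return UnconfirmedUserExists($database, $email) ? "unconfirmed" : FALSE;
    }

    $row = $result[0];

    // Hash once. The former debug echoes of the salt and both hashes were removed: they wrote
    // credential material into the HTTP response.
    $computed = HashPassword($password, $row['pw_salt']);

    // Constant-time comparison; yields the same result as === for these strings.
    if (hash_equals((string) $row['pw_hash'], (string) $computed)) {
        return TRUE;
    }

    return UnconfirmedUserExists($database, $email) ? "unconfirmed" : FALSE;
}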
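<?php
// Fetches a remote document named by the client and shows it.
if (isset($_POST['url'])) {
    // NOTE(review): the original handed any client-supplied host to file_get_contents(), which
    // made this script a server-side fetch proxy for anything the web server can reach. The host
    // is now checked against an explicit allowlist; fill it with the hosts this page is meant to
    // reach (placeholder below).
    $allowedHosts = ['PLACEHOLDER_ALLOWED_HOST'];

    $url = 'http://' . SanitizeString($_POST['url']);
    $host = parse_url($url, PHP_URL_HOST);

    if ($host === null || $host === false || !in_array($host, $allowedHosts, true)) {
        http_response_code(400);
    } else {
        $body = file_get_contents($url);
        if ($body === false) {
            // Unreachable host or transport error; do not echo a partial/false result.
            http_response_code(502);
        } else {
            // Shown as text: echoing the fetched document raw would inject its markup into this page.
            echo htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    }
}

/**
 * Strips tags, HTML-encodes what remains and then removes backslashes.
 *
 * Note this is HTML escaping only; it does not make a value safe for SQL or for a URL.
 *
 * @param string $var raw input
 * @return string cleaned value
 */
function SanitizeString($var)
{
    $withoutTags = strip_tags($var);
    $encoded = htmlentities($withoutTags);
    // stripslashes() runs last, keeping the original order (a magic_quotes-era leftover).
    return stripslashes($encoded);
}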
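<?php
/**
 * Created by PhpStorm.
 * User: keilc
 * Date: 25/08/2015
 * Time: 10:23 AM
 */
include_once 'header.php';

// header.php is expected to provide $loggedin and $user (not visible here).
if (!$loggedin) {
    die;
}

// Whose profile to show: the member named by ?view=, otherwise the viewer's own.
if (isset($_GET['view'])) {
    $view = SanitizeString($_GET['view']);
} else {
    $view = $user;
}

// Page wording depends on whether the viewer is looking at their own profile.
// Strict comparison: == would treat numeric-looking names such as '1e3' and '1000' as equal.
if ($view === $user) {
    $name1 = $name2 = "Your";
    $name3 = "You are";
} else {
    // The original closed the link with "</a>a>", leaving a stray "a>" in the output.
    // NOTE(review): $view is only as safe inside this attribute as the SanitizeString() from
    // header.php makes it; two different definitions exist on this page -- confirm it HTML-encodes.
    $name1 = "<a href='members.php?view={$view}'>{$view}</a>'s";
    $name2 = "{$view}'s";
    $name3 = "{$view} is";
}

echo "<div class='main'>";

// Put followers and following in their own array
$followers = array();
$following = array();

// Get the user's followers
// NOTE(review): '******' is redacted in this listing; the real query interpolates a user name,
// which should be passed as an escaped or bound value rather than spliced into the string.
$result = QueryMysql("SELECT * FROM friends WHERE user = '******'");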
<?php /** * Created by PhpStorm. * User: keilc * Date: 24/08/2015 * Time: 5:04 PM */ include_once 'header.php'; if (!$loggedin) { die; } echo "<div class='main'><h3>Your Profile</h3>"; //Check if text was entered if (isset($_POST['text'])) { $text = SanitizeString($_POST['text']); $text = preg_replace('/\\s\\s+/', '', $text); //Security check if user actually exists to prevent hacking. Update text if text exists or insert if it does not if (mysql_num_rows(QueryMysql("SELECT * FROM profiles WHERE user ='******'"))) { QueryMysql("UPDATE profiles SET text='{$text}' WHERE user='******'"); } else { QueryMysql("INSERT INTO profile VALUES('{$user}','{$text}')"); } } else { $result = QueryMysql("SELECT * FROM profiles WHERE user='******'"); if (mysql_num_rows($result)) { $row = mysql_fetch_row($result); $text = stripslashes($row[1]); } else { $text = ""; }
<?php /** * Created by PhpStorm. * User: keilc * Date: 24/08/2015 * Time: 3:33 PM */ include_once 'header.php'; echo "<div class='main'><>Please enter your details to login</h3>"; $error = $user = $pass = ""; if (isset($_POST['user'])) { $user = SanitizeString($_POST['user']); $pass = SanitizeString($_POST['pass']); if ($user == "" || $pass == "") { $error = "Not all fields entered<br />"; } else { $query = "SELECT user, pass FROM members WHERE user = '******' AND pass = '******'"; //If the username or password do not exist if (mysql_num_rows(QueryMysql($query)) == 0) { $error = "<span class = 'error'>Username/Passowrd invalid</span>span><br /><br />"; } else { $_SESSION['user'] = $user; $_SESSION['pass'] = $pass; die("You are now logged in. Please <a href='members.php?view={$user}'>" . "click here</a> to continue.<br /><br />"); } } } echo <<<_END <form method='post' action='login.php'>{$error} <span class='fieldname'>Username</span><input type='text'
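<?php
include "mysql.php";

// Deletes one row, identified by id, from the table named in the request.
$table = SanitizeString($_POST["table"]);
$id = $_POST["id"];

// Both values come straight from the client, and SanitizeString() below only transliterates
// accented letters, so neither was safe to splice into SQL. The table name is restricted to a
// plain identifier and the id to a non-negative integer bound as a parameter.
// TODO(review): a fixed list of deletable tables would be tighter than "any identifier".
$tableIsValid = is_string($table) && preg_match('/^[A-Za-z0-9_]+$/', $table) === 1;
$idIsValid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) !== false;

if (!$tableIsValid || !$idIsValid) {
    echo "<div class='info-box background-red wrap'>Virhe: virheellinen taulu tai id</div>";
} else {
    $id = (int) $id;
    $stmt = $conn->prepare("DELETE FROM `{$table}` WHERE id = ?");
    if ($stmt !== false && $stmt->bind_param('i', $id) && $stmt->execute()) {
        echo "<div class='info-box background-green wrap'>ID: {$id} poistettu taulusta {$table} onnistuneesti</div>";
        $stmt->close();
    } else {
        // The driver message may quote client-supplied text; escape it for the HTML context.
        echo "<div class='info-box background-red wrap'>Virhe: " . htmlspecialchars((string) $conn->error, ENT_QUOTES, 'UTF-8') . "</div>";
    }
}

$conn->close();

/**
 * Replaces accented Latin letters with their ASCII counterparts.
 *
 * This is a transliteration only: it does not escape or validate anything, so the result is
 * no safer for SQL or HTML than the input was.
 *
 * @param string $string text to transliterate
 * @return string text with the characters below substituted
 */
function SanitizeString($string)
{
    $replace_chars = array(
        'Š' => 'S', 'š' => 's', 'Ð' => 'Dj', 'Ž' => 'Z', 'ž' => 'z',
        'À' => 'A', 'Á' => 'A', 'Â' => 'A', 'Ã' => 'A', 'Ä' => 'A', 'Å' => 'A', 'Æ' => 'A',
        'Ç' => 'C', 'È' => 'E', 'É' => 'E', 'Ê' => 'E', 'Ë' => 'E',
        'Ì' => 'I', 'Í' => 'I', 'Î' => 'I', 'Ï' => 'I', 'Ñ' => 'N',
        'Ò' => 'O', 'Ó' => 'O', 'Ô' => 'O', 'Õ' => 'O', 'Ö' => 'O', 'Ø' => 'O',
        'Ù' => 'U', 'Ú' => 'U', 'Û' => 'U', 'Ü' => 'U', 'Ý' => 'Y', 'Þ' => 'B', 'ß' => 'Ss',
        'à' => 'a', 'á' => 'a', 'â' => 'a', 'ã' => 'a', 'ä' => 'a', 'å' => 'a', 'æ' => 'a',
        'ç' => 'c', 'è' => 'e', 'é' => 'e', 'ê' => 'e', 'ë' => 'e',
        'ì' => 'i', 'í' => 'i', 'î' => 'i', 'ï' => 'i', 'ð' => 'o', 'ñ' => 'n',
        'ò' => 'o', 'ó' => 'o', 'ô' => 'o', 'õ' => 'o', 'ö' => 'o', 'ø' => 'o',
        'ù' => 'u', 'ú' => 'u', 'û' => 'u', 'ý' => 'y', 'ý' => 'y', 'þ' => 'b', 'ÿ' => 'y',
        'ƒ' => 'f',
    );
    return strtr($string, $replace_chars);
}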