- PHP/MYSQL Security Questions (Online Order Form, Admin Portal)
<!-- Admin login form (admin.html). Posts "Name" and "Password" to admin/login.php,
     which is expected to compare them against its configured constants and start
     the admin session on success. -->
<!-- NOTE(review): the form sends no anti-CSRF token. The nonce check shown further
     down this page looks for a hidden "nonce" field, which this form does not carry. -->
<form method="post" action="admin/login.php">
<table align="center">
<tr><th>Admin Login Form</th></tr>
<!-- The onKeyPress handlers only stop the Enter key in the browser; they are a
     usability measure, not a security control, and are trivially bypassed. -->
<tr><td>Name</td><td><input type="text" name="Name" size="30" onKeyPress="return aJSFunctionToStopEnterKeyFromWorking(event)"></td></tr>
<tr><td>Password</td><td><input type="password" name="Password" size="30" onKeyPress="return aJSFunctionToStopEnterKeyFromWorking(event)"></td></tr>
<tr><td></td><td><input type="reset" value="Clear Form"> <input type="submit" value="Login"></td></tr>
</table>
</form>
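<?php
// admin/login.php — checks the posted credentials against the configured admin
// account and, on success, opens a session bound to the client's IP address and
// User-Agent before redirecting to portal.php. On failure it prints a generic
// error and stops.
//
// Security notes:
//  * Credentials are compared with hash_equals(): strict string comparison (no
//    loose "==" coercion) in constant time, so response timing does not leak how
//    many leading bytes of the guess were right.
//  * session_regenerate_id(true) discards whatever session ID the client arrived
//    with, so an attacker cannot plant a known ID before the victim logs in
//    (session fixation).
//  * The password is still a plaintext constant, exactly as in the original;
//    storing a password_hash() digest and checking it with password_verify()
//    would avoid keeping the secret in source.
$inputusername = $_POST['Name'] ?? '';
$inputpassword = $_POST['Password'] ?? '';
// hash_equals() only accepts strings; a crafted request can submit Name[]=x as an
// array, which would otherwise raise a TypeError instead of failing the login.
if (!is_string($inputusername) || !is_string($inputpassword)) {
    $inputusername = '';
    $inputpassword = '';
}
$username = "a username that is not obvious";
$password = "a password that is at least 10 characters long";
// Both comparisons always run (no short-circuit), so a wrong username costs the
// same time as a wrong password.
$usernameOk = hash_equals($username, $inputusername);
$passwordOk = hash_equals($password, $inputpassword);
if ($usernameOk && $passwordOk) {
    session_start();
    session_regenerate_id(true);
    $_SESSION['valid'] = TRUE;
    $_SESSION['IP'] = $_SERVER["REMOTE_ADDR"];
    // The header may be absent; store '' rather than null so the guard script's
    // comparison has a string on both sides.
    $_SESSION['agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
    header('Location: portal.php');
    exit;
}
// Deliberately the same message for an unknown user and a wrong password, so the
// response does not reveal which half was correct.
echo "<center>Invalid username or password<br><a href='../admin.html'>Try Again</a></center>";
exit;
?>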
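<?php
// session-authentication-script.php — guard pulled in at the top of every admin
// page, before any output. Redirects to the login page (and stops) unless the
// session was marked valid by login.php and still comes from the same client
// IP address and User-Agent it was created with.
session_start();
// empty() also covers a session that never had 'valid' set; the original
// "!$_SESSION['valid']" reached the same decision only via an undefined-index
// warning.
if (empty($_SESSION['valid'])) {header('Location: ../admin.html'); exit;}
// The IP and User-Agent checks make a stolen session cookie harder to replay from
// another machine. They are weak controls: the User-Agent is chosen by the client,
// and the IP check logs out legitimate users whose address changes (mobile
// networks, proxies). Strict !== with '' defaults: a missing value never matches.
if (($_SESSION['IP'] ?? '') !== ($_SERVER["REMOTE_ADDR"] ?? '')) {header('Location: ../admin.html'); exit;}
if (($_SESSION['agent'] ?? '') !== ($_SERVER['HTTP_USER_AGENT'] ?? '')) {header('Location: ../admin.html'); exit;}
?>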
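<?php
// portal.php — the guard must run before any output on every admin page.
// require_once rather than include: if the guard file is missing, unreadable or
// misnamed, include() only emits a warning and the page is served to anyone,
// whereas require aborts the request. _once keeps a second pull-in from calling
// session_start() again.
require_once 'session-authentication-script.php';
?>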
- *Actual page goes here*
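<?php
// logout.php — ends the admin session and returns to the login page.
// require_once so a missing guard file aborts instead of silently continuing.
require_once 'session-authentication-script.php';   // starts the session, or redirects if not logged in
// Clear every session value, not just 'valid', before destroying the record.
$_SESSION = [];
// session_destroy() removes the server-side data but leaves the cookie in the
// browser; expire it too so the old ID is not presented again on the next request.
if (ini_get('session.use_cookies')) {
    $cookie = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $cookie['path'], $cookie['domain'], $cookie['secure'], $cookie['httponly']);
}
session_destroy();
header('Location: ../admin.html');
exit;
?>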
<!-- Public order form. Posts to incl/email_Order.php, which mails the fields to
     the sales address and puts the submitted "Email" into the Reply-To header. -->
<!-- NOTE(review): no hidden "nonce" field is present, so the session-nonce check
     shown further down this page would reject every submission from this form;
     anyone who can trick a visitor into submitting it (CSRF) can send mail as them. -->
<form name="Order" method="post" action="incl/email_Order.php">
<table>
<!-- The onKeyPress handler only blocks the Enter key client-side; it is not a control. -->
<tr><td>Name</td><td><input type="text" name="Name" size="30" onKeyPress="return aJSFunctionToStopEnterKeyFromWorking(event)" ></td></tr>
*gather up a bunch more form data in the same fashion*
<!-- The snippet ends at </table>; the closing </form> is presumably in the omitted part. -->
<tr><td></td><td><input type="reset" value="Clear Form"> <input type="submit" value="Submit Order" ></td></tr></table>
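// incl/email_Order.php — mails the submitted order form to the sales address.
//
// Security notes:
//  * Any request field placed in a mail *header* (here Reply-To) is an injection
//    vector: a CR/LF inside the value lets the sender append headers of their own,
//    e.g. extra Bcc: recipients, turning the form into an open spam relay. The
//    address is therefore validated with FILTER_VALIDATE_EMAIL (which rejects
//    control characters and arrays) and Reply-To is omitted when it fails.
//  * Fields are read from $_POST rather than $_REQUEST: the form submits with
//    POST, and $_REQUEST would also accept values from the query string and
//    cookies.
//  * The header and line separator is "\r\n"; the original "rn" presumably lost
//    its backslashes when pasted and would have produced malformed headers.
$to = "sales@company.com";
$subject = "Online Order";
$name = $_POST['Name'] ?? '';
if (!is_string($name)) { $name = ''; }
// Body text is not parsed as headers by mail(), but collapse line breaks anyway so
// one field cannot masquerade as another in the received message.
$message = "Name: " . str_replace(["\r", "\n"], ' ', $name) . "\r\n";
// ... the remaining form fields are appended to $message in the same fashion ...
$headers = 'From: sales@company.com' . "\r\n";
$replyTo = filter_var($_POST['Email'] ?? '', FILTER_VALIDATE_EMAIL);
if ($replyTo !== false) {
    $headers .= 'Reply-To: ' . $replyTo . "\r\n";
}
if(mail($to, $subject, $message, $headers)) {print "Thank you for your order!";}
else {print "We encountered an error sending your order. Please attempt again.";}
exit;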
// VULNERABLE: $_GET['id'] is echoed into the page with no output encoding, so a
// link whose id parameter carries markup like the example below is executed in
// the visitor's browser (reflected XSS).
echo "Requested article: ".$_GET['id'];
// Example of a value an attacker would place in the id parameter:
'<script src="bad_script_from_bad_server.js"></script>'
// FIXED: FILTER_VALIDATE_INT yields the integer only when the value is a
// well-formed integer (false otherwise, null when the parameter is absent), so no
// markup can reach the output; echo prints false/null as an empty string. For
// free-text values use htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
// instead — validation and output encoding are separate steps.
echo "Requested article: ".filter_input ( INPUT_GET, 'id', FILTER_VALIDATE_INT);
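// Returns true only when the submitted form carried a nonce that exactly matches
// the one stored in the session. Both values must be non-empty strings and are
// compared with hash_equals(): strict and constant-time, unlike "!=", whose loose
// rules treat numeric-looking strings such as "1e3" and "1000" as equal and would
// raise on an array submitted as nonce[]=x.
function orderNonceIsValid(array $post, array $session): bool
{
    $sent = $post['nonce'] ?? null;
    $stored = $session['nonce'] ?? null;
    if (!is_string($sent) || !is_string($stored) || $stored === '') {
        return false;
    }
    return hash_equals($stored, $sent);
}

// $_SESSION is only defined after session_start(); treat "no session" as "no nonce".
if (!orderNonceIsValid($_POST, $_SESSION ?? [])) {
    // Invalid POST: the request did not originate from a form this session rendered
    // (cross-site request forgery or a replayed submission) — reject it here.
}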