PHP/MySQL made simple


June 6, 2008  8:57 PM

Securing your E-mail address in a contact form

Jon Harris Profile: Jonsjava

All too often, I see easy ways to exploit a website's contact form: every field the visitor types is posted to the submit script in plain text and used exactly as it arrived. That may seem acceptable if none of it is written to a database, but it's still not good practice.
I usually tend to do it as such:

My contact form (the HTML markup didn't survive here; this is the form as the visitor sees it, and the field names the submit page reads are name, email, reason, subject and body):

Contact Us

Your Name:
E-Mail Address:
Contact Reason: a select list with these options:
  Need assistance with a script you made
  Need Assistance with a script I made
  Looking for help with an open-source project
  Wanted to thank you for all you've done
  Offering assistance with one of your open-source projects
  Just saying "Hi"/Other
Subject:
Message:

Now, notice what I did with the select: the option text is only a label. Each option's value is a number, 1 through 6, and the reason text itself never leaves the server.

What that does is this: the visitor can't supply their own contact reason. It's locked. If they edit the select to their liking, the only thing they can change is the number, and a number that isn't on the list just won't work.

How does that work, you ask?
Simple, here’s how:

<?php
// Submit page for the contact form above. The allowed reasons live only on the
// server; the form posts an index (1..6) and the text is looked up here.
$reason_array = array("Need assistance with a script you made", "Need Assistance with a script I made", "Looking for help with an open-source project", "Wanted to thank you for all you've done", "Offering assistance with one of your open-source projects", "Just saying \"Hi\"/Other");
$reason = isset($_POST['reason']) ? $_POST['reason'] : '';
// A modified form shows up here as something other than 1..6: refuse it instead
// of mailing an empty reason (and raising an undefined-offset notice).
if (!ctype_digit($reason) || !isset($reason_array[$reason - 1])) {
    header("Location: index.php");
    exit();
}
$contact_reason = $reason_array[$reason - 1];
$subject = $_POST['subject'];
$body = $_POST['body'];
$email = $_POST['email'];
$name = $_POST['name'];
$to = "email@somedomain.com";
$message = "

Contact Reason: $contact_reason
\n
Name:$name
\n";
// Undo the magic_quotes backslashes, turn double quotes into single ones, drop
// vertical tabs, then strip the \' sequences the quote swap may have created.
$message_clean1 = str_replace("\'", "'", $body);
$message_clean2 = str_replace('"', "'", $message_clean1);
$message_clean3 = str_replace("\v", "", $message_clean2);
$message_clean4 = str_replace("\'", "'", $message_clean3);
$message .= $message_clean4;
$message .= "

";
$message .= "\n";
include("MIME.class.php");
$mime = new MIME_mail($email, $to, $subject);
$mime->attach($message, "", HTML, BASE64);
$mime->send_mail();
header("Location: index.php");
exit();

This is the submit page for my contact form. As you may have noticed, I'm using the MIME mailer class found at PHP Guru. The reason codes live in an array on the server, so if a visitor modifies the select and posts something other than one of the expected numbers, the script notices and sends nothing.

One thing to check before relying on this: $email and $subject come straight from the form and end up in the mail's headers. Unless MIME_mail strips carriage returns and line feeds from them, a visitor can add headers of their own (a Bcc: line, for instance) by embedding a newline in the address or the subject, so reject any header-bound value containing \r or \n before it reaches the mailer.
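Here, as an added example that is not the post's own code, is a hardened version of the same submit page. It keeps the server-side reason array but refuses anything that isn't one of the offered indexes, rejects line breaks in the fields that become mail headers, validates the address, and uses PHP's built-in mail() in place of the MIME_mail class so that it runs stand-alone. The field names come from the post; the addresses are placeholders:

```php
<?php
// Added example, not the post's own code: a hardened submit page for the form above.
// Field names (name, email, reason, subject, body) and the numeric option values 1..6
// come from the post; the addresses are placeholders, and PHP's built-in mail() stands
// in for the MIME_mail class so the example runs stand-alone.
$reasons = array(
    1 => "Need assistance with a script you made",
    2 => "Need Assistance with a script I made",
    3 => "Looking for help with an open-source project",
    4 => "Wanted to thank you for all you've done",
    5 => "Offering assistance with one of your open-source projects",
    6 => "Just saying \"Hi\"/Other",
);

// Validate the posted fields. Returns array('ok' => true, 'fields' => ...) on success,
// array('ok' => false, 'errors' => ...) otherwise.
function validate_contact(array $post, array $reasons)
{
    $f = array();
    $errors = array();
    foreach (array('name', 'email', 'reason', 'subject', 'body') as $k) {
        $f[$k] = (isset($post[$k]) && is_string($post[$k])) ? trim($post[$k]) : '';
    }
    // Allow-list: the reason must be one of the keys we put in the <select>.
    // Anything else means the form was edited, so refuse it outright.
    if (!ctype_digit($f['reason']) || !isset($reasons[(int) $f['reason']])) {
        $errors[] = 'reason: not one of the offered choices';
    }
    // Values that end up in mail headers must not contain CR or LF: a line break
    // in the address or subject would let the sender append headers such as Bcc:.
    foreach (array('name', 'email', 'subject') as $k) {
        if (preg_match('/[\r\n]/', $f[$k])) {
            $errors[] = "$k: line breaks are not allowed";
        }
    }
    if (filter_var($f['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    if ($f['name'] === '' || strlen($f['name']) > 100) {
        $errors[] = 'name: required, at most 100 characters';
    }
    if ($f['subject'] === '' || strlen($f['subject']) > 200) {
        $errors[] = 'subject: required, at most 200 characters';
    }
    if ($f['body'] === '' || strlen($f['body']) > 10000) {
        $errors[] = 'body: required, at most 10000 characters';
    }
    if ($errors) {
        return array('ok' => false, 'errors' => $errors);
    }
    $f['reason_text'] = $reasons[(int) $f['reason']];
    return array('ok' => true, 'fields' => $f);
}

// Build and send the mail. From: stays on our own domain (so the receiving server's
// sender checks pass); the visitor's address goes in Reply-To: instead.
function send_contact(array $f, $to, $from)
{
    $headers = "From: $from\r\n"
             . "Reply-To: " . $f['email'] . "\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $body = "Contact Reason: " . $f['reason_text'] . "\n"
          . "Name: " . $f['name'] . "\n\n"
          . $f['body'] . "\n";
    return mail($to, $f['subject'], $body, $headers);
}

if (PHP_SAPI === 'cli') {
    // Constructed tampered submission: a reason that isn't offered and a subject
    // carrying an extra header line. Both are reported and nothing is mailed.
    $tampered = array(
        'name'    => 'Mallory',
        'email'   => 'mallory@example.com',
        'reason'  => '7',
        'subject' => "Hello\r\nBcc: everyone@example.com",
        'body'    => 'test',
    );
    print_r(validate_contact($tampered, $reasons));
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = validate_contact($_POST, $reasons);
    if (!$result['ok']) {
        http_response_code(400);
        header('Content-Type: text/plain');
        echo implode("\n", $result['errors']);
        exit();
    }
    send_contact($result['fields'], 'email@somedomain.com', 'contact@somedomain.com');
    header('Location: index.php');
    exit();
}
```

Run from the command line it validates the constructed tampered submission and prints both errors; served as a web page it handles the real POST. Keeping the visitor's address in Reply-To rather than From also stops the script from sending mail that claims to come from a domain you don't control.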

Next Time: I will show you how to stop spammers from using your script.

April 14, 2008  4:23 PM

Intelligent Password Generator (Part I)

Jon Harris Profile: Jonsjava

Outline
Everybody and their brother (or sister, as the case may be) has their own "random password generator". I've used them, and to be honest, I've never been impressed. You wind up with passwords that are impossible to remember, with combinations that just don't "flow" when you try to type them. I got to thinking about all the times I've helped others figure out a good password: one that would meet our requirements *and* be easy to remember. This is an example of how it goes:

“Yes, Mr. Doe, your email account was compromised, so we had to disable your account. When you’re ready to change your password, please give us a call at XXX-XXX-XXXX.”

“I’m ready to change it now, but I don’t know what to change it to. Could you help me pick a password?”

“Sure, I’ll tell you what. Think of your first pets name. Think of the day you were married, or had your first kid, and then think of another meaningful person or event, and change one letter to a symbol….”

“Ok, I got it, it’s Dog1935f@ther. That’s easy to remember!”

“Your first dog’s name was ‘Dog’?”

“He was a fish….”

Ok, the last part was just comedy, but you get the gist. Only intelligent beings can make intelligent passwords, UNLESS….

Never mind. You aren’t interested anyways.

Oh, you are? Ok.

Basic Concept

I needed an application that would take a few words, a couple of numbers, and a date. It would need to strip out any characters that I don't allow in my passwords, and it needed to be able to replace characters so that the password meets the combination requirements set by my site, for security reasons.

Broken down, it needed to:

  • Take 3 words
  • Take 1 number
  • Take 1 date, in any format

Then, it needed to:

  • Strip out any illegal characters
  • Combine enough words to meet the password length requirement
  • Substitute characters with similar characters until the password strength requirement has been met
  • Check the password, to verify that it meets all requirements
  • Create 2 more passwords, and output them to the customer's screen
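The outline above, worked through in PHP as an added example (this is not the author's code, which follows in a later part). The allowed character set, the minimum length of 10, the substitution table and the sample words, number and date are assumptions chosen for the demonstration. One caveat worth stating up front: a password assembled from a pet's name, a birthday and a handful of symbol swaps is memorable, but anyone who knows those facts, or a cracking tool with a rule set for such substitutions, will guess it far faster than a random string of the same length.

```php
<?php
// Added example, not the author's code (his own appears in a later part): one way to
// carry out the outline above. The allowed character set, the minimum length, the
// "similar character" table and the input at the bottom are all assumptions.
$pw_min_len = 10;
$pw_subs = array('a' => '@', 's' => '$', 'i' => '!', 'o' => '*', 'h' => '#');

// Drop any character the (assumed) policy does not allow.
function pw_strip($s)
{
    return preg_replace('/[^A-Za-z0-9!@#$%^&*]/', '', $s);
}

// The policy: minimum length plus an upper-case letter, a lower-case letter,
// a digit and a symbol.
function pw_meets_policy($pw, $min_len)
{
    return strlen($pw) >= $min_len
        && preg_match('/[A-Z]/', $pw)
        && preg_match('/[a-z]/', $pw)
        && preg_match('/[0-9]/', $pw)
        && preg_match('/[!@#$%^&*]/', $pw);
}

// Build one password from the pieces, following the outline step by step.
// Returns null if the pieces cannot be made to satisfy the policy.
function pw_build(array $words, $number, $date, $min_len, array $subs)
{
    // strip illegal characters; the date, in whatever format, contributes its digits
    $words  = array_map(function ($w) { return ucfirst(strtolower(pw_strip($w))); }, $words);
    $number = preg_replace('/\D/', '', (string) $number);
    $date   = preg_replace('/\D/', '', $date);
    // combine: the first word, the number and the date always go in; further words
    // are added only until the length requirement is met
    $pw = array_shift($words) . $number . $date;
    while (strlen($pw) < $min_len && count($words) > 0) {
        $pw .= array_shift($words);
    }
    // substitute one letter for a look-alike symbol at a time until the policy passes
    foreach ($subs as $letter => $symbol) {
        if (pw_meets_policy($pw, $min_len)) {
            break;
        }
        $pos = strpos($pw, $letter);
        if ($pos !== false) {
            $pw[$pos] = $symbol;
        }
    }
    // verify before handing it out
    return pw_meets_policy($pw, $min_len) ? $pw : null;
}

// Three candidates (the original plus two more), each starting from a different word.
function pw_generate(array $words, $number, $date, $min_len, array $subs)
{
    $out = array();
    for ($i = 0; $i < count($words); $i++) {
        $rotated = array_merge(array_slice($words, $i), array_slice($words, 0, $i));
        $pw = pw_build($rotated, $number, $date, $min_len, $subs);
        if ($pw !== null) {
            $out[] = $pw;
        }
    }
    return $out;
}

// Constructed input in the spirit of the post's example: three words, a number, a date.
$candidates = pw_generate(array('Dog', 'father', 'fish'), 7, '06/15/1935', $pw_min_len, $pw_subs);
foreach ($candidates as $pw) {
    echo $pw, "\n";
}
```

Each candidate is checked against the policy before it is printed, so a set of inputs too short to satisfy it produces fewer than three passwords rather than a weak one; the caller can then ask for longer words.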

Next time:
I will give you a part of the code, and explain why I did it this way.
I will show you some examples of what this application will output when given different input.


April 11, 2008  3:25 PM

An introduction

Jon Harris Profile: Jonsjava

Prelude
There are many sites out there that offer a good list of software to help you program in PHP, as well as a good number of websites that help you out with a project by linking you to great open-source products that serve a purpose. This will not be one of those sites. This site is for those of you who already have your program of choice, be it a $500.00 IDE or just Notepad, but need pointers on how to do something and can't find a good place to get the information.

Background
I started programming in PHP because, well, I needed some money. Since then, I have become fairly proficient in the language. You will almost never see me write object-oriented (O-O) scripts, and I rarely use case statements. That doesn't mean that I don't know how; it simply means that I prefer the style I use. There are many ways to write a PHP program, and some are better than others. What I am going to offer you is the basic idea for the code and a working sample, with a good explanation of how it works and why I do it that way. Hopefully I will show you good ways to program, as well as open you up to the fact that there are other ways to program than object-oriented programming.

Example
The first example I will use is a fun one. There is a site, 99 bottles of beer.net, whose goal is to have a repository of programming source code that, when executed, generates the full song “99 Bottles of Beer on the Wall“. Most people will use a class that returns the value of the bottle until you reach 0, then prints the final line:

No more bottles of beer on the wall, no more bottles of beer.
Go to the store and buy some more, 99 bottles of beer on the wall.

I don’t like wasting code. I’m a firm believer that programmers have more important things to do than write useless lines of code, when just a few, short lines will do. My solution to this challenge? This:

*EDIT* Could not leave the script in and keep the rest of the post looking correct. To view the code, go to http://vent.jonsjava.com/beer.txt

What this script does is this:

  • sets the max number of beers ($count = 99)
  • prints out each verse until it reaches zero, decreasing the number of bottles each time (--$count)
  • once it reaches zero, it prints the final verse, then it's done

(To see the code in action, go to http://vent.jonsjava.com/beer.php)

Do you really need a 75-line class to do this? It may not be pretty, but it’s a good proof of concept.

In the Next Issue
I will be discussing how to write an intelligent password generator

