php - People can edit my form and send a string that is different from an email that mess up my databases -


my form requires email(set via input type) people use inspect element , submit other values not email. 1 of them percent sign , messes databases badly. tried checking percent sign didnt help. here's code, please give me lead or tell me what's wrong?

thanks

if(strpos($_post['email'], '&#37;') == false)  {     $curpass = strtoupper(hash("whirlpool", $_post['curpass']));     $passii = $con->prepare("select `password` `playerinfo` `playername` = ?;");     $passii->execute(array($_session["playername"]));     while($row = $passii->fetch())     {         $curpass1 = $row['password'];     }     if($curpass == $curpass1)     {         $email = mysql_escape_string($pemail);         echo "<div class='flash_success'>your email has been changed.</div>";         $p_name_settings = $_session['playername'];         $updatemail = $con->prepare("update `playerinfo` set `email` = ? `playername` = ?");         $updatemail->execute(array($pemail, $_session["playername"]));     }     else     {         echo "<div class='flash_error'>you did not enter current password correctly. settings not saved.</div>";     } }

you use filter_validate_email , filter_sanitize_email prevent insertion. like:

$email = $_post['email'];  // remove illegal characters email $email = filter_var($email, filter_sanitize_email);  // validate e-mail if (filter_var($email, filter_validate_email)) {     // email valid email address     $curpass = strtoupper(hash("whirlpool", $_post['curpass']));     $passii = $con->prepare("select `password` `playerinfo` `playername` = ?;");     $passii->execute(array($_session["playername"]));     while($row = $passii->fetch())     {         $curpass1 = $row['password'];     }     if($curpass == $curpass1)     {         $email = mysqli_real_escape_string($con, $email);         echo "<div class='flash_success'>your email has been changed.</div>";         $p_name_settings = $_session['playername'];         $updatemail = $con->prepare("update `playerinfo` set `email` = ? `playername` = ?");         $updatemail->execute(array($pemail, $_session["playername"]));     }     else     {         echo "<div class='flash_error'>you did not enter current password correctly. settings not saved.</div>";     } }

Comments

Post a Comment

Popular posts from this blog

python Tkinter Capturing keyboard events save as one single string -

is possible store keyboard events 1 string? code below stores 1 char , prints it. card reader or bar code reader, contains collection of character/ string not 1 character @ time. goal save char pressed text variable. from tkinter import * root = tk() def key(event): text= event.char text+= event.char print ("pressed", text) def callback(event): frame.focus_set() print ("clicked at", event.x, event.y) frame = frame(root, width=100, height=100) frame.bind("<key>", key) frame.bind("<button-1>", callback) frame.pack() root.mainloop() currently, creating text variable , everytime key() function gets called, , text stores last character typed. you can define text module level variable , , use module level text inside key function - text = '' def key(event): global text text+= event.char print("pressed", text)
Read more

android - InAppBilling registering BroadcastReceiver in AndroidManifest -

i'm implementing inapp billing in android app. works well, however, i'm trying decouple broadcast receiver activity manifest. suggestion in android's trivialdrive sample: // important: dynamically register broadcast messages updated purchases. // register receiver here instead of <receiver> in manifest // because call getpurchases() @ startup, therefore can ignore // broadcasts sent while app isn't running. // note: registering listener in activity bad idea, done here // because sample. regardless, receiver must registered after // iabhelper setup, before first call getpurchases(). currently there's class extends broadcastreceiver : public class iabbroadcastreceiver extends broadcastreceiver { /** * intent action receiver should filter for. */ public static final string action = "com.android.vending.billing.purchases_updated"; private final iabbroadcastlistener mlistener; public iabbroadcastreceiver(iabbroadcastlistener listener) { m
Read more

javascript - VueJS2 and the Window Object - how to use? -

i trying use third-party api collect data user. unsure how go setting in vue instance. here's test code in jsfiddle: demo to see issue, choose "def" dropdown , select brief , see element @ bottom of page 'fill out brief form here'. snipped html code custom trigger attribute: <div class="alert alert-warning" v-if="(!selectedoffice.injira) && (product ==='brief')">fill out brief <a href="#" class="mycustomtrigger"> form here</a></div> the javascript code data collector: jquery.ajax({ url: "https://organik.atlassian.net/s/d41d8cd98f00b204e9800998ecf8427e-t/1gaygj/b/c/3d70dff4c40bd20e976d5936642e2171/_/download/batch/com.atlassian.jira.collector.plugin.jira-issue-collector-plugin:issuecollector-embededjs/com.atlassian.jira.collector.plugin.jira-issue-collector-plugin:issuecollector-embededjs.js?locale=en-us&collectorid=208a7651", type: "get
Read more