php - People can edit my form and send a string that is different from an email that mess up my databases -


my form requires email(set via input type) people use inspect element , submit other values not email. 1 of them percent sign , messes databases badly. tried checking percent sign didnt help. here's code, please give me lead or tell me what's wrong?

thanks

if(strpos($_post['email'], '&#37;') == false)  {     $curpass = strtoupper(hash("whirlpool", $_post['curpass']));     $passii = $con->prepare("select `password` `playerinfo` `playername` = ?;");     $passii->execute(array($_session["playername"]));     while($row = $passii->fetch())     {         $curpass1 = $row['password'];     }     if($curpass == $curpass1)     {         $email = mysql_escape_string($pemail);         echo "<div class='flash_success'>your email has been changed.</div>";         $p_name_settings = $_session['playername'];         $updatemail = $con->prepare("update `playerinfo` set `email` = ? `playername` = ?");         $updatemail->execute(array($pemail, $_session["playername"]));     }     else     {         echo "<div class='flash_error'>you did not enter current password correctly. settings not saved.</div>";     } }

you use filter_validate_email , filter_sanitize_email prevent insertion. like:

$email = $_post['email'];  // remove illegal characters email $email = filter_var($email, filter_sanitize_email);  // validate e-mail if (filter_var($email, filter_validate_email)) {     // email valid email address     $curpass = strtoupper(hash("whirlpool", $_post['curpass']));     $passii = $con->prepare("select `password` `playerinfo` `playername` = ?;");     $passii->execute(array($_session["playername"]));     while($row = $passii->fetch())     {         $curpass1 = $row['password'];     }     if($curpass == $curpass1)     {         $email = mysqli_real_escape_string($con, $email);         echo "<div class='flash_success'>your email has been changed.</div>";         $p_name_settings = $_session['playername'];         $updatemail = $con->prepare("update `playerinfo` set `email` = ? `playername` = ?");         $updatemail->execute(array($pemail, $_session["playername"]));     }     else     {         echo "<div class='flash_error'>you did not enter current password correctly. settings not saved.</div>";     } }

Comments

Post a Comment

Popular posts from this blog

android - InAppBilling registering BroadcastReceiver in AndroidManifest -

i'm implementing inapp billing in android app. works well, however, i'm trying decouple broadcast receiver activity manifest. suggestion in android's trivialdrive sample: // important: dynamically register broadcast messages updated purchases. // register receiver here instead of <receiver> in manifest // because call getpurchases() @ startup, therefore can ignore // broadcasts sent while app isn't running. // note: registering listener in activity bad idea, done here // because sample. regardless, receiver must registered after // iabhelper setup, before first call getpurchases(). currently there's class extends broadcastreceiver : public class iabbroadcastreceiver extends broadcastreceiver { /** * intent action receiver should filter for. */ public static final string action = "com.android.vending.billing.purchases_updated"; private final iabbroadcastlistener mlistener; public iabbroadcastreceiver(iabbroadcastlistener listener) { m
Read more

python Tkinter Capturing keyboard events save as one single string -

is possible store keyboard events 1 string? code below stores 1 char , prints it. card reader or bar code reader, contains collection of character/ string not 1 character @ time. goal save char pressed text variable. from tkinter import * root = tk() def key(event): text= event.char text+= event.char print ("pressed", text) def callback(event): frame.focus_set() print ("clicked at", event.x, event.y) frame = frame(root, width=100, height=100) frame.bind("<key>", key) frame.bind("<button-1>", callback) frame.pack() root.mainloop() currently, creating text variable , everytime key() function gets called, , text stores last character typed. you can define text module level variable , , use module level text inside key function - text = '' def key(event): global text text+= event.char print("pressed", text)
Read more

sql server - Why does Linq-to-SQL add unnecessary COUNT()? -

here tables: create table customer ( cid int primary key, name varchar(32) ) create table ord ( oid int primary key, cid int foreign key references customer, address varchar(20) ) here's linq-to-sql statement: var aaa = c in db.customer select new { c, o = c.ord.tolist() }; and here's inexplicable query generated linq-to-sql: select [t0].[cid] [cid], [t0].[name] [name], [t1].[oid] [oid], [t1].[cid] [cid2], [t1].[address] [address], (select count(*) [dbo].[ord] [t2] [t2].[cid] = [t0].[cid]) [value] [dbo].[customer] [t0] left outer join [dbo].[ord] [t1] on [t1].[cid] = [t0].[cid] order [t0].[cid], [t1].[oid] i want understand how rid of count(*) part. it's entirely uncalled for! linq needs count(*) in order determine number of entries returned o = c.ord.tolist() .
Read more