code security

Could you be more specific, please?
I am unsure.

Where do you have this (or your equivalent)?

[php]function escape ($unescaped) {
    return htmlentities($unescaped, ENT_QUOTES, "UTF-8");
}[/php]

If you don’t have the function defined anywhere then PHP will throw an undefined error, as you are trying to use a function that PHP does not know about.

No equivalent. Only in the code.

In your latest code you do this:
[php]$name = escape($name);
$email = escape($email);
$website = escape($website);[/php]

Here you use the function escape, but that function does not exist in PHP, and you have not defined it. So you need to add the actual function to your code:

[php]function escape ($unescaped) {
    return htmlentities($unescaped, ENT_QUOTES, "UTF-8");
}[/php]

So that each time you do an escape($var) PHP will know what code to run.

Looks like I had it in the wrong place. Nothing goes in between function escape.

I’m not following you :\

You don’t need to use the escape function at all; I just recommended making an escape function so you wouldn’t have to write that htmlentities line each and every time.

In between the escape function that’s already in the code, I placed $name = escape($name); $email = escape($email); $website = escape($website); Is that wrong?

Ah, I didn’t see that before.

Yes, that is wrong. Just paste the function I wrote at the beginning of the script. Every time you call that function in your code it will jump up to the function, run the code in the brackets, and return the escaped variable.
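The ordering matters because PHP only hoists functions declared at the top level of a file. A function declared inside an if-block is a conditional declaration: it does not exist until that line has actually run, so calling escape() a few lines earlier in the same block fails with "Call to undefined function". The following is an added example written for this thread, not code posted by anyone in it: escape() is declared at top level, and the comment-logging flow from the thread is written out with the parts the posted version leaves out. It assumes the form fields are named name, email, website and message, that the submit button is named submit, and that the log file is testcomments.log as in the thread.

```php
<?php
// Added example (not the code posted in this thread). Assumed: form fields
// name, email, website, message; submit button named "submit"; log file
// testcomments.log as used in the thread.

function escape($unescaped) {
    // ENT_QUOTES encodes ' and " as well as < > &, so the value is safe to
    // print inside an HTML attribute as well as between tags.
    return htmlentities($unescaped, ENT_QUOTES, 'UTF-8');
}

// Return the submitted field as a trimmed string, or '' when it is absent,
// so escape() is never handed null.
function field($key) {
    return isset($_POST[$key]) ? trim((string) $_POST[$key]) : '';
}

if (isset($_POST['submit'])) {
    // escape() is already declared above, so every call here resolves.
    $name    = escape(field('name'));
    $email   = escape(field('email'));
    $website = escape(field('website'));
    $message = escape(field('message'));
    $time    = time();

    if ($name === '' || $email === '') {
        echo '*Please fill out required fields';
    } elseif ($message !== '') {
        $logfile = 'testcomments.log';
        // The posted code wrote to $fp without ever opening it; open the log
        // in append mode so earlier comments are kept.
        $fp = fopen($logfile, 'a');
        if ($fp === false) {
            echo 'Could not open the comment log';
        } else {
            $pre = (file_exists($logfile) && filesize($logfile) > 0) ? "\n" : '';
            $outputstring = $pre . $name . '. ' . date('F j Y \a\t h:i a', $time)
                          . "\n" . $message . "\n";
            fwrite($fp, $outputstring);
            fclose($fp);
        }
    }
}
?>
<p>Comments:</p>
<pre><?php if (file_exists('testcomments.log')) { readfile('testcomments.log'); } ?></pre>
```

Two design points. The log is printed with readfile() rather than include: include parses the file as PHP, so any `<?php` tag that reached the log would execute, whereas readfile() only copies the bytes to the output; with every stored value passed through escape() the `<` is already written as `&lt;`, so the two layers back each other up. Also, htmlentities() returns an empty string when the input is not valid UTF-8 unless the ENT_SUBSTITUTE flag is added, so a comment submitted with a broken byte sequence would silently vanish rather than be logged.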

This is what I did.

[php]<?php
if(isset($_POST['submit'])) { // Added not to display "please fill out required fields."
    $name = escape($name);
    $email = escape($email);
    $website = escape($website);
    $message = escape($message);
    $time = time();

    function escape ($unescaped) {
        return htmlentities($unescaped, ENT_QUOTES, "UTF-8");
    }

    if (!$name || !$email) {
        echo "*Please fill out required fields";
    } else {
        if(strlen($name) > 0 && strlen($message)> 0) {
            if(filesize('testcomments.log') > 0) {
                $pre ='
';
            }
        }
        $outputstring = $pre. '

'.$name.'. '.date('F j Y \a\t h:i a',$time).'

'.$message .'

';
        @fwrite($fp, $outputstring, strlen($outputstring));
        fclose($fp);

        echo ""; // changed from Header( )
    }
}
?>[/php]

		 <input type="text" name="name" placeholder="Name">*
		 <br /><br/> 
		 <input type="text" name="email" placeholder="Email">*
		 <br /><br/> 
		 <input type="text" name="website" placeholder="Website">
		 <br /><br/>
		 <textarea name="message" cols="40" rows="4" placeholder="Comments"></textarea></br> 

Comments:

<?php include "testcomments.log"; ?>

OK, the error with the PHP after testing on localhost is line 5, in bold print. Is this incorrect or not? I’m really not sure.

[php]<?php
if(isset($_POST['submit'])) { // Added not to display "please fill out required fields."
    $name = escape($name); // <-- line shown in bold (line 5)
    $email = escape($email);
    $website = escape($website);
    $message = escape($message);
    $time = time();

    function escape ($unescaped) {
        return htmlentities($unescaped, ENT_QUOTES, "UTF-8");
    }

    if (!$name || !$email) {
        echo "*Please fill out required fields";
    } else {
        if(strlen($name) > 0 && strlen($message)> 0) {
            if(filesize('testcomments.log') > 0) {
                $pre ='
';
            }
        }
        $outputstring = $pre. '

'.$name.'. '.date('F j Y \a\t h:i a',$time).'

'.$message .'

';
        @fwrite($fp, $outputstring, strlen($outputstring));
        fclose($fp);

        echo ""; // changed from Header( )
    }
}
?>[/php]

        <input type="text" name="name" placeholder="Name">*
        <br /><br/> 
        <input type="text" name="email" placeholder="Email">*
        <br /><br/> 
        <input type="text" name="website" placeholder="Website">
        <br /><br/>
        <textarea name="message" cols="40" rows="4" placeholder="Comments"></textarea></br> 

Comments:

<?php include "testcomments.log"; ?>