
pro_php thread: When in script should protection be added?


Message #1 by Jefferis Peterson <jefferis@p...> on Wed, 14 Mar 2001 10:02:54 -0500
I have a simple order form that I'm trying to make secure. I've added
htmlspecialchars() on echo html functions, but I'm trying to figure out
when in the process such protection should be added. 

For instance I have a function to check values before I process them into
a form. Do I need to protect here in the check function or only on 
output, since the check is only passing the variables:

>function check_inputs ($wholename, $email, $street, $city, $state, $zip,
>$country, $phone, $fax, $comments, $QuantityABC,  $QuantityHeadToe, 
>$QuantitySixtyandUP,  $QuantityWheelChair,  $QuantityBack, 
>$QuantityShapeUP,  $QuantityPackage,  $totalorder, $cardno, $MCVISA)
>{
>
>	if (($wholename == "" )||($email == "") )
>	{
>	echo"<html>";
>	echo"<body bgcolor=#FFFFFF text=#000000 link=#003300>";
>	echo "<hr width=75% align=center>\n";
>	echo "<center><font color=red>Please enter your name and your email
>address!</font></center>\n";
etc.

If info is valid then I process a check form:

 
>echo"<tr valign=top><td colspan=2 align=center><p><b><u>CUSTOMER
>INFORMATION</td></tr>\n";
>echo"<td align=left><p><b>NAME:</b></p></td><td
>align=left><p>" . htmlspecialchars($wholename) . "</p></td></tr>\n";
>echo"<tr valign=top>\n"; 

But I'm concerned about the mathematical calculations and then sending it
on via email:
>
>$t= 23.90;
>$pt= 107.70;
>if ($QuantityABC != 0)	
>{
>echo"<tr valign=top>\n";
>echo"<td align=left><p>ABC's Of Health</p></td><td
>align=center><p>$QuantityABC</p></td>\n";
>echo"<td align=right><p>\$ 23.90</p></td>\n";
>
>	$extended_1=sprintf("%.2f", ($t * $QuantityABC));
>	

htmlspecialchars is added for browser echo protection... 
Do I need or could I add 
>ord ($QuantityABC) 

to assure that no extraneous code is entered into the quantity number
field for the item? Or do I need to predefine the $Quantity as
ord($Quantity)?

Finally, for mail export, do I just need to add
quotemeta( ) to all fields?

>
>$mailinfo="wholename - $wholename\n email - $email \nstreet - $street\n
>city - $city\n state - $state\n zip - $zip\n country - $country\n phone -
>$phone\n fax - $fax\n comments - $comments\n  ABC Tapes = $QuantityABC  
>ABC Price = $extended_1 \n Head To Toe Tapes = $QuantityHeadToe Head To
>Toe Price = $extended_2  \n  Sixty and UP Tapes = $QuantitySixtyandUP  60
>Price = $extended_3 \n  WheelChair Tapes = $QuantityWheelChair Wheel
>Chair Price = $extended_4\n  Back Pain Tapes= $QuantityBack Back Pain
>Price = $extended_5\n  ShapeUP Areas Tapes = $QuantityShapeUP  Shape Up
>Price = $extended_6\n  Package Deal = $QuantityPackage Package Price 
>$extended_7\n Subtotal = $sub_total\n PA Tax = $extended_8\n Total 
>$totalorder\n cardno = $cardno MCVISA = $MCVISA\n";
>
>
>mail ("someaddress@x...", "Order", "$mailinfo",
>"$mailFrom");
>		 

Thanks
-- 
Jefferis Kent Peterson
www.PetersonSales.net
Flash, Web Design and Marketing 
ICQ 19112253
_______
"Happy is the person who finds wisdom, and the one who gets
understanding, for the gain from it is better than gain from silver and
its profit better than gold."  - Proverbs 3:13,14.
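As an added example (not code from the original post), here is one way to lay out the same order form so that each protection sits at the boundary it belongs to: quantities are validated into real integers when they come in, the arithmetic runs on those integers, htmlspecialchars() is applied at the point of HTML output (and as a real function call, not inside a double-quoted string), and the mail step only has to keep CR/LF out of the header argument. The $_POST field names, the price table, the tax rate and the order address are assumptions made for the illustration.

```php
<?php
// Added example, not the original poster's code. PRICE_CENTS, the 6% tax rate
// and ORDER_ADDRESS are assumptions for illustration.

const PRICE_CENTS   = ['QuantityABC' => 2390, 'QuantityPackage' => 10770];
const ORDER_ADDRESS = 'orders@example.invalid'; // placeholder address

// 1. Validate and normalise at input time. Quantities become real integers
//    here, so later arithmetic and string building never see stray characters.
function check_inputs(array $post): array
{
    $errors = [];
    $clean  = [];

    $wholename = trim($post['wholename'] ?? '');
    $email     = trim($post['email'] ?? '');
    if ($wholename === '' || $email === '') {
        $errors[] = 'Please enter your name and your email address!';
    }
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Email address is not valid.';
    }
    $clean['wholename'] = $wholename;
    $clean['email']     = $email;

    foreach (PRICE_CENTS as $field => $unused) {
        $raw = trim($post[$field] ?? '0');
        // ctype_digit() passes only 0-9: signs, decimals, letters and tags fail.
        if (!ctype_digit($raw) || strlen($raw) > 4) {
            $errors[] = "Quantity for $field must be a whole number.";
            $raw = '0';
        }
        $clean[$field] = (int) $raw;
    }
    return [$errors, $clean];
}

// 2. Arithmetic on validated integers; money is kept in cents to avoid float drift.
function order_totals(array $clean): array
{
    $lines = [];
    $subtotal = 0;
    foreach (PRICE_CENTS as $field => $cents) {
        if ($clean[$field] > 0) {
            $lines[$field] = $cents * $clean[$field];
            $subtotal += $lines[$field];
        }
    }
    $tax = (int) round($subtotal * 0.06); // assumed tax rate
    return ['lines' => $lines, 'subtotal' => $subtotal,
            'tax' => $tax, 'total' => $subtotal + $tax];
}

function money(int $cents): string
{
    return sprintf('%d.%02d', intdiv($cents, 100), $cents % 100);
}

// 3. Escape at the HTML output boundary, as a real call concatenated into the
//    markup. "htmlspecialchars($x)" inside double quotes is not a call.
function html_row(string $label, string $value): string
{
    return '<tr valign="top"><td align="left"><p>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
         . '</p></td><td align="left"><p>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
         . "</p></td></tr>\n";
}

// 4. Mail: the body is plain text, so it needs no HTML escaping, and quotemeta()
//    (a regex helper) is not the right tool. What matters is that nothing
//    user-controlled reaches the header argument with a CR or LF in it.
function build_mail(array $clean, array $totals): array
{
    $body = "wholename - {$clean['wholename']}\nemail - {$clean['email']}\n";
    foreach ($totals['lines'] as $field => $ext) {
        $body .= "$field = {$clean[$field]}  price = " . money($ext) . "\n";
    }
    $body .= 'Subtotal = ' . money($totals['subtotal']) . "\nPA Tax = " . money($totals['tax'])
           . "\nTotal = " . money($totals['total']) . "\n";
    // Card numbers are deliberately left out: they should not travel by email.
    $from = str_replace(["\r", "\n"], '', $clean['email']);
    return [ORDER_ADDRESS, 'Order', $body, 'From: ' . $from];
}

// Constructed sample request, including the kind of input validation must reject.
$sample = ['wholename' => 'Jane <b>Doe</b>', 'email' => 'jane@example.invalid',
           'QuantityABC' => '2', 'QuantityPackage' => '1<script>'];
[$errors, $clean] = check_inputs($sample);
foreach ($errors as $e) {
    echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "</p>\n";
}
$totals = order_totals($clean);
echo html_row('NAME:', $clean['wholename']);              // <b> is shown as &lt;b&gt;
echo html_row('ABC Tapes', (string) $clean['QuantityABC']);
[$to, $subject, $body, $headers] = build_mail($clean, $totals);
echo "<pre>$to\n$subject\n$headers\n" . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . "</pre>\n";
// mail($to, $subject, $body, $headers); // commented out so the sample runs offline
```

With this split, ord() is not needed on the quantity fields: once check_inputs() has cast them to int, there is nothing in $QuantityABC but a number, and the same validated value feeds both the HTML table and the mail body. The one thing the mail step still has to guard is the header argument, because the value passed as $mailFrom comes from the form.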

