validation issue and question on cookie handling

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

validation issue and question on cookie handling

Post by m3rajk »

from my code (what i think is relevant)

Code: Select all

# variables for step 4
$conf=$_POST['conf']; # confirmation code, uploaded files dealt with in processing
   # error logging
$err=NULL; $errs=array(); $warn=NULL; $warns[]=array();

# check for errors/add to db
if((isset($step))&&($step>1)){
/* checks on steps 1 2 3 and 4 */
  elseif($step==5){ # make sure the validation code is correct and "pictures" are pictures
    $validate=$_COOKIE['confcode'];
    if($conf!==$validate){
      $err=TRUE; $step=4;
      $errs[]='Your Confirmation Code did not match. Your e-mail MUST be validated to proceed.<br> You will need to resubmit your pictures as well.<br />'; 
    }

    else{ #only bother if the confcode is right
      # process the uploaded files (if any)

      if($_FILES['main']['name']){ # if they uploaded a file
	if(153600<$_FILES['main']['size']){ # make sure it isn't over 150 KB
	  $err=TRUE; $step=4; $merr=TRUE;
	  $errs[]='Your Main picture was too large. You may not upload a file over 153600 Bytes (150 KB)';
	}
	if('image/jpeg'!==$_FILES['main']['type']){ # only accept jpegs
	  $err=TRUE; $step=4; $merr=TRUE;
	  $errs[]='Your Main picture was not a JPEG. JPEG encoded files traditionally end with .jpe, .jpg, and .jpeg on windows.';
	}
	if($_FILES['main']['error'] !== (0 || 'UPLOAD_ERR_OK')){ # if there was an error
	  $err=TRUE; $step=4; $error=$_FILES['main']['error']; $merr=TRUE;
	  $errs[]='Uploading your Main Picture caused an error: '.$error;
	}
	if(!($merr)){ # if there wasn't an issue, move to the awaiting approval bin -- humans will check it's ok
	  $un=$_COOKIE['un']; $to='/var/www/html/findyourdesire/unapproved/'.$un.'.jpg';
	  move_uploaded_file($_FILES['main']['tmp'], $to);
	  $errs[]='main was uploaded sucessfully'; # incase something else went wrong
	}
      }

      if($_FILES['t1']['name']){ # if they uploaded a file
	if(153600<$_FILES['t1']['size']){ # make sure it isn't over 150 KB
	  $err=TRUE; $step=4; $t1err=TRUE;
	  $errs[]='Your 1st thumb was too large. You may not upload a file over 153600 Bytes (150 KB)';
	}
	if('image/jpeg'!==$_FILES['t1']['type']){ # only accept jpegs
	  $err=TRUE; $step=4; $t1err=TRUE;
	  $errs[]='Your 1st thumb was not a JPEG. JPEG encoded files traditionally end with .jpe, .jpg, and .jpeg on windows.';
	}
	if($_FILES['t1']['error'] !== (0 || 'UPLOAD_ERR_OK')){ # if there was an error
	  $err=TRUE; $step=4; $error=$_FILES['t1']['error']; $t1err=TRUE;
	  $errs[]='Uploading your 1st thumb caused an error: '.$error;
	}
	if(!($t1err)){ # if there wasn't an issue, move to the awaiting approval bin -- humans will check it's ok
	  $un=$_COOKIE['un']; $to='/var/www/html/findyourdesire/unapproved/t1.'.$un.'.jpg';
	  move_uploaded_file($_FILES['t1']['tmp'], $to);
	  $errs[]='thumb 1 was uploaded sucessfully'; # incase something else went wrong
	}
      }

      if($_FILES['t2']['name']){ # if they uploaded a file
	if(153600<$_FILES['t2']['size']){ # make sure it isn't over 150 KB
	  $err=TRUE; $step=4; $t2err=TRUE;
	  $errs[]='Your 2nd thumb was too large. You may not upload a file over 153600 Bytes (150 KB)';
	}
	if('image/jpeg'!==$_FILES['t2']['type']){ # only accept jpegs
	  $err=TRUE; $step=4; $t2err=TRUE;
	  $errs[]='Your 2nd thumb was not a JPEG. JPEG encoded files traditionally end with .jpe, .jpg, and .jpeg on windows.';
	}
	if($_FILES['t2']['error'] !== (0 || 'UPLOAD_ERR_OK')){ # if there was an error
	  $err=TRUE; $step=4; $error=$_FILES['t2']['error']; $t2err=TRUE;
	  $errs[]='Uploading your 2nd thumb caused an error: '.$error;
	}
	if(!($t2err)){ # if there wasn't an issue, move to the awaiting approval bin -- humans will check it's ok
	  $un=$_COOKIE['un']; $to='/var/www/html/findyourdesire/unapproved/t2.'.$un.'.jpg';
	  move_uploaded_file($_FILES['t2']['tmp'], $to);
	  $errs[]='thumb 2 was uploaded sucessfully'; # incase something else went wrong
	}
      }

      if($_FILES['t3']['name']){ # if they uploaded a file
	if(153600<$_FILES['t3']['size']){ # make sure it isn't over 150 KB
	  $err=TRUE; $step=4; $t3err=TRUE;
	  $errs[]='Your 3rd thumb was too large. You may not upload a file over 153600 Bytes (150 KB)';
	}
	if('image/jpeg'!==$_FILES['t3']['type']){ # only accept jpegs
	  $err=TRUE; $step=4; $t3err=TRUE;
	  $errs[]='Your 3rd thumb was not a JPEG. JPEG encoded files traditionally end with .jpe, .jpg, and .jpeg on windows.';
	}
	if($_FILES['t3']['error'] !== (0 || 'UPLOAD_ERR_OK')){ # if there was an error
	  $err=TRUE; $step=4; $error=$_FILES['t3']['error']; $t3err=TRUE;
	  $errs[]='Uploading your 3rd thumb caused an error: '.$error;
	}
	if(!($t3err)){ # if there wasn't an issue, move to the awaiting approval bin -- humans will check it's ok
	  $un=$_COOKIE['un']; $to='/var/www/html/findyourdesire/unapproved/t3.'.$un.'.jpg';
	  move_uploaded_file($_FILES['t3']['tmp'], $to);
	  $errs[]='thumb 3 was uploaded sucessfully'; # incase something else went wrong
	}
      }

      if($_FILES['t4']['name']){ # if they uploaded a file
	if(153600<$_FILES['t4']['size']){ # make sure it isn't over 150 KB
	  $err=TRUE; $step=4; $t4err=TRUE;
	  $errs[]='Your 4th thumb was too large. You may not upload a file over 153600 Bytes (150 KB)';
	}
	if('image/jpeg'!==$_FILES['t4']['type']){ # only accept jpegs
	  $err=TRUE; $step=4; $t4err=TRUE;
	  $errs[]='Your 4th thumb was not a JPEG. JPEG encoded files traditionally end with .jpe, .jpg, and .jpeg on windows.';
	}
	if($_FILES['t4']['error'] !== (0 || 'UPLOAD_ERR_OK')){ # if there was an error
	  $err=TRUE; $step=4; $error=$_FILES['t4']['error']; $t4err=TRUE;
	  $errs[]='Uploading your 4th thumb caused an error: '.$error;
	}
	if(!($t4err)){ # if there wasn't an issue, move to the awaiting approval bin -- humans will check it's ok
	  $un=$_COOKIE['un']; $to='/var/www/html/findyourdesire/unapproved/t4.'.$un.'.jpg';
	  move_uploaded_file($_FILES['t4']['tmp'], $to);
	  $errs[]='thumb 4 was uploaded sucessfully'; # incase something else went wrong
	}
      }

      if($_FILES['salute']['name']){ # if they uploaded a file
	if(153600<$_FILES['salute']['size']){ # make sure it isn't over 150 KB
	  $err=TRUE; $step=4; $serr=TRUE;
	  $errs[]='Your Salute picture was too large. You may not upload a file over 153600 Bytes (150 KB)';
	}
	if('image/jpeg'!==$_FILES['salute']['type']){ # only accept jpegs
	  $err=TRUE; $step=4; $serr=TRUE;
	  $errs[]='Your Salute picture was not a JPEG. JPEG encoded files traditionally end with .jpe, .jpg, and .jpeg on windows.';
	}
	if($_FILES['salute']['error'] !== (0 || 'UPLOAD_ERR_OK')){ # if there was an error
	  $err=TRUE; $step=4; $error=$_FILES['salute']['error']; $serr=TRUE;
	  $errs[]='Uploading your Salute caused an error: '.$error;
	}
	if(!($serr)){ # if there wasn't an issue, move to the awaiting approval bin -- humans will check it's ok
	  $un=$_COOKIE['un']; $to='/var/www/html/findyourdesire/unapproved/s.'.$un.'.jpg';
	  move_uploaded_file($_FILES['s']['tmp'], $to);
	  $errs[]='salute was uploaded sucessfully'; # incase something else went wrong
	}
      }
    }
  }
}

# find where we are
if(isset($step)){
  if(($step==1)&&($err)){ # an error was found in step 1
    bgnpg('no', $step); errreport($step, $errs); s1();
  }elseif($step==1){ # signup hasn't started yet
    bgnpg('yes', $step); s1();
  }elseif(($step==2)&&($err)){ # an error was found in step 2
    bgnpg('no', $step); errreport($step, $errs); s2();
  }elseif($step==2){ # we need a username, pw, and e-mail
    bgnpg('no', $step); s2();
  }elseif($step==3){ # see if they want a bio/misc interests
    bgnpg('no', $step); s3($un, $pw, $email);
  }elseif(($step==4)&&($err)){ # an error was found in step4
    bgnpg('no', $step); errreport($step, $errs); s4();
  }elseif($step==4){ # get the validation code and let them upload pics
    bgnpg('no', $step); s4();
  }elseif($step==5){ # thank them for joining
    bgnpg('no', $step); s5();
  }
}else{ # they are starting signup
  bgnpg('yes', '1'); s1();
}

#functions that make the pages
function bgnpg($cookie, $step){
  if($cookie=='yes'){ # set the cookie with the validation code
    $conf=md5(uniqid(microtime(),1)); # make unique id
    $expire=time()+60*60; # set expiration an hour from now
    setcookie(confcode, $conf, $expire); #create cookie
  }
  if($step==3){
    $un=md5($_POST['un']);
    $expire=time()+60*60; # set expiration an hour from now
    setcookie(un, $un, $expire);
  }
  ?><html>
  <head>
    <title>FindYourDesire.com Signup page -- <? echo $step; ?></title>
    <meta name="Author" content="coded by: Josh Perlmutter; images by Morgan O'Brien-Bledsow & Tamara Collette all rights reserved">
    <style type="text/css">
      <!-- this comment is for non-css compliant browsers
      {text-decoration=none}
      end of css -->
    </style>
  </head>
  <body bgcolor="#000000" text="#c8c8c8" alink="#fc00ff" vlink="#00e0c4" link="#ffffff">
    <center><p>&nbsp;</p>
      <!-- banner goes here -->
      <!-- ad bar goes here -->
 <?php
}

function errreport($step, $errs){
  if($step==1){ # report errors in step1
    foreach($errs as $err){
      echo "      <h1><font color="#ff0000">YOU MUST AGREE TO THE $err!</font></h1>";
    }
  }elseif($step==2){ # report errors in step2
    foreach($errs as $err){
      echo "      <h1><font color="#ff0000">$err</font></h1>";
    }
  }else{ # report errors of step4
    foreach($errs as $err){
      $val=$_POST['conf'];
      echo "<h1>debug line: validation code submitted: $val</h1>";
      echo "      <h1><font color="#ff0000">$err</font></h1>";
    }
  }
}

function s4(){
  ?>      <h1>THIS IS A TEST. IT DOES NOT HAVE A DATABASE CONNECTION NOR DOES IT CHECK USERNAMES. THIS LINE WILL BE REMOVED IN THE REAL ONE </h1>
      
      <p>Thank you for your interest in joining FindYourDesire.com. We need to know some things about you in order to make your profile here. Any feild in <font color="#ff0000">RED</font> is required. Any feild marked with an * is confidential and will NOT show up in your user stats. Any feild with a &#176; will not show up in your user stats, but is collected for future features. You will be notified before they are used.</p>
      <h2>NOTE: MAXIMUM PICTURE SIZE IS 150 KB</h2>
      <form enctype="multipart/form-data" action="<?php echo $_SERVER[PHP_SELF]; ?>" method="POST">
	<input type="hidden" name="step" value="5"><input type="hidden" name="MAX_FILE_SIZE" value="153600">
	<table frame="void" bgcolor="#000000" border="0" cellpadding="0" cellspacing="0" text="#c8c8c8">
	    <tr><td>Your <a name="#confcode" href="#confcode" onClick="window.open('faq.php?seek=confcode', 'faq', 'width=500,height=250,scrollbars=yes');">Confirmation Code</a></td><td><input type="text" name="conf" size="25"></td></tr>
	    <tr><td>Upload your main picture</td><td><input type="file"  accept="image/jpeg" name="main" size="25"></td></tr>
	    <tr><td>Upload Thumb 1</td><td><input type="file"  accept="image/jpeg" name="t1" size="25"></td></tr>
	    <tr><td>Upload Thumb 2</td><td><input type="file"  accept="image/jpeg" name="t2" size="25"></td></tr>
	    <tr><td>Upload Thumb 3</td><td><input type="file"  accept="image/jpeg" name="t3" size="25"></td></tr>
	    <tr><td>Upload Thumb 4</td><td><input type="file"  accept="image/jpeg" name="t4" size="25"></td></tr>
	    <tr><td>Upload your <a name="#salute" href="#salute" onClick="window.open('faq.php?seek=salute', 'faq', 'width=500,height=250,scrollbars=yes');">salute</a></td><td><input type="file"  accept="image/jpeg" name="salute" size="25"></td></tr>
	    <tr><td><input type="submit" value="Go To The Next Step"></td><td><input type="reset" value="Restart This Step"></td></tr>
	</table>
    </center>
  </body>
</html>
 <?php
}
seems that even with the code set (i had it print it out when it made it so i could copy it at one point) that it doesn't work. nothing ever validates

also, i want to mask the cookies somehow so people can't rip it from the cookie files. i'm wondering if anyone has any suggestions of how to do that. i'm thinking of using crypt() on anything (and if possible md5) before placing it in the cookie, then calling crypt on the arguments to see if they are the same, but figure it's worth it to find out what those that have more experience think.

it's not like thisis going to be overly sensitive data or anything since it's just goingto be a rateme site, but i want to make it diffcult to try to be a different user.

-Josh

code updated 6-27
Last edited by m3rajk on Fri Jun 27, 2003 9:15 am, edited 1 time in total.
User avatar
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

m3rajk wrote: also, i want to mask the cookies somehow so people can't rip it from the cookie files. i'm wondering if anyone has any suggestions of how to do that. i'm thinking of using crypt() on anything (and if possible md5) before placing it in the cookie, then calling crypt on the arguments to see if they are the same, but figure it's worth it to find out what those that have more experience think.
What are you trying to accomplish? Do you wish to prevent the user from seeing what is in the cookie? Or do you want to prevent the user from changing the values in the cookie? Or both?

To stop the user from changing the cookie you would do something like $_COOKIE["Name"]=$valueToProtect."+".MD5($valueToProtect."SERVER SECRET") when you set it. And then explode it on the '+' when you get it back and re-MD5 the value and the secret to check for tampering.

To stop the user from seeing the cookie value, you'ld have to use the mcrypt library or some other two way algorithm.

If you want both (integrity and privacy) you'ld have to use both methods, in the order listed above (MD5, then mcrypt on setting, mcrypt then MD% on reading.) NOTE: mcrypt IS NOT crypt.
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

i want to stop people from being able to modify the cookie in order to appear to the server as if they are someone else. so from what you've said it sounds like to really do that i need both. i wasn't sure how to mask it to stop people from doing that, which is why i asked that. the other thing is that when i post eh validation code into the form it doesn't validate. the cvalidation codes genereated by the unique id function have decimal points. i realized that wheni woke up this morning. i'm guessing here, but this means the browser gives the input wrong when it gives me the validation code... right?i know the cookie doesn't change because i receive it in the mail correctly
User avatar
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I don't understand most of your follow-up. However if you are only worried about stopping the user from changing the value, then you only have to use the MD5 method and not the mcrypt method. Using this method you can detect any attempt to change.
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

ok. what about the issue with passing the validation code?

right now i know the value stored in the cookie is the same as the one generated. i also know when i e-mail it it's the same as the initial generation, yet when i test the user input against the cookie it never returns true

i figure this is something in the post method's submission. so that i know for future things, can anyone tell me what and why? (this is important since i have a different place where spaces, _ and . and & are all things i want to accept)
User avatar
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

You might need to look at using urlencode, urldecode in you have characters that aren't allowed in the url.
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

ok. i'm gonna try something testing which is which if the php.net look up is as confused as orielly. they starte saying raw is %20 and then reverse...in all three places they talk aboutit in the programming book and the two places in the cookbook are contradictory!
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

arg. it wont get to step 5 or do the step four errors correctly anymore. i don't know why. i can't find why. i think i'm too close to the code to see why it wont give me the error i want (the code i supplied in step4) so that i know which encode to use

if you wanna try it: http://people.brandeis.edu/~m3rajk/JMT/ ... signup.php

if you wanna see the code: http://people.brandeis.edu/~m3rajk/JMT/ ... signup.txt

the second one misses the begining <?php
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

*bump*


HELP!!!!!!!

please
User avatar
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

I'm looking at this again, give me a few minutes, maybe I'll find something...

Note: You aren't checking if the username is already in use... this is probably a problem, but it wouldn't cause your current problem.
User avatar
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Another problem "4un" instead of "$un" in function bgnpg, step 3 branch

Hmm making the user type in a long confirmation code may be a problem, are you positive you're typing it in correctly? You might want to consider:

Saving the confirmation code into the DB, and sending the user a URL with a GET-style URL link that has the conf code embedded. Then have the user login to that page to activate the account.
User avatar
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Another thing. I've gone through the registration process twice. The email arrives with a " " (space) instead of the "+" that should be in the confirmation code. When I cut and paste the code from my browser's cookie manager I get sent back to step1. I don't receive a step 4 error, but I don't get sent to step5. Is this what happens to you?
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

nielsene wrote:I'm looking at this again, give me a few minutes, maybe I'll find something...

Note: You aren't checking if the username is already in use... this is probably a problem, but it wouldn't cause your current problem.
i'm not sure how to implement that and i want to get it registering names first, then i'm going to try to add that

also, i thinki got the 4un/$un issue already:
}elseif($step==3){ # see if they want a bio/misc interests
bgnpg('no', $step); s3($un, $pw, $email);
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

nielsene wrote:Another thing. I've gone through the registration process twice. The email arrives with a " " (space) instead of the "+" that should be in the confirmation code. When I cut and paste the code from my browser's cookie manager I get sent back to step1. I don't receive a step 4 error, but I don't get sent to step5. Is this what happens to you?
yeah. i added the debugging lines to find the difference between the code sent tot he e-mail and the code as it's taken in, and that's whant happes to me now. without that i get told the validation code doesn't work.

i'm also now sure how to use the encond() or rawencode() functions... it strikes me that if i use it on what's posted it gets encoded with the + that the form gives.

i'm thinking of parsing the validation code to change the + to a space or using the encode before storing in the cookie
User avatar
nielsene
DevNet Resident
Posts: 1834
Joined: Fri Aug 16, 2002 8:57 am
Location: Watertown, MA

Post by nielsene »

Try adding a MD5 call around the uniqid call when you first create the conf code

Code: Select all

$conf = MD5(uniqid(microtime(),1));
That should fix it up a little.
Post Reply