Securing guestbook

Posted: Tue Sep 21, 2010 1:32 am
by clonemaster
Hi all,
I need a bit of help here..
I have a guestbook page (gasten.php) with a form, redirected to action.php, then written to gastenboek.txt.
action.php file:

Code:

<?php
//error_reporting(E_ALL);
  $amount=15;                                   // not used in action.php
  if ($_POST['action']=='write') {
    $file=fopen('gastenboek.txt','a');

    // only the message is normalised: CR stripped, LF replaced by '{{'
    $message=$_POST['message'];
    $message=str_replace("\r",'', $message);
    $message=str_replace("\n",'{{',$message);
    // the hidden 'url' field is written to the file but never checked here,
    // so the honeypot only exists in the client-side JavaScript
    fwrite($file,$_POST['name'].'|||'.$_POST['email'].'|||'.date('d-m-Y').'|||'.$_POST['url'].'|||'.$message."\n");
    fclose($file);
  }
  $start=(isset($_POST['start'])?$_POST['start']:0);   // not used in action.php
  $gastenboek=Array();
  $gastenboek=file('gastenboek.txt');                  // read but not used in action.php
  // redirect target is taken from the form's hidden 'return' field
  header('location: '.$_POST['return']);
?>
On the gasten.php page there is JavaScript validation:

Code:

<?php
//error_reporting(E_ALL);
  $amount=15;                                   // messages shown per page
  $file=fopen('gastenboek.txt','a');            // opened but never used or closed on this page
  $start=(isset($_GET['start'])?$_GET['start']:0);
  $gastenboek=Array();
  $gastenboek=file('gastenboek.txt');           // one line per entry, fields separated by '|||'
?>

<SCRIPT language="JavaScript">
  // client-side check: blocks the submit when name or message is empty,
  // and also when the hidden 'url' honeypot field has been filled in
  function validate(form)
  {
    if (form.name.value=="")
    {
      alert("Vul je naam in");
      return false;
    }
    else if (form.message.value=="")
    {
      alert("Vul je bericht in");
      return false;
    }
    else if (form.url.value=="")
    {
      return true;      // honeypot empty: allow the submit
    }
    else
    {
      return false;     // honeypot filled: block the submit
    }
  }
</SCRIPT>
</p>
<TABLE width="100%" cellspacing="0" cellpadding="0">
  <TR>
    <TD class="side"> Berichten <? echo $start+1; ?> tot en met <? echo min($start+$amount,sizeof($gastenboek)); ?>.
      <HR> <TABLE width="100%" >
        <?
        $gastenboek=array_reverse($gastenboek);   // newest entry first
        for ($i=$start;$i<$start+$amount && $i<sizeof($gastenboek);$i++) {
          list($name,$email,$date,$url,$message)=explode('|||',$gastenboek[$i]);
          $message=str_replace('{{',"\n",$message);
          // name, email and url are echoed as stored; only message goes through htmlspecialchars
          echo '<TR><TD><B>'.($email!=""?'<A href="mailto:'.$email.'">'.$name.'</A>':$name).'</B></TD><TD align="right"><B>'.$date.'</B></TD></TR>'."\n";
          echo ($url!=""?'<TR><TD colspan="2"><A href="'.$url.'" target="_blank">'.$url.'</A></TD></TR>':'')."\n";
          echo '<TR><TD colspan="2"><SPAN>'.str_replace("\n",'<BR>',htmlspecialchars($message)).'</SPAN></TD></TR>'."\n";
          echo '<TR><TD colspan="2"><HR></TD></TR>'."\n";
        }
        ?>
      </TABLE>
      <CENTER>
        <?
        if ($start>0) echo '<A href="gasten.php?start='.max(0,$start-$amount).'"><<<</A> ';
        if ($start+$amount<sizeof($gastenboek)) echo ' <A href="gasten.php?start='.($start+$amount).'">>>></A>';
        ?>   </CENTER></TD>
  </TR>
</TABLE>
<TABLE width="100%" cellspacing="0" cellpadding="0" >
  <TR>
    <TD class="side">Nieuw bericht</TD>
  </TR>
</TABLE>
<TABLE width="100%" cellspacing="0" cellpadding="0" >
  <TR>
    <TD class="side"> <TD class="side"> <FORM action="action.php" method="POST" onSubmit="return validate(this);">
        <INPUT type="hidden" name="action" value="write">
        <TABLE class="side">
          <TR>
            <TD>Naam:</TD>
            <TD><INPUT type="text" name="name" size="30"></TD>
          </TR>
          <TR>
            <TD>E-Mail:</TD>
            <TD><INPUT type="text" name="email" size="30">
              (optioneel)</TD>
          </TR>
          <TR>
            <!-- honeypot field: hidden from users by the 'antispam' style, so it should stay empty -->
            <TD><p class="antispam">Leave this empty:
              <br /><input name="url"/></p></TD>
          </TR>
          <TR>
            <TD>Bericht:</TD>
            <TD><TEXTAREA name="message" cols="50" rows="5"></TEXTAREA></TD>
          </TR>
        </TABLE>
        <INPUT type="submit" value="Verstuur" form onsubmit="document.form.name.value=''; document.form.message.value=''; ">
        <!-- the redirect target for action.php is sent along with the form -->
        <input type="hidden" name="return" value="<?php echo 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'] ?>" />
      </FORM>
    </TD>
  </TR>
</TABLE>
This isn't working as I thought.. is there a way to say in the action file:
"If the field URL is filled in, do not post the message"?
The URL field is not visible to users..
Thanks
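A server-side version of the rule asked for above, written as an added example and not code from the original post. It is a replacement for action.php that keeps the posted form field names (`name`, `email`, `url`, `message`, `action`) and the posted one-line-per-entry, `|||`-separated gastenboek.txt format, and it assumes PHP 7 or later. Besides rejecting any submission whose hidden `url` field is non-empty, it also changes two things visible in the posted code: the redirect goes to a fixed page instead of to whatever the `return` field contains, and the `|||` separator and `{{` marker are stripped from every field so a submission cannot add extra fields or entries to the file. The constants, the `rejectReason`/`formatRecord`/`storeRecord`/`h` function names and the length limits are my own choices.

```php
<?php
// Added example: action.php with the honeypot check done on the server.
// Assumes the same form fields and the same gastenboek.txt format as the posted code; PHP 7+.
declare(strict_types=1);

const GUESTBOOK_FILE = 'gastenboek.txt';
const RETURN_PAGE    = 'gasten.php';   // fixed redirect target instead of $_POST['return']
const MAX_NAME_LEN   = 60;             // chosen limits, not from the original
const MAX_MSG_LEN    = 2000;

/**
 * Returns null when the submission may be stored, otherwise a short reason.
 * The honeypot rule ("if url is filled in, do not post") lives here, so it
 * holds even when the browser never ran validate() or JavaScript is off.
 */
function rejectReason(array $post): ?string
{
    if (($post['action'] ?? '') !== 'write') {
        return 'no write action';
    }
    // Honeypot: real users never see this field, so any content means it was filled by a script.
    if (trim((string)($post['url'] ?? '')) !== '') {
        return 'honeypot filled';
    }
    $name    = trim((string)($post['name'] ?? ''));
    $message = trim((string)($post['message'] ?? ''));
    $email   = trim((string)($post['email'] ?? ''));
    if ($name === '' || $message === '') {
        return 'name or message empty';
    }
    if (strlen($name) > MAX_NAME_LEN || strlen($message) > MAX_MSG_LEN) {
        return 'field too long';
    }
    if ($email !== '' && filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'invalid e-mail';
    }
    return null;
}

/**
 * Builds the one-line record gasten.php already knows how to read:
 * name|||email|||date|||url|||message, with LF in any field stored as '{{'.
 * The '|||' separator is removed from every field so a value cannot split
 * into extra columns; the url column is always written empty.
 */
function formatRecord(array $post): string
{
    $clean = function (string $v): string {
        $v = str_replace(["\r", '|||', '{{'], '', $v);
        return str_replace("\n", '{{', $v);
    };
    $fields = [
        $clean(trim((string)($post['name'] ?? ''))),
        $clean(trim((string)($post['email'] ?? ''))),
        date('d-m-Y'),
        '',   // url column kept so existing gastenboek.txt lines and the reader stay compatible
        $clean(trim((string)($post['message'] ?? ''))),
    ];
    return implode('|||', $fields) . "\n";
}

/** Appends one record under an exclusive lock so two simultaneous posts cannot interleave. */
function storeRecord(string $file, string $record): bool
{
    return file_put_contents($file, $record, FILE_APPEND | LOCK_EX) !== false;
}

/** Escapes a stored field for HTML output; gasten.php should apply this to name, email and url as well as message. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $reason = rejectReason($_POST);
    if ($reason === null) {
        storeRecord(GUESTBOOK_FILE, formatRecord($_POST));
    } else {
        // Rejected posts are dropped without an error page; the log line makes bot traffic visible.
        error_log('guestbook submission rejected: ' . $reason);
    }
    header('Location: ' . RETURN_PAGE, true, 303);
    exit;
}
```

With this in place the JavaScript `validate()` is only a convenience for real users; the decision is made by `rejectReason()`, and a script that posts directly to action.php with the `url` field filled gets nothing stored. When gasten.php is updated to match, wrap `$name`, `$email` and `$url` in `h()` where they are echoed, not only `$message`, since all five fields come from the same untrusted form.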