Page 1 of 1

Can anyone help this newbe secure the following code?

Posted: Mon Apr 07, 2008 10:19 am
by macman1
If anyone can help teach me how to secure the following code I would be really greatful!

Code: Select all

<?php
include("global.inc.php");
$errors=0;
$error="The following errors occured while processing your form input.<ul>";
pt_register('POST','Nameasitisoncard');
pt_register('POST','BillingAddress');
pt_register('POST','City');
pt_register('POST','State');
pt_register('POST','Zip');
pt_register('POST','PhoneNumber');
pt_register('POST','EmailAddress');
pt_register('POST','VerifyEmail');
pt_register('POST','CreditCardNumber');
pt_register('POST','CreditCardType');
pt_register('POST','CCV');
pt_register('POST','ExpirationDate');
pt_register('POST','HisFirstName');
pt_register('POST','HisLastName');
pt_register('POST','HisStreetAddress');
pt_register('POST','HisCity');
pt_register('POST','HisState');
pt_register('POST','HisZip');
pt_register('POST','HisEmail');
pt_register('POST','HisPhoneNumber');
pt_register('POST','HisGrade');
pt_register('POST','HisSchool');
pt_register('POST','HerFirstName');
pt_register('POST','HerLastName');
pt_register('POST','HerStreetAddress');
pt_register('POST','HerCity');
pt_register('POST','HerState');
pt_register('POST','HerZip');
pt_register('POST','HerEmail');
pt_register('POST','HerPhoneNumber');
pt_register('POST','HerGrade');
pt_register('POST','HerSchool');
pt_register('POST','TheSupremeComboA');
pt_register('POST','TheDeluxeComboB');
pt_register('POST','TheStandardComboC');
pt_register('POST','TheSupreme');
pt_register('POST','TheDeluxe');
pt_register('POST','TheStandard');
pt_register('POST','TheEconomy');
pt_register('POST','TheBudget');
pt_register('POST','extra1');
pt_register('POST','extra2');
if($Nameasitisoncard=="" || $BillingAddress=="" || $City=="" || $State=="" || $Zip=="" || $PhoneNumber=="" || $EmailAddress=="" || $VerifyEmail=="" || $CreditCardNumber=="" || $CreditCardType=="" || $CCV=="" || $ExpirationDate=="" || $HisFirstName=="" || $HisLastName=="" || $HisStreetAddress=="" || $HisCity=="" || $HisState=="" || $HisZip=="" || $HisEmail=="" || $HisPhoneNumber=="" || $HisGrade=="" || $HisSchool=="" || $HerFirstName=="" || $HerLastName=="" || $HerStreetAddress=="" || $HerCity=="" || $HerState=="" || $HerZip=="" || $HerEmail=="" || $HerPhoneNumber=="" || $HerGrade=="" || $HerSchool=="" ){
$errors=1;
$error.="<li>You did not enter one or more of the required fields. Please go back and try again.";
}
if(!eregi("^[a-z0-9]+([_\\.-][a-z0-9]+)*" ."@"."([a-z0-9]+([\.-][a-z0-9]+)*)+"."\\.[a-z]{2,}"."$",$EmailAddress)){
$error.="<li>Invalid email address entered";
$errors=1;
}
if(!eregi("^[a-z0-9]+([_\\.-][a-z0-9]+)*" ."@"."([a-z0-9]+([\.-][a-z0-9]+)*)+"."\\.[a-z]{2,}"."$",$VerifyEmail)){
$error.="<li>Invalid email address entered";
$errors=1;
}
if(!eregi("^[a-z0-9]+([_\\.-][a-z0-9]+)*" ."@"."([a-z0-9]+([\.-][a-z0-9]+)*)+"."\\.[a-z]{2,}"."$",$HerEmail)){
$error.="<li>Invalid email address entered";
$errors=1;
}
if($errors==1) echo $error;
else{
$where_form_is="http".($HTTP_SERVER_VARS["HTTPS"]=="on"?"s":"")."://".$SERVER_NAME.strrev(strstr(strrev($PHP_SELF),"/"));
$message="Name as it is on card: ".$Nameasitisoncard."
Billing Address: ".$BillingAddress."
City: ".$City."
State: ".$State."
Zip: ".$Zip."
Phone Number: ".$PhoneNumber."
Email Address: ".$EmailAddress."
Verify Email: ".$VerifyEmail."
Credit Card Number: ".$CreditCardNumber."
Credit Card Type: ".$CreditCardType."
CCV: ".$CCV."
Expiration Date: ".$ExpirationDate."
His First Name: ".$HisFirstName."
His Last Name: ".$HisLastName."
His Street Address: ".$HisStreetAddress."
His City: ".$HisCity."
His State: ".$HisState."
His Zip: ".$HisZip."
His Email: ".$HisEmail."
His Phone Number: ".$HisPhoneNumber."
His Grade: ".$HisGrade."
His School: ".$HisSchool."
Her First Name: ".$HerFirstName."
Her Last Name: ".$HerLastName."
Her Street Address: ".$HerStreetAddress."
Her City: ".$HerCity."
Her State: ".$HerState."
Her Zip: ".$HerZip."
Her Email: ".$HerEmail."
Her Phone Number: ".$HerPhoneNumber."
Her Grade: ".$HerGrade."
Her School: ".$HerSchool."
The Supreme Combo A: ".$TheSupremeComboA."
The Deluxe Combo B: ".$TheDeluxeComboB."
The Standard Combo C: ".$TheStandardComboC."
The Supreme: ".$TheSupreme."
The Deluxe: ".$TheDeluxe."
The Standard: ".$TheStandard."
The Economy: ".$TheEconomy."
The Budget: ".$TheBudget."
extra1: ".$extra1."
extra2: ".$extra2."
";
 
$link = mysql_connect("database.net","xxxxxxxx","xxxxxxxx");
mysql_select_db("personal_touch",$link);
$query="insert into prom_pictures (Name_as_it_is_on_card,Billing_Address,City,State,Zip,Phone_Number,Email_Address,Verify_Email,Credit_Card_Number,Credit_Card_Type,CCV,Expiration_Date,His_First_Name,His_Last_Name,His_Street_Address,His_City,His_State,His_Zip,His_Email,His_Phone_Number,His_Grade,His_School,Her_First_Name,Her_Last_Name,Her_Street_Address,Her_City,Her_State,Her_Zip,Her_Email,Her_Phone_Number,Her_Grade,Her_School,The_Supreme_Combo_A,The_Deluxe_Combo_B,The_Standard_Combo_C,The_Supreme,The_Deluxe,The_Standard,The_Economy,The_Budget,extra1,extra2) values ('".$Nameasitisoncard."','".$BillingAddress."','".$City."','".$State."','".$Zip."','".$PhoneNumber."','".$EmailAddress."','".$VerifyEmail."','".$CreditCardNumber."','".$CreditCardType."','".$CCV."','".$ExpirationDate."','".$HisFirstName."','".$HisLastName."','".$HisStreetAddress."','".$HisCity."','".$HisState."','".$HisZip."','".$HisEmail."','".$HisPhoneNumber."','".$HisGrade."','".$HisSchool."','".$HerFirstName."','".$HerLastName."','".$HerStreetAddress."','".$HerCity."','".$HerState."','".$HerZip."','".$HerEmail."','".$HerPhoneNumber."','".$HerGrade."','".$HerSchool."','".$TheSupremeComboA."','".$TheDeluxeComboB."','".$TheStandardComboC."','".$TheSupreme."','".$TheDeluxe."','".$TheStandard."','".$TheEconomy."','".$TheBudget."','".$extra1."','".$extra2."')";
mysql_query($query);
 
header("Refresh: 0;url=http://www.ptps.com/fastpass/thankyou.html");
?>
also the global

Code: Select all

<?php
 
function pt_register()
{
  $num_args = func_num_args();
   $vars = array();
 
   if ($num_args >= 2) {
       $method = strtoupper(func_get_arg(0));
 
       if (($method != 'SESSION') && ($method != 'GET') && ($method != 'POST') && ($method != 'SERVER') && ($method != 'COOKIE') && ($method != 'ENV')) {
           die('The first argument of pt_register must be one of the following: GET, POST, SESSION, SERVER, COOKIE, or ENV');
     }
 
       $varname = "HTTP_{$method}_VARS";
      global ${$varname};
 
       for ($i = 1; $i < $num_args; $i++) {
           $parameter = func_get_arg($i);
 
           if (isset(${$varname}[$parameter])) {
               global $$parameter;
               $$parameter = ${$varname}[$parameter];
          }
 
       }
 
   } else {
       die('You must specify at least two arguments');
   }
 
}
 
?>