PHP Secure Form Project-Oritro Ahmed
<?php
// PHP Simple Secure Form Project- Oritro Ahmed
// 11 November, 2012
// Released Under Mozilla Public license (http://www.mozilla.org/MPL/2.0/)
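// Database connection settings, pulled in by gen_formhash() and valid_form()
// via require_once 'db.php'.
//
// SECURITY: the original hard-coded the MySQL root account with an empty
// password in this file. Each setting is now taken from the environment
// (DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE) and only falls back to the
// development default when the variable is unset, so real credentials do not
// have to live in source control. getenv() returns false for an unset
// variable, hence the explicit `!== false` test; an empty string is a valid
// (if unwise) value and is kept as-is.
$envHost = getenv('DB_HOST');
define('DB_HOST', $envHost !== false ? $envHost : 'localhost'); // Database host
$envUser = getenv('DB_USER');
define('DB_USER', $envUser !== false ? $envUser : 'root'); // Database User
$envPassword = getenv('DB_PASSWORD');
define('DB_PASSWORD', $envPassword !== false ? $envPassword : ''); // Database User Password
$envDatabase = getenv('DB_DATABASE');
define('DB_DATABASE', $envDatabase !== false ? $envDatabase : 'secureform'); // Database Name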
?>
<?php
// PHP Simple Secure Form Project- Oritro Ahmed
// 11 November, 2012
// Released Under Mozilla Public license (http://www.mozilla.org/MPL/2.0/)
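// Pull in gen_formhash(), valid_form() and clean().
include 'valid.php';
// A submission is only considered when it carries both hidden fields that
// index.php embedded: the row id and the one-time hash.
if (isset($_POST['id']) && isset($_POST['hash'])) {
    // The id ends up inside "WHERE form_id=..." in valid_form(); string
    // escaping does nothing for an unquoted integer, so it is forced to int
    // here. The hash is only compared against the stored value, so trimming
    // stray whitespace is all the normalisation it needs.
    $id = (int) $_POST['id'];
    $hash = trim((string) $_POST['hash']);
    // valid_form() returns only for a fresh, matching pair; otherwise it sets
    // $_SESSION['ERROR'], redirects to index.php and exits.
    valid_form($id, $hash);
} else {
    // Missing fields: send the visitor back to the form. The exit() matters --
    // header() does not stop the script, and without it the page below was
    // still rendered (reading undefined $_POST keys). Note that nothing sets
    // $_SESSION['ERROR'] on this path, so index.php shows no message for it.
    header("Location: index.php");
    exit();
}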
?>
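<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- utf-8 matches the utf8 collation of the form_hash table and the UTF-8
     escaping below; the original declared iso-8859-1, which agreed with neither -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>The Form Submission</title>
</head>
<body>
<!-- Below here, You can do whatever you like to Do with your Code, this is just a simple demo -->
<?php
// Everything echoed here is attacker-controlled POST data and must be escaped
// for the HTML context. The original passed it through clean(), whose last
// step is MySQL string escaping: that adds backslashes before quotes but
// leaves < > & untouched, so a submitted <script> tag was rendered verbatim.
// Missing or non-scalar fields (e.g. name[]=x) degrade to an empty string
// instead of a notice. Invalid UTF-8 also yields '' -- a fail-safe choice.
$postName = (isset($_POST['name']) && is_scalar($_POST['name'])) ? trim((string) $_POST['name']) : '';
$postText = (isset($_POST['text']) && is_scalar($_POST['text'])) ? trim((string) $_POST['text']) : '';
$safeName = htmlspecialchars($postName, ENT_QUOTES, 'UTF-8');
$safeText = htmlspecialchars($postText, ENT_QUOTES, 'UTF-8');
?>
<p> Your Name: <strong><?php echo $safeName; ?></strong> <br/>
Your MSG: <code> <?php echo $safeText; ?></code>
</p>
</body>
</html>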
-- And Here is The Database Table
-- Paste this statement into the phpMyAdmin SQL tab (or run it with the mysql client) to create the table
-- PHP Simple Secure Form Project - Oritro Ahmed
-- 11 November, 2012
-- Released Under Mozilla Public license (http://www.mozilla.org/MPL/2.0/)
CREATE TABLE IF NOT EXISTS `form_hash` (
  -- surrogate key; gen_formhash() returns it as "id" for the hidden field
  `form_id`     int(4)      NOT NULL AUTO_INCREMENT,
  -- one-time token from gen_formhash(); a 32-char md5 hex string fits in 50
  `form_hash`   varchar(50) COLLATE utf8_unicode_ci NOT NULL,
  -- 1 = issued and unused (as inserted), 0 = consumed by valid_form()
  `form_status` int(11)     NOT NULL,
  PRIMARY KEY (`form_id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci;
<?php
// PHP Simple Secure Form Project- Oritro Ahmed
// 11 November, 2012
// Released Under Mozilla Public license (http://www.mozilla.org/MPL/2.0/)
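// Pull in gen_formhash(), valid_form() and clean().
include 'valid.php';
// The session must be open BEFORE gen_formhash() runs: on a connection or
// insert failure that function writes $_SESSION['ERROR'] and then calls
// session_write_close(), which persists nothing unless a session was already
// started. The original started the session afterwards, so those messages
// were silently lost. The guard avoids a second session_start() (and its
// notice) when a front controller has already opened one.
// NOTE(review): gen_formhash() redirects to index.php on failure -- this very
// page -- so a persistent database outage redirects in a loop; breaking that
// needs the function to return the error rather than redirect.
if (session_id() === '') {
    session_start();
}
// Issue a fresh one-time (id, hash) pair for this page view; it goes into the
// hidden fields below and is accepted exactly once by valid_form() on form.php.
$data = gen_formhash();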
?>
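<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- utf-8 matches the utf8 form_hash table and the UTF-8 escaping below -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>The Form</title>
</head>
<body>
<?php
// Display any message left in the session by gen_formhash() / valid_form()
// and clear it so it shows once.
//
// Those functions store a plain string, but the original tested it with
// count(), which is meaningless on a string (PHP 8 throws a TypeError).
// Both a string and a list of strings are accepted here.
//
// The text is HTML-escaped: the messages embed mysqli_error() output, which
// can quote back parts of the failing query -- and hence of user input -- so
// it must never reach the page raw.
$errorList = array();
if (isset($_SESSION['ERROR'])) {
    $errorList = is_array($_SESSION['ERROR']) ? $_SESSION['ERROR'] : array((string) $_SESSION['ERROR']);
    unset($_SESSION['ERROR']);
}
if (count($errorList) > 0) {
    echo '<ul class="err">';
    foreach ($errorList as $errorText) {
        echo '<li>', htmlspecialchars((string) $errorText, ENT_QUOTES, 'UTF-8'), '</li>';
    }
    echo '</ul>';
}
// The hidden-field values come from gen_formhash() (an insert id and a hex
// hash), but they are escaped anyway so the attribute context can never break.
$hiddenId = htmlspecialchars((string) $data['id'], ENT_QUOTES, 'UTF-8');
$hiddenHash = htmlspecialchars((string) $data['hash'], ENT_QUOTES, 'UTF-8');
?> <br/>
<form action="form.php" method="post" enctype="application/x-www-form-urlencoded" dir="ltr" lang="en">
<input name="name" type="text" value="Your Name" size="20" maxlength="30" />
<br/>
<textarea name="text" cols="30" rows="8"></textarea>
<br/>
<!-- The row id and hash travel as hidden fields. Hidden is not secret: both are
     visible in the page source. They are a one-time replay guard, NOT a CSRF
     token -- nothing ties the pair to the visitor's session, so any client
     that can fetch index.php can obtain a valid pair and post with it. -->
<input name="id" type="hidden" value="<?php echo $hiddenId; ?>" />
<input name="hash" type="hidden" value="<?php echo $hiddenHash; ?>" />
<input name="submit" type="submit" value="Submit" />
</form>
</body>
</html>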
<?php
// PHP Simple Secure Form Project- Oritro Ahmed
// 11 November, 2012
// Released Under Mozilla Public license (http://www.mozilla.org/MPL/2.0/)
// First, define the function that generates the one-time hash
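function gen_formhash(){
// Create a fresh one-time (id, hash) pair for a form view.
//
// Inserts a row into form_hash with form_status = 1 and returns
// array("id" => <insert id>, "hash" => <32 hex chars>).
//
// On a connection or insert failure it stores a message in $_SESSION['ERROR'],
// redirects to index.php and exits, so the CALLER must have started the
// session beforehand or the message is lost. NOTE(review): index.php is the
// page that calls this, so a persistent database failure redirects in a loop.
    // Get the Database Configuration file
    require_once 'db.php';
    $link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
    // Shared failure path: record the message, release the link, bounce back.
    $abort = function ($message) use ($link) {
        if ($link) {
            mysqli_close($link);
        }
        $_SESSION['ERROR'] = $message;
        session_write_close();
        header("location: index.php");
        exit();
    };
    if (mysqli_connect_errno()) {
        $abort("Database Connection Failed :(");
    }
    // The token must be unpredictable, not merely unique: the original
    // md5(time().uniqid()) is derived from the clock alone. Use the CSPRNG
    // where the runtime has one (PHP 7+) and add mt_rand() entropy to uniqid()
    // on older runtimes. Both forms are 32 hex characters, which fits the
    // varchar(50) column.
    if (function_exists('random_bytes')) {
        $form_hash = bin2hex(random_bytes(16));
    } else {
        $form_hash = md5(uniqid(mt_rand(), true));
    }
    // Bound parameter instead of string interpolation. The hash is
    // server-generated hex, so this is defence in depth rather than a fix.
    $stmt = mysqli_prepare($link, "INSERT INTO form_hash(form_hash,form_status) VALUES (?, 1)");
    $ok = $stmt !== false
        && mysqli_stmt_bind_param($stmt, 's', $form_hash)
        && mysqli_stmt_execute($stmt);
    if (!$ok) {
        // Procedural mysqli_error() needs the link; the original passed
        // nothing, so the server message was never appended.
        $abort("SomeThing Wrong With The Database" . mysqli_error($link));
    }
    // Get the Database Insert ID
    $id = mysqli_insert_id($link);
    mysqli_stmt_close($stmt);
    mysqli_close($link);
    // Send it back
    return array("id" => $id, "hash" => $form_hash);
}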
// This function will check the form validity
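function valid_form($id,$hash){
// Consume the one-time (id, hash) pair carried by a submission.
//
// $id   : form_id of the row issued by gen_formhash(). Any value is accepted
//         and cast to int -- the original interpolated it into the query as
//         received, and string escaping does nothing for an unquoted integer.
// $hash : the hash the client sent back; compared with the stored value.
//
// Returns normally only when the row exists, the hash matches and the row was
// still unused (form_status = 1); it is then marked used (form_status = 0).
// In every other case -- connection/query failure, unknown id, wrong hash,
// already-used pair -- $_SESSION['ERROR'] is set, the visitor is redirected
// to index.php and the script exits.
//
// Changes from the original:
//  * The hash is compared with hash_equals()/=== instead of ==. Loose
//    comparison treats numeric-looking strings numerically, so a stored
//    hash such as "0e..." digits would have matched a submitted "0".
//  * The check-then-update ran as two independent statements, so two
//    concurrent submissions of one pair could both pass before either
//    marked it used. The UPDATE now requires form_status = 1 and the
//    affected-row count decides, so a pair is accepted at most once.
//  * Query values are bound parameters.
    // Start the session unless a caller already did (a second session_start()
    // raises a notice).
    if (session_id() === '') {
        session_start();
    }
    require_once 'db.php';
    $link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_DATABASE);
    // Shared failure path: record the message, release the link, bounce back.
    $abort = function ($message) use ($link) {
        if ($link) {
            mysqli_close($link);
        }
        $_SESSION['ERROR'] = $message;
        session_write_close();
        header("location: index.php");
        exit();
    };
    if (mysqli_connect_errno()) {
        $abort("Database Connection Failed :(");
    }
    $formId = (int) $id;
    $formHash = (string) $hash;
    // Fetch the hash stored for this id.
    $storedHash = null;
    $stmt = mysqli_prepare($link, "SELECT form_hash FROM form_hash WHERE form_id=?");
    $ok = $stmt !== false
        && mysqli_stmt_bind_param($stmt, 'i', $formId)
        && mysqli_stmt_execute($stmt)
        && mysqli_stmt_bind_result($stmt, $storedHash);
    if (!$ok) {
        // Procedural mysqli_error() needs the link; the original passed
        // nothing, so the server message was never appended.
        $abort("SomeThing Wrong With The Database" . mysqli_error($link));
    }
    $found = (mysqli_stmt_fetch($stmt) === true);
    mysqli_stmt_close($stmt);
    // Constant-time comparison where available (hash_equals is PHP 5.6+).
    $matches = false;
    if ($found) {
        $matches = function_exists('hash_equals')
            ? hash_equals((string) $storedHash, $formHash)
            : ((string) $storedHash === $formHash);
    }
    // Mark the pair used only if it is still unused; the affected-row count
    // tells whether this request won the race.
    $consumed = false;
    if ($matches) {
        $stmt = mysqli_prepare($link, "UPDATE form_hash SET form_status=0 WHERE form_id=? AND form_status=1");
        $ok = $stmt !== false
            && mysqli_stmt_bind_param($stmt, 'i', $formId)
            && mysqli_stmt_execute($stmt);
        if (!$ok) {
            $abort("Error:" . mysqli_error($link));
        }
        $consumed = (mysqli_stmt_affected_rows($stmt) === 1);
        mysqli_stmt_close($stmt);
    }
    mysqli_close($link);
    if (!$consumed) {
        $_SESSION['ERROR'] = "Sorry, Your Submission Wasn't Valid, Try again";
        session_write_close();
        header("location: index.php");
        exit();
    }
}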
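// clean(): normalise one untrusted request value for HTML output.
//
// Trims surrounding whitespace, undoes magic_quotes_gpc backslashes on the
// old runtimes that still add them, and HTML-escapes the result for the
// UTF-8 pages this project renders. Non-scalar input (e.g. name[]=x) yields
// ''; so does a string that is not valid UTF-8, which is the fail-safe choice.
//
// The original ended with mysqli_real_escape_string($str). In procedural
// style that function requires the connection link as its first argument, so
// the call never produced a usable string -- and MySQL escaping is the wrong
// tool for HTML in any case (it leaves < > & untouched). Values destined for
// SQL must be bound as prepared-statement parameters or cast to int; they
// should not be passed through this function.
function clean($str) {
    if (!is_scalar($str)) {
        return '';
    }
    $str = trim((string) $str);
    // get_magic_quotes_gpc() was removed in PHP 8; the guard keeps this file
    // loadable there. On 7.4 it is deprecated and always returns false.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $str = stripslashes($str);
    }
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}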
?>