Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Categories

Welcome to the new platform of Programmer's Heaven! We apologize for the inconvenience caused, if you visited us from a broken link of the previous version. The main reason to move to a new platform is to provide more effective and collaborative experience to you all. Please feel free to experience the new platform and use its exciting features. Contact us for any issue that you need to get clarified. We are more than happy to help you.

Need helps ! wif my php scripts

rinkarinka Posts: 9Member
hey all ^^. currently i doing a creditcard webpage. the coding all looks fine but now the problem is i cant link the data to my database. i dunno where is my mistake, can some1 kindly check for me ? Pls !!
my table is "creditcard", the attributes are creditcardno, issuing_bank, card_type and expiry_date.

<?php

ob_start();
session_start();
include ("dbconnect.php");
include ("topbar.php");

// query command to insert record into creditcard table

$query = "INSERT INTO creditcard SET bookingID =-1, cardNumber = $creditcardno, cardType = $card_type, expire = $expiry_date";
$mysql_result = mysql_query($query, $mysql_connection);


?>



K-star KTV Pte Ltd








function validateForm()
{
var cardNumber = trimBetweenSpaces(trimBegEndSpaces(document.ccform.UMnumber.value));
var expire = trimBetweenSpaces(trimBegEndSpaces(stripOffNonDigit(document.ccform.UMexpirM.value + document.ccform.UMexpirY.value)));
}



function mod10( cardNumber ) { // LUHN Formula for validation of credit card numbers.
var ar = new Array( cardNumber.length );
var i = 0,sum = 0;


for( i = 0; i < cardNumber.length; ++i ) {
ar[i] = parseInt(cardNumber.charAt(i));
}
for( i = ar.length -2; i >= 0; i-=2 ) { // you have to start from the right, and work back.
ar[i] *= 2; // every second digit starting with the right most (check digit)
if( ar[i] > 9 ) ar[i]-=9; // will be doubled, and summed with the skipped digits.
} // if the double digit is > 9, ADD those individual digits together


for( i = 0; i < ar.length; ++i ) {
sum += ar[i]; // if the sum is divisible by 10 mod10 succeeds
}
return (((sum%10)==0)?true:false);
}


function expired( month, year ) {
var now = new Date(); // this function is designed to be Y2K compliant.
var expiresIn = new Date(year,month,0,0,0); // create an expired on date object with valid thru expiration date
expiresIn.setMonth(expiresIn.getMonth()+1); // adjust the month, to first day, hour, minute & second of expired month
if( now.getTime() < expiresIn.getTime() ) return false;
return true; // then we get the miliseconds, and do a long integer comparison
}


function validateCard(cardNumber,cardType,cardMonth,cardYear) {
if( cardNumber.length == 0 ) { //most of these checks are self explanitory
alert("Please enter a valid card number.");
document.ccform.cardNumber.focus == true;
return false;
}
for( var i = 0; i < cardNumber.length; ++i ) { // make sure the number is all digits.. (by design)
var c = cardNumber.charAt(i);


if( c < '0' || c > '9' ) {
alert("Please enter a valid card number. Use only digits. Do not use spaces or hyphens.");
document.ccform.cardNumber.focus == true;
return false;
}
}
var length = cardNumber.length; //perform card specific length and prefix tests


switch( cardType ) {
case 'a':


if( length != 15 ) {
alert("Please enter a valid American Express Card number.");
return false;
}
var prefix = parseInt( cardNumber.substring(0,2));


if( prefix != 34 && prefix != 37 ) {
alert("Please enter a valid American Express Card number.");
return false;
}
break;

case 'm':


if( length != 16 ) {
alert("Please enter a valid MasterCard number.");
return false;
}
var prefix = parseInt( cardNumber.substring(0,2));


if( prefix < 51 || prefix > 55) {
alert("Please enter a valid MasterCard number.");
return false;
}
break;
case 'v':


if( length != 16 && length != 13 ) {
alert("Please enter a valid Visa Card number.");
return false;
}
var prefix = parseInt( cardNumber.substring(0,1));


if( prefix != 4 ) {
alert("Please enter a valid Visa Card number.");
return false;
}
break;
}

if( !mod10( cardNumber ) ) { // run the check digit algorithm
alert("Sorry! this is not a valid credit card number.");
document.ccform.cardNumber.focus == true;
return false;
}

if( expired( cardMonth, cardYear ) ) { // check if entered date is already expired.
alert("Sorry! The expiration date you have entered would make this card invalid.");
document.ccform.cardNumber.focus == true;
return false;
}

function bank
else
{
alert ("Congratulations! Your credit card has been verified.");
return true;
}
}











 





 





 





 





 


  Card Type

:



-Please Select-
American Express
MasterCard
Visa

  Card Number

:

example: ( 1234567890123456 )

  Expiration Date

:



01
02
03
04
05
06
07
08
09
10
11
12


05
06
07
08
09
10
11
12
13
14
15
16
17
18
19
20


example: ( MM YY )

  Issuing Bank

:



-Please Select-
POSB
UOB
CITIBANK
DBS
OCBC

  Deposit

:

 S$10



<?php
include ("bottombar.php");
include ("dbdisconnect.php");
?>



Comments

  • daviestrachandaviestrachan Posts: 26Member
    Hi
    Two Points
    1.table is "creditcard", the attributes are creditcardno, issuing_bank, card_type and expiry_date.
    but SQL query is
    INSERT INTO creditcard SET bookingID =-1, cardNumber = $creditcardno, cardType = $card_type, expire = $expiry_date";ie SQL query does not conform to fields in table
    2. Syntax for INSERT in MySQL is
    INSERT INTO table (a,b,c) VALUES (1,2,3)

    Your query should be
    INSERT INTO creditcard(creditcardno,issuing_bank,card_type,expiry_date) VALUES ($creditcardno,$issuing_bank,$card_type,$expiry_date)

    Regards Davie

    : hey all ^^. currently i doing a creditcard webpage. the coding all looks fine but now the problem is i cant link the data to my database. i dunno where is my mistake, can some1 kindly check for me ? Pls !!
    : my table is "creditcard", the attributes are creditcardno, issuing_bank, card_type and expiry_date.
    :
    : <?php
    :
    : ob_start();
    : session_start();
    : include ("dbconnect.php");
    : include ("topbar.php");
    :
    : // query command to insert record into creditcard table
    :
    : $query = "INSERT INTO creditcard SET bookingID =-1, cardNumber = $creditcardno, cardType = $card_type, expire = $expiry_date";
    : $mysql_result = mysql_query($query, $mysql_connection);
    :
    :
    : ?>
    :
    :
    :
    : K-star KTV Pte Ltd
    :
    :
    :
    :
    :
    :
    :
    :
    : function validateForm()
    : {
    : var cardNumber = trimBetweenSpaces(trimBegEndSpaces(document.ccform.UMnumber.value));
    : var expire = trimBetweenSpaces(trimBegEndSpaces(stripOffNonDigit(document.ccform.UMexpirM.value + document.ccform.UMexpirY.value)));
    : }
    :
    :
    :
    : function mod10( cardNumber ) { // LUHN Formula for validation of credit card numbers.
    : var ar = new Array( cardNumber.length );
    : var i = 0,sum = 0;
    :
    :
    : for( i = 0; i < cardNumber.length; ++i ) {
    : ar[i] = parseInt(cardNumber.charAt(i));
    : }
    : for( i = ar.length -2; i >= 0; i-=2 ) { // you have to start from the right, and work back.
    : ar[i] *= 2; // every second digit starting with the right most (check digit)
    : if( ar[i] > 9 ) ar[i]-=9; // will be doubled, and summed with the skipped digits.
    : } // if the double digit is > 9, ADD those individual digits together
    :
    :
    : for( i = 0; i < ar.length; ++i ) {
    : sum += ar[i]; // if the sum is divisible by 10 mod10 succeeds
    : }
    : return (((sum%10)==0)?true:false);
    : }
    :
    :
    : function expired( month, year ) {
    : var now = new Date(); // this function is designed to be Y2K compliant.
    : var expiresIn = new Date(year,month,0,0,0); // create an expired on date object with valid thru expiration date
    : expiresIn.setMonth(expiresIn.getMonth()+1); // adjust the month, to first day, hour, minute & second of expired month
    : if( now.getTime() < expiresIn.getTime() ) return false;
    : return true; // then we get the miliseconds, and do a long integer comparison
    : }
    :
    :
    : function validateCard(cardNumber,cardType,cardMonth,cardYear) {
    : if( cardNumber.length == 0 ) { //most of these checks are self explanitory
    : alert("Please enter a valid card number.");
    : document.ccform.cardNumber.focus == true;
    : return false;
    : }
    : for( var i = 0; i < cardNumber.length; ++i ) { // make sure the number is all digits.. (by design)
    : var c = cardNumber.charAt(i);
    :
    :
    : if( c < '0' || c > '9' ) {
    : alert("Please enter a valid card number. Use only digits. Do not use spaces or hyphens.");
    : document.ccform.cardNumber.focus == true;
    : return false;
    : }
    : }
    : var length = cardNumber.length; //perform card specific length and prefix tests
    :
    :
    : switch( cardType ) {
    : case 'a':
    :
    :
    : if( length != 15 ) {
    : alert("Please enter a valid American Express Card number.");
    : return false;
    : }
    : var prefix = parseInt( cardNumber.substring(0,2));
    :
    :
    : if( prefix != 34 && prefix != 37 ) {
    : alert("Please enter a valid American Express Card number.");
    : return false;
    : }
    : break;
    :
    : case 'm':
    :
    :
    : if( length != 16 ) {
    : alert("Please enter a valid MasterCard number.");
    : return false;
    : }
    : var prefix = parseInt( cardNumber.substring(0,2));
    :
    :
    : if( prefix < 51 || prefix > 55) {
    : alert("Please enter a valid MasterCard number.");
    : return false;
    : }
    : break;
    : case 'v':
    :
    :
    : if( length != 16 && length != 13 ) {
    : alert("Please enter a valid Visa Card number.");
    : return false;
    : }
    : var prefix = parseInt( cardNumber.substring(0,1));
    :
    :
    : if( prefix != 4 ) {
    : alert("Please enter a valid Visa Card number.");
    : return false;
    : }
    : break;
    : }
    :
    : if( !mod10( cardNumber ) ) { // run the check digit algorithm
    : alert("Sorry! this is not a valid credit card number.");
    : document.ccform.cardNumber.focus == true;
    : return false;
    : }
    :
    : if( expired( cardMonth, cardYear ) ) { // check if entered date is already expired.
    : alert("Sorry! The expiration date you have entered would make this card invalid.");
    : document.ccform.cardNumber.focus == true;
    : return false;
    : }
    :
    : function bank
    : else
    : {
    : alert ("Congratulations! Your credit card has been verified.");
    : return true;
    : }
    : }
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :  
    :
    :
    :
    :
    :
    :  
    :
    :
    :
    :
    :
    :  
    :
    :
    :
    :
    :
    :  
    :
    :
    :
    :
    :
    :  
    :
    :
    :

      Card Type

    :


    :
    : -Please Select-
    : American Express
    : MasterCard
    : Visa
    :
    :

      Card Number

    :


    :

    example: ( 1234567890123456 )

    :

      Expiration Date

    :


    :


    :
    : 01
    : 02
    : 03
    : 04
    : 05
    : 06
    : 07
    : 08
    : 09
    : 10
    : 11
    : 12
    :
    :
    : 05
    : 06
    : 07
    : 08
    : 09
    : 10
    : 11
    : 12
    : 13
    : 14
    : 15
    : 16
    : 17
    : 18
    : 19
    : 20
    :
    :
    : example: ( MM YY )
    :

    :

      Issuing Bank

    :


    :


    :
    : -Please Select-
    : POSB
    : UOB
    : CITIBANK
    : DBS
    : OCBC
    :
    :

      Deposit

    :


    :

     S$10

    :
    :
    :
    : <?php
    : include ("bottombar.php");
    : include ("dbdisconnect.php");
    : ?>
    :
    :
    :
    :

  • Eraser9486Eraser9486 Posts: 32Member
    Also, please be more careful about security... that is very unsecure - and I only read over it for like 30 seconds..

    : Hi
    : Two Points
    : 1.table is "creditcard", the attributes are creditcardno, issuing_bank, card_type and expiry_date.
    : but SQL query is
    : INSERT INTO creditcard SET bookingID =-1, cardNumber = $creditcardno, cardType = $card_type, expire = $expiry_date";ie SQL query does not conform to fields in table
    : 2. Syntax for INSERT in MySQL is
    : INSERT INTO table (a,b,c) VALUES (1,2,3)
    :
    : Your query should be
    : INSERT INTO creditcard(creditcardno,issuing_bank,card_type,expiry_date) VALUES ($creditcardno,$issuing_bank,$card_type,$expiry_date)
    :
    : Regards Davie
    :
    : : hey all ^^. currently i doing a creditcard webpage. the coding all looks fine but now the problem is i cant link the data to my database. i dunno where is my mistake, can some1 kindly check for me ? Pls !!
    : : my table is "creditcard", the attributes are creditcardno, issuing_bank, card_type and expiry_date.
    : :
    : : <?php
    : :
    : : ob_start();
    : : session_start();
    : : include ("dbconnect.php");
    : : include ("topbar.php");
    : :
    : : // query command to insert record into creditcard table
    : :
    : : $query = "INSERT INTO creditcard SET bookingID =-1, cardNumber = $creditcardno, cardType = $card_type, expire = $expiry_date";
    : : $mysql_result = mysql_query($query, $mysql_connection);
    : :
    : :
    : : ?>
    : :
    : :
    : :
    : : K-star KTV Pte Ltd
    : :
    : :
    : :
    : :
    : :
    : :
    : :
    : :
    : : function validateForm()
    : : {
    : : var cardNumber = trimBetweenSpaces(trimBegEndSpaces(document.ccform.UMnumber.value));
    : : var expire = trimBetweenSpaces(trimBegEndSpaces(stripOffNonDigit(document.ccform.UMexpirM.value + document.ccform.UMexpirY.value)));
    : : }
    : :
    : :
    : :
    : : function mod10( cardNumber ) { // LUHN Formula for validation of credit card numbers.
    : : var ar = new Array( cardNumber.length );
    : : var i = 0,sum = 0;
    : :
    : :
    : : for( i = 0; i < cardNumber.length; ++i ) {
    : : ar[i] = parseInt(cardNumber.charAt(i));
    : : }
    : : for( i = ar.length -2; i >= 0; i-=2 ) { // you have to start from the right, and work back.
    : : ar[i] *= 2; // every second digit starting with the right most (check digit)
    : : if( ar[i] > 9 ) ar[i]-=9; // will be doubled, and summed with the skipped digits.
    : : } // if the double digit is > 9, ADD those individual digits together
    : :
    : :
    : : for( i = 0; i < ar.length; ++i ) {
    : : sum += ar[i]; // if the sum is divisible by 10 mod10 succeeds
    : : }
    : : return (((sum%10)==0)?true:false);
    : : }
    : :
    : :
    : : function expired( month, year ) {
    : : var now = new Date(); // this function is designed to be Y2K compliant.
    : : var expiresIn = new Date(year,month,0,0,0); // create an expired on date object with valid thru expiration date
    : : expiresIn.setMonth(expiresIn.getMonth()+1); // adjust the month, to first day, hour, minute & second of expired month
    : : if( now.getTime() < expiresIn.getTime() ) return false;
    : : return true; // then we get the miliseconds, and do a long integer comparison
    : : }
    : :
    : :
    : : function validateCard(cardNumber,cardType,cardMonth,cardYear) {
    : : if( cardNumber.length == 0 ) { //most of these checks are self explanitory
    : : alert("Please enter a valid card number.");
    : : document.ccform.cardNumber.focus == true;
    : : return false;
    : : }
    : : for( var i = 0; i < cardNumber.length; ++i ) { // make sure the number is all digits.. (by design)
    : : var c = cardNumber.charAt(i);
    : :
    : :
    : : if( c < '0' || c > '9' ) {
    : : alert("Please enter a valid card number. Use only digits. Do not use spaces or hyphens.");
    : : document.ccform.cardNumber.focus == true;
    : : return false;
    : : }
    : : }
    : : var length = cardNumber.length; //perform card specific length and prefix tests
    : :
    : :
    : : switch( cardType ) {
    : : case 'a':
    : :
    : :
    : : if( length != 15 ) {
    : : alert("Please enter a valid American Express Card number.");
    : : return false;
    : : }
    : : var prefix = parseInt( cardNumber.substring(0,2));
    : :
    : :
    : : if( prefix != 34 && prefix != 37 ) {
    : : alert("Please enter a valid American Express Card number.");
    : : return false;
    : : }
    : : break;
    : :
    : : case 'm':
    : :
    : :
    : : if( length != 16 ) {
    : : alert("Please enter a valid MasterCard number.");
    : : return false;
    : : }
    : : var prefix = parseInt( cardNumber.substring(0,2));
    : :
    : :
    : : if( prefix < 51 || prefix > 55) {
    : : alert("Please enter a valid MasterCard number.");
    : : return false;
    : : }
    : : break;
    : : case 'v':
    : :
    : :
    : : if( length != 16 && length != 13 ) {
    : : alert("Please enter a valid Visa Card number.");
    : : return false;
    : : }
    : : var prefix = parseInt( cardNumber.substring(0,1));
    : :
    : :
    : : if( prefix != 4 ) {
    : : alert("Please enter a valid Visa Card number.");
    : : return false;
    : : }
    : : break;
    : : }
    : :
    : : if( !mod10( cardNumber ) ) { // run the check digit algorithm
    : : alert("Sorry! this is not a valid credit card number.");
    : : document.ccform.cardNumber.focus == true;
    : : return false;
    : : }
    : :
    : : if( expired( cardMonth, cardYear ) ) { // check if entered date is already expired.
    : : alert("Sorry! The expiration date you have entered would make this card invalid.");
    : : document.ccform.cardNumber.focus == true;
    : : return false;
    : : }
    : :
    : : function bank
    : : else
    : : {
    : : alert ("Congratulations! Your credit card has been verified.");
    : : return true;
    : : }
    : : }
    : :
    : :
    : :
    : :
    : :
    : :
    : :
    : :
    : :
    : :
    : :
    : :
    : :  
    : :
    : :
    : :
    : :
    : :
    : :  
    : :
    : :
    : :
    : :
    : :
    : :  
    : :
    : :
    : :
    : :
    : :
    : :  
    : :
    : :
    : :
    : :
    : :
    : :  
    : :
    : :
    : :

      Card Type

    :


    : :
    : : -Please Select-
    : : American Express
    : : MasterCard
    : : Visa
    : :
    : :

      Card Number

    :


    : :

    example: ( 1234567890123456 )

    : :

      Expiration Date

    :


    : :


    : :
    : : 01
    : : 02
    : : 03
    : : 04
    : : 05
    : : 06
    : : 07
    : : 08
    : : 09
    : : 10
    : : 11
    : : 12
    : :
    : :
    : : 05
    : : 06
    : : 07
    : : 08
    : : 09
    : : 10
    : : 11
    : : 12
    : : 13
    : : 14
    : : 15
    : : 16
    : : 17
    : : 18
    : : 19
    : : 20
    : :
    : :
    : : example: ( MM YY )
    : :

    : :

      Issuing Bank

    :


    : :


    : :
    : : -Please Select-
    : : POSB
    : : UOB
    : : CITIBANK
    : : DBS
    : : OCBC
    : :
    : :

      Deposit

    :


    : :

     S$10

    : :
    : :
    : :
    : : <?php
    : : include ("bottombar.php");
    : : include ("dbdisconnect.php");
    : : ?>
    : :
    : :
    : :
    : :
    :
    :

  • tvientitvienti Posts: 230Member
    [b][red]This message was edited by tvienti at 2005-12-16 7:55:22[/red][/b][hr]
    [b][red]This message was edited by tvienti at 2005-12-16 7:49:37[/red][/b][hr]
    Perhaps it would be more appropriate to enlighten him as to the source of these insecurities, rather than admonishing him for them.

    Rinka, I believe he's referring to your use of input ($creditcardno, $card_type, etc...) with presumably no input validation. You don't know what those variables contain, and thus are open to a SQL injection. A short example of what this is and how to avoid it:

    [code]
    $dirty_input = $_GET['somevar']; // input from the URL
    $rows = mysql_query ("SELECT * FROM `harmless` WHERE `id` = $dirty_input" );
    [/code]

    That seems to be a harmless SELECT using somevar, passed in through the URL, to determine the ID that we're SELECTing. But somebody could use this as the value of somevar:

    [code]1; DELETE FROM `harmless`;[/code]

    Thus, when you concatenate that value into your code, your SQL query becomes:

    [code]
    SELECT * FROM `harmless` WHERE `id` = 1; DELETE FROM `harmless`;
    [/code]

    Effectively deleting your entire table. There's two methods to protect yourself from this.

    1. If the value is expected to be an integer (as in my example above), cast it to an integer. This way if it's a string, it will be converted to an integer value, removing any possible SQL injection (the attack attempt above would've reduced to '1' and ran smoothly)
    2. If the value is expected to be a string, make sure you escape any single or double quotes using built-in PHP function addslashes()

    So your code might wind up looking like this:
    [code]
    $creditcardno = (int)$creditcardno;
    $card_type = (int)$card_type;
    $expiry_date = (int)$expiry_date;

    $query = "INSERT INTO creditcard SET bookingID =-1, cardNumber = $creditcardno, cardType = $card_type, expire = $expiry_date";
    $mysql_result = mysql_query($query, $mysql_connection);
    [/code]

    A note on addslashes(). This escapes all ', ", /, and NUL characters. PHP also has functionality called magic quotes which will auto-escape data coming in through various channels, such as GPC (Get, Post, and Cookies). If your PHP is configured to have GPC magic quotes on, then your input will automatically be escaped before you get to it, thus calling addslashes will escape it yet AGAIN, producing somewhat flaky results. In essence:

    [code]
    // User submits somevar as hello "world"
    $input = $_GET['somevar']; // right now $input = hello "world"
    $input = addslashes($input); // now $input = hello \"world\"
    [/code]

    If you submit that to your DB, then hello "world" will be stored, instead of hello "world". The solution? Either know how PHP is configured and develop according to that, OR if you want your code to be less config dependant and more portable, use get_magic_quotes_gpc(), which returns true only if magic quotes for GPC is turned on.

    [code]
    // User submits somevar as hello "world"
    $input = $_GET['somevar']; // right now $input = hello "world"
    if (!get_magic_quotes_gpc())
    {
    // we'll only get to this point of GPC magic quotes
    // are turned off, thus addslashes won't duplicate
    // effort
    $input = addslashes();
    }
    [/code]


    T

    [red][b]Edit:[/b]
    In reviewing my post, I realized I should've pointed out that using the cast-to-int method is the very least you can do to keep safe, and in most situations is appropriate. But sometimes non-int values will be given in situations where it's not a hack attempt, but user error. If you cast to an int but the user enters a string, a lot of times you'll end up with a 0. If the user entered a string because they misunderstood what you were looking for, they will likely be surprised by the results if you treat their input as if they'd entered a 0.

    If the situation warrants it, you can put more effort into validating input and being graceful about it if it's not an int. In particular, you can use is_numeric to see if a value is..well.. numeric. So, something like this:

    [code]
    $input = $_GET['somevar'];
    if (is_numeric($input))
    {
    // user supplied what you expected, carry on
    }
    else
    {
    // invalid input, let the user know
    echo "I'm sorry, $input is not a valid [whatever]".
    }
    [/code]
    [/red]

    : Also, please be more careful about security... that is very unsecure - and I only read over it for like 30 seconds..
    :
    : : hey all ^^. currently i doing a creditcard webpage. the coding all looks fine but now the problem is i cant link the data to my database. i dunno where is my mistake, can some1 kindly check for me ? Pls !!
    : : my table is "creditcard", the attributes are creditcardno, issuing_bank, card_type and expiry_date.
    : :
    : : <?php
    : :
    : : ob_start();
    : : session_start();
    : : include ("dbconnect.php");
    : : include ("topbar.php");
    : :
    : : // query command to insert record into creditcard table
    : :
    : : $query = "INSERT INTO creditcard SET bookingID =-1, cardNumber = $creditcardno, cardType = $card_type, expire = $expiry_date";
    : : $mysql_result = mysql_query($query, $mysql_connection);
    : :
    : :
    : : ?>





  • daviestrachandaviestrachan Posts: 26Member
    The problem was incorrect syntax for the SQL query ,not security
    I would probably been "wiser" to say until you are more conversant with PHP/MySQL you should not be trying to write applications where security is essential ie credit card transactions
    Regards Davie
    : Two Points
    : 1.table is "creditcard", the attributes are creditcardno, issuing_bank, card_type and expiry_date.
    : but SQL query is
    : INSERT INTO creditcard SET bookingID =-1, cardNumber = $creditcardno, cardType = $card_type, expire = $expiry_date";ie SQL query does not conform to fields in table
    : 2. Syntax for INSERT in MySQL is
    : INSERT INTO table (a,b,c) VALUES (1,2,3)
    :
    : Your query should be
    : INSERT INTO creditcard(creditcardno,issuing_bank,card_type,expiry_date) VALUES ($creditcardno,$issuing_bank,$card_type,$expiry_date)
    :
    : Regards Davie
    :
  • tvientitvienti Posts: 230Member
    Also solid advice. The deplorable syntax and structure errors implies that privacy-critical applications may not be within this person's grasp. It's worth pointing out that there are a lot of open source (some free) shopping cart applications that handle these things for you. I don't know of any myself, though, so I'm not much help there =/

    T

    : The problem was incorrect syntax for the SQL query ,not security
    : I would probably been "wiser" to say until you are more conversant with PHP/MySQL you should not be trying to write applications where security is essential ie credit card transactions
    : Regards Davie
    : : Two Points
    : : 1.table is "creditcard", the attributes are creditcardno, issuing_bank, card_type and expiry_date.
    : : but SQL query is
    : : INSERT INTO creditcard SET bookingID =-1, cardNumber = $creditcardno, cardType = $card_type, expire = $expiry_date";ie SQL query does not conform to fields in table
    : : 2. Syntax for INSERT in MySQL is
    : : INSERT INTO table (a,b,c) VALUES (1,2,3)
    : :
    : : Your query should be
    : : INSERT INTO creditcard(creditcardno,issuing_bank,card_type,expiry_date) VALUES ($creditcardno,$issuing_bank,$card_type,$expiry_date)
    : :
    : : Regards Davie
    : :
    :

  • rinkarinka Posts: 9Member
    hey there. I already put this query "INSERT INTO creditcard(creditcardno,issuing_bank,card_type,expiry_date) VALUES ($creditcardno,$issuing_bank,$card_type,$expiry_date)" into my page, but it still cant work. Some more, how come when i insert the php thingy, the credit card validation all gone ? there's no validation at all and it proceed to the next page instead. Pls advice ^^

    By Rinka


    : Also, please be more careful about security... that is very unsecure - and I only read over it for like 30 seconds..
    :
    : : Hi
    : : Two Points
    : : 1.table is "creditcard", the attributes are creditcardno, issuing_bank, card_type and expiry_date.
    : : but SQL query is
    : : INSERT INTO creditcard SET bookingID =-1, cardNumber = $creditcardno, cardType = $card_type, expire = $expiry_date";ie SQL query does not conform to fields in table
    : : 2. Syntax for INSERT in MySQL is
    : : INSERT INTO table (a,b,c) VALUES (1,2,3)
    : :
    : : Your query should be
    : : INSERT INTO creditcard(creditcardno,issuing_bank,card_type,expiry_date) VALUES ($creditcardno,$issuing_bank,$card_type,$expiry_date)
    : :
    : : Regards Davie
    : :
    : : : hey all ^^. currently i doing a creditcard webpage. the coding all looks fine but now the problem is i cant link the data to my database. i dunno where is my mistake, can some1 kindly check for me ? Pls !!
    : : : my table is "creditcard", the attributes are creditcardno, issuing_bank, card_type and expiry_date.
    : : :
    : : : <?php
    : : :
    : : : ob_start();
    : : : session_start();
    : : : include ("dbconnect.php");
    : : : include ("topbar.php");
    : : :
    : : : // query command to insert record into creditcard table
    : : :
    : : : $query = "INSERT INTO creditcard SET bookingID =-1, cardNumber = $creditcardno, cardType = $card_type, expire = $expiry_date";
    : : : $mysql_result = mysql_query($query, $mysql_connection);
    : : :
    : : :
    : : : ?>
    : : :
    : : :
    : : :
    : : : K-star KTV Pte Ltd
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :
    : : : function validateForm()
    : : : {
    : : : var cardNumber = trimBetweenSpaces(trimBegEndSpaces(document.ccform.UMnumber.value));
    : : : var expire = trimBetweenSpaces(trimBegEndSpaces(stripOffNonDigit(document.ccform.UMexpirM.value + document.ccform.UMexpirY.value)));
    : : : }
    : : :
    : : :
    : : :
    : : : function mod10( cardNumber ) { // LUHN Formula for validation of credit card numbers.
    : : : var ar = new Array( cardNumber.length );
    : : : var i = 0,sum = 0;
    : : :
    : : :
    : : : for( i = 0; i < cardNumber.length; ++i ) {
    : : : ar[i] = parseInt(cardNumber.charAt(i));
    : : : }
    : : : for( i = ar.length -2; i >= 0; i-=2 ) { // you have to start from the right, and work back.
    : : : ar[i] *= 2; // every second digit starting with the right most (check digit)
    : : : if( ar[i] > 9 ) ar[i]-=9; // will be doubled, and summed with the skipped digits.
    : : : } // if the double digit is > 9, ADD those individual digits together
    : : :
    : : :
    : : : for( i = 0; i < ar.length; ++i ) {
    : : : sum += ar[i]; // if the sum is divisible by 10 mod10 succeeds
    : : : }
    : : : return (((sum%10)==0)?true:false);
    : : : }
    : : :
    : : :
    : : : function expired( month, year ) {
    : : : var now = new Date(); // this function is designed to be Y2K compliant.
    : : : var expiresIn = new Date(year,month,0,0,0); // create an expired on date object with valid thru expiration date
    : : : expiresIn.setMonth(expiresIn.getMonth()+1); // adjust the month, to first day, hour, minute & second of expired month
    : : : if( now.getTime() < expiresIn.getTime() ) return false;
    : : : return true; // then we get the miliseconds, and do a long integer comparison
    : : : }
    : : :
    : : :
    : : : function validateCard(cardNumber,cardType,cardMonth,cardYear) {
    : : : if( cardNumber.length == 0 ) { //most of these checks are self explanitory
    : : : alert("Please enter a valid card number.");
    : : : document.ccform.cardNumber.focus == true;
    : : : return false;
    : : : }
    : : : for( var i = 0; i < cardNumber.length; ++i ) { // make sure the number is all digits.. (by design)
    : : : var c = cardNumber.charAt(i);
    : : :
    : : :
    : : : if( c < '0' || c > '9' ) {
    : : : alert("Please enter a valid card number. Use only digits. Do not use spaces or hyphens.");
    : : : document.ccform.cardNumber.focus == true;
    : : : return false;
    : : : }
    : : : }
    : : : var length = cardNumber.length; //perform card specific length and prefix tests
    : : :
    : : :
    : : : switch( cardType ) {
    : : : case 'a':
    : : :
    : : :
    : : : if( length != 15 ) {
    : : : alert("Please enter a valid American Express Card number.");
    : : : return false;
    : : : }
    : : : var prefix = parseInt( cardNumber.substring(0,2));
    : : :
    : : :
    : : : if( prefix != 34 && prefix != 37 ) {
    : : : alert("Please enter a valid American Express Card number.");
    : : : return false;
    : : : }
    : : : break;
    : : :
    : : : case 'm':
    : : :
    : : :
    : : : if( length != 16 ) {
    : : : alert("Please enter a valid MasterCard number.");
    : : : return false;
    : : : }
    : : : var prefix = parseInt( cardNumber.substring(0,2));
    : : :
    : : :
    : : : if( prefix < 51 || prefix > 55) {
    : : : alert("Please enter a valid MasterCard number.");
    : : : return false;
    : : : }
    : : : break;
    : : : case 'v':
    : : :
    : : :
    : : : if( length != 16 && length != 13 ) {
    : : : alert("Please enter a valid Visa Card number.");
    : : : return false;
    : : : }
    : : : var prefix = parseInt( cardNumber.substring(0,1));
    : : :
    : : :
    : : : if( prefix != 4 ) {
    : : : alert("Please enter a valid Visa Card number.");
    : : : return false;
    : : : }
    : : : break;
    : : : }
    : : :
    : : : if( !mod10( cardNumber ) ) { // run the check digit algorithm
    : : : alert("Sorry! this is not a valid credit card number.");
    : : : document.ccform.cardNumber.focus == true;
    : : : return false;
    : : : }
    : : :
    : : : if( expired( cardMonth, cardYear ) ) { // check if entered date is already expired.
    : : : alert("Sorry! The expiration date you have entered would make this card invalid.");
    : : : document.ccform.cardNumber.focus == true;
    : : : return false;
    : : : }
    : : :
    : : : function bank
    : : : else
    : : : {
    : : : alert ("Congratulations! Your credit card has been verified.");
    : : : return true;
    : : : }
    : : : }
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :  
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :  
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :  
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :  
    : : :
    : : :
    : : :
    : : :
    : : :
    : : :  
    : : :
    : : :
    : : :

      Card Type

    :


    : : :
    : : : -Please Select-
    : : : American Express
    : : : MasterCard
    : : : Visa
    : : :
    : : :

      Card Number

    :


    : : :

    example: ( 1234567890123456 )

    : : :

      Expiration Date

    :


    : : :


    : : :
    : : : 01
    : : : 02
    : : : 03
    : : : 04
    : : : 05
    : : : 06
    : : : 07
    : : : 08
    : : : 09
    : : : 10
    : : : 11
    : : : 12
    : : :
    : : :
    : : : 05
    : : : 06
    : : : 07
    : : : 08
    : : : 09
    : : : 10
    : : : 11
    : : : 12
    : : : 13
    : : : 14
    : : : 15
    : : : 16
    : : : 17
    : : : 18
    : : : 19
    : : : 20
    : : :
    : : :
    : : : example: ( MM YY )
    : : :

    : : :

      Issuing Bank

    :


    : : :


    : : :
    : : : -Please Select-
    : : : POSB
    : : : UOB
    : : : CITIBANK
    : : : DBS
    : : : OCBC
    : : :
    : : :

      Deposit

    :


    : : :

     S$10

    : : :
    : : :
    : : :
    : : : <?php
    : : : include ("bottombar.php");
    : : : include ("dbdisconnect.php");
    : : : ?>
    : : :
    : : :
    : : :
    : : :
    : :
    : :
    :
    :



  • rinkarinka Posts: 9Member
    hey there, my coding still got problems.
    1) the variables are undefined.
    2) after adding the php coding before the java script, there's no validation. it directly proceed to next page without any validation.
    Pls advise. Tq^^

    <?php

    ob_start();
    session_start();
    include ("dbconnect.php");
    include ("topbar.php");

    // query command to insert record into creditcard table

    $card_type = $_GET['cardType'];
    if (!get_magic_quotes_gpc())
    {
    // we'll only get to this point of GPC magic quotes
    // are turned off, thus addslashes won't duplicate
    // effort
    $card_type = addslashes();
    }

    $creditcardno = $_GET['cardNumber'];
    if (!get_magic_quotes_gpc())
    {
    // we'll only get to this point of GPC magic quotes
    // are turned off, thus addslashes won't duplicate
    // effort
    $creditcardno = addslashes();
    }

    $expiry_date = $_GET['expiry'];
    if (!get_magic_quotes_gpc())
    {
    // we'll only get to this point of GPC magic quotes
    // are turned off, thus addslashes won't duplicate
    // effort
    $expiry_date = addslashes();
    }

    $mysql_result = mysql_query($query, $mysql_connection);


    ?>



    K-star KTV Pte Ltd
















     





     





     





     


















    function validateForm()
    {
    var cardNumber = trimBetweenSpaces(trimBegEndSpaces(document.ccform.UMnumber.value));
    var expire = trimBetweenSpaces(trimBegEndSpaces(stripOffNonDigit(document.ccform.UMexpirM.value + document.ccform.UMexpirY.value)));
    }



    function mod10( cardNumber ) { // LUHN Formula for validation of credit card numbers.
    var ar = new Array( cardNumber.length );
    var i = 0,sum = 0;


    for( i = 0; i < cardNumber.length; ++i ) {
    ar[i] = parseInt(cardNumber.charAt(i));
    }
    for( i = ar.length -2; i >= 0; i-=2 ) { // you have to start from the right, and work back.
    ar[i] *= 2; // every second digit starting with the right most (check digit)
    if( ar[i] > 9 ) ar[i]-=9; // will be doubled, and summed with the skipped digits.
    } // if the double digit is > 9, ADD those individual digits together


    for( i = 0; i < ar.length; ++i ) {
    sum += ar[i]; // if the sum is divisible by 10 mod10 succeeds
    }
    return (((sum%10)==0)?true:false);
    }


    function expired( month, year ) {
    var now = new Date(); // this function is designed to be Y2K compliant.
    var expiresIn = new Date(year,month,0,0,0); // create an expired on date object with valid thru expiration date
    expiresIn.setMonth(expiresIn.getMonth()+1); // adjust the month, to first day, hour, minute & second of expired month
    if( now.getTime() < expiresIn.getTime() ) return false;
    return true; // then we get the miliseconds, and do a long integer comparison
    }


    function validateCard(cardNumber,cardType,cardMonth,cardYear) {
    if( cardNumber.length == 0 ) { //most of these checks are self explanitory
    alert("Please enter a valid card number.");
    document.ccform.cardNumber.focus == true;
    return false;
    }
    for( var i = 0; i < cardNumber.length; ++i ) { // make sure the number is all digits.. (by design)
    var c = cardNumber.charAt(i);


    if( c < '0' || c > '9' ) {
    alert("Please enter a valid card number. Use only digits. Do not use spaces or hyphens.");
    document.ccform.cardNumber.focus == true;
    return false;
    }
    }
    var length = cardNumber.length; //perform card specific length and prefix tests


    switch( cardType ) {
    case 'a':


    if( length != 15 ) {
    alert("Please enter a valid American Express Card number.");
    return false;
    }
    var prefix = parseInt( cardNumber.substring(0,2));


    if( prefix != 34 && prefix != 37 ) {
    alert("Please enter a valid American Express Card number.");
    return false;
    }
    break;

    case 'm':


    if( length != 16 ) {
    alert("Please enter a valid MasterCard number.");
    return false;
    }
    var prefix = parseInt( cardNumber.substring(0,2));


    if( prefix < 51 || prefix > 55) {
    alert("Please enter a valid MasterCard number.");
    return false;
    }
    break;
    case 'v':


    if( length != 16 && length != 13 ) {
    alert("Please enter a valid Visa Card number.");
    return false;
    }
    var prefix = parseInt( cardNumber.substring(0,1));


    if( prefix != 4 ) {
    alert("Please enter a valid Visa Card number.");
    return false;
    }
    break;
    }

    if( !mod10( cardNumber ) ) { // run the check digit algorithm
    alert("Sorry! this is not a valid credit card number.");
    document.ccform.cardNumber.focus == true;
    return false;
    }

    if( expired( cardMonth, cardYear ) ) { // check if entered date is already expired.
    alert("Sorry! The expiration date you have entered would make this card invalid.");
    document.ccform.cardNumber.focus == true;
    return false;
    }

    function bank
    else
    {
    alert ("Congratulations! Your credit card has been verified.");
    return true;
    }
    }












     
    image

    image
       

      Card Type

    :



    -Please Select-
    American Express
    MasterCard
    Visa

      Card Number

    :

    example: ( 1234567890123456 )

      Expiration Date

    :



    01
    02
    03
    04
    05
    06
    07
    08
    09
    10
    11
    12


    05
    06
    07
    08
    09
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20


    example: ( MM YY )

      Issuing Bank

    :



    -Please Select-
    POSB
    UOB
    CITIBANK
    DBS
    OCBC

      Deposit

    :

     S$10















    image
    image
    image




     




    <?php
    include ("bottombar.php");
    include ("dbdisconnect.php");
    ?>



  • rinkarinka Posts: 9Member
    Need help urgently. Pls assist. TQ


    : hey there, my coding still got problems.
    : 1) the variables are undefined.
    : 2) after adding the php coding before the java script, there's no validation. it directly proceed to next page without any validation.
    : Pls advise. Tq^^
    :
    : <?php
    :
    : ob_start();
    : session_start();
    : include ("dbconnect.php");
    : include ("topbar.php");
    :
    : // query command to insert record into creditcard table
    :
    : $card_type = $_GET['cardType'];
    : if (!get_magic_quotes_gpc())
    : {
    : // we'll only get to this point of GPC magic quotes
    : // are turned off, thus addslashes won't duplicate
    : // effort
    : $card_type = addslashes();
    : }
    :
    : $creditcardno = $_GET['cardNumber'];
    : if (!get_magic_quotes_gpc())
    : {
    : // we'll only get to this point of GPC magic quotes
    : // are turned off, thus addslashes won't duplicate
    : // effort
    : $creditcardno = addslashes();
    : }
    :
    : $expiry_date = $_GET['expiry'];
    : if (!get_magic_quotes_gpc())
    : {
    : // we'll only get to this point of GPC magic quotes
    : // are turned off, thus addslashes won't duplicate
    : // effort
    : $expiry_date = addslashes();
    : }
    :
    : $mysql_result = mysql_query($query, $mysql_connection);
    :
    :
    : ?>
    :
    :
    :
    : K-star KTV Pte Ltd
    :
    :
    :
    :
    :
    :
    :
    :
    :

    :
    :
    :
    :
    :
    :
    :
    :
    :  
    :
    :
    :
    :
    :
    :  
    :
    :
    :
    :
    :
    :  
    :
    :
    :
    :
    :
    :  
    :
    :
    :

    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    : function validateForm()
    : {
    : var cardNumber = trimBetweenSpaces(trimBegEndSpaces(document.ccform.UMnumber.value));
    : var expire = trimBetweenSpaces(trimBegEndSpaces(stripOffNonDigit(document.ccform.UMexpirM.value + document.ccform.UMexpirY.value)));
    : }
    :
    :
    :
    : function mod10( cardNumber ) { // LUHN Formula for validation of credit card numbers.
    : var ar = new Array( cardNumber.length );
    : var i = 0,sum = 0;
    :
    :
    : for( i = 0; i < cardNumber.length; ++i ) {
    : ar[i] = parseInt(cardNumber.charAt(i));
    : }
    : for( i = ar.length -2; i >= 0; i-=2 ) { // you have to start from the right, and work back.
    : ar[i] *= 2; // every second digit starting with the right most (check digit)
    : if( ar[i] > 9 ) ar[i]-=9; // will be doubled, and summed with the skipped digits.
    : } // if the double digit is > 9, ADD those individual digits together
    :
    :
    : for( i = 0; i < ar.length; ++i ) {
    : sum += ar[i]; // if the sum is divisible by 10 mod10 succeeds
    : }
    : return (((sum%10)==0)?true:false);
    : }
    :
    :
    : function expired( month, year ) {
    : var now = new Date(); // this function is designed to be Y2K compliant.
    : var expiresIn = new Date(year,month,0,0,0); // create an expired on date object with valid thru expiration date
    : expiresIn.setMonth(expiresIn.getMonth()+1); // adjust the month, to first day, hour, minute & second of expired month
    : if( now.getTime() < expiresIn.getTime() ) return false;
    : return true; // then we get the miliseconds, and do a long integer comparison
    : }
    :
    :
    : function validateCard(cardNumber,cardType,cardMonth,cardYear) {
    : if( cardNumber.length == 0 ) { //most of these checks are self explanitory
    : alert("Please enter a valid card number.");
    : document.ccform.cardNumber.focus == true;
    : return false;
    : }
    : for( var i = 0; i < cardNumber.length; ++i ) { // make sure the number is all digits.. (by design)
    : var c = cardNumber.charAt(i);
    :
    :
    : if( c < '0' || c > '9' ) {
    : alert("Please enter a valid card number. Use only digits. Do not use spaces or hyphens.");
    : document.ccform.cardNumber.focus == true;
    : return false;
    : }
    : }
    : var length = cardNumber.length; //perform card specific length and prefix tests
    :
    :
    : switch( cardType ) {
    : case 'a':
    :
    :
    : if( length != 15 ) {
    : alert("Please enter a valid American Express Card number.");
    : return false;
    : }
    : var prefix = parseInt( cardNumber.substring(0,2));
    :
    :
    : if( prefix != 34 && prefix != 37 ) {
    : alert("Please enter a valid American Express Card number.");
    : return false;
    : }
    : break;
    :
    : case 'm':
    :
    :
    : if( length != 16 ) {
    : alert("Please enter a valid MasterCard number.");
    : return false;
    : }
    : var prefix = parseInt( cardNumber.substring(0,2));
    :
    :
    : if( prefix < 51 || prefix > 55) {
    : alert("Please enter a valid MasterCard number.");
    : return false;
    : }
    : break;
    : case 'v':
    :
    :
    : if( length != 16 && length != 13 ) {
    : alert("Please enter a valid Visa Card number.");
    : return false;
    : }
    : var prefix = parseInt( cardNumber.substring(0,1));
    :
    :
    : if( prefix != 4 ) {
    : alert("Please enter a valid Visa Card number.");
    : return false;
    : }
    : break;
    : }
    :
    : if( !mod10( cardNumber ) ) { // run the check digit algorithm
    : alert("Sorry! this is not a valid credit card number.");
    : document.ccform.cardNumber.focus == true;
    : return false;
    : }
    :
    : if( expired( cardMonth, cardYear ) ) { // check if entered date is already expired.
    : alert("Sorry! The expiration date you have entered would make this card invalid.");
    : document.ccform.cardNumber.focus == true;
    : return false;
    : }
    :
    : function bank
    : else
    : {
    : alert ("Congratulations! Your credit card has been verified.");
    : return true;
    : }
    : }
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :  
    image

    :
    image
       

      Card Type

    :


    :
    : -Please Select-
    : American Express
    : MasterCard
    : Visa
    :
    :

      Card Number

    :


    :

    example: ( 1234567890123456 )

    :

      Expiration Date

    :


    :


    :
    : 01
    : 02
    : 03
    : 04
    : 05
    : 06
    : 07
    : 08
    : 09
    : 10
    : 11
    : 12
    :
    :
    : 05
    : 06
    : 07
    : 08
    : 09
    : 10
    : 11
    : 12
    : 13
    : 14
    : 15
    : 16
    : 17
    : 18
    : 19
    : 20
    :
    :
    : example: ( MM YY )
    :

    :

      Issuing Bank

    :


    :


    :
    : -Please Select-
    : POSB
    : UOB
    : CITIBANK
    : DBS
    : OCBC
    :
    :

      Deposit

    :


    :

     S$10

    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    :
    image
    image
    image
    :
    :
    :
    :

    :  
    :
    :
    :
    :
    : <?php
    : include ("bottombar.php");
    : include ("dbdisconnect.php");
    : ?>
    :
    :
    :
    :

Sign In or Register to comment.