Sunday 26 February 2017

php - How to protect $_POST and params from hackers

I'm using this with html2canvas.js to generate and save images from HTML.




I use URL params to make this work - e.g.: website.com/?price=10&name=xxx

All OK until here - the script works fine - images are saved in /cart/ dir



<?php
// All three fields come straight from the request and are used unvalidated below.
$image = $_POST['image'];
$username = $_POST['username'];
$front_class = $_POST['front_class'];
$decoded = base64_decode(str_replace('data:image/png;base64,', '', $image));
$date = date('d-M-Y-h-i-a', time());

$curdir = getcwd();
$cartDir = $curdir ."/cart";
// $username becomes a directory name; $front_class becomes part of the file name.
$userDir = $cartDir.'/'.$username;
if (!file_exists($userDir)) {
    mkdir($cartDir.'/'.$username, 0777);
}
$name = $front_class."-front-".$date.".png";
$full_path = $userDir.'/'.$name;
$name1 = 'cart/'.$username.'/'.$name;

function ImageFillAlpha($image, $color) {
    imagefilledrectangle($image, 0, 0, imagesx($image), imagesy($image), $color);
}

function imageCreateCorners($sourceImageFile, $name, $radius) {
    // ...
}

// The decoded bytes are written to disk without checking that they are a PNG.
file_put_contents($full_path, $decoded);
imageCreateCorners($full_path, $name, 25);
echo 'front';
?>



And the js



html2canvas($('#front'), {
    "logging": true,
    //"proxy":"html2canvasproxy.php",
    "onrendered": function(canvas){
        var dataURL = canvas.toDataURL("image/png");
        $.post('image_front.php',{
            image: dataURL,
            username: username,
            front_class: frontClass
        },function(data){
            $('.imageHolder_front').html(data);
        });
    }
});


The problem is that someone hacked me twice yesterday through this, and I need to protect the $_POST. Or can the params be the problem?




Any help here please? I'm not really good with backend development - more with frontend.



Thanks.
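
A hardened variant of the handler in the question, as an added example that is not part of the original post: it allow-lists the two name fields, decodes the image strictly, re-encodes it with GD, and lets the server pick the file name. The helper names (safe_component, decode_png, handle_upload), the 32-character and 2 MB limits and the 0750 mode are assumptions; the rounded-corner step is left out because its body is not shown in the post.

```php
<?php
// Added example: hardened variant of the upload handler. Assumptions are marked.
declare(strict_types=1);

const CART_DIR  = __DIR__ . '/cart';   // same /cart/ directory as in the post
const MAX_BYTES = 2 * 1024 * 1024;     // assumed upper bound on the decoded image

// Accept a field only if it matches a strict allow-list, so it cannot carry
// slashes, dots, NUL bytes or a file extension into the path.
function safe_component($value, int $maxLen): ?string {
    if (!is_string($value)) return null;
    return preg_match('/\A[A-Za-z0-9_-]{1,' . $maxLen . '}\z/', $value) === 1 ? $value : null;
}

// Decode the data URL and return freshly re-encoded PNG bytes, or null if invalid.
function decode_png($dataUrl): ?string {
    $prefix = 'data:image/png;base64,';
    if (!is_string($dataUrl) || strncmp($dataUrl, $prefix, strlen($prefix)) !== 0) return null;
    $raw = base64_decode(substr($dataUrl, strlen($prefix)), true); // strict alphabet
    if ($raw === false || strlen($raw) > MAX_BYTES) return null;
    $img = @imagecreatefromstring($raw);   // must parse as an image
    if ($img === false) return null;
    // Re-encode so only pixel data reaches disk, never the submitted bytes.
    imagesavealpha($img, true);
    ob_start();
    imagepng($img);
    return ob_get_clean() ?: null;
}

function handle_upload(array $post): int {
    $username   = safe_component($post['username'] ?? null, 32);
    $frontClass = safe_component($post['front_class'] ?? null, 32);
    $png        = decode_png($post['image'] ?? null);
    if ($username === null || $frontClass === null || $png === null) return 400;

    $userDir = CART_DIR . '/' . $username;
    if (!is_dir($userDir) && !mkdir($userDir, 0750, true)) return 500;
    // The server builds the file name and the extension is always .png.
    $name = $frontClass . '-front-' . date('d-M-Y-h-i-a') . '-' . bin2hex(random_bytes(4)) . '.png';
    return file_put_contents($userDir . '/' . $name, $png, LOCK_EX) !== false ? 200 : 500;
}

if (PHP_SAPI !== 'cli') {
    $code = handle_upload($_POST);
    http_response_code($code);
    if ($code === 200) echo 'front';
}
```

Where the site has authenticated sessions, the user name is better taken from the session than from the request, and the /cart/ directory should be served as static files only.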
