
I'm a beginner in PHP. I have a problem in a form: I have to verify whether the user is sending me an address in Paris or not.

<?php
    $msg="";
    $db = mysqli_connect("localhost", "root", "", "dbname");
    if (isset($_FILES["image"]) AND !empty($_FILES['image']['name']))
    {
        $tailleMax = 3097152;
        $extensionsValides = array('jpg', 'jpeg', 'png');
        if($_FILES['image']['size'] <= $tailleMax)
        {
            // Only the file name extension is checked here, not the file contents
            $extensionUpload = strtolower(substr(strrchr($_FILES['image']['name'], '.'), 1));
            if(in_array($extensionUpload, $extensionsValides))
            {
                $newName =  uniqid(mt_rand(1, 5));
                $imageName = $newName.".".$extensionUpload;
                $chemin = "images/".$imageName;
                $resultat = move_uploaded_file($_FILES['image']['tmp_name'],$chemin);
            }else{
                $msg = "Le format doit être jpg, jpeg ou png";
            }
        }else{
            $msg = "Photo trop grande";
        }
    }
    if (isset($_POST['upload'])) {
        $image = $_FILES["image"]["name"];
        $about = $_POST["about"];
        $name = $_POST["name"];
        $adress = $_POST["adress"];
        $category = $_POST["category"];
        // lat and lng are hidden inputs filled by client-side JavaScript,
        // so the server cannot trust them without checking them
        $latitude = $_POST["lat"];
        $longitude = $_POST["lng"];
        // Paris lies near latitude 48.85, longitude 2.35: the latitude bounds (48.7 to 49)
        // are applied to $longitude here and the longitude bounds (2.2 to 2.5) to $latitude
        if($longitude > 48.7 and $longitude < 49 and $latitude > 2.2 and $latitude < 2.5){
            // $imageName is only set when an image passed the checks above;
            // the form values are interpolated into the SQL unescaped (SQL injection)
            $sql = "INSERT INTO paristable 
                                (picture, name, about, adress, category, latitude, longitude) 
                        VALUES ('$imageName', '$name', '$about', '$adress', '$category', '$latitude', '$longitude')";
            mysqli_query($db, $sql);
            $msg = "Envoi réussi";
        }else{
            $msg= "Veuillez rentrer une adresse parisienne";
        }
    }else{
        $msg= "L'envoi a échoué";
    }
?>

So I added this line:

if($longitude > 48.7 and $longitude < 49 and $latitude > 2.2 and $latitude < 2.5){

Because when the user posts the address I have a script which puts the latitude and longitude into hidden inputs. So I tried to check whether it is inside Paris or not with this line, because if the address is not in Paris, I don't want to send the data.

Today my form sends it anyway, so I guess I have an error in this line. But I couldn't find it.

And here is my script:

<script>
function showAlert(){
    var getLocation = function (address) {
        var geocoder = new google.maps.Geocoder();
        // geocode() is asynchronous: the hidden inputs are only filled when
        // this callback runs, so the form must not be submitted before then
        geocoder.geocode({
            'address': address
        }, function (results, status) {
            if (status == google.maps.GeocoderStatus.OK) {
                var latitude = results[0].geometry.location.lat();
                var longitude = results[0].geometry.location.lng();
                console.log(latitude, longitude);
                document.getElementById('lat').value = latitude;
                document.getElementById('lng').value = longitude;
            }
        });
    };
    // getLocation returns nothing; the coordinates are written by the callback above
    getLocation(document.getElementById('adress').value);
}
</script>

1 Answer

Because when the user posts the address I have a script which puts the latitude and longitude into hidden inputs. So I tried to check whether it is inside Paris or not with this line, because if the address is not in Paris, I don't want to send the data.

Now that you have the user's lat/longs, you can use Google's geocode API to get the name of the city the coordinates are in; then, if the city is Paris, you can post, or else display the error. Also use prepared statements to protect against SQL injection:

<?php
$msg = "";
$db  = mysqli_connect("localhost", "root", "", "dbname");
if (isset($_FILES["image"]) AND !empty($_FILES['image']['name'])) {
    $tailleMax         = 3097152;
    $extensionsValides = array(
        'jpg',
        'jpeg',
        'png'
    );
    if ($_FILES['image']['size'] <= $tailleMax) {
        // Checks the file name extension only, not the file contents
        $extensionUpload = strtolower(substr(strrchr($_FILES['image']['name'], '.'), 1));
        if (in_array($extensionUpload, $extensionsValides)) {
            $newName   = uniqid(mt_rand(1, 5));
            $imageName = $newName . "." . $extensionUpload;
            $chemin    = "images/" . $imageName;
            $resultat  = move_uploaded_file($_FILES['image']['tmp_name'], $chemin);
        } else {
            $msg = "Le format doit être jpg, jpeg ou png";
        }
    } else {
        $msg = "Photo trop grande";
    }
}
if (isset($_POST['upload'])) {
    $image     = $_FILES["image"]["name"];
    $about     = $_POST["about"];
    $name      = $_POST["name"];
    $adress    = $_POST["adress"];
    $category  = $_POST["category"];
    $latitude  = $_POST["lat"];
    $longitude = $_POST["lng"];

    // Reverse-geocode the coordinates server side: the hidden inputs are
    // client-controlled, so this lookup is the check that actually counts.
    // The values are URL-encoded so they cannot add extra query parameters.
    // Google's Geocoding API now requires HTTPS and an API key (key= parameter).
    $geocode = file_get_contents('http://maps.googleapis.com/maps/api/geocode/json?latlng=' . urlencode($latitude) . ',' . urlencode($longitude) . '&sensor=false');
    $output  = json_decode($geocode);

    // Find the address component whose types include "locality" (the city);
    // $cityName stays null when the lookup failed or returned no results
    $cityName = null;
    if ($output !== null && !empty($output->results)) {
        foreach ($output->results[0]->address_components as $component) {
            if (in_array("locality", $component->types)) {
                $cityName = $component->long_name;
                break;
            }
        }
    }

    if ($cityName === "Paris") {
        // $imageName is only set when an image passed the checks above
        $sql  = "INSERT INTO paristable (picture, name, about, adress, category, latitude, longitude) VALUES(?,?,?,?,?,?,?)";
        $stmt = mysqli_prepare($db, $sql);
        mysqli_stmt_bind_param($stmt, 'sssssss', $imageName, $name, $about, $adress, $category, $latitude, $longitude);

        if (mysqli_stmt_execute($stmt)) {
            $msg = "Envoi réussi";
        } else {
            // Shows the raw database error to the user; log it instead in production
            $msg = mysqli_stmt_error($stmt);
        }
    } else {
        $msg = "L'envoi a échoué";
    }
} else {
    $msg = "L'envoi a échoué";
}
?>
Masivuye Cokile
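The bounding-box check the question attempts, as an added example (not code from the question or the answer above): the lat/lng hidden fields are treated as untrusted input, parsed as numbers, and tested against the question's bounds with latitude and longitude on the correct axes. It assumes PHP 8; the function names and the French messages are my own choices.

```php
<?php
// Added example (not code from the question or the answer): server-side
// validation of the lat/lng hidden inputs. They are filled by client-side
// JavaScript, so the server must treat them as untrusted: parse them as
// numbers and apply the bounding box with the axes the right way round
// (Paris is near latitude 48.85, longitude 2.35).
declare(strict_types=1);

// Bounds from the question, with latitude and longitude on the correct axes.
// A coarse box around Paris, not the city boundary.
const PARIS_LAT_MIN = 48.7;
const PARIS_LAT_MAX = 49.0;
const PARIS_LNG_MIN = 2.2;
const PARIS_LNG_MAX = 2.5;

// Parse one coordinate field; null for a missing field, an array, "", "abc" or "48,85".
function parseCoordinate(mixed $raw): ?float
{
    $value = is_string($raw) ? filter_var(trim($raw), FILTER_VALIDATE_FLOAT) : false;
    return $value === false ? null : $value;
}

// True when the point lies inside the Paris bounding box.
function isInParisBox(float $lat, float $lng): bool
{
    return $lat >= PARIS_LAT_MIN && $lat <= PARIS_LAT_MAX
        && $lng >= PARIS_LNG_MIN && $lng <= PARIS_LNG_MAX;
}

// Returns [lat, lng] on success, or a French error message for the form.
function validateParisCoordinates(array $post): array|string
{
    $lat = parseCoordinate($post['lat'] ?? null);
    $lng = parseCoordinate($post['lng'] ?? null);
    if ($lat === null || $lng === null) {
        return "Coordonnées manquantes ou invalides";
    }
    if (!isInParisBox($lat, $lng)) {
        return "Veuillez rentrer une adresse parisienne";
    }
    return [$lat, $lng];
}

// Constructed sample inputs: Paris, Lyon, a swapped pair, and non-numbers.
var_dump(validateParisCoordinates(['lat' => '48.8566', 'lng' => '2.3522'])); // Paris
var_dump(validateParisCoordinates(['lat' => '45.7640', 'lng' => '4.8357'])); // Lyon
var_dump(validateParisCoordinates(['lat' => '2.3522', 'lng' => '48.8566'])); // lat/lng swapped
var_dump(validateParisCoordinates(['lat' => '', 'lng' => 'abc']));           // not numbers
```

Bind the returned floats with the 'd' type rather than 's' in mysqli_stmt_bind_param. The box is only a cheap pre-filter; the server-side reverse geocoding from the answer remains the authoritative test that the address is in Paris.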