elijahkan14 Posted February 14, 2014 Share Posted February 14, 2014 (edited) The following code is what my team uses on our site to allow members to sign up for an account. The person that wrote it is no longer with us. One of the I'm having is im getting people with usernames like ""; show tables; --". I would like to disallow every character except a-z, numbers, _ , and -. Is this possible? The second problem I'm having is that users are no longer able to sign up... they get the error: Warning: mysqli_connect() [function.mysqli-connect]: (HY000/2002): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) in /home4/teamct/public_html/join/join-request.php on line 49 It failed. The other problem that existed while the registration still worked is that if the username already existed they get: Fatal error: Call to undefined function mysqli_exit() in /home4/teamct/public_html/join/join-request.php on line 63 If I delete line 63 then the page refreshes without informing the user that anything went wrong. I would like it to say something like "Sorry that username already exists. I have attached the entire join-request file (with usernames/passwords changed for security) Any help would be appreciated, let me know if you need anything else. UPDATE: The registration randomly works again O_o join-request.php Edited February 14, 2014 by elijahkan14 Quote Link to comment Share on other sites More sharing options...
Ch0cu3r Posted February 15, 2014 Share Posted February 15, 2014 (edited) One of the I'm having is im getting people with usernames like ""; show tables; --". Seems like someone is trying to find an vulnerability in you code to perform SQL Injection. mysqli_real_escape_string is what is helping to prevent such attacks. A better aproach would be to use mysqli prepared statements I would like to disallow every character except a-z, numbers, _ , and -. Is this possible? Currently you are allowing any input for the username, including nothing at all. This is because you are not validating the username. if you want to only allow letters, numbers, underscores and hyphens then use the following regex if(preg_match('~[^\w-]+~i', $username)) { echo 'You have invalid characters in your username. Please only use letters, numbers, underscores or hypens'; } The second problem I'm having is that users are no longer able to sign up... they get the error: Warning: mysqli_connect() [function.mysqli-connect]: (HY000/2002): Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2) in /home4/teamct/public_html/join/join-request.php on line 49 It failed. Not sure on linux sockets. But the first thing I think of is to make sure that MySQL is running, and your mysql credentials are correct. he other problem that existed while the registration still worked is that if the username already existed they get: Fatal error: Call to undefined function mysqli_exit() in /home4/teamct/public_html/join/join-request.php on line 63 That is because there isn't a mysqli_exit() function. Maybe you meant to use mysqli_close I would like it to say something like "Sorry that username already exists. You are saving the error message to the $_SESSION and then redirecting to site.com/join/. You will have to echo $_SESSION['ERROR1'] to display the error on that page. Edited February 15, 2014 by Ch0cu3r Quote Link to comment Share on other sites More sharing options...
elijahkan14 Posted February 18, 2014 Author Share Posted February 18, 2014 Alright I got it working, thanks! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.