
sql injections...


ardyandkari


trying to teach myself how to prevent sql injections.

found lots of info online, but am unsure as to how to go about it.

 

here is a sample of my code:

<?php
session_start();
include "dbconnect.php";   // opens the MySQL connection that mysql_real_escape_string() needs

if (isset($_POST['user']) && isset($_POST['pass'])) {   // both fields are needed for a login, so && rather than ||
    $user = mysql_real_escape_string($_POST['user']);   //this line...
    $pass = mysql_real_escape_string($_POST['pass']);   //and this line are what i have changed...

    $sql = "SELECT * FROM login WHERE username='$user' and password='$pass'";
    $result = mysql_query($sql) or die ("Error in query" . mysql_error()); // this will throw an error if there is one in the sql
    // ... the login check continues from $result
}
?>

 

it goes on, but that is the basics of what i am trying to do.

is this correct? would that sanitize my inputs enough to make the site secure?

 

this will hopefully be a forum in the end...just a project that will hopefully teach me a lot about php and sql.

until then, i want to make sure that i am learning the correct and safe way to do things and am not starting out with bad habits.

thanks a lot and i am sure that i will have many more questions and hopefully will learn something with this project.


That should cover you for the most part.

 

Pull apart some XSS filters and look into how they deal with input sanitizing. I'd point you to the CodeIgniter Framework and their XSS Filter as a place to start. It's huge.


Actually mysql_real_escape_string() is the best and easiest way to prevent injection, but it all depends on the case. In yours, you're ok as long as the input doesn't contain characters which can break the sql query. In other cases you should consider other types of validation. E.g. in a forum post or comment, a good way to sanitize input from xss is htmlentities(). Or when having a get id=10 a good way is to intval() it or check if is_numeric(). The scenarios are infinite, but the ways to prevent attacks revolve around mostly the same methods. One thing though, a good practice is to hash passwords using md5() or preferably sha1().

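An added example, not code from the thread: the same login lookup as the first post, written with a prepared statement so the SQL text is fixed and the values travel separately, plus the "id=10" case from the reply above bound as an integer. It assumes current PHP with the pdo_sqlite extension; an in-memory SQLite database stands in for the MySQL connection from dbconnect.php.

```php
<?php
// Added example, not code from the thread. The same login lookup as the first
// post, done with a prepared statement: the SQL text is fixed and the values
// are sent separately, so quotes in the input are data and need no escaping.
// Assumes current PHP with the pdo_sqlite extension; an in-memory SQLite
// database stands in for the MySQL connection from dbconnect.php, and the
// password column is compared as stored, exactly as the original query does.

function findUser(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare(
        'SELECT * FROM login WHERE username = :user AND password = :pass'
    );
    $stmt->execute([':user' => $user, ':pass' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The "?id=10" case from the reply above: that value is not inside quotes in
// the SQL, so quote escaping cannot protect it. Validate it as a plain
// integer and bind it with PDO::PARAM_INT.
function findPostById(PDO $pdo, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;                 // reject anything that is not digits only
    }
    $stmt = $pdo->prepare('SELECT * FROM posts WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (username TEXT, password TEXT)');
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)');
$pdo->prepare('INSERT INTO login VALUES (?, ?)')->execute(['ardy', 'secret']);
$pdo->prepare('INSERT INTO posts (body) VALUES (?)')->execute(['first post']);

var_dump(findUser($pdo, 'ardy', 'secret') !== null);    // correct credentials
var_dump(findUser($pdo, "ardy'", 'secret') !== null);   // the quote is just part of an unknown username
var_dump(findPostById($pdo, '1') !== null);             // valid id
var_dump(findPostById($pdo, '1 x'));                    // rejected before any SQL runs
```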

continuing on this forum idea, and not wanting to clutter up the forum with repeat threads, i have been doing some work. 

 

here is the code i have for a user sign up system:

<?php
if ((!isset($_POST[name]) || ($_POST[user]) || ($_POST[email]) || ($_POST[pass]))) {
echo "<div align='center'>ALL FIELDS MUST BE FILLED IN</div><br><br>";
include 'includes/signup.php';	}

else {
$name = htmlentities($_POST[name]);
$user = htmlentities($_POST[user]);
$email = htmlentities($_POST[email]);
$pass = MD5($_POST[pass]);
echo "$name<br>$user<br>$email<br>$pass";}	
?>

very basic.  just a name, username, email and password...but i can't seem to get it to work.  it only echoes anything if i have nothing in the fields of the form...very confused, because i thought that the !isset would prevent that...what have i done wrong here?  i know it will be something stupid, but i am lost and don't know what to do.

 

working on this in steps, have a login system, now working on the signup...i appreciate all of the help from everyone.

thanks


You've used only htmlentities() to clean post data and that's fine to prevent xss, but quotes or double quotes will still break your query. Add ENT_QUOTES as a second parameter to htmlentities() or even better add mysql_real_escape_string, so it will look like:

 

htmlentities(mysql_real_escape_string($_POST['name']));

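An added example (not from the thread) that keeps the two escaping jobs from the reply above apart: the database gets the raw value through a bound parameter, and HTML encoding with ENT_QUOTES happens only where the value is printed, so nothing is stored double-encoded. It assumes current PHP with pdo_sqlite and a users table that mirrors the signup form.

```php
<?php
// Added example, not code from the thread. Separates the two concerns:
// the database receives the raw value through a bound parameter, and the
// HTML encoding happens once, at output time, with ENT_QUOTES so single
// quotes are covered too. Assumes current PHP with the pdo_sqlite extension.

function h(string $s): string
{
    // htmlspecialchars covers the HTML-significant characters; ENT_QUOTES
    // additionally turns ' into &#039; (the default flags before PHP 8.1 did not).
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function saveSignup(PDO $pdo, string $name, string $user, string $email): void
{
    $stmt = $pdo->prepare('INSERT INTO users (name, username, email) VALUES (?, ?, ?)');
    $stmt->execute([$name, $user, $email]);   // raw values; the driver handles quoting
}

function renderWelcome(PDO $pdo, string $user): string
{
    $stmt = $pdo->prepare('SELECT name, username FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>no such user</p>';
    }
    // Encode for the HTML context exactly where the value is printed.
    return '<p>Welcome ' . h($row['name']) . ' (' . h($row['username']) . ')</p>';
}

// Constructed sample database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, username TEXT, email TEXT)');

// Constructed input: a name containing a quote and an HTML tag, as a forum user might type.
saveSignup($pdo, "O'Brien <b>bold</b>", 'obrien', 'obrien@example.com');

// The stored value is exactly what was typed (no entities in the database) ...
var_dump($pdo->query('SELECT name FROM users')->fetchColumn());
// ... and the rendered page has the quote and the tag encoded.
echo renderWelcome($pdo, 'obrien'), "\n";
```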

great info guiltygear, thanks a lot.  will definitely use that.

 

i am still having the problem of the script not working...i will post it online on a misc. test server located here:

http://www.minnesotamomandpop.com/testforum/forum/usrsignup.php

 

when you fill in the form, nothing happens.  when you just click submit, nothing happens.  very confused.

 

again, thanks a lot for everything.


usrsignup.php:

<?php
if ((!isset($_POST[name]) || ($_POST[user]) || ($_POST[email]) || ($_POST[pass]))) {
echo "<div align='center'>ALL FIELDS MUST BE FILLED IN</div><br><br>";
include 'includes/signup.php';	}

else {
$name = htmlentities($_POST[name]);
$user = htmlentities($_POST[user]);
$email = htmlentities($_POST[email]);
$pass = MD5($_POST[pass]);
echo "$name<br>$user<br>$email<br>$pass";}	
?>

 

includes/signup.php:

<form name="signup" method="post" action="usrsignup.php">
  <table width="250" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <th scope="col">USER SIGNUP </th>
    </tr>
    <tr>
      <td> </td>
    </tr>
    <tr>
      <td>Name: 
      <input name="name" type="text" id="name"></td>
    </tr>
    <tr>
      <td>Username: 
      <input name="user" type="text" id="user"></td>
    </tr>
    <tr>
      <td>Password: 
      <input name="pass" type="password" id="pass"></td>
    </tr>
    <tr>
      <td>Email: 
      <input name="email" type="text" id="email"></td>
    </tr>
    <tr>
      <td><div align="center">
        <input type="submit" name="Submit" value="Submit">
      </div></td>
    </tr>
  </table>
</form>


<?php
if (!isset($_POST['name']) || !isset($_POST['user']) || empty($_POST['email']) || empty($_POST['pass'])) {
echo "<div align='center'>ALL FIELDS MUST BE FILLED IN</div><br><br>";
include ('includes/signup.php');	}

else {
$name = strip_tags($_POST['name']);
$user = strip_tags($_POST['user']);
$email = $_POST['email'];
$pass = MD5($_POST['pass']);
echo "$name<br>$user<br>$email<br>$pass";}	
?>


when i input info into the form and click submit, it is as if i don't input anything. visit the example site i have posted above to see.

 

Try darkfreaks's code, it should work. You had written array indexes without quotes, so that should have caused the problem.


wow...sorry darkfreak, i must have skipped over your code....works great now. 

 

now, i have a question about the code:

if (!isset($_POST['name']) || !isset($_POST['user']) || empty($_POST['email']) || empty($_POST['pass']))

 

what is the difference between !isset and empty?  i thought that !isset checked to see if the fields were empty...am i wrong?

 

EDIT---

also, now i want to be able to make the "all fields required" portion come up only after they don't input them.

i added session_start() to the top and $_SESSION[signupAttempts] = 0.  how would i have the script add a signup attempt?


isset() will return true if the variable exists, being it empty or not. empty() will return true only if the variable is empty. Consider the following:

 

<?php
$str = '123';
echo isset($str); //will return 1
echo empty($str); //will return nothing (meaning false)
?>

 

For the "all required" and "signup attempts":

<?php
session_start();
if (isset($_POST['name'])) {   // the form was submitted
    // any one missing field is enough to reject the submission
    if (empty($_POST['name']) or empty($_POST['user']) or empty($_POST['email']) or empty($_POST['pass'])) {
        echo 'All fields are required';
    } else {
        // start at 0 on the first attempt, then add one for this attempt
        $signupAttempts = isset($_SESSION['signupattempts']) ? $_SESSION['signupattempts'] : 0;
        $signupAttempts++;
        $_SESSION['signupattempts'] = $signupAttempts;
    }
}
?>


ok never mind.

 

google helped me.  STUPID ARDY!

 

anyways, here is the code now:

<?php
session_start();
// count loads of the signup page in the session; the warning only shows from the second load on
if (isset($_SESSION['SignupAttempts'])) {
    $_SESSION['SignupAttempts'] = $_SESSION['SignupAttempts'] + 1;
} else {
    $_SESSION['SignupAttempts'] = 1;
}

if (!isset($_POST['name']) || !isset($_POST['user']) || empty($_POST['email']) || empty($_POST['pass'])) {
    if ($_SESSION['SignupAttempts'] > 1) {   // same quoted key (and same case) as above
        echo "<div align='center'><font color = 'red'>ALL FIELDS MUST BE FILLED IN</font></div><br><br>";
        include ('includes/signup.php');
    } else {
        include ('includes/signup.php');
    }
} else {
    $name = htmlentities($_POST['name']);
    $user = htmlentities($_POST['user']);
    $email = htmlentities($_POST['email']);
    $pass = md5($_POST['pass']);
    echo "$name<br>$user<br>$email<br>$pass";
    unset($_SESSION['SignupAttempts']);
}
?>

 

thanks a lot for all of the help and i am sure that i will be back with another portion of the project!

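An added example, not the poster's code, for the isset/empty question and the "only after they submit" requirement above: it decides on the request method instead of a session counter, and counts a field as filled when it is present, a string, and not blank, which also accepts the one value empty() rejects on a form, a password of "0". Assumes current PHP.

```php
<?php
// Added example, not code from the thread. Shows the form message only after
// an actual POST, and checks required fields without empty(), which treats
// the string "0" as missing. Assumes current PHP.

function missingFields(array $post, array $required): array
{
    $missing = [];
    foreach ($required as $field) {
        // isset() only proves the key exists; also reject arrays (name[]=...)
        // and values that are blank after trimming.
        if (!isset($post[$field]) || !is_string($post[$field]) || trim($post[$field]) === '') {
            $missing[] = $field;
        }
    }
    return $missing;
}

function handleSignup(string $method, array $post): string
{
    $required = ['name', 'user', 'email', 'pass'];
    if ($method !== 'POST') {
        return 'show form';                         // first visit: no message
    }
    $missing = missingFields($post, $required);
    if ($missing !== []) {
        return 'show form with message: missing ' . implode(', ', $missing);
    }
    return 'create account for ' . $post['user'];
}

// In the real page:  echo handleSignup($_SERVER['REQUEST_METHOD'], $_POST);
// Constructed requests that exercise the three cases:
echo handleSignup('GET', []), "\n";
echo handleSignup('POST', ['name' => 'Ardy', 'user' => '', 'email' => 'a@example.com', 'pass' => ' ']), "\n";
echo handleSignup('POST', ['name' => 'Ardy', 'user' => 'ardy', 'email' => 'a@example.com', 'pass' => '0']), "\n";
```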

hello, i'm back!

 

ok, i am adding a check email function so as to avoid random stupid crap coming in...

i copied and pasted this function into a file called funcs.php (my functions file):

<?php
function checkEmail($email) 
{
   // eregi() and split() work in PHP 5.2 but were removed in PHP 7.0
   // the address has to match the pattern; anything else is rejected right away
   if(!eregi("^[a-zA-Z0-9_]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+$", $email)) 
   {
      return FALSE;
   }

   list($Username, $Domain) = split("@",$email);

   if(getmxrr($Domain, $MXHost)) //this line throws the error: Fatal error: Call to undefined function getmxrr() in 
                                 //                                   C:\wamp\www\forum\includes\funcs.php on line 11
   {
      return TRUE;   // the domain publishes MX records
   }
   else 
   {
      // no MX records: see whether the domain itself accepts SMTP connections
      if(fsockopen($Domain, 25, $errno, $errstr, 30)) 
      {
         return TRUE; 
      }
      else 
      {
         return FALSE; 
      }
   }
}
?>

 

is getmxrr something that i have to enable in php.ini?  or should it work just fine on its own?  i looked on the php website and it is there, so i think that it should work automatically.

 

using php version 5.2.5 if that helps.

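An added example, not the poster's function: the same check done with filter_var() for the syntax and an MX lookup only when getmxrr() exists, since getmxrr() and checkdnsrr() were not available on Windows before PHP 5.3, which is what the fatal error above is. The SMTP connect fallback from the original is kept but made optional, because it blocks up to the timeout and needs outbound port 25. Assumes current PHP.

```php
<?php
// Added example, not code from the thread. Syntax check with filter_var(),
// MX lookup guarded by function_exists() (getmxrr() was missing on Windows
// before PHP 5.3), and the original SMTP-connect fallback as a last resort
// that can be switched off. Assumes current PHP.

function checkEmail(string $email, bool $tryNetwork = true): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;                       // malformed address: reject outright
    }
    $domain = substr($email, strrpos($email, '@') + 1);

    if (!$tryNetwork) {
        return true;                        // syntax only (offline or in tests)
    }
    if (function_exists('getmxrr')) {
        $mxHosts = [];
        if (getmxrr($domain, $mxHosts) && $mxHosts !== []) {
            return true;                    // the domain publishes MX records
        }
    }
    // No MX records (or no getmxrr): fall back to the original idea of
    // checking whether the domain itself accepts SMTP connections.
    $sock = @fsockopen($domain, 25, $errno, $errstr, 5);
    if ($sock !== false) {
        fclose($sock);
        return true;
    }
    return false;
}

// Constructed inputs, one well-formed and one malformed; network checks
// disabled so this runs offline.
var_dump(checkEmail('user@example.com', false));
var_dump(checkEmail('not an email', false));
```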
