Jump to content

Recommended Posts

trying to teach myself how to prevent sql injections.

found lots of info online, but am unsure as to how to go about it.

 

here is a sample of my code:

<?php 
session_start();
include "dbconnect.php";

if ((isset($_POST['user'])) || (isset($_POST['pass']))) {
$user=mysql_real_escape_string($_POST['user']);   //this line...
$pass=mysql_real_escape_string($_POST['pass']);  //and this line are what i have changed...

$sql="SELECT * FROM login WHERE username='$user' and password='$pass'";
$result=mysql_query($sql) or die ("Error in query" . mysql_error());// this will throw an error if there is one in the sql

 

it goes on, but that is the basics of what i am trying to do.

is this correct? would that sanitize my inputs enough to make the site secure?

 

this will hopefully be a forum in the end...just a project that will hopefully teach me a lot about php and sql.

until then, i want to make sure that i am learning the correct and safe way to do things and am not starting out with bad habits.

thanks a lot and i am sure that i will have many more questions and hopefully will learn something with this project.

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/
Share on other sites

Actually mysql_real_escape_string() is the best and easiest way to prevent injection, but it all depends in the case. In yours, ure ok as long as the input doesnt contain characters which can break the sql query. In other cases u should consider other types of validation. Ex in a forum post or comment, a good way to sanitize input from xss is htmlentities(). Or when having a get id=10 a good way is to intval() it or check if is_numeric(). The scenarios are infinite, but the ways to prevent attacks revolve around mostly the same methods. One thing though, a good practice is to hash passwords using md5() or preferably sha1().

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/#findComment-525644
Share on other sites

continuing on this forum idea, and not wanting to clutter up the forum with repeat threads, i have been doing some work. 

 

here is the code i have for a user sign up system:

<?php
if ((!isset($_POST[name]) || ($_POST[user]) || ($_POST[email]) || ($_POST[pass]))) {
echo "<div align='center'ALL FIELDS MUST BE FILLED IN</div><br><br>";
include 'includes/signup.php';	}

else {
$name = htmlentities($_POST[name]);
$user = htmlentities($_POST[user]);
$email = htmlentities($_POST[email]);
$pass = MD5($_POST[pass]);
echo "$name<br>$user<br>$email<br>$pass";}	
?>

very basic.  just a name, username, email and password...but i cant seem to get it to work.  it only echoes anything if i have nothing in the fields of the form...very confused, because i thought that the !isset would prevent that...what have i done wrong here?  i know it will be something stupid, but i am lost and dont know what to do.

 

working on this in steps, have a login system, now working on the signup...i appreciate all of the help from everyone.

thanks

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/#findComment-527815
Share on other sites

Uve used only htmlentities() to clean post data and thats fine to prevent xss, but quotes or double quotes will still break your query. Add ENT_QUOTES as a second parameter to htmlentities() or even better add mysql_real_escape_string, so it will look:

 

htmlentities(mysql_real_escape_string($_POST['name']));

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/#findComment-527942
Share on other sites

great info guiltygear, thanks a lot.  will definately use that.

 

i am still having the problem of the script not working...i will post it online on a misc. test server located here:

http://www.minnesotamomandpop.com/testforum/forum/usrsignup.php

 

when you fill in the form, nothing happens.  when you just click submit, nothing happens.  very confused.

 

again, thanks a lot for everything.

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/#findComment-527987
Share on other sites

usrsignup.php:

<?php
if ((!isset($_POST[name]) || ($_POST[user]) || ($_POST[email]) || ($_POST[pass]))) {
echo "<div align='center'>ALL FIELDS MUST BE FILLED IN</div><br><br>";
include 'includes/signup.php';	}

else {
$name = htmlentities($_POST[name]);
$user = htmlentities($_POST[user]);
$email = htmlentities($_POST[email]);
$pass = MD5($_POST[pass]);
echo "$name<br>$user<br>$email<br>$pass";}	
?>

 

includes/signup.php:

<form name="signup" method="post" action="usrsignup.php">
  <table width="250" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
      <th scope="col">USER SIGNUP </th>
    </tr>
    <tr>
      <td> </td>
    </tr>
    <tr>
      <td>Name: 
      <input name="name" type="text" id="name"></td>
    </tr>
    <tr>
      <td>Username: 
      <input name="user" type="text" id="user"></td>
    </tr>
    <tr>
      <td>Password: 
      <input name="pass" type="password" id="pass"></td>
    </tr>
    <tr>
      <td>Email: 
      <input name="email" type="text" id="email"></td>
    </tr>
    <tr>
      <td><div align="center">
        <input type="submit" name="Submit" value="Submit">
      </div></td>
    </tr>
  </table>
</form>

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/#findComment-528148
Share on other sites

<?php
if (!isset($_POST['name']) || !isset($_POST['user']) || empty($_POST['email']) || empty($_POST['pass'])) {
echo "<div align='center'>ALL FIELDS MUST BE FILLED IN</div><br><br>";
include ('includes/signup.php');	}

else {
$name = strip_tags($_POST['name']);
$user = strip_tags($_POST['user']);
$email = $_POST['email'];
$pass = MD5($_POST['pass']);
echo "$name<br>$user<br>$email<br>$pass";}	
?>

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/#findComment-528151
Share on other sites

when i input info into the form and click submit, it is as if i dont input anything. visit the example site i have posted above to see.

 

Try darkfreaks's code, it should work. U had written array indexes without quotes, so that should have caused the problem.

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/#findComment-528332
Share on other sites

wow...sorry darkfreak, i must have skipped over your code....works great now. 

 

now, i have a question about the code:

if (!isset($_POST['name']) || !isset($_POST['user']) || empty($_POST['email']) || empty($_POST['pass']))

 

what is the difference between !isset and empty?  i thought that !isset checked to see if the fields were empty...am i wrong?

 

EDIT---

also, now i want to be able to make the "all fields required" portion come up only after they dont input them.

i added session_start() to the top and $_SESSION[signupAttempts] = 0.  how would i have the script add a signup attempt?

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/#findComment-528349
Share on other sites

isset() will return true if the variable exists, being it empty or not. empty() will return true only if the variable is empty. Consider the following:

 

<?php
$str = '123';
echo isset($str); //will return 1
echo empty($str); //will return nothing (meaning false)
?>

 

For the "all requried" and "signup attempts":

<?php
session_start();
if(isset($_POST['name']){
    if(empty($_POST['name'] and empty($_POST['user']) and empty($_POST['email']) and empty($_POST['pass'])){
        echo 'All fields are required';
    } else{
        $signupAttempts = $_SESSION['signupattempts'];
        $signupAttempts++;
        $_SESSION['signupattempts'] = $singupattempts;
    }
}
?>

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/#findComment-528358
Share on other sites

ok never mind.

 

google helped me.  STUPID ARDY!

 

anyways, here is the code now:

<?php
session_start();
if(isset($_SESSION['SignupAttempts'])) {
    $_SESSION['SignupAttempts'] = $_SESSION['SignupAttempts']+ 1;}
else
    {$_SESSION['SignupAttempts'] = 1;}

if ((!isset($_POST['name']) || !isset($_POST['user']) || empty($_POST['email']) || empty($_POST['pass']))) {
if ($_SESSION[signupAttempts] > 1) {
echo "<div align='center'><font color = 'red'>ALL FIELDS MUST BE FILLED IN</font></div><br><br>";
include ('includes/signup.php');	}

else {include ('includes/signup.php');}
}
else {
$name = htmlentities($_POST['name']);
$user = htmlentities($_POST['user']);
$email = htmlentities($_POST['email']);
$pass = md5($_POST['pass']);
echo "$name<br>$user<br>$email<br>$pass";
unset($_SESSION['SignupAttempts']);
}	
?>

 

thanks a lot for all of the help and i am sure that i will be back with another portion of the project!

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/#findComment-528362
Share on other sites

hello, i'm back!

 

ok, i am adding a check email function so as to avoid random stupid crap coming in...

i copied and pasted this function into a file called funcs.php (my functions file):

<?php
function checkEmail($email) 
{
   if(eregi("^[a-zA-Z0-9_]+@[a-zA-Z0-9\-]+\.[a-zA-Z0-9\-\.]+$]", $email)) 
   {
      return FALSE;
   }

   list($Username, $Domain) = split("@",$email);

   if(getmxrr($Domain, $MXHost)) //this line throws the error: Fatal error: Call to undefined function getmxrr() in 
                                             //                                   C:\wamp\www\forum\includes\funcs.php on line 11
   {
      return TRUE;
   }
   else 
   {
      if(fsockopen($Domain, 25, $errno, $errstr, 30)) 
      {
         return TRUE; 
      }
      else 
      {
         return FALSE; 
      }
   }
}
?>

 

is getmxrr something that i have to enable in php.ini?  or should it work just fine on its own?  i looked on the php website and it is there, so i think that it should work automatically.

 

using php version 5.2.5 if that helps.

Link to comment
https://forums.phpfreaks.com/topic/102638-sql-injections/#findComment-528807
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.