Orionsbelter Posted July 18, 2008

Hi, I know mysql_escape_string() and addslashes(), but what I need to know is: are there any other ways, and also can I use these for the username string? For example, if someone logs in to my website and it addslashes, won't it just totally change the username? e.g. username's login would change to username'/s login, then my website would think it's an invalid username, wouldn't it? And is there a function to remove these slashes?

https://forums.phpfreaks.com/topic/115391-mysql-injection-how-to-stop-it/
awpti Posted July 18, 2008

Use regular expressions. Best to force usernames to be A-Z a-z 0-9. Match that and you'll be fine for usernames.
Orionsbelter (Author) Posted July 18, 2008

Thanks, but not very helpful.
nadeemshafi9 Posted July 18, 2008

Use ereg to find characters from an array that you implement.
Jmz Posted July 18, 2008

Well, if you used addslashes on the register page the username would be "username'/s login"; if you also use addslashes on the login page then it would still be "username'/s login", so it would work. You could then use stripslashes() to remove the ' if you wanted to print it to the screen. But like awpti said, you should keep it alphanumeric if you can.
JasonLewis Posted July 18, 2008

Regular expressions:

if (preg_match("/^[a-zA-Z0-9]+$/", $username)) {
    die("Good username");
} else {
    die("Bad username");
}
waynew Posted July 18, 2008

DO NOT use addslashes. Always use mysql_real_escape_string() instead while a MySQL connection is in existence. addslashes is open to being fooled. As the guys above said, try to force usernames into being only A-Z 0-9. On list menu forms, give your options corresponding numbers and then check if they are numeric with is_numeric(), which returns 1 if it is. Try to use only numerical values for GET values and check to see if they are numerical (also use strip_tags).
waynew Posted July 18, 2008

Also check out prepared statements with sprintf(). Also, see http://www.homeandlearn.co.uk/php/php13p5.html
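The thread above recommends two things that still hold: whitelist usernames to a fixed alphabet so no quote or backslash ever reaches the query (JasonLewis's preg_match check), and use prepared statements. Note that sprintf() formatting is string building, not a prepared statement; a real prepared statement sends the SQL and the parameters to the database separately, so the parameter can never change the query's structure. Below is an added worked example (editor's code, not from any poster in the thread) that puts the vulnerable string-concatenated query beside the parameterized one and adds the whitelist. It uses PDO with an in-memory SQLite database so it runs offline without a MySQL server; the table, the user "alice", the password and the injection payload are all constructed for the demo. With MySQL you would change only the DSN. The ext/mysql functions discussed in the thread (mysql_real_escape_string and friends) were removed in PHP 7, so PDO or mysqli with bound parameters is what you would use today.

```php
<?php
// Added example for this thread, not code from any of the posters.
// Runs offline: PDO + SQLite in memory. Change the DSN for MySQL.
declare(strict_types=1);

/**
 * Whitelist check for usernames: ASCII letters and digits only, 3 to 20 chars.
 * Because a quote or backslash is rejected outright, nothing needs escaping
 * and the stored name is exactly what the user typed (no stripslashes() later).
 */
function isValidUsername(string $username): bool
{
    return preg_match('/^[A-Za-z0-9]{3,20}$/', $username) === 1;
}

/** Numeric GET/POST values: accept only a pure digit string, then cast. */
function parseId(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

/** Build the demo database (constructed sample data). */
function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // For MySQL this makes PDO use real server-side prepares; SQLite already does.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)');
    $ins = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

/** VULNERABLE: the username is pasted straight into the SQL text. */
function findUserUnsafe(PDO $db, string $username): ?string
{
    $sql = "SELECT username FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

/** SAFE: the value travels as a bound parameter, never as part of the SQL. */
function findUserSafe(PDO $db, string $username): ?string
{
    $stmt = $db->prepare('SELECT username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['username'];
}

/** Login as it should be written: whitelist first, then a bound parameter. */
function login(PDO $db, string $username, string $password): bool
{
    if (!isValidUsername($username)) {
        return false; // reject before the database is ever touched
    }
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pw_hash']);
}

$db = setupDb();

// Constructed injection payload: closes the quote and makes the WHERE clause
// always true; "--" comments out the trailing quote so the SQL still parses.
$payload = "x' OR 1=1 --";

var_dump(findUserUnsafe($db, $payload)); // string "alice": injection worked
var_dump(findUserSafe($db, $payload));   // NULL: the whole payload was compared literally
var_dump(isValidUsername($payload));     // false: never reaches the query at all
var_dump(isValidUsername('alice'));      // true
var_dump(login($db, 'alice', 'correct horse')); // true
var_dump(login($db, 'alice', 'wrong'));         // false
var_dump(parseId('42'));   // int 42
var_dump(parseId('42 OR 1=1')); // NULL
```

Run it with `php example.php` on any PHP build with the pdo_sqlite extension (enabled by default). The point of the two find functions side by side: the safe one receives the very same payload and simply looks for a user literally named `x' OR 1=1 --`, because with a bound parameter there is no string for the quote to break out of. The whitelist is defence in depth on top of that, and it answers the original question about usernames: a name that passes the regex contains nothing that escaping would change, so there is nothing to strip back out.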