Russia Posted October 7, 2009 Share Posted October 7, 2009 I would like to secure this code: <?php $date2 = date(\"F j Y\"); $ip = $_SERVER[\'REMOTE_ADDR\']; require(\"inc/config.php\"); $sql=\"INSERT INTO accounts (username, password, ip, addeddate) VALUES(\'$_POST[username]\',\'$_POST[Password]\',\'$ip\',\'$date2\')\"; if (!mysql_query($sql)) { die(\'Error: \' . mysql_error()); } echo \"Thank You for registering.\"; $result = mysql_query(\"SELECT email FROM admin WHERE id = \'1\'\"); if (!$result) { echo \'Could not run query: \' . mysql_error(); exit; } $row = mysql_fetch_row($result); $to = $row[0]; mysql_close(); $subject = \"New Registered User\"; $from = \"myself\"; $message = \"A new user has signed up and has been added to the database Username: $_POST[username] Password: $_POST[Password] IP Address: $ip Date: $date2 \"; $headers = \"From: $to\"; $sent = mail($to, $subject, $message, $headers) ; ?> So only characters a-z(lowecase), A-Z (capitals) and, numbers are allowed. That means to disable any symbols that might be used for injections. Can someone help me out? Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/ Share on other sites More sharing options...
Garethp Posted October 7, 2009 Share Posted October 7, 2009 if(preg_match("~[^a-zA-Z0-9]~", $input) { //There are characters other than numbers and letters in $input } Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932389 Share on other sites More sharing options...
Mchl Posted October 7, 2009 Share Posted October 7, 2009 For escaping mysql_real_escape. That's what's it for. Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932395 Share on other sites More sharing options...
Russia Posted October 7, 2009 Author Share Posted October 7, 2009 Okay, so your saying that when someone clicks submit it will tell him that to only use characters and numbers? What I need is that it only posts the numbers and letters into the database and takes out all the other symbols. if(preg_match(\"~[^a-zA-Z0-9]~\", $input) { //There are characters other than numbers and letters in $input } Where would I add that into my code? Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932399 Share on other sites More sharing options...
hamza Posted October 7, 2009 Share Posted October 7, 2009 If you like to secure the above code. You need to validate the whatever you want for validation you need to use the PHP validation function. Search for regular expression functions. n other alpha numaric filters Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932400 Share on other sites More sharing options...
MadTechie Posted October 7, 2009 Share Posted October 7, 2009 What I need is that it only posts the numbers and letters into the database and takes out all the other symbols. No you don't need that.. Please READ For escaping mysql_real_escape. That's what's it for. but if you insist you do it like this.. $string = preg_replace('/[^a-z0-9]/sim', '', $string); Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932407 Share on other sites More sharing options...
Psycho Posted October 7, 2009 Share Posted October 7, 2009 If there is a reason you do not want to allow certain characters for a particular field (e.g. alpha characters in a date) then you need to create validation for that. But, you do not need to do that type of validation to prevent SQL Injection. As Mchl has already stated you need to use mysql_real_escape() for any user data that is included in a query. That function will make the appropriate "escapes" in the value to ensure it is safe for a query. So, you can allow any and all characters (as appropriate for the data) as input and still be secure. Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932408 Share on other sites More sharing options...
Russia Posted October 7, 2009 Author Share Posted October 7, 2009 Okay, where would I insert that into my php code? Can you guys an updated version of my code? Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932411 Share on other sites More sharing options...
MadTechie Posted October 7, 2009 Share Posted October 7, 2009 If you put it in the freelance section and pay me then maybe! this isn't hard //Set a variable from post $Username = $_POST['Username']; //filter out any characters that are not A-Z or 0-9 $Username = preg_replace('/[^a-z0-9]/sim', '', $Username); echo $Username; //echo clean version Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932415 Share on other sites More sharing options...
Garethp Posted October 7, 2009 Share Posted October 7, 2009 12. All request for code to be written for you should be posted under the freelance section. No exceptions. This is the "PHP Coding Help" section, not the "PHP Let's Do Your Code For You" section. We give you the pieces, you put it together. He's another hint $input = preg_replace("~[^a-zA-Z0-9]~", "", $input); or $input = mysql_real_escape_string($input); That's how you secure an input. Now figure the rest out yourself And MadTechie, your regex would get rid of all uppercase aswell Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932419 Share on other sites More sharing options...
MadTechie Posted October 7, 2009 Share Posted October 7, 2009 And MadTechie, your regex would get rid of all uppercase aswell Wanna bet money on that ? EDIT: Let say 5 buck, deal ? Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932424 Share on other sites More sharing options...
Garethp Posted October 7, 2009 Share Posted October 7, 2009 Oooh, I get it, I didn't see the sim on the end. Sorry XD Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932427 Share on other sites More sharing options...
MadTechie Posted October 7, 2009 Share Posted October 7, 2009 Yeah personal preference, the i make is case insensitive. Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932430 Share on other sites More sharing options...
Russia Posted October 7, 2009 Author Share Posted October 7, 2009 Okay Il try myself. But as a hint, where would i insert it? Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932432 Share on other sites More sharing options...
Garethp Posted October 7, 2009 Share Posted October 7, 2009 And m makes it go over line by line, while s matches the dot to everything, right? Why use the s and m? And why do you use / as your deliminator? As your hint, insert it where you declare your variable, or anytime before you use it. Basically right around the part of the script that you want to make it secure Tell you what, if you really want help, do it yourself, come back, and I'll tell you if you're warm or cold Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932433 Share on other sites More sharing options...
MadTechie Posted October 7, 2009 Share Posted October 7, 2009 @Garethp s = dot matched new lines (kinda pointless in the example given) i = make is case insensitive. m = mean ^$ matches line breaks (instead of full string) so only i was needed, but I have been working on some large files so I have typed sim on most of them and didn't review my post so they creped in .. I use / by default, if my regex has a / then I use % just a habit no real reason for it Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932440 Share on other sites More sharing options...
Russia Posted October 7, 2009 Author Share Posted October 7, 2009 <?php $Username = $_POST[\\\'Username\\\']; $Username = preg_replace(\\\'/[^a-z0-9]/sim\\\', \\\'\\\', $Username); $Password = $_POST[\\\'Password\\\']; $Password = preg_replace(\\\'/[^a-z0-9]/sim\\\', \\\'\\\', $Password); $date2 = date(\\\"F j Y\\\\\\\"); $ip = $_SERVER[\\\\\\\'REMOTE_ADDR\\\\\\\']; require(\\\\\\\"inc/config.php\\\\\\\"); $sql=\\\\\\\"INSERT INTO accounts (username, password, ip, addeddate) VALUES(\\\\\\\'$Username\\\\\\\',\\\\\\\'$Password\\\\\\\',\\\\\\\'$ip\\\\\\\',\\\\\\\'$date2\\\\\\\')\\\\\\\"; if (!mysql_query($sql)) { die(\\\\\\\'Error: \\\\\\\' . mysql_error()); } echo \\\\\\\"Thank You for registering.\\\\\\\"; $result = mysql_query(\\\\\\\"SELECT email FROM admin WHERE id = \\\\\\\'1\\\\\\\'\\\\\\\"); if (!$result) { echo \\\\\\\'Could not run query: \\\\\\\' . mysql_error(); exit; } $row = mysql_fetch_row($result); $to = $row[0]; mysql_close(); $subject = \\\\\\\"New Registered User\\\\\\\"; $from = \\\\\\\"myself\\\\\\\"; $message = \\\\\\\"A new user has signed up and has been added to the database Username: $Username Password: $Password IP Address: $ip Date: $date2 \\\\\\\"; $headers = \\\\\\\"From: $to\\\\\\\"; $sent = mail($to, $subject, $message, $headers) ; ?> I think this is correct? Look what I added to the top of the code and what I changed for the VALUES of the INSERT Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932452 Share on other sites More sharing options...
Russia Posted October 7, 2009 Author Share Posted October 7, 2009 HERE IS THE FIXED CODE. THE OTHER ONE FOR SOME REASON HAD TONS OF ////// <?php $Username = $_POST[\'Username\']; $Username = preg_replace(\'/[^a-z0-9]/sim\', \'\', $Username); $Password = $_POST[\'Password\']; $Password = preg_replace(\'/[^a-z0-9]/sim\', \'\', $Password); $date2 = date(\"F j Y\"); $ip = $_SERVER[\'REMOTE_ADDR\']; require(\"inc/config.php\"); $sql=\"INSERT INTO accounts (username, password, ip, addeddate) VALUES(\'$Username\',\'$Password\',\'$ip\',\'$date2\')\"; if (!mysql_query($sql)) { die(\'Error: \' . mysql_error()); } echo \"Thank You for registering.\"; $result = mysql_query(\"SELECT email FROM admin WHERE id = \'1\'\"); if (!$result) { echo \'Could not run query: \' . mysql_error(); exit; } $row = mysql_fetch_row($result); $to = $row[0]; mysql_close(); $subject = \"New Registered User\"; $from = \"myself\"; $message = \"A new user has signed up and has been added to the database Username: $_POST[username] Password: $_POST[Password] IP Address: $ip Date: $date2 \"; $headers = \"From: $to\"; $sent = mail($to, $subject, $message, $headers) ; ?> Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932456 Share on other sites More sharing options...
MadTechie Posted October 7, 2009 Share Posted October 7, 2009 So solved (doesn't look like it)? if so click the topic solved button Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932467 Share on other sites More sharing options...
Russia Posted October 7, 2009 Author Share Posted October 7, 2009 Thats the thing, I dont know if what i did is correct? Is it? Current code: <?php $Username = $_POST[username]; $Username = preg_replace(/[^a-z0-9]/sim, , $Username); $Password = $_POST[Password]; $Password = preg_replace(/[^a-z0-9]/sim, , $Password); $date2 = date("F j Y"); $ip = $_SERVER['REMOTE_ADDR']; require("inc/config.php"); $sql="INSERT INTO accounts (username, password, ip, addeddate) VALUES('$Username','$Password','$ip','$date2')"; if (!mysql_query($sql)) { die('Error: ' . mysql_error()); } echo "Thank You for registering."; $result = mysql_query("SELECT email FROM admin WHERE id = '1'"); if (!$result) { echo 'Could not run query: ' . mysql_error(); exit; } $row = mysql_fetch_row($result); $to = $row[0]; mysql_close(); $subject = "New Registered User"; $from = "myself"; $message = "A new user has signed up and has been added to the database Username: $_POST[username] Password: $_POST[Password] IP Address: $ip Date: $date2 "; $headers = "From: $to"; $sent = mail($to, $subject, $message, $headers) ; ?> Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932505 Share on other sites More sharing options...
Russia Posted October 7, 2009 Author Share Posted October 7, 2009 Bump. Is my code correct? Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932515 Share on other sites More sharing options...
newbtophp Posted October 7, 2009 Share Posted October 7, 2009 yes its correct, all you had to do wad add the code MadTechie or Garethp provided. Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932519 Share on other sites More sharing options...
Russia Posted October 7, 2009 Author Share Posted October 7, 2009 <?php $Username = $_POST[username]; $Username = preg_replace(/[^a-z0-9]/sim, , $Username); $Password = $_POST[Password]; $Password = preg_replace(/[^a-z0-9]/sim, , $Password); $date2 = date("F j Y"); $ip = $_SERVER['REMOTE_ADDR']; require("inc/config.php"); $sql="INSERT INTO accounts (username, password, ip, addeddate) VALUES('$Username','$Password','$ip','$date2')"; if (!mysql_query($sql)) { die('Error: ' . mysql_error()); } echo "Thank You for registering."; $result = mysql_query("SELECT email FROM admin WHERE id = '1'"); if (!$result) { echo 'Could not run query: ' . mysql_error(); exit; } $row = mysql_fetch_row($result); $to = $row[0]; mysql_close(); $subject = "New Registered User"; $from = "myself"; $message = "A new user has signed up and has been added to the database Username: $_POST[username] Password: $_POST[Password] IP Address: $ip Date: $date2 "; $headers = "From: $to"; $sent = mail($to, $subject, $message, $headers) ; ?> Is this code correct? I have updated it with the codes that the 2 other MadTechie or Garethp. Will it work? Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932522 Share on other sites More sharing options...
MadTechie Posted October 7, 2009 Share Posted October 7, 2009 $Username = preg_replace(/[^a-z0-9]/sim, , $Username); isn't valid it should be $Username = preg_replace('/[^a-z0-9]/i','', $Username); *nb: i removed the pointless s & m (my bad) but you need the quotes also $Username = $_POST[username]; should really be $Username = $_POST['Username']; (not sure what happening with your single quotes Quote Link to comment https://forums.phpfreaks.com/topic/176838-secure-this-code/#findComment-932533 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.