Jump to content

Secure this code


Russia

Recommended Posts

I would like to secure this code:

<?php
$date2 = date(\"F j Y\");
$ip = $_SERVER[\'REMOTE_ADDR\'];
require(\"inc/config.php\");
$sql=\"INSERT INTO accounts (username, password, ip, addeddate)
VALUES(\'$_POST[username]\',\'$_POST[Password]\',\'$ip\',\'$date2\')\";
if (!mysql_query($sql))
{
die(\'Error: \' . mysql_error());
}
echo \"Thank You for registering.\";
$result = mysql_query(\"SELECT email FROM admin WHERE id = \'1\'\");
if (!$result) {
    echo \'Could not run query: \' . mysql_error();
    exit;
}
$row = mysql_fetch_row($result);
$to = $row[0];
mysql_close();
$subject = \"New Registered User\";
$from = \"myself\";
$message = \"A new user has signed up and has been added to the database
Username: $_POST[username] 
Password: $_POST[Password]
IP Address: $ip
Date: $date2

\";
$headers = \"From: $to\";
$sent = mail($to, $subject, $message, $headers) ;
?> 

 

So only characters a-z(lowecase), A-Z (capitals) and, numbers are allowed.

 

That means to disable any symbols that might be used for injections.

 

Can someone help me out?

Link to comment
Share on other sites

Okay, so your saying that when someone clicks submit it will tell him that to only use characters and numbers?

 

What I need is that it only posts the numbers and letters into the database and takes out all the other symbols.

 

if(preg_match(\"~[^a-zA-Z0-9]~\", $input)
{
//There are characters other than numbers and letters in $input
}

 

Where would I add that into my code?

Link to comment
Share on other sites

If there is a reason you do not want to allow certain characters for a particular field (e.g. alpha characters in a date) then you need to create validation for that. But, you do not need to do that type of validation to prevent SQL Injection. As Mchl has already stated you need to use mysql_real_escape() for any user data that is included in a query. That function will make the appropriate "escapes" in the value to ensure it is safe for a query. So, you can allow any and all characters (as appropriate for the data) as input and still be secure.

Link to comment
Share on other sites

If you put it in the freelance section and pay me then maybe!

 

this isn't hard

//Set a variable from post 
$Username = $_POST['Username'];
//filter out any characters that are not A-Z or 0-9 
$Username = preg_replace('/[^a-z0-9]/sim', '', $Username);
echo $Username; //echo clean version

Link to comment
Share on other sites

12. All request for code to be written for you should be posted under the freelance section. No exceptions.

 

This is the "PHP Coding Help" section, not the "PHP Let's Do Your Code For You" section. We give you the pieces, you put it together. He's another hint

 

$input = preg_replace("~[^a-zA-Z0-9]~", "", $input);

 

or

 

$input = mysql_real_escape_string($input);

 

That's how you secure an input. Now figure the rest out yourself

 

And MadTechie, your regex would get rid of all uppercase aswell

Link to comment
Share on other sites

And m makes it go over line by line, while s matches the dot to everything, right?

 

Why use the s and m? And why do you use / as your deliminator?

 

As your hint, insert it where you declare your variable, or anytime before you use it. Basically right around the part of the script that you want to make it secure

 

Tell you what, if you really want help, do it yourself, come back, and I'll tell you if you're warm or cold

Link to comment
Share on other sites

@Garethp

s = dot matched new lines (kinda pointless in the example given)

i = make is case insensitive.

m = mean ^$ matches line breaks (instead of full string)

so only i was needed, but I have been working on some large files so I have typed sim on most of them and didn't review my post so they creped in ..  ::)

 

I use / by default, if my regex has a / then I use % just a habit no real reason for it

 

Link to comment
Share on other sites

<?php
$Username = $_POST[\\\'Username\\\'];
$Username = preg_replace(\\\'/[^a-z0-9]/sim\\\', \\\'\\\', $Username);
$Password = $_POST[\\\'Password\\\'];
$Password = preg_replace(\\\'/[^a-z0-9]/sim\\\', \\\'\\\', $Password);
$date2 = date(\\\"F j Y\\\\\\\");
$ip = $_SERVER[\\\\\\\'REMOTE_ADDR\\\\\\\'];
require(\\\\\\\"inc/config.php\\\\\\\");
$sql=\\\\\\\"INSERT INTO accounts (username, password, ip, addeddate)
VALUES(\\\\\\\'$Username\\\\\\\',\\\\\\\'$Password\\\\\\\',\\\\\\\'$ip\\\\\\\',\\\\\\\'$date2\\\\\\\')\\\\\\\";
if (!mysql_query($sql))
{
die(\\\\\\\'Error: \\\\\\\' . mysql_error());
}
echo \\\\\\\"Thank You for registering.\\\\\\\";
$result = mysql_query(\\\\\\\"SELECT email FROM admin WHERE id = \\\\\\\'1\\\\\\\'\\\\\\\");
if (!$result) {
    echo \\\\\\\'Could not run query: \\\\\\\' . mysql_error();
    exit;
}
$row = mysql_fetch_row($result);
$to = $row[0];
mysql_close();
$subject = \\\\\\\"New Registered User\\\\\\\";
$from = \\\\\\\"myself\\\\\\\";
$message = \\\\\\\"A new user has signed up and has been added to the database
Username: $Username
Password: $Password
IP Address: $ip
Date: $date2

\\\\\\\";
$headers = \\\\\\\"From: $to\\\\\\\";
$sent = mail($to, $subject, $message, $headers) ;
?> 

 

I think this is correct?  Look what I added to the top of the code and what I changed for the VALUES of the INSERT

Link to comment
Share on other sites

HERE IS THE FIXED CODE. THE OTHER ONE FOR SOME REASON HAD TONS OF //////

 

<?php
$Username = $_POST[\'Username\'];
$Username = preg_replace(\'/[^a-z0-9]/sim\', \'\', $Username);
$Password = $_POST[\'Password\'];
$Password = preg_replace(\'/[^a-z0-9]/sim\', \'\', $Password);
$date2 = date(\"F j Y\");
$ip = $_SERVER[\'REMOTE_ADDR\'];
require(\"inc/config.php\");
$sql=\"INSERT INTO accounts (username, password, ip, addeddate)
VALUES(\'$Username\',\'$Password\',\'$ip\',\'$date2\')\";
if (!mysql_query($sql))
{
die(\'Error: \' . mysql_error());
}
echo \"Thank You for registering.\";
$result = mysql_query(\"SELECT email FROM admin WHERE id = \'1\'\");
if (!$result) {
    echo \'Could not run query: \' . mysql_error();
    exit;
}
$row = mysql_fetch_row($result);
$to = $row[0];
mysql_close();
$subject = \"New Registered User\";
$from = \"myself\";
$message = \"A new user has signed up and has been added to the database
Username: $_POST[username] 
Password: $_POST[Password]
IP Address: $ip
Date: $date2

\";
$headers = \"From: $to\";
$sent = mail($to, $subject, $message, $headers) ;
?> 

Link to comment
Share on other sites

Thats the thing, I dont know if what i did is correct? Is it?

 

Current code:

<?php
$Username = $_POST[username];
$Username = preg_replace(/[^a-z0-9]/sim, , $Username);
$Password = $_POST[Password];
$Password = preg_replace(/[^a-z0-9]/sim, , $Password);
$date2 = date("F j Y");
$ip = $_SERVER['REMOTE_ADDR'];
require("inc/config.php");
$sql="INSERT INTO accounts (username, password, ip, addeddate)
VALUES('$Username','$Password','$ip','$date2')";
if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
echo "Thank You for registering.";
$result = mysql_query("SELECT email FROM admin WHERE id = '1'");
if (!$result) {
    echo 'Could not run query: ' . mysql_error();
    exit;
}
$row = mysql_fetch_row($result);
$to = $row[0];
mysql_close();
$subject = "New Registered User";
$from = "myself";
$message = "A new user has signed up and has been added to the database
Username: $_POST[username] 
Password: $_POST[Password]
IP Address: $ip
Date: $date2

";
$headers = "From: $to";
$sent = mail($to, $subject, $message, $headers) ;
?> 

Link to comment
Share on other sites

<?php
$Username = $_POST[username];
$Username = preg_replace(/[^a-z0-9]/sim, , $Username);
$Password = $_POST[Password];
$Password = preg_replace(/[^a-z0-9]/sim, , $Password);
$date2 = date("F j Y");
$ip = $_SERVER['REMOTE_ADDR'];
require("inc/config.php");
$sql="INSERT INTO accounts (username, password, ip, addeddate)
VALUES('$Username','$Password','$ip','$date2')";
if (!mysql_query($sql))
{
die('Error: ' . mysql_error());
}
echo "Thank You for registering.";
$result = mysql_query("SELECT email FROM admin WHERE id = '1'");
if (!$result) {
    echo 'Could not run query: ' . mysql_error();
    exit;
}
$row = mysql_fetch_row($result);
$to = $row[0];
mysql_close();
$subject = "New Registered User";
$from = "myself";
$message = "A new user has signed up and has been added to the database
Username: $_POST[username] 
Password: $_POST[Password]
IP Address: $ip
Date: $date2

";
$headers = "From: $to";
$sent = mail($to, $subject, $message, $headers) ;
?> 

 

Is this code correct? I have updated it with the codes that the 2 other MadTechie or Garethp.

 

Will it work?

Link to comment
Share on other sites

$Username = preg_replace(/[^a-z0-9]/sim, , $Username);

isn't valid

 

it should be

$Username = preg_replace('/[^a-z0-9]/i','', $Username);

 

*nb: i removed the pointless s & m (my bad) but you need the quotes

 

also

$Username = $_POST[username];

should really be

$Username = $_POST['Username'];

(not sure what happening with your single quotes

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.