Russia Posted October 7, 2009
I would like to secure this code:

<?php
$date2 = date("F j Y");
$ip = $_SERVER['REMOTE_ADDR'];
require("inc/config.php");
$sql="INSERT INTO accounts (username, password, ip, addeddate) VALUES('$_POST[username]','$_POST[Password]','$ip','$date2')";
if (!mysql_query($sql)) {
    die('Error: ' . mysql_error());
}
echo "Thank You for registering.";
$result = mysql_query("SELECT email FROM admin WHERE id = '1'");
if (!$result) {
    echo 'Could not run query: ' . mysql_error();
    exit;
}
$row = mysql_fetch_row($result);
$to = $row[0];
mysql_close();
$subject = "New Registered User";
$from = "myself";
$message = "A new user has signed up and has been added to the database
Username: $_POST[username]
Password: $_POST[Password]
IP Address: $ip
Date: $date2
";
$headers = "From: $to";
$sent = mail($to, $subject, $message, $headers);
?>

So only the characters a-z (lowercase), A-Z (capitals) and numbers are allowed. That means disabling any symbols that might be used for injections. Can someone help me out?
Garethp Posted October 7, 2009
if (preg_match("~[^a-zA-Z0-9]~", $input)) {
    //There are characters other than numbers and letters in $input
}
Mchl Posted October 7, 2009
For escaping, mysql_real_escape. That's what it's for.
Russia Posted October 7, 2009 (Author)
Okay, so you're saying that when someone clicks submit it will tell him to only use characters and numbers? What I need is that it only posts the numbers and letters into the database and takes out all the other symbols.

if (preg_match("~[^a-zA-Z0-9]~", $input)) {
    //There are characters other than numbers and letters in $input
}

Where would I add that into my code?
hamza Posted October 7, 2009
If you would like to secure the above code, you need to validate whatever you want validated; for that you need to use the PHP validation functions. Search for regular expression functions and other alphanumeric filters.
MadTechie Posted October 7, 2009
> What I need is that it only posts the numbers and letters into the database and takes out all the other symbols.

No you don't need that.. Please READ:

> For escaping, mysql_real_escape. That's what it's for.

but if you insist you do it like this..

$string = preg_replace('/[^a-z0-9]/sim', '', $string);
Psycho Posted October 7, 2009
If there is a reason you do not want to allow certain characters for a particular field (e.g. alpha characters in a date) then you need to create validation for that. But, you do not need to do that type of validation to prevent SQL Injection. As Mchl has already stated, you need to use mysql_real_escape() for any user data that is included in a query. That function will make the appropriate "escapes" in the value to ensure it is safe for a query. So, you can allow any and all characters (as appropriate for the data) as input and still be secure.
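An added example (not code from anyone in this thread) of the two separate steps Psycho describes: a format rule for the field that rejects bad input instead of silently stripping it, and a query that keeps the data out of the SQL string. It assumes inc/config.php defines $dsn, $dbuser and $dbpass for a PDO connection (an assumption; the thread's config file is not shown), and it uses PDO prepared statements in place of the thread's mysql_* functions, which were removed in PHP 7.

```php
<?php
// Step 1: validate the field's format (the OP's requirement for the username).
// Reject rather than strip, so "bob'--" is refused instead of becoming "bob".
function isAlnum(string $value, int $min = 3, int $max = 32): bool
{
    return preg_match('/^[a-zA-Z0-9]{' . $min . ',' . $max . '}$/', $value) === 1;
}

// Step 2: bound parameters are sent to the server separately from the SQL text,
// so no character in $username or $password can change the query's structure.
// This is why the password can be accepted unrestricted, as Psycho's post says.
function insertAccount(PDO $pdo, string $username, string $password, string $ip, string $date): bool
{
    $stmt = $pdo->prepare(
        'INSERT INTO accounts (username, password, ip, addeddate) VALUES (:u, :p, :ip, :d)'
    );
    return $stmt->execute([
        ':u'  => $username,
        ':p'  => $password,
        ':ip' => $ip,
        ':d'  => $date,
    ]);
}

require 'inc/config.php'; // assumed to define $dsn, $dbuser, $dbpass
$pdo = new PDO($dsn, $dbuser, $dbpass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

$username = $_POST['username'] ?? '';
$password = $_POST['Password'] ?? '';

if (!isAlnum($username)) {
    http_response_code(400);
    exit('Username may contain only letters and digits (3 to 32 characters).');
}

insertAccount($pdo, $username, $password, $_SERVER['REMOTE_ADDR'], date('F j Y'));
echo 'Thank You for registering.';
```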
Russia Posted October 7, 2009 (Author)
Okay, where would I insert that into my PHP code? Can you guys post an updated version of my code?
MadTechie Posted October 7, 2009
If you put it in the freelance section and pay me then maybe! This isn't hard:

//Set a variable from post
$Username = $_POST['Username'];
//filter out any characters that are not A-Z or 0-9
$Username = preg_replace('/[^a-z0-9]/sim', '', $Username);
echo $Username; //echo clean version
Garethp Posted October 7, 2009
> 12. All requests for code to be written for you should be posted under the freelance section. No exceptions.

This is the "PHP Coding Help" section, not the "PHP Let's Do Your Code For You" section. We give you the pieces, you put it together. Here's another hint:

$input = preg_replace("~[^a-zA-Z0-9]~", "", $input);

or

$input = mysql_real_escape_string($input);

That's how you secure an input. Now figure the rest out yourself.

And MadTechie, your regex would get rid of all uppercase as well.
MadTechie Posted October 7, 2009
> And MadTechie, your regex would get rid of all uppercase as well.

Wanna bet money on that?

EDIT: Let's say 5 bucks, deal?
Garethp Posted October 7, 2009
Oooh, I get it, I didn't see the sim on the end. Sorry XD
MadTechie Posted October 7, 2009
Yeah, personal preference; the i makes it case insensitive.
Russia Posted October 7, 2009 (Author)
Okay, I'll try myself. But as a hint, where would I insert it?
Garethp Posted October 7, 2009
And m makes it go over line by line, while s matches the dot to everything, right? Why use the s and m? And why do you use / as your delimiter?

As your hint, insert it where you declare your variable, or any time before you use it. Basically right around the part of the script that you want to make secure.

Tell you what, if you really want help, do it yourself, come back, and I'll tell you if you're warm or cold.
MadTechie Posted October 7, 2009
@Garethp
s = dot matches new lines (kinda pointless in the example given)
i = makes it case insensitive
m = means ^ and $ match at line breaks (instead of the full string)

So only i was needed, but I have been working on some large files so I have typed sim on most of them and didn't review my post, so they crept in.

I use / by default; if my regex has a / in it then I use %. Just a habit, no real reason for it.
Russia Posted October 7, 2009 (Author)
<?php
$Username = $_POST['Username'];
$Username = preg_replace('/[^a-z0-9]/sim', '', $Username);
$Password = $_POST['Password'];
$Password = preg_replace('/[^a-z0-9]/sim', '', $Password);
$date2 = date("F j Y");
$ip = $_SERVER['REMOTE_ADDR'];
require("inc/config.php");
$sql="INSERT INTO accounts (username, password, ip, addeddate) VALUES('$Username','$Password','$ip','$date2')";
if (!mysql_query($sql)) {
    die('Error: ' . mysql_error());
}
echo "Thank You for registering.";
$result = mysql_query("SELECT email FROM admin WHERE id = '1'");
if (!$result) {
    echo 'Could not run query: ' . mysql_error();
    exit;
}
$row = mysql_fetch_row($result);
$to = $row[0];
mysql_close();
$subject = "New Registered User";
$from = "myself";
$message = "A new user has signed up and has been added to the database
Username: $Username
Password: $Password
IP Address: $ip
Date: $date2
";
$headers = "From: $to";
$sent = mail($to, $subject, $message, $headers);
?>

I think this is correct? Look what I added to the top of the code and what I changed for the VALUES of the INSERT.
Russia Posted October 7, 2009 (Author)
HERE IS THE FIXED CODE. THE OTHER ONE FOR SOME REASON HAD TONS OF //////

<?php
$Username = $_POST['Username'];
$Username = preg_replace('/[^a-z0-9]/sim', '', $Username);
$Password = $_POST['Password'];
$Password = preg_replace('/[^a-z0-9]/sim', '', $Password);
$date2 = date("F j Y");
$ip = $_SERVER['REMOTE_ADDR'];
require("inc/config.php");
$sql="INSERT INTO accounts (username, password, ip, addeddate) VALUES('$Username','$Password','$ip','$date2')";
if (!mysql_query($sql)) {
    die('Error: ' . mysql_error());
}
echo "Thank You for registering.";
$result = mysql_query("SELECT email FROM admin WHERE id = '1'");
if (!$result) {
    echo 'Could not run query: ' . mysql_error();
    exit;
}
$row = mysql_fetch_row($result);
$to = $row[0];
mysql_close();
$subject = "New Registered User";
$from = "myself";
$message = "A new user has signed up and has been added to the database
Username: $_POST[username]
Password: $_POST[Password]
IP Address: $ip
Date: $date2
";
$headers = "From: $to";
$sent = mail($to, $subject, $message, $headers);
?>
MadTechie Posted October 7, 2009
So solved (doesn't look like it)? If so, click the topic solved button.
Russia Posted October 7, 2009 (Author)
That's the thing, I don't know if what I did is correct? Is it?

Current code:

<?php
$Username = $_POST[username];
$Username = preg_replace(/[^a-z0-9]/sim, , $Username);
$Password = $_POST[Password];
$Password = preg_replace(/[^a-z0-9]/sim, , $Password);
$date2 = date("F j Y");
$ip = $_SERVER['REMOTE_ADDR'];
require("inc/config.php");
$sql="INSERT INTO accounts (username, password, ip, addeddate) VALUES('$Username','$Password','$ip','$date2')";
if (!mysql_query($sql)) {
    die('Error: ' . mysql_error());
}
echo "Thank You for registering.";
$result = mysql_query("SELECT email FROM admin WHERE id = '1'");
if (!$result) {
    echo 'Could not run query: ' . mysql_error();
    exit;
}
$row = mysql_fetch_row($result);
$to = $row[0];
mysql_close();
$subject = "New Registered User";
$from = "myself";
$message = "A new user has signed up and has been added to the database
Username: $_POST[username]
Password: $_POST[Password]
IP Address: $ip
Date: $date2
";
$headers = "From: $to";
$sent = mail($to, $subject, $message, $headers);
?>
Russia Posted October 7, 2009 (Author)
Bump. Is my code correct?
newbtophp Posted October 7, 2009
Yes, it's correct; all you had to do was add the code MadTechie or Garethp provided.
Russia Posted October 7, 2009 (Author)
<?php
$Username = $_POST[username];
$Username = preg_replace(/[^a-z0-9]/sim, , $Username);
$Password = $_POST[Password];
$Password = preg_replace(/[^a-z0-9]/sim, , $Password);
$date2 = date("F j Y");
$ip = $_SERVER['REMOTE_ADDR'];
require("inc/config.php");
$sql="INSERT INTO accounts (username, password, ip, addeddate) VALUES('$Username','$Password','$ip','$date2')";
if (!mysql_query($sql)) {
    die('Error: ' . mysql_error());
}
echo "Thank You for registering.";
$result = mysql_query("SELECT email FROM admin WHERE id = '1'");
if (!$result) {
    echo 'Could not run query: ' . mysql_error();
    exit;
}
$row = mysql_fetch_row($result);
$to = $row[0];
mysql_close();
$subject = "New Registered User";
$from = "myself";
$message = "A new user has signed up and has been added to the database
Username: $_POST[username]
Password: $_POST[Password]
IP Address: $ip
Date: $date2
";
$headers = "From: $to";
$sent = mail($to, $subject, $message, $headers);
?>

Is this code correct? I have updated it with the code that the 2 others, MadTechie and Garethp, posted. Will it work?
MadTechie Posted October 7, 2009
$Username = preg_replace(/[^a-z0-9]/sim, , $Username);

isn't valid; it should be

$Username = preg_replace('/[^a-z0-9]/i', '', $Username);

*nb: I removed the pointless s & m (my bad), but you need the quotes.

Also

$Username = $_POST[username];

should really be

$Username = $_POST['Username'];

(not sure what's happening with your single quotes)