I'm using a MSSQL PHP script to create accounts in the database, but I'm having problems blocking special characters from being sent through the script, as currently if a username or password is set to \\\' delete account_tbl ;-- it will delete all information in the account.

 

This is the PHP script I'm using for the username and password fields:

 

<?php
if ($reg_allow == 1) {

    // Each step now works on the result of the previous one; the original
    // re-used $text every time, so only the last call had any effect.
    function cleanFormData($text) {
        $data = strtolower($text);
        $data = trim($data);
        $data = htmlentities($data);
        $data = strip_tags($data);
        return $data;
    }

    if(isset($_POST['submit'])) {
        $userName = cleanFormData($_POST['user']);      // Username
        $userPass = cleanFormData($_POST['pass']);      // Password non-encrypted
        $userPass2 = cleanFormData($_POST['pass2']);    // Password repeat, non-encrypted
        $captcha = cleanFormData($_POST['captcha']);    // Captcha answer

        $checkUserName = mssql_query("SELECT account FROM ACCOUNT_TBL WHERE account='".$userName."'");

        if(empty($userName) || empty($userPass) || empty($userPass2) || empty($captcha)) {
            echo "Please complete all fields!";
            exit();
        }elseif(mssql_num_rows($checkUserName) >= 1) {
            echo "The username <b>".$_POST['user']."</b> is already in use.";
            exit();
        }elseif($_POST['pass'] != $_POST['pass2']) {
            echo "Passwords do not match.";
            exit();
        }elseif($_POST['captcha'] != $_POST['captcha_check']) {
            echo "Captcha is not true.";
            exit();
        } else {
            $passHash = md5($MD5Code . $userPass);

            // Initialise the call to the stored procedure
            $stmt = mssql_init("createaccount", $link);

            // Bind the parameters
            mssql_bind($stmt, '@account', $userName, SQLVARCHAR, false, false, 15);
            mssql_bind($stmt, '@password', $passHash, SQLVARCHAR, false, false, 15);

            // Execute
            mssql_execute($stmt) or die ("Something is wrong on the execution");

            // Free statement
            mssql_free_statement($stmt);

            echo "The Account <b>".$_POST['user']."</b> was successfully created!<br><br>We wish you much fun playing.";
        }
    } else {
        $zahl1 = rand(10,20);  // First number 10-20
        $zahl2 = rand(1,10);   // Second number 1-10
        $operator = rand(1,2); // + or -
        if($operator == "1"){
            $operatorzeichen = " + ";
            $ergebnis = $zahl1 + $zahl2;
        }else{
            $operatorzeichen = " - ";
            $ergebnis = $zahl1 - $zahl2;
        }
        $rechnung = $zahl1.$operatorzeichen.$zahl2." = ?";
        echo'
<form method="post">
    <table border="0" cellpadding="0" cellspacing="0" >
        <tr><td width="75">Username:</td><td><input type="text" name="user" size="15" maxlength="15" /></td></tr>
        <tr><td>Password:</td><td><input type="password" name="pass" size="15" /></td></tr>
        <tr><td><font size="-2">Password<br>(repeat)</font></td><td><input type="password" name="pass2" size="15" /></td></tr>
        <tr><td>'.$rechnung.'</td><td><input type="text" name="captcha" size="15" /></td></tr>
        <tr><td></td><td><input type="submit" name="submit" value="Register" /></td></tr>
    </table>
    <input type="hidden" name="captcha_check" value="'.$ergebnis.'">
</form>';
    }
} else {
    echo 'Currently, no registrations are available!';
    exit();
}
?>

https://forums.phpfreaks.com/topic/187080-noob-help/

    function cleanFormData($text) {
        $data = strtolower($text);
        $data = trim($data);
        $data = htmlentities($data);
        $data = strip_tags($data);
        return $data;
    }

 

Yes indeed. You filter out everything but the most important thing: slashes. Use this to sanitize the input:

    function cleanFormData($text) {
        $data = trim($text);
        $data = strtolower($data);
        $data = strip_tags($data);
        $data = htmlentities($data);
        $data = mysql_real_escape_string($data);
        return $data;
    }

 

EDIT: And why do you have htmlentities before strip_tags? strip_tags will do nothing, as the tags are already nullified.

https://forums.phpfreaks.com/topic/187080-noob-help/#findComment-987946

Thanks for the ideas, but even with that, the command that is being used to delete my accounts is still working.

 

I use MSSQL, not MySQL. The command that is being used is \\\' delete account_tbl ;-- which just deletes accounts.

 

    function cleanFormData($text) {
        $data = trim($text);
        $data = strtolower($data);
        $data = strip_tags($data);
        $data = htmlentities($data);
        if(get_magic_quotes_gpc()) {
            return stripslashes($data);
        } else {
            return $data;
        }
    }

 

The function should still work; if it's not assigned, use that code.

 

 

https://forums.phpfreaks.com/topic/187080-noob-help/#findComment-988006

...but even with that, the command that is being used to delete my accounts is still working

 

I use MSSQL, not MySQL

 

That is because mysql_real_escape_string does not work if there is no active DB connection to MySQL.

 

Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.

 

oni-kun and monkeypaw probably missed that.

 

Try addslashes, as the documentation for this function mentions that it should be used before DB insertions.

 

function cleanFormData($text) {
    $data = trim($text);
    $data = strtolower($data);
    $data = strip_tags($data);
    //$data = htmlentities($data); // by default converts " into &quot;; some passwords use this character, so leave it as-is
    $data = addslashes($data); // adds a backslash before ", ', \ and NUL
    return $data;
}

https://forums.phpfreaks.com/topic/187080-noob-help/#findComment-988083

The addslashes works, thank you.

 

And yes, I realised that the mysql one would require an active MySQL connection, which I added to the .php. I managed to delete my account table with it on still x.x

 

But with the addslashes and also the code I put on to only allow 10 chars to be wiped, the commands are impossible to type in, so that should stop a lot of the wannabes. Thanks :D

https://forums.phpfreaks.com/topic/187080-noob-help/#findComment-988107
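For comparison with the escaping approaches discussed in this thread, here is a hardened version of the registration check. It is an added example, not code from the thread: instead of stripping or escaping characters, it binds the username as a query parameter, so the \\\' delete account_tbl ;-- value from the first post is compared as a plain string and never reaches the SQL parser as a statement. It uses an in-memory SQLite database so it runs on its own; the ACCOUNT_TBL name and its account/password columns are taken from the thread, the MSSQL DSN in the comment is a placeholder, and the allowlist pattern and 8-character password minimum are assumptions. One caveat on the addslashes conclusion: T-SQL does not treat a backslash as an escape character (a single quote inside a string literal is escaped by doubling it), so backslash-based escaping is not a reliable defence against this on MSSQL, whereas a bound parameter does not depend on the dialect's quoting rules at all.

```php
<?php
// Added example, not code from the thread. Parameterized account lookup and
// creation: the SQL text never contains user input. SQLite in memory is used
// so the script runs stand-alone; for MSSQL swap the DSN for something like
// 'sqlsrv:Server=DBHOST;Database=DBNAME' (placeholder values) and keep the SQL.

// Accept only the username shape the game expects instead of stripping
// characters after the fact. The 15-char limit matches the form's maxlength;
// the allowed character set is an assumption.
function validUserName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,15}$/', $name) === 1;
}

// The value travels to the driver separately from the statement text, so
// quotes, semicolons and "--" inside it are compared as data, not parsed as SQL.
function accountExists(PDO $db, string $userName): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM ACCOUNT_TBL WHERE account = :account');
    $stmt->execute([':account' => $userName]);
    return (int) $stmt->fetchColumn() > 0;
}

// Returns true when the row was inserted, false on validation failure or duplicate.
function createAccount(PDO $db, string $userName, string $password): bool
{
    if (!validUserName($userName) || strlen($password) < 8) {
        return false;
    }
    if (accountExists($db, $userName)) {
        return false;
    }
    // Salted, slow hash in place of md5($MD5Code . $userPass).
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO ACCOUNT_TBL (account, password) VALUES (:account, :password)');
    return $stmt->execute([':account' => $userName, ':password' => $hash]);
}

function rowCount(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM ACCOUNT_TBL')->fetchColumn();
}

// ---- demonstration on a constructed in-memory table ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ACCOUNT_TBL (account VARCHAR(15) PRIMARY KEY, password VARCHAR(255))');

$created   = createAccount($db, 'alice', 'correct horse battery'); // first registration
$duplicate = createAccount($db, 'alice', 'correct horse battery'); // same name again

// The string from the original post: rejected by the allowlist, and harmless
// even when handed straight to the parameterized lookup.
$payload = "\\' delete account_tbl ;--";
$payloadValid  = validUserName($payload);
$payloadExists = accountExists($db, $payload);

printf("created=%d duplicate=%d payloadValid=%d payloadExists=%d rows=%d\n",
    $created, $duplicate, $payloadValid, $payloadExists, rowCount($db));
```

Run it with the PHP CLI (pdo_sqlite is bundled with most builds); the row count stays at one after the payload is looked up, which is the property the thread is after. The same prepare/execute pattern applies to the mssql_init/mssql_bind call already in the original script, which is parameterized; it was only the concatenated SELECT that exposed the account table.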
