
Noob help


msjrules03


I'm using an MSSQL PHP script to create accounts in the database, but I'm having problems blocking special characters from being sent through the script, as currently if a username or password is set to \\\' delete account_tbl ;-- it will delete all information in the account.

 

This is the PHP script I'm using for the username and password fields:

 

<?php
if ($reg_allow == 1) {
    
    function cleanFormData($text) {
        // Chain each step on $data so earlier steps are not discarded
        $data = strtolower($text);
        $data = trim($data);
        $data = htmlentities($data);
        $data = strip_tags($data);
        return $data;
    }

    if(isset($_POST['submit'])) {
        $userName = cleanFormData($_POST['user']);    // Username
        $userPass = cleanFormData($_POST['pass']);    // Password non-encrypted
        $userPass2 = cleanFormData($_POST['pass2']);    // Password (repeat) non-encrypted
        $captcha = cleanFormData($_POST['captcha']);    // Captcha answer
        
        $checkUserName = mssql_query("SELECT account FROM ACCOUNT_TBL WHERE account='".$userName."'");
        
        if(empty($userName) || empty($userPass) || empty($userPass2) || empty($captcha)) {
            echo "Please complete all fields!";
        exit();
        }elseif(mssql_num_rows($checkUserName) >= 1) {
            // Encode the name before echoing it back into the page
            echo "The username <b>".htmlspecialchars($_POST['user'], ENT_QUOTES)."</b> is already in use.";
        exit();
        }elseif($_POST['pass'] != $_POST['pass2']) {
            echo "Passwords do not match.";
        exit();
        }elseif($_POST['captcha'] != $_POST['captcha_check']) {
            echo "Captcha is not true.";
        exit();
        } else {
            $passHash = md5($MD5Code . $userPass);
            
            // Initialize the stored procedure call
            $stmt = mssql_init("createaccount", $link);
            
            // Bind the field names
            mssql_bind($stmt, '@account', $userName, SQLVARCHAR, false, false, 15);
            mssql_bind($stmt, '@password', $passHash, SQLVARCHAR, false, false, 15);
            
            // Execute
            mssql_execute($stmt) or die ("Something is wrong on the execution");
            
            // Free statement
            mssql_free_statement($stmt);
            
            // Encode the name before echoing it back into the page
            echo "The Account <b>".htmlspecialchars($_POST['user'], ENT_QUOTES)."</b> was successfully created!<br><br>We wish you much fun playing.";
        }
    } else {
$zahl1 = rand(10,20); //First Number 10-20
$zahl2 = rand(1,10);  //Second number 1-10
$operator = rand(1,2); // + Or --
if($operator == "1"){
   $operatorzeichen = " + ";
   $ergebnis = $zahl1 + $zahl2;
}else{
   $operatorzeichen = " - ";
   $ergebnis = $zahl1 - $zahl2;
}
$rechnung = $zahl1.$operatorzeichen.$zahl2." = ?";
echo '
<form method="post">
    <table border="0" cellpadding="0" cellspacing="0">
        <tr><td width="75">Username:</td><td><input type="text" name="user" size="15" maxlength="15" /></td></tr>
        <tr><td>Password:</td><td><input type="password" name="pass" size="15" /></td></tr>
        <tr><td><font size="-2">Password<br>(repeat)</font></td><td><input type="password" name="pass2" size="15" /></td></tr>
        <tr><td>'.$rechnung.'</td><td><input type="text" name="captcha" size="15" /></td></tr>
        <tr><td></td><td><input type="submit" name="submit" value="Register" /></td></tr>
    </table>
    <input type="hidden" name="captcha_check" value="'.$ergebnis.'">
</form>';
    }
}
else
{
echo 'Currently, no registrations are available!';
exit();
}
?>

https://forums.phpfreaks.com/topic/187080-noob-help/

    function cleanFormData($text) {
        // Chain each step on $data so earlier steps are not discarded
        $data = strtolower($text);
        $data = trim($data);
        $data = htmlentities($data);
        $data = strip_tags($data);
        return $data;
    }

 

Yes indeed. You filter out everything but the most important thing: Slashes. Use this to sanitize the input:

    function cleanFormData($text) {
        // Each step works on the result of the previous one
        $data = trim($text);
        $data = strtolower($data);
        $data = strip_tags($data);
        $data = htmlentities($data);
        $data = mysql_real_escape_string($data);
        return $data;
    }

 

EDIT: And why do you have htmlentities before strip_tags? strip_tags will do nothing as they're already nullified.

https://forums.phpfreaks.com/topic/187080-noob-help/#findComment-987946

Thanks for the ideas, but even with that in, the command that is being used to delete my accounts is still working.

 

I use MSSQL, not MySQL. The command that is being used is \\\' delete account_tbl ;-- which just deletes accounts.

 

    function cleanFormData($text) {
        // Each step works on the result of the previous one
        $data = trim($text);
        $data = strtolower($data);
        $data = strip_tags($data);
        $data = htmlentities($data);
        if(get_magic_quotes_gpc()) {
             return stripslashes($data);
        } else {
             return $data;
        }
    }

 

The function should still work, if it's not assigned use that code.

 

 

https://forums.phpfreaks.com/topic/187080-noob-help/#findComment-988006

...but even with that in the command that is being used to delete my accounts is still working

 

I use MSSQL, not MySQL

 

That is because mysql_real_escape_string does not work if there is no active DB connection to MySQL.

 

Note: A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier  isn't defined, the last MySQL connection is used.

 

oni-kun and monkeypaw probably missed that.

 

Try addslashes as this function mentions that it should be used before db insertions.

 

function cleanFormData($text) {
    // Each step works on the result of the previous one
    $data = trim($text);
    $data = strtolower($data);
    $data = strip_tags($data);
    //$data = htmlentities($data); // by default converts " into &quot;; some passwords use this character, so leave it as-is
    $data = addslashes($data); // adds a backslash before ', ", \ and NUL bytes
    return $data;
}

https://forums.phpfreaks.com/topic/187080-noob-help/#findComment-988083
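
An alternative to escaping, as an added example that is not code from this thread: keep the input out of the SQL text entirely by binding it as a parameter, the way the script's own mssql_bind() calls already do for the insert but the username SELECT does not, and validate usernames against an allow-list. It uses PDO with in-memory SQLite standing in for SQL Server so that it runs offline; the table layout, function names, sample values and the switch from md5() to password_hash() are assumptions.

```php
<?php
// Added example. In-memory SQLite stands in for SQL Server so this runs offline;
// with pdo_sqlsrv only the DSN changes ("sqlsrv:Server=...;Database=...").
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ACCOUNT_TBL (account VARCHAR(15) PRIMARY KEY, password VARCHAR(255))');

// Allow-list: accept only plausible usernames instead of stripping "bad" characters.
function isValidUsername(string $name): bool {
    return preg_match('/\A[a-z0-9_]{3,15}\z/', $name) === 1;
}

// Bound-parameter lookup: $name is sent as a value, never spliced into the SQL text.
function accountExists(PDO $db, string $name): bool {
    $stmt = $db->prepare('SELECT COUNT(*) FROM ACCOUNT_TBL WHERE account = :account');
    $stmt->execute([':account' => $name]);
    return (int) $stmt->fetchColumn() > 0;
}

// Returns a status string describing what happened to the registration attempt.
function registerAccount(PDO $db, string $name, string $pass): string {
    $name = strtolower(trim($name));
    if (!isValidUsername($name)) {
        return 'invalid username';
    }
    if (accountExists($db, $name)) {
        return 'username taken';
    }
    $insert = $db->prepare('INSERT INTO ACCOUNT_TBL (account, password) VALUES (:account, :password)');
    $insert->execute([
        ':account'  => $name,
        ':password' => password_hash($pass, PASSWORD_DEFAULT), // assumption: replaces the md5() scheme
    ]);
    return 'created';
}

// The string quoted in the thread, taken literally via nowdoc (constructed sample input).
$hostile = <<<'TXT'
\\\' delete account_tbl ;--
TXT;

echo registerAccount($db, 'Alice', 'correct horse battery'), "\n";
echo registerAccount($db, 'alice', 'another password'), "\n";
echo registerAccount($db, $hostile, 'x'), "\n";
// Even without the allow-list, the bound lookup treats the string as a name to compare.
echo accountExists($db, $hostile) ? 'found' : 'not found', "\n";
echo $db->query('SELECT COUNT(*) FROM ACCOUNT_TBL')->fetchColumn(), " account(s) stored\n";
```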

The addslashes works, thank you.

 

And yes, I realised that the mysql would require an active MySQL connection, which I added to the .php. I managed to delete my account table with it on still x.x

 

But with the addslashes and also the code I put on to only allow 10 chars to be wiped, the commands are impossible to type in, so that should stop a lot of the wannabes. Thanks :D

https://forums.phpfreaks.com/topic/187080-noob-help/#findComment-988107