feri_soft Posted August 28, 2006

What would you say:

trashinput:

[code]
function trashinput($input) {
    // drop HTML tags and any slashes already added by magic_quotes
    $input = strip_tags($input);
    $input = stripslashes($input);
    // delete the characters the poster considers dangerous
    $input = str_replace("=", "", $input);
    $input = str_replace(" ", "", $input);
    $input = str_replace("''", "", $input);
    $input = str_replace("'", "", $input);
    $input = str_replace("%20", "", $input);
    // hand the cleaned value back to the caller
    return $input;
}
[/code]

[code]
<?
/*
if (!defined("imoti")) {
    die ("Sorry !! You cannot access this file directly.");
}
*/
include 'db.php';
include 'funcs.php';

// Define post fields into simple variables
$first_name = $_REQUEST['first_name'];
$last_name = $_REQUEST['last_name'];
$email_address = $_REQUEST['email_address'];
$username = $_REQUEST['username'];
$info = $_REQUEST['info'];
$password = $_REQUEST['password'];
$gsm = $_REQUEST['gsm'];
$tel = $_REQUEST['tel'];
$web = $_REQUEST['web'];

// Run every submitted field through the cleaning function
$first_name = trashinput($first_name);
$last_name = trashinput($last_name);
$email_address = trashinput($email_address);
$username = trashinput($username);
$info = trashinput($info);
$password = trashinput($password);
$gsm = trashinput($gsm);
$tel = trashinput($tel);
$web = trashinput($web);

if(strlen($username) < 4 || strlen($password) < 4){
    echo "Потребителското име и паролата трябва да са по дълги от 4 реда!";
    exit(); // Kick us out of PHP
}

/* Do some error checking on the form posted fields */
if (ereg('[^0-9]', $tel)) {
    echo "This contains characters other than just numbers";
}
if (ereg('[^0-9]', $gsm)) {
    echo "This contains characters other than just numbers";
}
if((!$gsm) || (!$tel)){
    echo "trqbva da vyvedete gsm ili telefon<br />";
}
if((!$password) || (!$first_name) || (!$last_name) || (!$email_address) || (!$username)){
    echo 'You did not submit the following required information! <br />';
    if(!$password){
        echo "parolka<br />";
    }
    if(!$first_name){
        echo "First Name is a required field. Please enter it below.<br />";
    }
    if(!$last_name){
        echo "Last Name is a required field. Please enter it below.<br />";
    }
    if(!$email_address){
        echo "Email Address is a required field. Please enter it below.<br />";
    }
    if(!eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", $email_address)) {
        echo "<p>Not a valid email address</p>\n";
    }
    if(!$username){
        echo "Desired Username is a required field. Please enter it below.<br />";
    }
    exit(); // if the error checking has failed, we'll exit the script!
}

/* Let's do some checking and ensure that the user's email address or username does not exist in the database */
$sql_email_check = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
$sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");
$email_check = mysql_num_rows($sql_email_check);
$username_check = mysql_num_rows($sql_username_check);
if(($email_check > 0) || ($username_check > 0)){
    echo "Please fix the following errors: <br />";
    if($email_check > 0){
        echo "<strong>Your email address has already been used by another member in our database. Please submit a different Email address!</strong><br />";
        unset($email_address);
    }
    if($username_check > 0){
        echo "The username you have selected has already been used by another member in our database. Please choose a different Username!<br />";
        unset($username);
    }
    include 'join_form.html'; // Show the form again!
    exit(); // exit the script so that we do not create this account!
}

$db_password = md5($password);

// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, username, password, info, signup_date, gsm, tel, web) VALUES('$first_name', '$last_name', '$email_address', '$username', '$db_password', '$info2', now(), '$gsm', '$tel', '$web')") or die (mysql_error());
if(!$sql){
    echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
    echo 'Success!';
}
?>
[/code]

I made some modifications to a register script from the net... adding some security. I think the function trashinput will be fine to use on the login too...
Link to comment https://forums.phpfreaks.com/topic/18909-is-that-secure/
shocker-z Posted August 28, 2006

add mysql_real_escape_string()

[code]
function trashinput($input) {
    $input = strip_tags($input);
    $input = stripslashes($input);
    $input = str_replace("=", "", $input);
    $input = str_replace(" ", "", $input);
    $input = str_replace("''", "", $input);
    $input = str_replace("'", "", $input);
    $input = str_replace("%20", "", $input);
    // escape what is left so MySQL reads it as plain data
    $input = mysql_real_escape_string($input);
    // hand the cleaned value back to the caller
    return $input;
}
[/code]

it gets rid of these characters: \x00, \n, \r, \, ', " and \x1a

Liam
feri_soft (Author) Posted August 29, 2006

Thank you! ;)
Jenk Posted August 29, 2006

Just a note... it doesn't get rid, it escapes them so that MySQL uses them as literals, rather than special characters.
onlyican Posted August 29, 2006

I would add trim(); as well. These delete the following: \t, \r, \n and of course a whitespace (normally used for mail hacking).
wildteen88 Posted August 29, 2006

trim only gets rid of whitespace at the beginning and end of a string; it won't get rid of them if they are not at the beginning or end of the string.
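An added example, not code from the thread, that puts the three approaches discussed above side by side on the same inputs: the deletion done by feri_soft's trashinput(), the escaping shocker-z and Jenk talk about, and the trim() that onlyican and wildteen88 discuss. It assumes $db is an open mysqli connection and uses mysqli_real_escape_string(), the mysqli counterpart of mysql_real_escape_string(), because escaping depends on the connection's character set.

```php
<?php
// Assumption: $db is an open mysqli connection, e.g.
// $db = new mysqli('localhost', 'user', 'pass', 'dbname');

// Deletion, as in the posted trashinput(): the characters are gone for good,
// so "O'Brien" becomes "OBrien" and two words are glued together.
function strip_like_trashinput($input)
{
    $input = strip_tags($input);
    $input = stripslashes($input);
    foreach (array('=', ' ', "''", "'", '%20') as $bad) {
        $input = str_replace($bad, '', $input);
    }
    return $input;
}

// Escaping: the value is kept intact; quotes, backslashes, NUL and the other
// listed bytes get a backslash in front so MySQL reads them as literal data.
function escape_for_query(mysqli $db, $input)
{
    return mysqli_real_escape_string($db, $input);
}

// trim() only touches the ends of the string; interior spaces, tabs and
// newlines stay exactly where they are.
function clean_whitespace($input)
{
    return trim($input);
}

// Field handling for the registration script: trim, validate the raw value,
// and escape only at the moment it goes into SQL. Returns null on failure so
// the caller can print its own error message, as the script does.
function field_for_insert(mysqli $db, $value, $minLen = 4)
{
    $value = clean_whitespace($value);
    if (strlen($value) < $minLen) {
        return null;
    }
    return escape_for_query($db, $value);
}

// Constructed sample inputs showing how each approach changes the data
$samples = array("O'Brien", " two words ", "a=b", "back\\slash");
foreach ($samples as $s) {
    printf("%-14s strip=%-12s escape=%-14s trim=%s\n",
        var_export($s, true),
        strip_like_trashinput($s),
        escape_for_query($db, $s),
        clean_whitespace($s));
}
```

The escaped column shows the point Jenk makes: the apostrophe in "O'Brien" survives as \' and is stored as a plain apostrophe, whereas the stripped column loses it for good.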