Archived

This topic is now archived and is closed to further replies.

feri_soft

Is that secure??

what would you say:
trashinput:
[code]function trashinput($input) {
  $input = strip_tags($input);          // drop HTML tags
  $input = stripslashes($input);        // undo magic_quotes backslashes
  $input = str_replace("=","",$input);
  $input = str_replace(" ","",$input);
  $input = str_replace("''","",$input);
  $input = str_replace("'","",$input);
  $input = str_replace("%20","",$input);
  return $input;                        // the posted version never returned the value
}[/code]
[code]<?php
/*
if (!defined("imoti")) {
    die ("Sorry !! You cannot access this file directly.");
}*/
include 'db.php';
include 'funcs.php';

// Define post fields into simple variables
$first_name = $_REQUEST['first_name'];
$last_name = $_REQUEST['last_name'];
$email_address = $_REQUEST['email_address'];
$username = $_REQUEST['username'];
$info = $_REQUEST['info'];
$password = $_REQUEST['password'];
$gsm = $_REQUEST['gsm'];
$tel = $_REQUEST['tel'];
$web = $_REQUEST['web'];

// Run every field through trashinput() (statement terminators were missing here)
$first_name = trashinput($first_name);
$last_name = trashinput($last_name);
$email_address = trashinput($email_address);
$username = trashinput($username);
$info = trashinput($info);
$password = trashinput($password);
$gsm = trashinput($gsm);
$tel = trashinput($tel);
$web = trashinput($web);

if(strlen($username) < 4 || strlen($password) < 4)
{
    echo "The username and password must be longer than 4 characters!";
    exit(); // Kick us out of PHP
}
/* Do some error checking on the form posted fields */
if (ereg('[^0-9]', $tel)) {
  echo "This contains characters other than just numbers";
}
if (ereg('[^0-9]', $gsm)) {
  echo "This contains characters other than just numbers";
}
if((!$gsm) || (!$tel)){
    echo "You must enter a GSM or telephone number<br />";
}
if((!$password) || (!$first_name) || (!$last_name) || (!$email_address) || (!$username)){
    echo 'You did not submit the following required information! <br />';
    if(!$password){
        echo "Password<br />";
    }
    if(!$first_name){
        echo "First Name is a required field. Please enter it below.<br />";
    }
    if(!$last_name){
        echo "Last Name is a required field. Please enter it below.<br />";
    }
    if(!$email_address){
        echo "Email Address is a required field. Please enter it below.<br />";
    }
    if(!$username){
        echo "Desired Username is a required field. Please enter it below.<br />";
    }
    exit(); // if the error checking has failed, we'll exit the script!
}
// Email format check moved out of the missing-field block so it always runs
if(!eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", $email_address)) {
    echo "<p>Not a valid email address</p>\n";
    exit();
}

/* Let's do some checking and ensure that the user's email address or username
does not exist in the database */

$sql_email_check = mysql_query("SELECT email_address FROM users
            WHERE email_address='$email_address'");
$sql_username_check = mysql_query("SELECT username FROM users
            WHERE username='$username'");

$email_check = mysql_num_rows($sql_email_check);
$username_check = mysql_num_rows($sql_username_check);

if(($email_check > 0) || ($username_check > 0)){
    echo "Please fix the following errors: <br />";
    if($email_check > 0){
        echo "<strong>Your email address has already been used by another member
        in our database. Please submit a different Email address!</strong><br />";
        unset($email_address);
    }
    if($username_check > 0){
        echo "The username you have selected has already been used by another member
          in our database. Please choose a different Username!<br />";
        unset($username);
    }
    include 'join_form.html'; // Show the form again!
    exit();  // exit the script so that we do not create this account!
}

$db_password = md5($password);

// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users (first_name, last_name,
        email_address, username, password, info, signup_date, gsm, tel, web)
        VALUES('$first_name', '$last_name', '$email_address',
        '$username', '$db_password', '$info2', now(), '$gsm', '$tel', '$web')")
        or die (mysql_error());

if(!$sql){
    echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
    echo 'Success!';
}

?> [/code]

I made some modifications to a register script from the net, adding some security.
I think the function trashinput will be fine to use on the login too...

add mysql_real_escape_string()

[code]function trashinput($input) {
  $input = strip_tags($input);
  $input = stripslashes($input);
  $input = str_replace("=","",$input);
  $input = str_replace(" ","",$input);
  $input = str_replace("''","",$input);
  $input = str_replace("'","",$input);
  $input = str_replace("%20","",$input);
  $input = mysql_real_escape_string($input); // escape for the open MySQL connection
  return $input;                             // return the value so the callers get it
}[/code]

it gets rid of these characters: \x00, \n, \r, \, ', " and \x1a

Liam

Just a note.. it doesn't get rid, it escapes them so that MySQL uses them as literals, rather than special characters.

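As an added example, not code from the original post or from either reply, here is the same registration insert written with PDO prepared statements, which removes the need for both the blacklist stripping in trashinput() and the mysql_real_escape_string() call: the values are bound separately from the SQL text, so quotes, spaces and equals signs in a name are stored as data rather than read as SQL. The first part runs the posted trashinput() over a few constructed sample values to show what it does to legitimate input. The table and column names follow the original script; the DSN, credentials, and the whitelist rules in register_user() are assumptions for illustration.

```php
<?php
// Added example: prepared-statement version of the registration INSERT.
// Table/column names follow the original script; DSN, credentials and the
// validation rules below are assumptions, not the original author's code.
declare(strict_types=1);

// The posted trashinput(), with the missing return added, to show what a
// character blacklist does to ordinary input.
function trashinput(string $input): string {
    $input = strip_tags($input);
    $input = stripslashes($input);
    return str_replace(['=', ' ', "''", "'", '%20'], '', $input);
}

// Constructed sample values: every one of them is mangled, none is malicious.
$samples = [
    "O'Brien",            // apostrophe removed  -> "OBrien"
    "Jean Luc",           // space removed       -> "JeanLuc"
    "pass=word 1",        // '=' and ' ' removed -> "password1"
    "<b>bold</b> text",   // tags, then space    -> "boldtext"
];
foreach ($samples as $s) {
    printf("%-20s -> %s\n", $s, trashinput($s));
}

// Hardened insert: validate the shape of each field, hash the password,
// and bind the values instead of splicing them into the query string.
function register_user(PDO $db, array $in): bool {
    // Whitelist validation replaces character stripping.
    if (!preg_match('/^[A-Za-z0-9_.-]{4,32}$/', $in['username'] ?? '')) {
        throw new InvalidArgumentException('bad username');
    }
    if (filter_var($in['email_address'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('bad email address');
    }
    if (strlen($in['password'] ?? '') < 8) {
        throw new InvalidArgumentException('password too short');
    }
    foreach (['gsm', 'tel'] as $f) {
        $v = $in[$f] ?? '';
        if ($v !== '' && !preg_match('/^[0-9]{4,20}$/', $v)) {
            throw new InvalidArgumentException("bad $f");
        }
    }

    // Names keep their apostrophes and spaces: bound parameters are data, not SQL.
    $stmt = $db->prepare(
        'INSERT INTO users (first_name, last_name, email_address, username,
                            password, info, signup_date, gsm, tel, web)
         VALUES (:first_name, :last_name, :email_address, :username,
                 :password, :info, NOW(), :gsm, :tel, :web)'
    );
    return $stmt->execute([
        ':first_name'    => $in['first_name'] ?? '',
        ':last_name'     => $in['last_name'] ?? '',
        ':email_address' => $in['email_address'],
        ':username'      => $in['username'],
        // password_hash() (PHP >= 5.5) salts and uses bcrypt; a bare md5() does neither.
        ':password'      => password_hash($in['password'], PASSWORD_DEFAULT),
        // Store the raw text; apply htmlspecialchars() when displaying it, not when storing.
        ':info'          => $in['info'] ?? '',
        ':gsm'           => $in['gsm'] ?? '',
        ':tel'           => $in['tel'] ?? '',
        ':web'           => $in['web'] ?? '',
    ]);
}

// Usage with a placeholder DSN and credentials (assumed values):
// $db = new PDO('mysql:host=localhost;dbname=imoti;charset=utf8mb4', 'dbuser', 'dbpass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// register_user($db, array_map('strval', $_POST));
```

With ATTR_EMULATE_PREPARES off, MySQL itself receives the statement and the values separately, so no escaping function is involved at all. The duplicate username and email checks from the original can then be done by putting UNIQUE indexes on those columns and catching the resulting PDOException, which also closes the race between the SELECT and the INSERT.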
I would add trim() as well.
It deletes the following:
\t
\r
\n
and of course a whitespace
(normally used for mail hacking)

trim only gets rid of whitespace at the beginning and end of a string; it won't get rid of them if they are not at the beginning or end of the string.
