Is that secure??

#1 feri_soft

feri_soft
  • Members
  • Advanced Member
  • 147 posts

Posted 28 August 2006 - 04:05 PM



what would you say:
trashinput:
function trashinput($input) {
   $input = strip_tags($input);
   $input = stripslashes($input);
   $input = str_replace("=","",$input);
   $input = str_replace(" ","",$input);
   $input = str_replace("''","",$input);
   $input = str_replace("'","",$input);
   $input = str_replace("%20","",$input);
   return $input; // without this the function returns NULL and every field is emptied
}
<?
/*
if (!defined("imoti")) {
    die ("Sorry !! You cannot access this file directly.");
}*/
include 'db.php';
include 'funcs.php';

// Define post fields into simple variables
$first_name = $_REQUEST['first_name'];
$last_name = $_REQUEST['last_name'];
$email_address = $_REQUEST['email_address'];
$username = $_REQUEST['username'];
$info = $_REQUEST['info'];
$password = $_REQUEST['password'];
$gsm = $_REQUEST['gsm'];
$tel = $_REQUEST['tel'];
$web = $_REQUEST['web'];

$first_name = trashinput($first_name);
$last_name = trashinput($last_name);
$email_address = trashinput($email_address);
$username = trashinput($username);
$info = trashinput($info);
$password = trashinput($password);
$gsm = trashinput($gsm);
$tel = trashinput($tel);
$web = trashinput($web);

if(strlen($username) <4 || strlen($password) < 4)
{
echo "Потребителското име и паролата трябва да са по дълги от 4 реда!"; // Kick us out of PHP
}
/* Do some error checking on the form posted fields */
if (ereg('[^0-9]', $tel)) {
  echo "This contains characters other than just numbers";
}
if (ereg('[^0-9]', $gsm)) {
  echo "This contains characters other than just numbers";
}
if((!$gsm) || (!$tel)){
        echo "trqbva da vyvedete gsm ili telefon<br />";
    }
if((!$password) || (!$first_name) || (!$last_name) || (!$email_address) || (!$username)){
    echo 'You did not submit the following required information! <br />';
	if(!$password){
        echo "parolka<br />";
    }
    if(!$first_name){
        echo "First Name is a required field. Please enter it below.<br />";
    }
    if(!$last_name){
        echo "Last Name is a required field. Please enter it below.<br />";
    }
    if(!$email_address){
        echo "Email Address is a required field. Please enter it below.<br />";
    }
	if(!eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", $email_address)) {
     echo "<p>Not a valid email address</p>\n";
}
    if(!$username){
        echo "Desired Username is a required field. Please enter it below.<br />";
    }
    exit(); // if the error checking has failed, we'll exit the script!
}
    
/* Let's do some checking and ensure that the user's email address or username
 does not exist in the database */
 
 $sql_email_check = mysql_query("SELECT email_address FROM users 
             WHERE email_address='$email_address'");
 $sql_username_check = mysql_query("SELECT username FROM users 
             WHERE username='$username'");
 
 $email_check = mysql_num_rows($sql_email_check);
 $username_check = mysql_num_rows($sql_username_check);
 
 if(($email_check > 0) || ($username_check > 0)){
     echo "Please fix the following errors: <br />";
     if($email_check > 0){
         echo "<strong>Your email address has already been used by another member 
         in our database. Please submit a different Email address!<br />";
         unset($email_address);
     }
     if($username_check > 0){
         echo "The username you have selected has already been used by another member 
          in our database. Please choose a different Username!<br />";
         unset($username);
     }
     include 'join_form.html'; // Show the form again!
     exit();  // exit the script so that we do not create this account!
 }



$db_password = md5($password);

// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users (first_name, last_name, 
        email_address, username, password, info, signup_date, gsm, tel, web)
        VALUES('$first_name', '$last_name', '$email_address', 
        '$username', '$db_password', '$info2', now(), '$gsm', '$tel', '$web')") 
        or die (mysql_error());

if(!$sql){
    echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
    echo 'Success!';
}

?>

I made some modifications to a register script on the net... adding some security.
I think the function trashinput will be fine to use on the login too...

#2 shocker-z

shocker-z
  • Members
  • Advanced Member
  • 864 posts
  • LocationNottingham

Posted 28 August 2006 - 04:34 PM

add mysql_real_escape_string()

function trashinput($input) {
   $input = strip_tags($input);
   $input = stripslashes($input);
   $input = str_replace("=","",$input);
   $input = str_replace(" ","",$input);
   $input = str_replace("''","",$input);
   $input = str_replace("'","",$input);
   $input = str_replace("%20","",$input);
   $input = mysql_real_escape_string($input); // needs an open mysql connection
   return $input;
}

it gets rid of these characters: \x00, \n, \r, \, ', " and \x1a

Liam
www: www.ukchat.ws | irc: irc.ukchat.ws chan: #blufudge

#3 feri_soft

feri_soft
  • Members
  • Advanced Member
  • 147 posts

Posted 29 August 2006 - 01:33 PM

Thank you! ;)

#4 Jenk

Jenk
  • Members
  • Advanced Member
  • 778 posts

Posted 29 August 2006 - 02:46 PM

Just a note.. it doesn't get rid, it escapes them so that MySQL uses them as literals, rather than special characters.
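The thread's suggestions (post #1's trashinput, post #2's mysql_real_escape_string and post #4's note that escaping is not removal) all work on the string that gets pasted into the SQL. The alternative a practitioner would reach for today is to stop building SQL from user strings at all and to validate input rather than strip characters from it. The block below is an added example, not code from the thread or from the original register script; it assumes PHP 7 or later, a PDO connection in $pdo (the DSN and credentials are placeholders) and the "users" table from post #1, with the same field names.

```php
<?php
// Added example: the registration flow from the thread rewritten with
// validation instead of character stripping, a PDO prepared statement
// instead of string interpolation, and password_hash() instead of md5().
// Assumed: PHP >= 7, a PDO handle in $pdo, and the "users" table from the post.

function validate_registration(array $in): array {
    $errors = [];
    $clean  = [];

    // Required text fields: keep the user's own characters (O'Brien, "van der Berg"),
    // only normalise surrounding whitespace. Nothing is deleted from the middle.
    foreach (['first_name', 'last_name', 'username', 'password'] as $field) {
        $value = trim((string)($in[$field] ?? ''));
        if ($value === '') {
            $errors[] = "$field is required.";
        }
        $clean[$field] = $value;
    }

    if (strlen($clean['username']) < 4 || strlen($clean['password']) < 4) {
        $errors[] = 'Username and password must be at least 4 characters long.';
    }
    if (!preg_match('/^[A-Za-z0-9_.-]{4,32}$/', $clean['username'])) {
        $errors[] = 'Username may contain only letters, digits, "_", "." and "-".';
    }

    // filter_var() replaces the hand-written eregi() pattern from the post.
    $email = trim((string)($in['email_address'] ?? ''));
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Not a valid email address.';
    }
    $clean['email_address'] = $email;

    // Phone numbers: digits only, and at least one of the two must be given.
    foreach (['gsm', 'tel'] as $field) {
        $value = trim((string)($in[$field] ?? ''));
        if ($value !== '' && !preg_match('/^[0-9]{3,20}$/', $value)) {
            $errors[] = "$field may contain only digits.";
        }
        $clean[$field] = $value;
    }
    if ($clean['gsm'] === '' && $clean['tel'] === '') {
        $errors[] = 'You must enter a mobile or a landline number.';
    }

    // Free text is stored as entered; HTML escaping belongs at output time.
    $clean['info'] = trim((string)($in['info'] ?? ''));
    $web = trim((string)($in['web'] ?? ''));
    if ($web !== '' && filter_var($web, FILTER_VALIDATE_URL) === false) {
        $errors[] = 'Not a valid web address.';
    }
    $clean['web'] = $web;

    return [$clean, $errors];
}

function register_user(PDO $pdo, array $clean): bool {
    // Uniqueness check as one parameterised query: values never touch the SQL text.
    $check = $pdo->prepare(
        'SELECT 1 FROM users WHERE email_address = ? OR username = ?'
    );
    $check->execute([$clean['email_address'], $clean['username']]);
    if ($check->fetch() !== false) {
        return false; // caller reports "already taken"
    }

    $insert = $pdo->prepare(
        'INSERT INTO users (first_name, last_name, email_address, username, password,
                            info, signup_date, gsm, tel, web)
         VALUES (:first_name, :last_name, :email_address, :username, :password,
                 :info, NOW(), :gsm, :tel, :web)'
    );
    return $insert->execute([
        ':first_name'    => $clean['first_name'],
        ':last_name'     => $clean['last_name'],
        ':email_address' => $clean['email_address'],
        ':username'      => $clean['username'],
        ':password'      => password_hash($clean['password'], PASSWORD_DEFAULT),
        ':info'          => $clean['info'],
        ':gsm'           => $clean['gsm'],
        ':tel'           => $clean['tel'],
        ':web'           => $clean['web'],
    ]);
}

// Usage (DSN and credentials are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// [$clean, $errors] = validate_registration($_POST);
// if ($errors) { foreach ($errors as $e) { echo htmlspecialchars($e), "<br />"; } exit; }
// echo register_user($pdo, $clean) ? 'Success!' : 'Email address or username already taken.';
```

Two design points. First, the SELECT-then-INSERT check still has a window between the two statements, so the real guarantee of uniqueness is a UNIQUE index on email_address and username; the check only gives a friendlier message. Second, the original script's str_replace(" ", "") and the quote removal silently corrupt legitimate names; with a prepared statement there is no need to remove anything, and what the user typed is what gets stored.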

#5 onlyican

onlyican
  • Members
  • Advanced Member
  • 921 posts
  • LocationHants - UK

Posted 29 August 2006 - 02:49 PM

I would add trim(); as well
this deletes the following
\t
\r
\n
and of course a whitespace
(Normally used for Mail Hacking)
Tell me the problem, I will try tell you the solution

#6 wildteen88

wildteen88
  • Staff Alumni
  • Advanced Member
  • 10,482 posts
  • LocationUK, Bournemouth

Posted 29 August 2006 - 02:52 PM

trim only gets rid of whitespace at the beginning and end of a string, it won't get rid of them if they are not at the beginning or end of the string.
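Posts #5 and #6 between them make the point that matters for the "mail hacking" case: trim() only touches the ends of a string, so a line break in the middle of an address field survives it and can end up in a mail header. The block below is an added example, not code from the thread; the sample inputs are constructed and the function names are my own. It shows what trim() leaves behind and a check that rejects any address containing CR or LF before it is used in a header.

```php
<?php
// Added example (not from the thread): trim() versus an explicit CR/LF check
// on an address field. Sample inputs are constructed for the demonstration.

// trim() strips only leading/trailing " \t\n\r\0\x0B"; inner line breaks remain.
function describe_trim(string $s): array {
    $t = trim($s);
    return [
        'trimmed'           => $t,
        'has_inner_newline' => (bool)preg_match('/[\r\n]/', $t),
    ];
}

// Return the address if it is safe to place in a mail header, false otherwise.
// filter_var() with FILTER_VALIDATE_EMAIL already rejects line breaks; the
// explicit check comes first so the failure reason is unambiguous.
function mail_header_address(string $input) {
    $addr = trim($input);
    if (preg_match('/[\r\n]/', $addr)) {
        return false; // a line break is never part of an address
    }
    if (filter_var($addr, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    return $addr;
}

$samples = [
    "  user@example.com\r\n",                 // whitespace at the ends only: trim() is enough
    "user@example.com\r\nX-Injected: header", // CRLF in the middle: trim() leaves it in place
];
foreach ($samples as $s) {
    var_dump(describe_trim($s));
    var_dump(mail_header_address($s)); // string for the first, bool(false) for the second
}
```

For the first sample trim() removes the surrounding whitespace and the address is accepted; for the second, describe_trim() reports has_inner_newline => true and mail_header_address() returns false. That is the whole difference between trimming and validating: trim() is a convenience for tidy input, while the decision to reject must be made on what is left after it.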
