feri_soft Posted August 28, 2006
what would you say:
trashinput:
[code]
function trashinput($input) {
    $input = strip_tags($input);        // drop any HTML/PHP tags
    $input = stripslashes($input);      // undo one level of backslash quoting
    $input = str_replace("=", "", $input);
    $input = str_replace(" ", "", $input);
    $input = str_replace("''", "", $input);
    $input = str_replace("'", "", $input);
    $input = str_replace("%20", "", $input);
    return $input;                      // without this the function returned nothing
}
[/code]
[code]
<?php
/*
if (!defined("imoti")) {
    die("Sorry !! You cannot access this file directly.");
}
*/
include 'db.php';
include 'funcs.php';

// Define post fields into simple variables
$first_name    = $_REQUEST['first_name'];
$last_name     = $_REQUEST['last_name'];
$email_address = $_REQUEST['email_address'];
$username      = $_REQUEST['username'];
$info          = $_REQUEST['info'];
$password      = $_REQUEST['password'];
$gsm           = $_REQUEST['gsm'];
$tel           = $_REQUEST['tel'];
$web           = $_REQUEST['web'];

// Run every field through the filter
$first_name    = trashinput($first_name);
$last_name     = trashinput($last_name);
$email_address = trashinput($email_address);
$username      = trashinput($username);
$info          = trashinput($info);
$password      = trashinput($password);
$gsm           = trashinput($gsm);
$tel           = trashinput($tel);
$web           = trashinput($web);

if (strlen($username) < 4 || strlen($password) < 4) {
    echo "The username and password must be longer than 4 characters!";
    exit(); // Kick us out of PHP
}

/* Do some error checking on the form posted fields */
if (ereg('[^0-9]', $tel)) {
    echo "This contains characters other than just numbers";
}
if (ereg('[^0-9]', $gsm)) {
    echo "This contains characters other than just numbers";
}
if ((!$gsm) || (!$tel)) {
    echo "You must enter a GSM or telephone number<br />";
}
if ((!$password) || (!$first_name) || (!$last_name) || (!$email_address) || (!$username)) {
    echo 'You did not submit the following required information! <br />';
    if (!$password) {
        echo "Password<br />";
    }
    if (!$first_name) {
        echo "First Name is a required field. Please enter it below.<br />";
    }
    if (!$last_name) {
        echo "Last Name is a required field. Please enter it below.<br />";
    }
    if (!$email_address) {
        echo "Email Address is a required field. Please enter it below.<br />";
    }
    if (!eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", $email_address)) {
        echo "<p>Not a valid email address</p>\n";
    }
    if (!$username) {
        echo "Desired Username is a required field. Please enter it below.<br />";
    }
    exit(); // if the error checking has failed, we'll exit the script!
}

/* Let's do some checking and ensure that the user's email address or username does not exist in the database */
$sql_email_check    = mysql_query("SELECT email_address FROM users WHERE email_address='$email_address'");
$sql_username_check = mysql_query("SELECT username FROM users WHERE username='$username'");
$email_check    = mysql_num_rows($sql_email_check);
$username_check = mysql_num_rows($sql_username_check);

if (($email_check > 0) || ($username_check > 0)) {
    echo "Please fix the following errors: <br />";
    if ($email_check > 0) {
        echo "<strong>Your email address has already been used by another member in our database. Please submit a different Email address!</strong><br />";
        unset($email_address);
    }
    if ($username_check > 0) {
        echo "The username you have selected has already been used by another member in our database. Please choose a different Username!<br />";
        unset($username);
    }
    include 'join_form.html'; // Show the form again!
    exit();                   // exit the script so that we do not create this account!
}

$db_password = md5($password);

// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO users (first_name, last_name, email_address, username, password, info, signup_date, gsm, tel, web)
                    VALUES ('$first_name', '$last_name', '$email_address', '$username', '$db_password', '$info2', now(), '$gsm', '$tel', '$web')")
       or die(mysql_error());
if (!$sql) {
    echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
    echo 'Success!';
}
?>
[/code]
I made some modifications to a register script from the net, adding some security. I think the function trashinput will be fine to use on the login too...
Link to comment: https://forums.phpfreaks.com/topic/18909-is-that-secure/
shocker-z Posted August 28, 2006
add mysql_real_escape_string()
[code]
function trashinput($input) {
    $input = strip_tags($input);
    $input = stripslashes($input);
    $input = str_replace("=", "", $input);
    $input = str_replace(" ", "", $input);
    $input = str_replace("''", "", $input);
    $input = str_replace("'", "", $input);
    $input = str_replace("%20", "", $input);
    $input = mysql_real_escape_string($input); // needs an open MySQL connection
    return $input;                             // the posted version returned nothing
}
[/code]
it gets rid of these characters: \x00, \n, \r, \, ', " and \x1a
Liam
feri_soft (Author) Posted August 29, 2006
Thank you! ;)
Jenk Posted August 29, 2006
Just a note: it doesn't get rid of them, it escapes them so that MySQL treats them as literals rather than as special characters.
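As an added example for this thread (not code from any of the posters), the three approaches discussed above side by side in PHP: the posted trashinput() filter with its missing return added, which deletes bytes; an illustrative re-implementation of the byte mapping that mysql_real_escape_string() applies to the seven characters Liam listed, which keeps every byte and puts a backslash in front of it so MySQL reads the value back unchanged (Jenk's point); and the same duplicate-username check and INSERT done with bound parameters, where the input never becomes part of the SQL text at all. Assumptions: escape_like_mysql() is a single-byte-charset illustration only, since the real function is charset-aware and must be called on a live connection (and the mysql extension was removed in PHP 7, so mysqli_real_escape_string() or PDO::quote() is what you would call today); the in-memory SQLite database, the cut-down users table, the sample values and the use of password_hash() in place of the script's md5() are all choices made for the demonstration.

```php
<?php
// Added example for the thread, not code from any poster.
// Contrasts character stripping, escaping, and bound parameters.

// The posted filter with the missing `return` added. It deletes bytes,
// so a legitimate value like "O'Brien" loses its apostrophe.
function trashinput($input) {
    $input = strip_tags($input);
    $input = stripslashes($input);
    foreach (['=', ' ', "''", "'", '%20'] as $needle) {
        $input = str_replace($needle, '', $input);
    }
    return $input;
}

// Illustrative port of the byte mapping mysql_real_escape_string() applies.
// Assumption: single-byte charset. The real function is charset-aware and
// needs an open connection; use it (or PDO::quote) for real code.
// strtr() replaces each source byte once, so the added backslashes are
// never themselves re-escaped.
function escape_like_mysql($input) {
    return strtr($input, [
        "\x00" => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\Z',
    ]);
}

// The duplicate-username query built the way the posted script builds it,
// so the effect of each filter on the SQL text is visible.
function build_query_unsafe($username) {
    return "SELECT username FROM users WHERE username='" . $username . "'";
}

$name = "O'Brien";                                       // constructed sample input
echo build_query_unsafe(trashinput($name)), "\n";        // apostrophe deleted: data changed
echo build_query_unsafe(escape_like_mysql($name)), "\n"; // apostrophe escaped: data kept

// Bound parameters: the value travels separately from the statement, so no
// escaping is needed and no input can change the query's structure.
// Assumptions: in-memory SQLite stands in for MySQL; the table is a cut-down
// version of the thread's `users`; md5() is replaced by password_hash().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT UNIQUE NOT NULL, last_name TEXT, password TEXT)');

function register(PDO $pdo, $username, $last_name, $password) {
    $stmt = $pdo->prepare('INSERT INTO users (username, last_name, password) VALUES (?, ?, ?)');
    $stmt->execute([$username, $last_name, password_hash($password, PASSWORD_DEFAULT)]);
}

function username_taken(PDO $pdo, $username) {
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return (int) $stmt->fetchColumn() > 0;
}

register($pdo, 'feri', $name, 'correct horse battery staple');
var_dump(username_taken($pdo, 'feri'));          // the registered user is found
var_dump(username_taken($pdo, "x' OR '1'='1"));  // the payload is compared as a plain, unused name
```

The first two echo lines show the practical difference between the posted filter and escaping: stripping silently changes what gets stored, while escaping stores exactly what the user typed. The PDO part is the form a practitioner would use today; with bound parameters the escaping happens inside the driver for whatever charset the connection uses, which is the part that is easy to get wrong by hand.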
onlyican Posted August 29, 2006
I would add trim() as well. This deletes the following: \t, \r, \n and of course whitespace (normally used for mail hacking).
wildteen88 Posted August 29, 2006
trim only gets rid of whitespace at the beginning and end of a string; it won't get rid of it if it is not at the beginning or end of the string.