
Moved Site to Dreamhost From Go-Daddy, Regex not working correctly now :(


Chezshire


Hello to one and all,

 

History: I'm a novice (at best) regarding PHP. Recently I moved my site from GoDaddy to Dreamhost's servers and now when someone tries to register on our forum, they usually error out. I believe that this is due to a 'regex' expression issue. Specifically, the problem surfaces when the user submits a mix of single and double quotes. I think that the single and double quotes are being registered as code? (Am I saying/describing that correctly?) I'm hoping that I can get some help sorting this problem out - I'm very very confused and very very beyond my abilities to resolve this (thank you very very much for any and all help).

 

TEST MESSAGE/SAMPLE DATA/DATA SUBMITTED:

'test' "test" test's 

 

 

RESULTING ERROR MESSAGE (PHP Error Produced):

 

Error!

There was an error updating the Player database and your changes may not have been made. Provide the following information to the system administator:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'test" test's", "", "", "", "1", "", "test", "", "", "", "", "true", "", "", "", ' at line 1 (1064)

INSERT INTO login (username, password, moderated, name, email, emailprivate, aimprivate, yahooprivate, icqprivate, gtalkprivate, web, city, state, country, comments, sampleLDB, fcRequestLDB, historyLDB, charCount, moderator, aim, gTalk, yahoo, icq, approved, confirmTerms, charApprove, charEdit, charCountApprove, charRemove, memApprove, memAway, memBan, memEdit, memRemove, okCountdown, okDate, okTime, okWeather, postApprove, postEdit, postRemove, postSuspend , lastmodified, dateadded) VALUES("Test02", "dd", "", "Test01", "test02@test.com", "", "", "", "", "", "", "", "", "US", "'test' "test" test's", "", "", "", "1", "", "test", "", "", "", "", "true", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", NOW(), NOW())

 

 

 

EXPECTED RESULT:

 

Profile Submitted Successfully!

Your member profile has been submitted! Once it's approved by a moderator, you will have access to the the site. Click here to return to the main xaviers-children page.

 

 

MY CODE:

// ================ IF THEY SUBMITTED THE CHANGES, MAKE THEM!

$patterns = array ("/([^\n\r\f])[\n\r\f]+([^\n\r\f])/");
$replace = array ("\\1\n\\2");

$allFields = array_merge($fields, $fields_extra);

FOREACH ($allFields as $thisField) {
$THISFIELD = strtoupper($thisField);

if (isset($_POST[$THISFIELD])) { ${$THISFIELD} = $_POST[$THISFIELD]; } else { ${$THISFIELD} = ""; }
${$THISFIELD} = preg_replace ($patterns, $replace, ${$THISFIELD});
} // end FOREACH

if (!$id) {

if ($PASSWORD != $PASSWORD2 || !$PASSWORD) { $errorText="You must choose a password and you must enter it twice for accuracy. Please go back and submit the form again."; }

if (preg_match("/[ \(\)\+\.]/",$AIM) || preg_match("/[ \(\)\+\.]/",$GTALK) || preg_match("/[ \(\)\+\.]/",$YAHOO)) { $errorText="Please only put the screen name in the AIM, Google Talk and Yahoo fields, no comments or special characters."; }

$existTest = readDatabase("SELECT * FROM login WHERE username=\"$USERNAME\" || email = \"$EMAIL\"",$db);

if ($existTest["email"] == $EMAIL) { $errorText = "That email address is already in use, and there's only one account allowed per person!<br />Please go back and submit the form again after making changes."; }

if ($existTest["username"] == $USERNAME) { $errorText = "That username is already in use. You'll have to choose a different one, I'm afraid!<br />Please go back and submit the form again after making changes."; }

} // end if no ID

if (!$USERNAME) { //if they didn't a name for their profile...
$errorText="You must choose a username for this profile.<br />Please go back and submit the form again after making changes.";
} // end if no NAME

 

 

I apologize if I've given too large a code sample of the file, but I'm not sure what is necessary and am trying to provide all necessary detail in hopes of getting an answer that will help me to resolve my problem. I'm hoping that it's just a matter of placing a new pattern into $patterns = array ("/([^\n\r\f])[\n\r\f]+([^\n\r\f])/"); on line #88 (I don't really understand any of this, I'm just the joe-idiot trying to fix/resolve it).

 

Thank you one and all for any help

thank you thank you thank you.

 

-Chez the novice

 


The error message indicates the problem is with the INSERT statement that (apparently) puts the user's information into the database.  That specific message tells me that the values input by the user were not sanitized properly.  The first double-quote mark in the input string caused a problem.  So, I don't think the RegExp failed, but I'm not a RegExpert.

 

Find the code that is building your INSERT statement - according to the error message it starts out as "INSERT INTO login (username, password, moderated," - you need to sanitize the user's input before putting it into the query.  Use mysql_real_escape_string() for MySQL databases; other similar functions exist for other databases.  If you need help, post the code and we'll take a look.

 

In the code you posted, we would need to add that function (assuming you are using MySQL) in the SELECT statement as well:

// CHANGE THIS STATEMENT
$existTest = readDatabase("SELECT * FROM login WHERE username=\"$USERNAME\" || email = \"$EMAIL\"",$db);

// TO THIS
$existTest = readDatabase("SELECT * FROM login WHERE username=\"" . 
    mysql_real_escape_string($USERNAME) . "\" || email = \"" .
    mysql_real_escape_string($EMAIL) . "\"",$db);

// OR THIS (same thing but using single-quotes inside the string so it's prettier)
$existTest = readDatabase("SELECT * FROM login WHERE username='" . 
    mysql_real_escape_string($USERNAME) . "' || email = '" .
    mysql_real_escape_string($EMAIL) . "'",$db);

// OR THIS (same thing but using sprintf so it's easier to read)
$existTest = readDatabase(sprintf("SELECT * FROM login WHERE username='%s' || email = '%s'",
    mysql_real_escape_string($USERNAME), mysql_real_escape_string($EMAIL)) ,$db);

 

You need to do this in ALL user supplied data that is put into ANY SQL statement.

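The same duplicate check and INSERT written with PDO prepared statements, as an added example that is not part of the original posts: values are bound to placeholders instead of being escaped and concatenated into the query (the `mysql_*` functions were removed in PHP 7). The in-memory SQLite database, the reduced `login` table and the `registerPlayer()` helper are assumptions made so the script runs on its own.

```php
<?php
// Assumption: an in-memory SQLite database stands in for the MySQL server so
// the script runs offline; against MySQL only the PDO DSN/credentials change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Reduced, constructed version of the `login` table named in the error message.
$db->exec('CREATE TABLE login (username TEXT PRIMARY KEY, email TEXT NOT NULL,
    comments TEXT, dateadded TEXT)');

// Hypothetical helper: returns an error string, or null once the row is stored.
function registerPlayer(PDO $db, array $post): ?string
{
    // Placeholders keep the submitted values out of the SQL text entirely, so
    // a quote character in the input cannot end a string literal early.
    $exists = $db->prepare(
        'SELECT username, email FROM login WHERE username = ? OR email = ?'
    );
    $exists->execute([$post['USERNAME'], $post['EMAIL']]);
    if ($row = $exists->fetch(PDO::FETCH_ASSOC)) {
        return $row['email'] === $post['EMAIL']
            ? 'That email address is already in use.'
            : 'That username is already in use.';
    }

    $insert = $db->prepare(
        'INSERT INTO login (username, email, comments, dateadded)
         VALUES (:username, :email, :comments, :added)'
    );
    $insert->execute([
        ':username' => $post['USERNAME'],
        ':email'    => $post['EMAIL'],
        ':comments' => $post['COMMENTS'],
        ':added'    => date('Y-m-d H:i:s'), // bound value in place of NOW()
    ]);
    return null;
}

// Constructed form submission using the test data from the first post.
$post = ['USERNAME' => 'Test02', 'EMAIL' => 'test02@test.com',
         'COMMENTS' => '\'test\' "test" test\'s'];

var_dump(registerPlayer($db, $post)); // first submission: row is inserted
var_dump(registerPlayer($db, $post)); // repeat submission: duplicate check fires
echo $db->query('SELECT comments FROM login')->fetchColumn(), "\n";
```

The stored `comments` value comes back with both kinds of quotes intact, with no escaping step in the application code.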
