I'm wondering what the best functions are for a registration form, so that people just don't put random things into your database as a username, like: <html> tags, symbols(@#$%^&*{}[]|\~`?/+), and SQL injection. And can't you put all of these together on the $_POST variable for super protection?

These are the ones I know from the top of my head:

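<?php
// Strip slashes and HTML tags from the submitted value
$variable = stripslashes(strip_tags($_POST['random']));

if(!$variable){
    echo "Fill in the blanks yo.";
}else{
    // Escape the value before placing it in the query string
    mysql_query("INSERT INTO `table` SET Username = '".mysql_real_escape_string($variable)."'") or trigger_error(mysql_error());
    header("Location: youcanfinallyloginbecauseyoursmartandfilledinthetextboxyo.php");
    exit; // stop the script once the redirect header is sent
}
?>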

That's about all the security I know, and md5'ing the password but didn't feel like doing that. ;D

First, you should address form validation. You likely don't want to even accept special characters, and what if someone tries sending the wrong kind of data (say, string data for a field you're anticipating numerical data for)? Stop the barbarians at the gate, and validate all incoming input. The most robust/customizable way to do this is to use regular expressions. Some links:

preg_match

http://www.regular-expressions.info/

 

There will be times when you'll want to allow others to supply input with HTML tags (like, say, a forum like this where people post code). To do that, run htmlspecialchars or htmlentities on the data before you output it to the screen (and not when you store it in your db). This will help combat XSS attacks.

For SQL injection protection, keep using mysql_real_escape_string on string data. A better, if more complex, alternative is to use either mysqli or PDO for your database needs. They have prepared statements, which automatically escape all data being injected into those queries.

To add to Nightslyr's comments, in your first post you made the statement

"where people just don't put random things into your database as a username like: <html> tags, symbols(@#$%^&*{}[]|\~`?/+),..."

There is no technical limitation to allowing such characters in a username. In fact, if you search the member list on this site you will see plenty of people with such characters in their usernames. As long as you are properly validating/escaping the data there is no risk. No matter if you allow the characters or don't allow the characters you still have to create code to handle either situation. So, it is really only a matter as to whether you feel it is appropriate for users to have usernames with such characters. Your two options are

 

1) Don't allow those characters, which means you need to generate code to either strip those characters out or reject the form submission when they do. Stripping out characters without the user's knowledge is typically a bad idea. But, even then you will want to escape the data before running it in a query.

 

2) Allow those characters. In that case you only need to escape the data.

 

Of course, that only applies to string data. If any input is meant for numerical data you need to handle that by validating/enforcing int or float type values.
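The three measures discussed in the replies above (allowlist validation with preg_match, a PDO prepared statement, and htmlspecialchars at output time), put together as an added example that is not code from any poster in this thread. The function names, the `users` table, the 3-20 character username policy and the in-memory SQLite database (requires the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Option 1 from the thread: reject (never silently strip) input outside the policy.
// The 3-20 character allowlist is an assumption for this example.
function validate_username(string $raw): ?string
{
    $name = trim($raw);
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $name) === 1 ? $name : null;
}

// Prepared statement: the value is bound as data and never spliced into the SQL text.
function register_user(PDO $db, string $name): void
{
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:username)');
    $stmt->execute([':username' => $name]);
}

// Escape when writing into HTML, not when storing.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// In-memory SQLite stands in for the real database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL)');

// Constructed sample submissions, standing in for $_POST['random'].
$samples = ['alice_01', '<b>bob</b>', "x' OR '1'='1", 'ab', ''];

foreach ($samples as $raw) {
    $name = validate_username($raw);
    if ($name === null) {
        echo 'Rejected: ', h($raw), PHP_EOL;
        continue;
    }
    register_user($db, $name);
    echo 'Registered: ', h($name), PHP_EOL;
}

// Option 2 from the thread: allow the characters; binding alone keeps the query intact.
register_user($db, "x' OR '1'='1");
foreach ($db->query('SELECT username FROM users') as $row) {
    echo 'Stored: ', h($row['username']), PHP_EOL;
}
```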
