iStriide Posted August 9, 2011 I'm wondering what are the best functions for a registering form where people just don't put random things into your database as a username like: <html> tags, symbols (@#$%^&*{}[]|\~`?/+), and SQL injection. And can't you put all of these together on the $_POST variable for super protection? These are the ones I know from the top of my head:

<?php
// stripslashes() (no underscore) removes backslashes; strip_tags() removes HTML tags
$variable = stripslashes(strip_tags($_POST['random']));
if (!$variable) {
    echo "Fill in the blanks yo.";
} else {
    mysql_query("INSERT INTO table SET Username = '" . mysql_real_escape_string($variable) . "'") or trigger_error(mysql_error());
    header("Location: youcanfinallyloginbecauseyoursmartandfilledinthetextboxyo.php");
}
?>

That's about all the security I know, and md5'ing the password, but I didn't feel like doing that.
iStriide (Author) Posted August 9, 2011 I know that you guys know that I know that you know more security functions for a registration script.
KevinM1 Posted August 9, 2011 First, you should address form validation. You likely don't want to even accept special characters, and what if someone tries sending the wrong kind of data (say, string data for a field you're anticipating numerical data for)? Stop the barbarians at the gate, and validate all incoming input. The most robust/customizable way to do this is to use regular expressions. Some links: preg_match, http://www.regular-expressions.info/

There will be times when you'll want to allow others to supply input with HTML tags (like, say, a forum like this where people post code). To do that, run htmlspecialchars or htmlentities on the data before you output it to the screen (and not when you store it in your db). This will help combat XSS attacks.

For SQL injection protection, keep using mysql_real_escape_string on string data. A better, if more complex, alternative is to use either mysqli or PDO for your database needs. They have prepared statements, which automatically escape all data being injected into those queries.
Psycho Posted August 9, 2011 To add to Nightslyr's comments, in your first post you made the statement "where people just don't put random things into your database as a username like: <html> tags, symbols (@#$%^&*{}[]|\~`?/+), ..."

There is no technical limitation to allowing such characters in a username. In fact, if you search the member list on this site you will see plenty of people with such characters in their usernames. As long as you are properly validating/escaping the data there is no risk. Whether you allow the characters or don't allow the characters, you still have to create code to handle either situation. So, it is really only a matter of whether you feel it is appropriate for users to have usernames with such characters. Your two options are:

1) Don't allow those characters, which means you need to generate code to either strip those characters out or reject the form submission when they do. Stripping out characters without the user's knowledge is typically a bad idea. But, even then you will want to escape the data before running it in a query.

2) Allow those characters. In that case you only need to escape the data.

Of course, that only applies to string data. If any input is meant for numerical data you need to handle that by validating/enforcing int or float type values.
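As an added example (not code from the thread), here is the registration flow the replies above describe put together: whitelist validation of the username with preg_match (rejecting rather than silently stripping), integer enforcement for a numeric field, a PDO prepared statement for the insert, and htmlspecialchars applied at output time rather than at storage time. The table and column names, the DSN and credentials, and the posted field names are assumptions; it needs PHP 7.1+ for the nullable return types.

```php
<?php
// Added example, not from the thread. Assumptions: a PDO connection to a MySQL
// database with a table `users` (columns `username`, `age`); the form posts
// fields `username` and `age`.
// 1) Validate: whitelist the username shape with a regex instead of stripping
//    characters silently. Returns null when the input is rejected.
function validateUsername($raw): ?string
{
    if (!is_string($raw)) {
        return null;                      // wrong type (e.g. an array was posted)
    }
    // 3-20 characters: letters, digits, underscore, dot or hyphen only
    return preg_match('/^[A-Za-z0-9_.-]{3,20}$/', $raw) === 1 ? $raw : null;
}
// 2) Enforce the numeric type rather than trusting a string that "looks" numeric.
function validateAge($raw): ?int
{
    $age = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 13, 'max_range' => 120]]);
    return $age === false ? null : $age;
}
// 3) Store with a prepared statement; the driver sends the values separately
//    from the SQL text, so no manual escaping is involved.
function insertUser(PDO $db, string $username, int $age): void
{
    $stmt = $db->prepare('INSERT INTO users (username, age) VALUES (:u, :a)');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->bindValue(':a', $age, PDO::PARAM_INT);
    $stmt->execute();
}
// 4) Escape on output, not on storage, so the stored value stays intact.
function renderUsername(string $username): string
{
    return htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
$username = validateUsername($_POST['username'] ?? '');
$age      = validateAge($_POST['age'] ?? '');
if ($username === null || $age === null) {
    http_response_code(400);
    echo 'Username must be 3-20 letters, digits, _ . or -, and age must be a whole number.';
    exit;
}
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
insertUser($db, $username, $age);
echo 'Welcome, ' . renderUsername($username);
```

With ATTR_EMULATE_PREPARES off, the statement text and the bound values reach MySQL as separate protocol messages, which is what makes the mysql_real_escape_string call in the first post unnecessary here.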