Jump to content

Is this code secure or could it be made more secure?

jasonc

By jasonc
in PHP Coding Help

 Share

Recommended Posts

lead2gold Member

lead2gold

Posted
Posted
[!--quoteo(post=372993:date=May 10 2006, 01:37 PM:name=jasonc)--][div class=\'quotetop\']QUOTE(jasonc @ May 10 2006, 01:37 PM) [snapback]372993[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Is this code secure or could it be made more secure?

please advise.

thanks
if ($email != "") {
$res = @mysql_query("select * from members where email='$email' LIMIT 1");
if (@mysql_num_rows($res) == 1) {
$exists = "yes";
} else {
$exists = "no";
}
[/quote]


Unfortuantly thats not very secure at all.
This would be a bit safer for all your inserts.

[code]
$res = @mysql_query("select * from members where email=',mysql_real_escape_string($email),"' LIMIT 1");
    if (@mysql_num_rows($res) == 1) {
    $exists = "yes";
    } else {
    $exists = "no";
        }
[/code]
yonta Newbie

yonta

Posted
Posted
You could use this function for every value that goes in a mysql query:

[code]function prevent_mysql_injection($value){

if (get_magic_quotes_gpc()) { stripslashes($value);}
if (!is_numeric($value)) { mysql_real_escape_string($value);    

}
[/code]
Found it somewhere in php.net.

Sofia
lead2gold Member

lead2gold

Posted
Posted
[!--quoteo(post=373074:date=May 10 2006, 04:01 PM:name=jasonc)--][div class=\'quotetop\']QUOTE(jasonc @ May 10 2006, 04:01 PM) [snapback]373074[/snapback][/div][div class=\'quotemain\'][!--quotec--]
would this work?

$safeemail=mysql_real_escape_string($email);
$safemembername=mysql_real_escape_string($membername);
thanks
[/quote]

sure you can do it that way...
putting it in a function like the previous person suggested is even better.
jasonc Advanced Member

jasonc

Posted
  • Author
Posted
<?
$email = "abc@def.ghi";
$safeemail = mysql_real_escape_string($email);
echo('.'.$safeemail.'.');
?>

i get the following

..

meaning that it does not store the email, what exactly does this command do?

how do i catch weather the email is invalid or if the text in the membersname variable is only letters upper or lower case. and if it is not i can tell them to correct it before it is sent to the database.

thanks





[!--quoteo(post=373078:date=May 10 2006, 09:21 PM:name=lead2gold)--][div class=\'quotetop\']QUOTE(lead2gold @ May 10 2006, 09:21 PM) [snapback]373078[/snapback][/div][div class=\'quotemain\'][!--quotec--]
sure you can do it that way...
putting it in a function like the previous person suggested is even better.
[/quote]
gizmola Prolific Member

gizmola

Posted
Posted
[!--quoteo(post=373120:date=May 10 2006, 03:34 PM:name=jasonc)--][div class=\'quotetop\']QUOTE(jasonc @ May 10 2006, 03:34 PM) [snapback]373120[/snapback][/div][div class=\'quotemain\'][!--quotec--]
<?
$email = "abc@def.ghi";
$safeemail = mysql_real_escape_string($email);
echo('.'.$safeemail.'.');
?>

i get the following

..

meaning that it does not store the email, what exactly does this command do?

how do i catch weather the email is invalid or if the text in the membersname variable is only letters upper or lower case. and if it is not i can tell them to correct it before it is sent to the database.

thanks
[/quote]

Pretty much just what the manual page says it does... escapes a variety of characters. This is a *smart* function in that it is integrated into the mysql API so that it can be intelligent about the mysql character set being used.

So in your example. you are missing a mysql database connection handle. The handle is an implied 2nd param, that you can specify. Either way you need a mysql database connection in your script to really see what the function does.
jasonc Advanced Member

jasonc

Posted
  • Author
Posted
[!--quoteo(post=373155:date=May 11 2006, 03:16 AM:name=gizmola)--][div class=\'quotetop\']QUOTE(gizmola @ May 11 2006, 03:16 AM) [snapback]373155[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Pretty much just what the manual page says it does... escapes a variety of characters.
[/quote]

i have read the manual!! i know it escapes some characters with slashes but it does not seem to show that in the results.

i take it that because it only does this when the server gets the command?



what i would like to be able to stop is, if the visitor trys to inject the DB, i will know about it and inform the visitor that the data supplied in the fields is invalid. so if they type in the new members email field or the password field, or in the login fields something that could be dangerous to the DB i can tell them it is not a valid email or it is an invalid login name or members name or phone number.

i have found a function for the email.

$email = trim($_POST[email]);
if($email != "" && !eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", $email)) {
echo("invalid email<br><br><br><br>");//Not a valid email address
exit;
}


what i am after is one of these functions for each field, the name and phonenumber,

would the following be correct?


$membersname = trim($_POST[membersname ]);
if($membersname != "" && !eregi("^[[:alnum:]][a-z]{5,20}$", $membersname )) {
echo("invalid membersname <br><br><br><br>");//Not a valid membersname address
exit;
}


$phonenumber = trim($_POST[phonenumber ]);
if($phonenumber != "" && !eregi("^[[:alnum:]][0-9_.-]{5,20}$", $phonenumber )) {
echo("invalid phonenumber <br><br><br><br>");//Not a valid phonenumber address
exit;
}
jasonc Advanced Member

jasonc

Posted
  • Author
Posted
no!

just tried it, and also tried....

$phonenumber = "897697689679";

$phonenumber = trim($_POST[phonenumber ]);
if(!eregi("^[0-9]{5,20}$", $phonenumber )) {
echo("invalid phonenumber <br><br><br><br>");//Not a valid phonenumber address
} else {
echo("ok");
}


still says not valid

seen php.net/ieregi and looked how to form the function but still none the wiser!!

what is the correct method to check if the var is only number or only letters and be able to inform the visitor if it is incorrect.

thanks

jasonc Advanced Member

jasonc

Posted
  • Author
Posted
ok messing around still and now finally i have something that seems to work but is it secure?
have i formed the functions correctly?

thanks again.


<?
$membersname = "joe bloggs";
if(!eregi("^[[:alpha:][:space:]]{5,20}$", $membersname )) {
echo("invalid membersname <br><br><br><br>");//Not a valid membersname address
} else {
echo("ok");
}

$phonenumber = "4545 454";
if(!eregi("^[[:space:]0-9]{5,20}$", $phonenumber )) {
echo("invalid phonenumber <br><br><br><br>");//Not a valid phonenumber address
} else {
echo("ok");
}
?>
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.