Is this code secure or could it be made more secure?


9 replies to this topic

#1 jasonc (Members, Advanced Member, 841 posts)

Posted 10 May 2006 - 05:37 PM

Is this code secure or could it be made more secure?

please advise.

thanks



if ($email != "") {
    // $email is interpolated, unescaped, straight into the SQL text
    $res = @mysql_query("select * from members where email='$email' LIMIT 1");
    if (@mysql_num_rows($res) == 1) {
        $exists = "yes";
    } else {
        $exists = "no";
    }
}



#2 lead2gold (Members, Advanced Member, 164 posts, Location: Ottawa, On)

Posted 10 May 2006 - 05:43 PM

QUOTE(jasonc @ May 10 2006, 01:37 PM):
> Is this code secure or could it be made more secure?
>
> please advise.
>
> thanks
>
> if ($email != "") {
>     $res = @mysql_query("select * from members where email='$email' LIMIT 1");
>     if (@mysql_num_rows($res) == 1) {
>         $exists = "yes";
>     } else {
>         $exists = "no";
>     }
> }


Unfortunately that's not very secure at all.
This would be a bit safer for all your inserts.

// Escape the value for the current MySQL connection before concatenating it into the query
$res = @mysql_query("select * from members where email='" . mysql_real_escape_string($email) . "' LIMIT 1");
if (@mysql_num_rows($res) == 1) {
    $exists = "yes";
} else {
    $exists = "no";
}
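
The injection lead2gold is warning about, as an added example that is not code from the thread: the same "does this email exist?" check written three ways and run against an in-memory SQLite table through PDO, so it works offline (it assumes the pdo_sqlite extension; the members table, its rows and the probe string are constructed for the demo). The mysql_* extension used in the thread was removed in PHP 7, so PDO::quote() stands in for mysql_real_escape_string(), and a prepared statement is shown as the form that needs no escaping at all.

```php
<?php
// Added example, not code from the thread: the "does this email exist?" check
// written three ways, against an in-memory SQLite database through PDO so it
// runs offline (requires the pdo_sqlite extension). The members table, its two
// rows and the probe string below are constructed for this demo.

function build_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT NOT NULL)");
    $db->exec("INSERT INTO members (email) VALUES ('alice@example.com'), ('bob@example.com')");
    return $db;
}

// 1. The pattern from post #1: the raw value is spliced into the SQL text.
function exists_vulnerable(PDO $db, string $email): bool {
    $sql = "SELECT * FROM members WHERE email='$email' LIMIT 1";
    return count($db->query($sql)->fetchAll()) == 1;
}

// 2. Escaping, as post #2 suggests. PDO::quote() escapes the value and wraps it
//    in quotes for this connection's driver, the role mysql_real_escape_string()
//    played for the old mysql extension. It is only correct when the result is
//    placed where a quoted string literal belongs in the query.
function exists_escaped(PDO $db, string $email): bool {
    $sql = "SELECT * FROM members WHERE email=" . $db->quote($email) . " LIMIT 1";
    return count($db->query($sql)->fetchAll()) == 1;
}

// 3. Prepared statement: the value is sent separately from the SQL text, so no
//    character in it can change the structure of the statement.
function exists_prepared(PDO $db, string $email): bool {
    $stmt = $db->prepare("SELECT 1 FROM members WHERE email = :email LIMIT 1");
    $stmt->execute([':email' => $email]);
    return $stmt->fetchColumn() !== false;
}

$db = build_db();

// Constructed probe: a tautology. It is nobody's email, so the right answer is
// "no", but spliced raw into the query it becomes
//     WHERE email='' OR '1'='1' LIMIT 1
$probe = "' OR '1'='1";

// What the escaping step actually produces. Post #6 printed ".." only because no
// database connection existed for the escaping function to use.
echo "quoted probe: " . $db->quote($probe) . "\n";

foreach (['alice@example.com', 'nobody@example.com', $probe] as $input) {
    printf("%-20s vulnerable=%-5s escaped=%-5s prepared=%s\n",
        $input,
        var_export(exists_vulnerable($db, $input), true),
        var_export(exists_escaped($db, $input), true),
        var_export(exists_prepared($db, $input), true));
}
```

Only the first version answers "yes" for the probe. With this query's LIMIT 1 and the == 1 check, the tautology can do no more than force a "yes"; the same string concatenation in the login and insert queries mentioned later in the thread lets the submitted text rewrite what those statements do.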


#3 yonta (Members, Advanced Member, 70 posts)

Posted 10 May 2006 - 05:53 PM

You could use this function for every value that goes in a mysql query:

function prevent_mysql_injection($value) {
    // Undo the backslashes magic_quotes_gpc adds automatically, so the value is not escaped twice
    if (get_magic_quotes_gpc()) { $value = stripslashes($value); }
    // Escape anything that is not purely numeric for use inside a quoted SQL string
    if (!is_numeric($value)) { $value = mysql_real_escape_string($value); }
    return $value;
}
Found it somewhere on php.net.

Sofia
do it, do it right, do it right now

#4 jasonc (Members, Advanced Member, 841 posts)

Posted 10 May 2006 - 08:01 PM

would this work?

$safeemail=mysql_real_escape_string($email);
$safemembername=mysql_real_escape_string($membername);


thanks



#5 lead2gold (Members, Advanced Member, 164 posts, Location: Ottawa, On)

Posted 10 May 2006 - 08:21 PM

QUOTE(jasonc @ May 10 2006, 04:01 PM):
> would this work?
>
> $safeemail=mysql_real_escape_string($email);
> $safemembername=mysql_real_escape_string($membername);
>
> thanks

Sure, you can do it that way...
Putting it in a function like the previous person suggested is even better.

#6 jasonc (Members, Advanced Member, 841 posts)

Posted 10 May 2006 - 10:34 PM

<?php
// No mysql_connect() call precedes this, so mysql_real_escape_string() has no connection to work with
$email = "abc@def.ghi";
$safeemail = mysql_real_escape_string($email);
echo('.'.$safeemail.'.');
?>

i get the following

..

meaning that it does not store the email. What exactly does this command do?

How do I catch whether the email is invalid, or whether the text in the membersname variable is only letters (upper or lower case)? If it is not, I can tell them to correct it before it is sent to the database.

thanks





QUOTE(lead2gold @ May 10 2006, 09:21 PM):
> sure you can do it that way...
> putting it in a function like the previous person suggested is even better.


#7 gizmola (Administrators, Advanced Member, 4,667 posts, Location: Los Angeles, CA USA)

Posted 11 May 2006 - 02:16 AM

QUOTE(jasonc @ May 10 2006, 03:34 PM):
> <?php
> $email = "abc@def.ghi";
> $safeemail = mysql_real_escape_string($email);
> echo('.'.$safeemail.'.');
> ?>
>
> i get the following
>
> ..
>
> meaning that it does not store the email, what exactly does this command do?
>
> how do i catch weather the email is invalid or if the text in the membersname variable is only letters upper or lower case. and if it is not i can tell them to correct it before it is sent to the database.
>
> thanks

Pretty much just what the manual page says it does... escapes a variety of characters. This is a *smart* function in that it is integrated into the mysql API so that it can be intelligent about the mysql character set being used.

So in your example, you are missing a MySQL database connection handle. The handle is an implied second parameter that you can specify. Either way you need a MySQL database connection in your script to really see what the function does.


#8 jasonc (Members, Advanced Member, 841 posts)

Posted 11 May 2006 - 07:31 AM

QUOTE(gizmola @ May 11 2006, 03:16 AM):
> Pretty much just what the manual page says it does... escapes a variety of characters.

I have read the manual!! I know it escapes some characters with slashes, but it does not seem to show that in the results.

I take it that is because it only does this when the server gets the command?



What I would like to be able to stop is this: if the visitor tries to inject the DB, I will know about it and inform the visitor that the data supplied in the fields is invalid. So if they type, in the new member's email field or the password field, or in the login fields, something that could be dangerous to the DB, I can tell them it is not a valid email, or it is an invalid login name or member's name or phone number.

I have found a function for the email.

$email = trim($_POST['email']);
// An empty value skips the check; anything else must match the pattern
if ($email != "" && !eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", $email)) {
    echo("invalid email<br><br><br><br>"); // Not a valid email address
    exit;
}


What I am after is one of these functions for each field, the name and phone number.

Would the following be correct?


$membersname = trim($_POST['membersname']);
if ($membersname != "" && !eregi("^[[:alnum:]][a-z]{5,20}$", $membersname)) {
    echo("invalid membersname <br><br><br><br>"); // Not a valid membersname
    exit;
}


$phonenumber = trim($_POST['phonenumber']);
if ($phonenumber != "" && !eregi("^[[:alnum:]][0-9_.-]{5,20}$", $phonenumber)) {
    echo("invalid phonenumber <br><br><br><br>"); // Not a valid phonenumber
    exit;
}


#9 jasonc (Members, Advanced Member, 841 posts)

Posted 11 May 2006 - 07:46 AM

no!

just tried it, and also tried....

$phonenumber = "897697689679";

// This overwrites the literal above with whatever was POSTed (nothing, when the
// script is run directly), so the check below runs against an empty string
$phonenumber = trim($_POST['phonenumber']);
if (!eregi("^[0-9]{5,20}$", $phonenumber)) {
    echo("invalid phonenumber <br><br><br><br>"); // Not a valid phonenumber
} else {
    echo("ok");
}


It still says not valid.

I have seen php.net/eregi and looked at how to form the function, but I am still none the wiser!!

What is the correct method to check whether the variable is only numbers or only letters, and to be able to inform the visitor if it is incorrect?

thanks



#10 jasonc (Members, Advanced Member, 841 posts)

Posted 11 May 2006 - 08:07 AM

OK, still messing around, and now finally I have something that seems to work, but is it secure?
Have I formed the functions correctly?

thanks again.


<?php
// Letters and whitespace only, 5 to 20 characters
$membersname = "joe bloggs";
if (!eregi("^[[:alpha:][:space:]]{5,20}$", $membersname)) {
    echo("invalid membersname <br><br><br><br>"); // Not a valid membersname
} else {
    echo("ok");
}

// Digits and whitespace only, 5 to 20 characters
$phonenumber = "4545 454";
if (!eregi("^[[:space:]0-9]{5,20}$", $phonenumber)) {
    echo("invalid phonenumber <br><br><br><br>"); // Not a valid phonenumber
} else {
    echo("ok");
}
?>
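
What jasonc is asking for in the last three posts, as an added example that is not code from the thread: allow-list checks for the three fields, written with preg_match() and filter_var() because eregi() was removed in PHP 7. The field names come from the thread; the length limits, the exact character sets and the sample records are assumptions chosen for the demo.

```php
<?php
// Added example, not code from the thread: allow-list validation for the three
// fields discussed (email, membersname, phonenumber) using preg_match() and
// filter_var(); eregi() no longer exists in PHP 7+. The length limits and the
// exact character sets are assumptions chosen for this demo.

// Returns field => error message for every field that failed; an empty array
// means the record is acceptable.
function validate_member(array $in): array {
    $errors = [];

    // Trim once and validate the trimmed value. A missing or empty field is an
    // error here, rather than something that skips the check as in the posted code.
    $email = trim($in['email'] ?? '');
    $name  = trim($in['membersname'] ?? '');
    $phone = trim($in['phonenumber'] ?? '');

    if ($email === '' || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid email';
    }

    // Letters separated by single spaces, 5 to 20 characters in total.
    // \A and \z anchor the whole string; a bare $ would still accept a trailing newline.
    $len = strlen($name);
    if ($len < 5 || $len > 20 || !preg_match('/\A[A-Za-z]+(?: [A-Za-z]+)*\z/', $name)) {
        $errors['membersname'] = 'invalid membersname';
    }

    // Digit groups separated by single spaces, 5 to 20 digits once spaces are removed.
    $digits = strlen(str_replace(' ', '', $phone));
    if ($digits < 5 || $digits > 20 || !preg_match('/\A[0-9]+(?: [0-9]+)*\z/', $phone)) {
        $errors['phonenumber'] = 'invalid phonenumber';
    }

    return $errors;
}

// Constructed inputs: the name and phone from post #10 with a made-up email,
// then one record in which every field fails.
$good = ['email' => 'joe@example.com', 'membersname' => 'joe bloggs', 'phonenumber' => '4545 454'];
$bad  = ['email' => "joe@example.com' OR '1'='1", 'membersname' => 'joe', 'phonenumber' => '45-45'];

foreach (['good' => $good, 'bad' => $bad] as $label => $record) {
    $errors = validate_member($record);
    echo $label . ': ' . ($errors === [] ? 'ok' : implode(', ', $errors)) . "\n";
}
```

Checks like these are worth doing for the visitor's sake, but they are not a substitute for escaping or a prepared statement: a perfectly valid email address may contain a single quote, so the query still has to be built safely whatever the format check says.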



