
jasonc

Is this code secure or could it be made more secure?

Is this code secure or could it be made more secure?

Please advise.

Thanks



[code]
if ($email != "") {
    // $email is interpolated straight into the SQL string, unescaped
    $res = @mysql_query("select * from members where email='$email' LIMIT 1");
    if (@mysql_num_rows($res) == 1) {
        $exists = "yes";
    } else {
        $exists = "no";
    }
}
[/code]

[quote name="jasonc" date="May 10 2006, 01:37 PM"]
Is this code secure or could it be made more secure?

Please advise.

Thanks
[code]
if ($email != "") {
    $res = @mysql_query("select * from members where email='$email' LIMIT 1");
    if (@mysql_num_rows($res) == 1) {
        $exists = "yes";
    } else {
        $exists = "no";
    }
}
[/code]
[/quote]


Unfortunately that's not very secure at all.
This would be a bit safer for all your inserts.

[code]
if ($email != "") {
    // Escape the user-supplied value before it is spliced into the query string
    $res = @mysql_query("select * from members where email='" . mysql_real_escape_string($email) . "' LIMIT 1");
    if (@mysql_num_rows($res) == 1) {
        $exists = "yes";
    } else {
        $exists = "no";
    }
}
[/code]

You could use this function for every value that goes in a mysql query:

[code]
function prevent_mysql_injection($value) {
    // Undo the backslashes magic_quotes adds, so the value is not escaped twice
    if (get_magic_quotes_gpc()) { $value = stripslashes($value); }
    // Numbers pass through unchanged; everything else is escaped for the connection's charset
    if (!is_numeric($value)) { $value = mysql_real_escape_string($value); }
    return $value;
}
[/code]
Found it somewhere on php.net.

Sofia

Would this work?

[code]
$safeemail = mysql_real_escape_string($email);
$safemembername = mysql_real_escape_string($membername);
[/code]

Thanks

[quote name="jasonc" date="May 10 2006, 04:01 PM"]
Would this work?

[code]
$safeemail = mysql_real_escape_string($email);
$safemembername = mysql_real_escape_string($membername);
[/code]
Thanks
[/quote]

Sure, you can do it that way...
Putting it in a function like the previous person suggested is even better.

[code]
<?php
$email = "abc@def.ghi";
$safeemail = mysql_real_escape_string($email);
echo('.'.$safeemail.'.');
?>
[/code]

I get the following

..

meaning that it does not store the email. What exactly does this command do?

How do I catch whether the email is invalid, or if the text in the membersname variable is only letters, upper or lower case? If it is not, I can tell them to correct it before it is sent to the database.

Thanks





[quote name="lead2gold" date="May 10 2006, 09:21 PM"]
Sure, you can do it that way...
Putting it in a function like the previous person suggested is even better.
[/quote]

[quote name="jasonc" date="May 10 2006, 03:34 PM"]
[code]
<?php
$email = "abc@def.ghi";
$safeemail = mysql_real_escape_string($email);
echo('.'.$safeemail.'.');
?>
[/code]

I get the following

..

meaning that it does not store the email. What exactly does this command do?

How do I catch whether the email is invalid, or if the text in the membersname variable is only letters, upper or lower case? If it is not, I can tell them to correct it before it is sent to the database.

Thanks
[/quote]

Pretty much just what the manual page says it does... it escapes a variety of characters. This is a *smart* function in that it is integrated into the mysql API, so it can be intelligent about the mysql character set being used.

So in your example, you are missing a mysql database connection handle. The handle is an implied 2nd param that you can specify. Either way, you need a mysql database connection in your script to really see what the function does.

[quote name="gizmola" date="May 11 2006, 03:16 AM"]
Pretty much just what the manual page says it does... it escapes a variety of characters.
[/quote]

I have read the manual!! I know it escapes some characters with slashes, but it does not seem to show that in the results.

I take it that this is because it only does this when the server gets the command?

What I would like to be able to stop is this: if the visitor tries to inject the DB, I will know about it and inform the visitor that the data supplied in the fields is invalid. So if they type something that could be dangerous to the DB into the new member's email field or the password field, or into the login fields, I can tell them it is not a valid email, or it is an invalid login name or members name or phone number.

I have found a function for the email.

[code]
$email = trim($_POST['email']);
if($email != "" && !eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", $email)) {
    echo("invalid email<br><br><br><br>"); // Not a valid email address
    exit;
}
[/code]

What I am after is one of these functions for each field, the name and phone number.

Would the following be correct?

[code]
$membersname = trim($_POST['membersname']);
if($membersname != "" && !eregi("^[[:alnum:]][a-z]{5,20}$", $membersname)) {
    echo("invalid membersname<br><br><br><br>"); // Not a valid members name
    exit;
}

$phonenumber = trim($_POST['phonenumber']);
if($phonenumber != "" && !eregi("^[[:alnum:]][0-9_.-]{5,20}$", $phonenumber)) {
    echo("invalid phonenumber<br><br><br><br>"); // Not a valid phone number
    exit;
}
[/code]

No!

Just tried it, and also tried....

[code]
$phonenumber = "897697689679";

$phonenumber = trim($_POST['phonenumber']);
if(!eregi("^[0-9]{5,20}$", $phonenumber)) {
    echo("invalid phonenumber<br><br><br><br>"); // Not a valid phone number
} else {
    echo("ok");
}
[/code]

Still says not valid.

Seen php.net/ieregi and looked at how to form the function, but still none the wiser!!

What is the correct method to check if the var is only numbers or only letters, and to be able to inform the visitor if it is incorrect?

Thanks

OK, still messing around, and now I finally have something that seems to work, but is it secure?
Have I formed the functions correctly?

Thanks again.

[code]
<?php
$membersname = "joe bloggs";
if(!eregi("^[[:alpha:][:space:]]{5,20}$", $membersname)) {
    echo("invalid membersname<br><br><br><br>"); // Not a valid members name
} else {
    echo("ok");
}

$phonenumber = "4545 454";
if(!eregi("^[[:space:]0-9]{5,20}$", $phonenumber)) {
    echo("invalid phonenumber<br><br><br><br>"); // Not a valid phone number
} else {
    echo("ok");
}
?>
[/code]
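The two questions in this thread, the email lookup from the first post and the field checks in the last one, done together in one script. This is an added example, not code posted by anyone in the thread: it swaps eregi for preg_match and the mysql_* calls for a PDO prepared statement (both eregi and mysql_* were removed in PHP 7); the table and column names come from the thread, while the DSN and credentials are placeholders.

```php
<?php
// Added example, not from the thread: validate the three fields with
// preg_match, then run the "does this email exist" lookup as a PDO
// prepared statement instead of splicing the value into the SQL string.
function validate_fields(array $post): array {
    $errors = [];
    $email       = trim($post['email'] ?? '');
    $membersname = trim($post['membersname'] ?? '');
    $phonenumber = trim($post['phonenumber'] ?? '');

    // Same shapes as the thread's patterns. ^...$ plus the D modifier means
    // "$" matches only at the very end, so a trailing newline is rejected.
    if (!preg_match('/^[a-z0-9][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$/iD', $email)) {
        $errors['email'] = 'invalid email';
    }
    if (!preg_match('/^[a-z ]{5,20}$/iD', $membersname)) {
        $errors['membersname'] = 'invalid membersname';
    }
    if (!preg_match('/^[0-9 ]{5,20}$/D', $phonenumber)) {
        $errors['phonenumber'] = 'invalid phonenumber';
    }
    return $errors;   // empty array means every field passed
}

function email_exists(PDO $db, string $email): bool {
    // The driver sends the parameter separately from the query text, so
    // quotes inside $email can never change the statement's structure.
    $stmt = $db->prepare('SELECT 1 FROM members WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchColumn() !== false;
}

// Constructed sample input standing in for $_POST.
$post = ['email' => 'abc@def.ghi', 'membersname' => 'joe bloggs', 'phonenumber' => '4545 454'];

$errors = validate_fields($post);
if ($errors) {
    // Tell the visitor which field to correct; nothing reaches the database.
    foreach ($errors as $field => $message) {
        echo htmlspecialchars("$field: $message"), "<br>\n";
    }
    exit;
}

// DSN and credentials are placeholders (assumption). Emulation off gives real
// server-side prepares; exception mode surfaces query errors instead of hiding them with @.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'DB_USER', 'DB_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
echo email_exists($db, trim($post['email'])) ? 'yes' : 'no';
```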
