jasonc Posted May 10, 2006 Share Posted May 10, 2006 Is this code secure or could it be made more secure?please advise.thanksif ($email != "") {$res = @mysql_query("select * from members where email='$email' LIMIT 1"); if (@mysql_num_rows($res) == 1) { $exists = "yes"; } else { $exists = "no"; } Quote Link to comment Share on other sites More sharing options...
lead2gold Posted May 10, 2006 Share Posted May 10, 2006 [!--quoteo(post=372993:date=May 10 2006, 01:37 PM:name=jasonc)--][div class=\'quotetop\']QUOTE(jasonc @ May 10 2006, 01:37 PM) [snapback]372993[/snapback][/div][div class=\'quotemain\'][!--quotec--]Is this code secure or could it be made more secure?please advise.thanksif ($email != "") {$res = @mysql_query("select * from members where email='$email' LIMIT 1"); if (@mysql_num_rows($res) == 1) { $exists = "yes"; } else { $exists = "no"; }[/quote]Unfortuantly thats not very secure at all.This would be a bit safer for all your inserts.[code]$res = @mysql_query("select * from members where email=',mysql_real_escape_string($email),"' LIMIT 1"); if (@mysql_num_rows($res) == 1) { $exists = "yes"; } else { $exists = "no"; }[/code] Quote Link to comment Share on other sites More sharing options...
yonta Posted May 10, 2006 Share Posted May 10, 2006 You could use this function for every value that goes in a mysql query:[code]function prevent_mysql_injection($value){if (get_magic_quotes_gpc()) { stripslashes($value);}if (!is_numeric($value)) { mysql_real_escape_string($value); }[/code]Found it somewhere in php.net.Sofia Quote Link to comment Share on other sites More sharing options...
jasonc Posted May 10, 2006 Author Share Posted May 10, 2006 would this work?$safeemail=mysql_real_escape_string($email);$safemembername=mysql_real_escape_string($membername);thanks Quote Link to comment Share on other sites More sharing options...
lead2gold Posted May 10, 2006 Share Posted May 10, 2006 [!--quoteo(post=373074:date=May 10 2006, 04:01 PM:name=jasonc)--][div class=\'quotetop\']QUOTE(jasonc @ May 10 2006, 04:01 PM) [snapback]373074[/snapback][/div][div class=\'quotemain\'][!--quotec--]would this work?$safeemail=mysql_real_escape_string($email);$safemembername=mysql_real_escape_string($membername);thanks[/quote]sure you can do it that way...putting it in a function like the previous person suggested is even better. Quote Link to comment Share on other sites More sharing options...
jasonc Posted May 10, 2006 Author Share Posted May 10, 2006 <?$email = "abc@def.ghi";$safeemail = mysql_real_escape_string($email);echo('.'.$safeemail.'.');?>i get the following..meaning that it does not store the email, what exactly does this command do?how do i catch weather the email is invalid or if the text in the membersname variable is only letters upper or lower case. and if it is not i can tell them to correct it before it is sent to the database.thanks[!--quoteo(post=373078:date=May 10 2006, 09:21 PM:name=lead2gold)--][div class=\'quotetop\']QUOTE(lead2gold @ May 10 2006, 09:21 PM) [snapback]373078[/snapback][/div][div class=\'quotemain\'][!--quotec--]sure you can do it that way...putting it in a function like the previous person suggested is even better.[/quote] Quote Link to comment Share on other sites More sharing options...
gizmola Posted May 11, 2006 Share Posted May 11, 2006 [!--quoteo(post=373120:date=May 10 2006, 03:34 PM:name=jasonc)--][div class=\'quotetop\']QUOTE(jasonc @ May 10 2006, 03:34 PM) [snapback]373120[/snapback][/div][div class=\'quotemain\'][!--quotec--]<?$email = "abc@def.ghi";$safeemail = mysql_real_escape_string($email);echo('.'.$safeemail.'.');?>i get the following..meaning that it does not store the email, what exactly does this command do?how do i catch weather the email is invalid or if the text in the membersname variable is only letters upper or lower case. and if it is not i can tell them to correct it before it is sent to the database.thanks[/quote]Pretty much just what the manual page says it does... escapes a variety of characters. This is a *smart* function in that it is integrated into the mysql API so that it can be intelligent about the mysql character set being used. So in your example. you are missing a mysql database connection handle. The handle is an implied 2nd param, that you can specify. Either way you need a mysql database connection in your script to really see what the function does. Quote Link to comment Share on other sites More sharing options...
jasonc Posted May 11, 2006 Author Share Posted May 11, 2006 [!--quoteo(post=373155:date=May 11 2006, 03:16 AM:name=gizmola)--][div class=\'quotetop\']QUOTE(gizmola @ May 11 2006, 03:16 AM) [snapback]373155[/snapback][/div][div class=\'quotemain\'][!--quotec--]Pretty much just what the manual page says it does... escapes a variety of characters. [/quote]i have read the manual!! i know it escapes some characters with slashes but it does not seem to show that in the results.i take it that because it only does this when the server gets the command?what i would like to be able to stop is, if the visitor trys to inject the DB, i will know about it and inform the visitor that the data supplied in the fields is invalid. so if they type in the new members email field or the password field, or in the login fields something that could be dangerous to the DB i can tell them it is not a valid email or it is an invalid login name or members name or phone number.i have found a function for the email.$email = trim($_POST[email]);if($email != "" && !eregi("^[[:alnum:]][a-z0-9_.-]*@[a-z0-9.-]+\.[a-z]{2,4}$", $email)) {echo("invalid email<br><br><br><br>");//Not a valid email addressexit;}what i am after is one of these functions for each field, the name and phonenumber,would the following be correct?$membersname = trim($_POST[membersname ]);if($membersname != "" && !eregi("^[[:alnum:]][a-z]{5,20}$", $membersname )) {echo("invalid membersname <br><br><br><br>");//Not a valid membersname addressexit;}$phonenumber = trim($_POST[phonenumber ]);if($phonenumber != "" && !eregi("^[[:alnum:]][0-9_.-]{5,20}$", $phonenumber )) {echo("invalid phonenumber <br><br><br><br>");//Not a valid phonenumber addressexit;} Quote Link to comment Share on other sites More sharing options...
jasonc Posted May 11, 2006 Author Share Posted May 11, 2006 no!just tried it, and also tried....$phonenumber = "897697689679";$phonenumber = trim($_POST[phonenumber ]);if(!eregi("^[0-9]{5,20}$", $phonenumber )) {echo("invalid phonenumber <br><br><br><br>");//Not a valid phonenumber address} else {echo("ok");}still says not validseen php.net/ieregi and looked how to form the function but still none the wiser!!what is the correct method to check if the var is only number or only letters and be able to inform the visitor if it is incorrect.thanks Quote Link to comment Share on other sites More sharing options...
jasonc Posted May 11, 2006 Author Share Posted May 11, 2006 ok messing around still and now finally i have something that seems to work but is it secure?have i formed the functions correctly?thanks again.<?$membersname = "joe bloggs";if(!eregi("^[[:alpha:][:space:]]{5,20}$", $membersname )) {echo("invalid membersname <br><br><br><br>");//Not a valid membersname address} else {echo("ok");}$phonenumber = "4545 454";if(!eregi("^[[:space:]0-9]{5,20}$", $phonenumber )) {echo("invalid phonenumber <br><br><br><br>");//Not a valid phonenumber address} else {echo("ok");}?> Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.