  1. #1
    netfreakz (SitePoint Addict)

    If you limit the input into text fields can you protect the database??

    Ok, I was trying to learn a bit from clamcrusher about protecting my database from the form field input on my website. I have gone through my website and tried to do what he said. Here is a part of my code; it isn't inputting any info into the database, it is for email, but if the way I limit the input into the form fields in this script is also applied to my forms which add info into the database, will that protect the database at all?

    PHP Code:
    if(isset($_POST['s1']))
    {
        // every field must be filled in
        if(empty($_POST['name']) || empty($_POST['email']) || empty($_POST['url']) || empty($_POST['phone']) || empty($_POST['type']) || empty($_POST['size']))
        {
            $message = "<center><b>All fields are required!</b></center>";
        }
        // whitelist checks on each field (eregi is case-insensitive; ereg/eregi were removed in PHP 7, preg_match is the replacement)
        else if(!eregi("^[a-zA-Z]+$", $_POST['name']))
        {
            $message = "<center><b>You can only enter text in the name field!</b></center>";
        }
        else if(!eregi("^[a-zA-Z0-9_]+@[a-zA-Z0-9-]+\.[a-zA-Z]+$", $_POST['email']))
        {
            $message = "<center><b>$_POST[name] Please enter a valid email address!</b></center>";
        }
        else if(!eregi("^[0-9-]+$", $_POST['phone']))
        {
            $message = "<center><b>$_POST[name] Please enter a valid phone number please!</b></center>";
        }
        else if(!eregi("^[hHtTpP]+://[wW]+\.[a-zA-Z0-9_-]+\.[a-zA-Z]", $_POST['url']))
        {
            $message = "<center><b>$_POST[name] Please enter a valid URL please!</b></center>";
        }
        else if(!eregi("^[a-zA-Z]+$", $_POST['type']))
        {
            $message = "<center><b>$_POST[name] You can only enter text in the type of site field!</b></center>";
        }
        else if(!eregi("^[0-9wW]+x[0-9hH]+$", $_POST['size']))
        {
            $message = "<center><b>You can only enter text & numeric characters in the size field!</b></center>";
        }
        else
        {
            // all checks passed: build and send the email
            $name = $_POST['name'];
            $to = $aset['MerchantEmail'];
            $from = "From: $_POST[name] <$_POST[email]>";
            $MyMessage = "This is an email, sent via $_SERVER[HTTP_HOST] banner sign up form:";
            $MyMessage .= "\n-------------------------------------------------------------------\n";
            $MyMessage .= stripslashes($_POST['name']);
            $MyMessage .= stripslashes($_POST['email']);
            $MyMessage .= stripslashes($_POST['phone']);
            $MyMessage .= stripslashes($_POST['url']);
            $MyMessage .= stripslashes($_POST['type']);
            $MyMessage .= stripslashes($_POST['size']);
            $MyMessage .= "\n-------------------------------------------------------------------\n";
            $MyMessage .= "end of the message";

            $MySubject = stripslashes($_POST['subject']);

            mail($to, $MySubject, $MyMessage, $from);

            $message = "<center><b>Thanks $_POST[name] your information has been sent.</b></center>";

            unset($_POST);
        }
    }
    Last edited by netfreakz; Nov 18, 2006 at 09:58. Reason: wrong description

  2. #2
    Mittineague (Programming Team, West Springfield, Massachusetts)

    database

    IMHO the best way to protect your database is to use bound parameters. At the least use mysql_real_escape_string.

  3. #3
    netfreakz (SitePoint Addict)

    I read an online tutorial on protecting the database with mysql escape string..

    I read an article on mysql escape string. This was an example of how to protect the database and correct mysql insertion.


    Here is the example they supplied:
    PHP Code:
    <?php
    // Quote variable to make safe
    function quote_smart($value)
    {
        // Stripslashes (undo magic_quotes so the value is not escaped twice)
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not integer
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }

    // Connect
    $link = mysql_connect('mysql_host', 'mysql_user', 'mysql_password')
        OR die(mysql_error());

    // Make a safe query
    $query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
                quote_smart($_POST['username']),
                quote_smart($_POST['password']));

    mysql_query($query);
    ?>
    How would I implement this in my script? I have a connection.php, which is my database connection string, and the script below is the regi.php form which processes the form to register on the site.....

    PHP Code:
    require_once("connection.php");
    require_once("includes.php");

    if(isset($_POST['s1']))
    {
        // expiry date: one month from today
        $MyExp = mktime(0, 0, 0, date('m') + 1, date('d'), date('Y'));

        // $t (RegDate) is not set in this excerpt; it comes from the included files
        $q1 = "insert into dts_users set
                    username = '$_POST[NewUsername]',
                    AccountType = '$_POST[AccountType]',
                    password = '$_POST[p1]',
                    FirstName = '$_POST[FirstName]',
                    LastName = '$_POST[LastName]',
                    phone = '$_POST[phone]',
                    cellular = '$_POST[cellular]',
                    email = '$_POST[email]',
                    RegDate = '$t',
                    ExpDate = '$MyExp',
                    AccountStatus = 'pending',
                    offers = '0' ";

        mysql_query($q1);

        // duplicate-key errors are detected by matching the index name in the error text
        if(ereg("key 3", mysql_error()))
        {
            $error = "<font face=verdana size=2 color=red><b>The username $_POST[NewUsername]</font> is already in use!<br>Select another one, please!</b></font>";

            unset($_POST['NewUsername']);
        }
        elseif(ereg("key 2", mysql_error()))
        {
            $error = "<font face=verdana size=2 color=red><b>Your Email is already registered!<br>Update your account, please!</b></font>";

            unset($_POST);
        }
        else
        {
            $last = mysql_insert_id();
            $_SESSION['NewAgent'] = $last;
            // the rest of the posted script was cut off here
        }
    }
    ?>

  4. #4
    Mittineague (Programming Team, West Springfield, Massachusetts)

    anti mysql injection

    In the example, other than the actual function, the key area of interest is
    PHP Code:
    // Make a safe query
    $query = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
                quote_smart($_POST['username']),
                quote_smart($_POST['password']));
    You should pass all user supplied input that's going into the database to that function. The sprintf can be a bit tricky. You can specify number types and strings. But, as it looks like all the POST values are strings, it shouldn't be too difficult. Just make sure the inputs are in the same order as the %s's in the query. Maybe like
    PHP Code:
    $q1 = sprintf("INSERT INTO dts_users SET
     username = %s,
     AccountType = %s,
     password = %s,
    ...........
     RegDate = '$t',
     ExpDate = '$MyExp',
     AccountStatus = 'pending',
     offers = '0' ",
    quote_smart($_POST['NewUsername']),
    quote_smart($_POST['AccountType']),
    quote_smart($_POST['p1']),
    ........
    quote_smart($_POST['email']));
    Be careful where you use quotes and commas.

  5. #5
    netfreakz (SitePoint Addict)
    Quote Originally Posted by Mittineague (post #4 above, quoted in full)
    thank you... Will that work for all my forms that process info for the database for all my text input fields?

  6. #6
    Mittineague (Programming Team, West Springfield, Massachusetts)

    anti db injection

    The same technique should work with other forms that send input to the database. But if the input isn't a string you would need to change the sprintf line's %s's to the type you needed.
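    Added example, not code from the thread: the regi.php INSERT from post #3 rewritten with the bound parameters Mittineague recommends in post #2, using a mysqli prepared statement instead of sprintf/quote_smart from post #4. The column types go into bind_param() (post #6's point about changing %s to the right type), and the password is hashed before storage, which goes beyond what the thread discusses. Assumed: connection.php sets $link to a mysqli object, dts_users has the columns used in the thread, and ExpDate is an integer (Unix timestamp) column.

```php
<?php
// Added example (not from the thread). Values are sent separately from the SQL
// text, so no escaping/quote_smart() is needed; each column's type is declared
// in bind_param() ('s' = string, 'i' = integer) rather than chosen in sprintf.
// Assumptions: connection.php sets $link (mysqli); dts_users has the thread's
// columns; ExpDate is an integer Unix-timestamp column as mktime() returns.
require_once "connection.php";

function register_user(mysqli $link, array $in, string $regDate, int $expDate): array
{
    $sql = "INSERT INTO dts_users
              (username, AccountType, password, FirstName, LastName, phone,
               cellular, email, RegDate, ExpDate, AccountStatus, offers)
            VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 'pending', 0)";

    $stmt = $link->prepare($sql);
    if ($stmt === false) {
        return ['ok' => false, 'error' => 'prepare failed: ' . $link->error];
    }
    // Store a hash rather than the raw password (beyond the thread's code).
    $hash = password_hash($in['p1'], PASSWORD_DEFAULT);

    // One type character per '?': nine strings ('s') and one integer ('i').
    $stmt->bind_param('sssssssssi',
        $in['NewUsername'], $in['AccountType'], $hash, $in['FirstName'],
        $in['LastName'], $in['phone'], $in['cellular'], $in['email'],
        $regDate, $expDate);

    if (!$stmt->execute()) {
        // MySQL error 1062 (ER_DUP_ENTRY): a UNIQUE key on username or email
        // was hit. This replaces the ereg("key 3", mysql_error()) text match.
        if ($stmt->errno === 1062) {
            return ['ok' => false, 'error' => 'username or email already registered'];
        }
        return ['ok' => false, 'error' => 'insert failed: ' . $stmt->error];
    }
    return ['ok' => true, 'id' => $link->insert_id];
}

if (isset($_POST['s1'])) {
    $expDate = mktime(0, 0, 0, date('m') + 1, date('d'), date('Y'));
    $result  = register_user($link, $_POST, date('Y-m-d'), $expDate);
    if ($result['ok']) {
        $_SESSION['NewAgent'] = $result['id'];
    } else {
        $error = htmlspecialchars($result['error']);   // safe to echo into the page
    }
}
```

    Because the SQL text never contains user data, the input whitelisting from post #1 stays useful for data quality but is no longer what stands between the form and the database.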

