
Thread: Security Check

  1. #1
    klassicd (Free me php), San Diego; joined Sep 2001; 509 posts

    Security Check

    I would like to check the $variables people enter in my forms for certain characters that I might not want in there for security reasons. All I can think of is < > { } ? $ . Are there any other characters that I might not want being submitted? This data will end up in a database and be shown on certain pages.

    Also, which function would I want to use to check if these are in the variable? ereg()? Would that be it?

    What other options can I use?

  2. #2
    itsource (SitePoint Addict), Thailand; joined Jun 2001; 369 posts
    for an easy example using ereg
    PHP Code:
    $error = 0;
    if (!ereg("^[a-zA-Z0-9]{.+}$", $var))
    {
        $error = 1;
        print "Your variable allows only a-z, A-Z and 0-9";
    }
    if ($error != 1)
    {
        //do something
    }
    you don't need to check all characters; for security of input from the user, check this:
    1. addslashes() all input from the user
    2. use the htmlspecialchars() function to prevent the user typing HTML tags
    3. use the trim() function to strip blanks from the input
    I live in Thailand. My English grammar not well.

  3. #3
    midnight coder, The flat edge of the world; joined Dec 2000; 838 posts
    This will take care of just about everything w/o using regex

    PHP Code:
    $str = htmlspecialchars(addslashes(trim($str)));
    Work smarter, not harder. -Scrooge McDuck

  4. #4
    klassicd (Free me php), San Diego; joined Sep 2001; 509 posts

    Well

    I don't want to change the user's information, just check to see if it's entered in the variables they submit. The code:
    PHP Code:
    if(!ereg("^[a-zA-Z0-0]{.+}$", $password)) {
        error("Your input may only contain a letter or a number");
    }

    Seems to look good. It doesn't work though for some reason when I try it. All I would like it to do is make sure the variable is only made up of numbers and letters. If it's not, then the error function goes. Any suggestions?
    Last edited by klassicd; Mar 4, 2002 at 23:59.

  5. #5
    itsource (SitePoint Addict), Thailand; joined Jun 2001; 369 posts
    try this

    PHP Code:
    if(!ereg("^[a-zA-Z0-9]{6,}$", $password)) {
        error("Your password may only contain a letter or a number and must be more than 6 chars");
    }

    I live in Thailand. My English grammar not well.

  6. #6
    MaRkY (SitePoint Enthusiast), Spain; joined Dec 2001; 36 posts
    PHP Code:
    if(!ereg("^[a-zA-Z0-9]{6,10}$", $password)) {
    I recommend also putting a maximum number of letters or numbers, like 10; if the password is very long, users can do bad things :P

    And a question:

    Why a-zA-Z0-9?

    for me, a-z0-9 includes uppercase.

    I also use strip_tags, to strip HTML and PHP code; you can never know what the user is trying to do.

  7. #7
    klassicd (Free me php), San Diego; joined Sep 2001; 509 posts

    I don't want this function

    just for passwords. I'm going to use it for all variables, submitted ones or ones through the URL.

    What does {.+} mean?

    And it still doesn't work. I have this code:
    PHP Code:
    <?php
    include("common.php");

    if(!ereg("^[a-zA-Z0-9]{.+}$", $pass)) {
        error("Your password may only contain a letter or a number.");
    } else {
        echo "Quality is good";
    }
    ?>
    On this page
    Last edited by klassicd; Mar 5, 2002 at 17:25.

  8. #8
    redemption (SitePoint Wizard, silver trophy), Singapore; joined Sep 2001; 5,269 posts

    Re: I don't want this function

    Originally posted by klassicd
    What does {.+} mean?
    it means 1 or more occurrences of any character (the '.' stands for any character)...

    i guess you're doing it wrong... try this instead:
    PHP Code:
    ereg("^[a-zA-Z0-9]+$", $pass)
    or
    PHP Code:
    ereg("^[a-zA-Z0-9]{4,10}$", $pass)
    for an alphanumeric $pass of at least 4 chars and no more than 10 chars

    read this article for a short tut on regexp with ereg()
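    As an added example (not code from the thread or from any poster), here are the checks this reply converges on, written with preg_match(), since ereg() was deprecated in PHP 5.3 and removed in PHP 7. It also shows why the thread's original pattern fails under PCRE, and one caveat the thread does not mention: without the D modifier, `$` also matches just before a trailing newline, so "abc123\n" would pass an otherwise strict whitelist. The function names and the sample inputs are my assumptions.

```php
<?php
// Added example, not from the thread. Whitelist validators using preg_match();
// function names and sample inputs are assumptions made for this illustration.

// Under PCRE, "{.+}" is not a valid quantifier, so both braces are literal.
// The pattern therefore matches exactly one alphanumeric character, then "{",
// one or more characters, then "}". Plain alphanumeric input never matches,
// which is the "it doesn't work" the original poster saw.
function matchesThreadsOriginalPattern(string $input): bool
{
    return preg_match('/^[a-zA-Z0-9]{.+}$/', $input) === 1;
}

// The first fix from this reply, as written: one or more alphanumerics.
// Without the D modifier "$" also matches before a final "\n".
function isAlphanumericLoose(string $input): bool
{
    return preg_match('/^[a-zA-Z0-9]+$/', $input) === 1;
}

// Same whitelist with the D (dollar-end-only) modifier, so a trailing newline
// is rejected like any other non-alphanumeric character.
function isAlphanumeric(string $input): bool
{
    return preg_match('/^[a-zA-Z0-9]+$/D', $input) === 1;
}

// The second fix, generalised to caller-supplied length bounds.
function isAlphanumericBetween(string $input, int $min, int $max): bool
{
    $pattern = sprintf('/^[a-zA-Z0-9]{%d,%d}$/D', $min, $max);
    return preg_match($pattern, $input) === 1;
}

// Constructed inputs covering the cases the thread argues about.
$samples = [
    "abc123",
    "a{xyz}",       // the only kind of input the broken pattern accepts
    "abc",          // too short for {4,10}
    "abcdefghijk",  // too long for {4,10}
    "<script>",     // angle brackets, rejected by every whitelist
    "abc123\n",     // trailing newline: loose pattern accepts, D modifier rejects
    "",             // empty string
];

foreach ($samples as $input) {
    printf("%-14s original:%d  loose:%d  strict:%d  4-10:%d\n",
        json_encode($input),
        (int) matchesThreadsOriginalPattern($input),
        (int) isAlphanumericLoose($input),
        (int) isAlphanumeric($input),
        (int) isAlphanumericBetween($input, 4, 10));
}
```

    Run it with the php CLI; the table it prints makes the difference between the loose and strict anchors visible on the "abc123\n" row, which is the row that matters when the validated value later ends up in a header, a log line or a shell argument.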

  9. #9
    Philip Toews (SitePoint Addict), Kuala Belait, Brunei; joined Dec 2001; 367 posts

    can I borrow this thread for a moment?

    stripping out all unwanted characters seems like a prudent thing to do when accepting content from users (variables, long form text, whatever). My question concerns the use of these two functions in PHP:

    PHP Code:
    <?php

    htmlspecialchars();
    escapeshellcmd();

    ?>
    Is it a good idea to run all user submitted data through BOTH of these functions? As a general rule of thumb, I mean?

    p
    Philip Toews Professional esl Educator and ASP.NET wannabe

    http://www.philiptoews.com
    philip@philiptoews.com

  10. #10
    klassicd (Free me php), San Diego; joined Sep 2001; 509 posts

    Re: can I borrow this thread for a moment?

    PHP Code:
    <?php

    htmlspecialchars();
    escapeshellcmd();

    ?>
    Those are fine to fix a variable someone submits.
    In my case though I just wanted to check if there was a character I didn't want so the user could go back and change it.

    PHP Code:
    ereg("^[a-zA-Z0-9]+$", $pass)
    This works perfectly. If the variable contains something other than a letter or number I can run a function to go back and have the user change it.
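    As an added example (not code from the thread or any poster), this shows the split this reply draws: whitelist validation rejects input outright so the user can re-enter it, while escaping is applied later, at the point of use, and is different for each destination (htmlspecialchars() for HTML output, a prepared statement rather than addslashes() for the database, escapeshellarg() rather than escapeshellcmd() for a single shell argument). The function names, the users table, the sample strings and the use of PDO with in-memory SQLite (so it runs stand-alone, assuming the pdo_sqlite extension) are my assumptions.

```php
<?php
// Added example, not from the thread. Names, table and sample strings are
// assumptions; requires the pdo_sqlite extension for the database part.

// 1. Validation: a whitelist check on values that must be alphanumeric.
//    Returns null on rejection so the caller can send the user back to the form.
function validateUsername(string $input): ?string
{
    // D modifier: "$" must match at the very end, so "alice\n" is rejected too.
    if (preg_match('/^[a-zA-Z0-9]{4,10}$/D', $input) !== 1) {
        return null;
    }
    return $input;
}

// 2a. Output to an HTML page: encode at render time, with ENT_QUOTES so both
//     quote styles are covered, and an explicit charset.
function renderForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2b. Storing in a database: a prepared statement sends the value separately
//     from the SQL text, so no addslashes() and no manual quoting is involved.
function storeDisplayName(PDO $db, int $userId, string $displayName): void
{
    $stmt = $db->prepare('UPDATE users SET display_name = :name WHERE id = :id');
    $stmt->execute([':name' => $displayName, ':id' => $userId]);
}

function loadDisplayName(PDO $db, int $userId): string
{
    $stmt = $db->prepare('SELECT display_name FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    return (string) $stmt->fetchColumn();
}

// 2c. Passing to a shell command: escapeshellarg() quotes one argument as a
//     unit; escapeshellcmd() is meant for a whole command line and does not
//     stop an argument from being split into several.
function buildGreetingCommand(string $name): string
{
    return 'echo ' . escapeshellarg($name);
}

// Constructed inputs. Free text is escaped rather than validated because it
// legitimately contains quotes and angle brackets.
$accepted = validateUsername("alice");     // returned unchanged
$rejected = validateUsername("al<ice>");   // null: ask the user to re-enter
$freeText = "O'Brien <b>says</b> \"hi\"";

echo "username accepted: ", var_export($accepted, true), "\n";
echo "username rejected: ", var_export($rejected, true), "\n";
echo "html:  ", renderForHtml($freeText), "\n";
echo "shell: ", buildGreetingCommand($freeText), "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, display_name TEXT)');
$db->exec("INSERT INTO users (id, display_name) VALUES (1, 'placeholder')");
storeDisplayName($db, 1, $freeText);
// The stored value comes back exactly as entered; escaping for HTML happens
// only when it is rendered, so it is never double-escaped or slash-mangled.
echo "db:    ", loadDisplayName($db, 1), "\n";
echo "html from db: ", renderForHtml(loadDisplayName($db, 1)), "\n";
```

    The design point is that validation and escaping answer different questions: validation decides whether the value is acceptable at all, escaping makes an acceptable value safe for one specific destination. Running every input through both htmlspecialchars() and escapeshellcmd() on the way in, as the previous post asks about, bakes two unrelated encodings into stored data and still leaves the database and any other sink unprotected.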

