I have a signup page for the restricted access section of my site, where users sign up for a userid and their password is generated, then mailed to them. I need to sanitize these inputs to prevent javascript and SQL injection hacks (and whatever else I can sanitize them against). I am trying to use the following code:
<?php // signup.php
include("errorhandler.php");
include("databaseconnect.php");
if (!isset($_POST['submitok'])):
// Display the user signup form
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> New User Registration </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h3>New User Registration Form</h3>
<p><font color="orangered" size="+1">
<link href="stylesheet" type="text/css" />
<tt><b>*</b></tt></font>
indicates a required field</p>
<form method="post" action="<?=$_SERVER['PHP_SELF']?>">
<table width="326" border="0" cellpadding="0" cellspacing="0">
<tr>
<td width="125" align="right">
<p id="tableTrash">User ID: </p>
</td>
<td width="186" valign="middle">
<input name="newid" type="text" maxlength="100" size="25" />
<font color="orangered" size="+1"><tt><b>*</b></tt></font>
</td>
</tr>
<tr>
<td align="right">
<p id="tableTrash">Full Name: </p>
</td>
<td valign="middle">
<input name="newname" type="text" maxlength="100" size="25" />
<font color="orangered" size="+1"><tt><b>*</b></tt></font>
</td>
</tr>
<tr>
<td align="right">
<p id="tableTrash">E-Mail Address: </p>
</td>
<td valign="middle">
<input name="newemail" type="text" maxlength="100" size="25" />
<font color="orangered" size="+1"><tt><b>*</b></tt></font>
</td>
</tr>
<tr valign="top">
<td height="25" align="right">
<p id="tableTrash">User Type: </p>
</td>
<td valign="middle" width="160px">
<select name="newusertype" id="usertype" title="User Type">
<option value="a" selected="">Co-op Representative</option>
<option value="b">Grower</option>
<option value="c">Patient Collective</option>
</select><font color="orangered" size="+1"><tt><b>*</b></tt></font>
</td>
</tr>
<tr>
<td height="41" colspan="2" align="right">
<hr noshade="noshade" />
<input type="reset" value="Reset Form" />
<input type="submit" name="submitok" value=" OK " />
</td>
</tr>
</table>
</form>
</body>
</html>
<?php
else:
// Process signup submission
dbConnect('members1');
$userid = ereg_replace("[^A-Za-z0-9]", "", $_POST['userid']); // filter everything but numbers and letters
$newid = ereg_replace("[^A-Za-z0-9]", "", $_POST['newid']); // filter everything but numbers and letters
$password = ereg_replace("[^A-Za-z0-9]", "", $_POST['password']); // filter everything but numbers and letters
$newpass = ereg_replace("[^A-Za-z0-9]", "", $_POST['newpass']); // filter everything but numbers and letters
$fullname = ereg_replace("[^A-Za-z0-9]", "", $_POST['fullname']); // filter everything but numbers and letters
$newname = ereg_replace("[^A-Za-z0-9]", "", $_POST['newname']); // filter everything but numbers and letters
$email = stripslashes($_POST['email']);
$email = strip_tags($email);
$email = mysql_real_escape_string($email);
$newemail = stripslashes($_POST['newemail']);
$newemail = strip_tags($newemail);
$newemail = mysql_real_escape_string($newemail);
$usertype = ereg_replace("[^a-z]", "", $_POST['usertype']); // filter everything but lowercase letters
$newusertype = ereg_replace("[^a-z]", "", $_POST['newusertype']); // filter everything but lowercase letters
if ($_POST['newid']=='' or $_POST['newname']==''
or $_POST['newemail']=='' or $_POST['newusertype']=='') {
error('One or more required fields were left blank.\\n'.
'Please fill them in and try again.');
}
// Check for existing user with the new id
$sql = "SELECT COUNT(*) FROM user WHERE userid = '$_POST[newid]'";
$result = mysql_query($sql);
if (!$result) {
error('A database error occurred in processing your '.
'submission.\\nIf this error persists, please '.
'contact webamaster@ccgc-ca.org.');
}
if (mysql_result($result,0,0)>0) {
error('A user already exists with your chosen userid.\\n'.
'Please try another.');
}
$newpass = substr(md5(time()),0,6);
$sql = "INSERT INTO user SET
userid = '$_POST[newid]',
password = '$newpass',
fullname = '$_POST[newname]',
email = '$_POST[newemail]',
usertype = '$_POST[newusertype]'";
if (!mysql_query($sql))
error('A database error occurred in processing your '.
'submission.\\nIf this error persists, please '.
'contact webmaster@_\\n' . mysql_error());
// Email the new password to the person.
$message = "Hello!
Your personal account for the CCGC Member Portal
has been created! To log in, proceed to the
following address:
http://www.sitehome.members/
Your personal login ID and password are as
follows:
userid: $_POST[newid]
password: $newpass
If you have any problems, feel free to contact me at
<webmaster@_>.
-
Your Site Webmaster
";
mail($_POST['newemail'],"Your Password for the Project Website",
$message, "From:Webmaster <webmaster@_>");
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Registration Complete </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<p><strong>User registration successful!</strong></p>
<p>Your userid and password have been emailed to
<strong><?=$_POST['newemail']?></strong>, the email address
you just provided in your registration form. To log in,
click <a href="index.php">here</a> to return to the login
page, and enter your new personal userid and password.</p>
</body>
</html>
<?php
endif;
?>
But I tried to test it, and was able to sign up for a userid of joeblow//\\?, for which my script gave me joeblow//\\\\?
Is this working? I thought it was supposed to take out everything but numbers and letters? I guess if it's going to add \\ to the end of any hack attempt, it probably wouldn't work (for the hacker). Is what I have sufficiently secure?
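The following is an added example, not part of the original post and not the poster's script. It handles the same four form fields (newid, newname, newemail, newusertype) and the same user table and columns named in the post, but it validates each value against an allowlist and rejects anything that does not match instead of stripping characters, and it passes the validated values to a prepared statement. That last point is where the posted script goes wrong: it filters `$_POST['newid']` into `$newid`, but the SELECT and INSERT then interpolate the raw `$_POST[newid]`, so the filtered copy is never used. The example also replaces `ereg_replace` (removed in PHP 7) with `preg_match`, generates the password from `random_bytes` rather than `md5(time())`, and stores only a `password_hash` of it. Assumptions: the DSN and credentials are placeholders, and the `password` column is wide enough for a hash (at least 60 characters); the `error()`, `dbConnect()` and mail wiring from the post are left out.

```php
<?php
// Added example (not the original post's code). Allowlist validation plus a
// prepared statement for the signup form described in the post.
declare(strict_types=1);

/**
 * Validate the raw form fields. Returns ['errors' => [...], 'userid' => ...,
 * 'fullname' => ..., 'email' => ..., 'usertype' => ...]. Invalid input is
 * rejected, not silently stripped, so "joeblow//\?" is refused outright.
 */
function validateSignup(array $post): array
{
    $errors = [];

    // userid: letters and digits only, 3 to 32 characters
    $userid = $post['newid'] ?? '';
    if (!preg_match('/^[A-Za-z0-9]{3,32}$/', $userid)) {
        $errors[] = 'User ID must be 3-32 letters or digits.';
    }

    // full name: letters (any script), spaces, dots, apostrophes, hyphens
    $fullname = trim($post['newname'] ?? '');
    if (!preg_match("/^[\\p{L} .'-]{1,100}$/u", $fullname)) {
        $errors[] = 'Full name contains unsupported characters.';
    }

    // e-mail: let PHP's validator decide instead of stripping tags/slashes
    $email = filter_var($post['newemail'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'E-mail address is not valid.';
    }

    // user type: must be one of the three option values in the form
    $usertype = $post['newusertype'] ?? '';
    if (!in_array($usertype, ['a', 'b', 'c'], true)) {
        $errors[] = 'Unknown user type.';
    }

    return ['errors' => $errors, 'userid' => $userid, 'fullname' => $fullname,
            'email' => $email, 'usertype' => $usertype];
}

/**
 * Create the user with bound parameters; returns the one-time plaintext
 * password to be mailed. Only its hash is written to the database.
 */
function createUser(PDO $db, array $v): string
{
    $plain = bin2hex(random_bytes(6));                 // 12 hex characters
    $hash  = password_hash($plain, PASSWORD_DEFAULT);  // verify later with password_verify()

    $stmt = $db->prepare('SELECT COUNT(*) FROM user WHERE userid = ?');
    $stmt->execute([$v['userid']]);
    if ((int) $stmt->fetchColumn() > 0) {
        throw new RuntimeException('A user already exists with that userid.');
    }

    $stmt = $db->prepare(
        'INSERT INTO user (userid, password, fullname, email, usertype) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$v['userid'], $hash, $v['fullname'], $v['email'], $v['usertype']]);
    return $plain;
}

// Usage: replaces the "else:" branch of the posted script.
$v = validateSignup($_POST);
if ($v['errors'] !== []) {
    foreach ($v['errors'] as $e) {
        // user-controlled text is HTML-escaped before it is echoed back
        echo '<p>', htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), '</p>';
    }
    exit;
}

// Placeholder DSN and credentials; native prepares keep values out of the SQL text.
$db = new PDO('mysql:host=localhost;dbname=members1;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$plain = createUser($db, $v);
// mail($v['email'], ...) with $plain, as in the post; then confirm, escaping the address:
echo '<p>Your userid and password have been emailed to <strong>',
     htmlspecialchars($v['email'], ENT_QUOTES, 'UTF-8'), '</strong>.</p>';
```

Rejecting rather than stripping matters for the userid in particular: the posted filter would turn `joeblow//\\?` into `joeblow`, which may already be someone else's account, whereas the allowlist above refuses it and tells the user why. The `htmlspecialchars` calls cover the other half of the question (javascript injection): the confirmation page in the post echoes `$_POST['newemail']` unescaped, so escaping at output time is what prevents markup in the submitted value from being rendered.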