Bind/how to make sure people cant use special chars

This forum is mostly for website tools and code, for example a CMS or registration scripts. There can also be tools.


Bind/how to make sure people cant use special chars

Postby jordylad42 on Sun Feb 07, 2010 4:21 pm

Hi, I'm a little bit stupid. I'm trying to protect my sites/new projects from MySQL injection attacks and I've tried a lot of things. Can anyone tell me how or what I should do, or even give me some code, so I can make sure people can't use special characters on registration? Thanks in advance.
jordylad42

Re: Bind/how to make sure people cant use special chars

Postby Choseal on Sun Feb 07, 2010 5:00 pm

You could use JavaScript, but I suggest you use Google to search for: "Input protection HTML" or PHP, not sure.

Anyway, good luck. :3
Choseal

Re: Bind/how to make sure people cant use special chars

Postby xPrend on Sun Feb 07, 2010 7:30 pm

JavaScript xD, never heard about that. You mean that the input box doesn't let you put in > and go on? If yes, that wouldn't be safe: in FF you can adjust the post when you send it and JavaScript can't do anything about it. Jordy, mysql_real_escape_string() is everything you need; just google it and you will find how to protect your POST/GET.
xPrend

Re: Bind/how to make sure people cant use special chars

Postby jordylad42 on Sun Feb 07, 2010 8:32 pm

Cheers, I tried the escape string but it didn't work. I was just looking for some options, cos this is an easy fix but I'm doing pretty bad at the moment, so gonna listen to some acid techno and get myself geared up lolz hehehe
jordylad42

Re: Bind/how to make sure people cant use special chars

Postby Choseal on Sun Feb 07, 2010 8:34 pm

xPrend wrote: JavaScript xD, never heard about that. You mean that the input box doesn't let you put in > and go on? If yes, that wouldn't be safe: in FF you can adjust the post when you send it and JavaScript can't do anything about it. Jordy, mysql_real_escape_string() is everything you need; just google it and you will find how to protect your POST/GET.

Well, yeah, that's why I said he should google more information. :roll:
Choseal

Re: Bind/how to make sure people cant use special chars

Postby lmame on Sun Feb 07, 2010 8:44 pm

jordylad42 wrote: Cheers, I tried the escape string but it didn't work. I was just looking for some options, cos this is an easy fix but I'm doing pretty bad at the moment, so gonna listen to some acid techno and get myself geared up lolz hehehe


mysql_real_escape_string() on the PHP website.


Instead of doing this:
<?php
// Query database to check if there are any matching users.
// Whatever was typed into the form lands inside the SQL text as-is:
// a single quote in $_POST['password'] ends the literal and the rest is SQL.
$query = "SELECT * FROM users WHERE user='".$_POST['username']."' AND password='".$_POST['password']."' ";
mysql_query($query);
?>


You do:
<?php
// Query database to check if there are any matching users.
// mysql_real_escape_string() needs an open mysql_connect() link (it uses the
// connection's character set) and only protects values that sit inside quotes.
$query = "SELECT * FROM users WHERE user='".mysql_real_escape_string($_POST['username'])."' AND password='".mysql_real_escape_string($_POST['password'])."' ";
mysql_query($query);
?>


I don't see how to do it easier than this...


Edit:
Doing a JS script is useless since it would only check what people do in their web browser (and they could bypass it anyway).
You could do a check PHP-side though, of course; there are a lot of scripts for this.

Btw, don't use addslashes, NEVER!
lmame
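The difference between lmame's two snippets, as an added example that is not part of the original post and not the forum's code. It is written in Python against an in-memory SQLite table so it runs stand-alone; SQLite escapes a quote inside a literal by doubling it where mysql_real_escape_string() uses backslashes, but the principle is the same. It shows the classic tautology payload bypassing the concatenated login query, the same payload turned into harmless text by escaping and by a bound parameter, and the caveat the thread leaves out: escaping only helps inside a quoted string literal, so in a numeric WHERE id=... context it does nothing and only a bound parameter holds. The table, column names and sample rows are constructed for the example.

```python
import sqlite3

# Constructed sample data: two accounts, so a bypassed WHERE clause shows up
# as "more than one row came back".
SAMPLE_USERS = [(1, "admin", "correct horse"), (2, "alice", "battery staple")]


def setup_db():
    """In-memory SQLite database standing in for the MySQL `users` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """The 'Instead of doing this' query: input pasted straight into SQL text."""
    query = f"SELECT * FROM users WHERE user='{username}' AND password='{password}'"
    return conn.execute(query).fetchall()


def escape_literal(value):
    """Escape a value for use INSIDE a single-quoted SQL string literal.

    SQLite doubles the quote; MySQL's mysql_real_escape_string() does the same
    job with backslashes (and knows the connection charset). Either way this is
    only meaningful between two quote characters.
    """
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """lmame's 'You do' version: same query, inputs escaped before concatenation."""
    query = (
        f"SELECT * FROM users WHERE user='{escape_literal(username)}' "
        f"AND password='{escape_literal(password)}'"
    )
    return conn.execute(query).fetchall()


def login_param(conn, username, password):
    """Parameterised query: SQL text and data travel separately, nothing to escape."""
    return conn.execute(
        "SELECT * FROM users WHERE user=? AND password=?", (username, password)
    ).fetchall()


def find_by_id_escaped(conn, id_text):
    """Escaping applied OUTSIDE a quoted literal (numeric context).

    The payload needs no quote character at all, so escaping changes nothing
    and the injected OR still widens the query to every row.
    """
    query = f"SELECT * FROM users WHERE id={escape_literal(id_text)}"
    return conn.execute(query).fetchall()


def find_by_id_param(conn, id_text):
    """Bound parameter in the same numeric context: the whole string is one value."""
    return conn.execute("SELECT * FROM users WHERE id=?", (id_text,)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"  # classic tautology, typed into the password box
    print("concat  :", login_concat(db, "admin", payload))     # both rows: bypass
    print("escaped :", login_escaped(db, "admin", payload))    # []: payload is just text
    print("param   :", login_param(db, "admin", payload))      # []
    print("id esc  :", find_by_id_escaped(db, "1 OR 1=1"))     # both rows: escaping did nothing
    print("id param:", find_by_id_param(db, "1 OR 1=1"))       # []
```

The last pair is the reason to prefer bound parameters over escaping as a habit: the escaping function is correct, it was just used somewhere it cannot help, and nothing about the code looks wrong at a glance.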

Re: Bind/how to make sure people cant use special chars

Postby jordylad42 on Sun Feb 07, 2010 9:38 pm

OK, I'm very sorry if I'm being a real big pain, but I've never had this much trouble before and it doesn't seem to be responding to shit, so I'm gonna post my code. Will you tell me what's wrong and correct it for me if you can or have time? Cheers in advance.

<p><?php
?>
<form action="?op=register" method="post">
  <div align="center"><br />
  </div>
  <table width="338" border="0" align="center">
    <tr>
      <td width="132" height="20" class="b01">Username:</td>
      <td width="196"><label>
      <input name="user" type="text" class="liteoption" id="user" size="15" maxlength="15" />
      </label></td>
    </tr>
    <tr>
      <td height="25" class="b01">Password:</td>
      <td><input name="pass1" type="password" class="liteoption" id="pass1" size="15" maxlength="15" /></td>
    </tr>
    <tr>
      <td height="24" class="b01">Repeat Password: </td>
      <td><input name="pass2" type="password" class="liteoption" id="pass2" size="15" maxlength="15" /> </td>
    </tr>
    <tr>
      <td height="24" class="b01"><p>email address</p></td>
      <td><input name="email" type="email" class="liteoption" id="email" size="15" maxlength="200" /></td>
    </tr>
  </table>
  <p align="center"><script language="javascript" src="http://www.captcha.cc/cap.js?cap_k=UsskcJZWVgoEEahGztrazdYUHEXfRQCs" type="text/javascript"></script>
<input type=hidden name=cap_h id=cap_h value="">
<img border=1 id=cap_i src="http://www.captcha.cc/img.cgi?cap_k=UsskcJZWVgoEEahGztrazdYUHEXfRQCs" align=middle><img align=middle style="margin-left: 4px;" id=cap_r onload="return cap_showReload(event);" src="http://www.captcha.cc/blank.png"><br>
<input id=cap_t name=cap_t type=text value="" style="margin-top:4px;">
&nbsp;</p>
  <p align="center">
    <input name="submit" type="submit" class="liteoption" value="Register" />
  </p>
</form>
<div align="center">
  <?php
if(isset($_POST['submit'])) {
    if(!$_POST['user'] || !$_POST['pass1'] || !$_POST['pass2'])
    {
        die('You must fill in all of the fields<BR>');
    }
    // magic_quotes_gpc already slashes POST data on servers that have it on;
    // only add slashes ourselves when it is off (and do it to every value used in SQL)
    if(!get_magic_quotes_gpc()) {
        $user  = addslashes($_POST['user']);
        $pass  = md5($_POST['pass1']);
        $email = addslashes($_POST['email']);
    } else {
        $user  = $_POST['user'];
        $pass  = md5($_POST['pass1']);
        $email = $_POST['email'];
    }
    $pass2 = md5($_POST['pass2']);
    $check  = mysql_query("SELECT * FROM accounts WHERE username = '$user'");
    $check2 = mysql_num_rows($check);
    if($check2 != 0) {
        die("Username: '".$user."' is in use!");
    }
    if($pass != $pass2) {
        die('Passwords dont match!');
    }

    // the column list and the value list must line up: one value per column, comma separated
    $insert_member = mysql_query("INSERT INTO accounts (username, password, email, active) VALUES ('$user', '$pass', '$email', '1')");
    if($insert_member) {
        echo("<p class='b01'>Registration Complete! <a href=?index.php>Click here</a></p>");
    } else {
        echo("<p class='b01'>Registration Failed!</p>");
    }
}
?>
</div>
jordylad42
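A server-side registration handler for the script above, as an added example that is not part of the thread and not the forum's PHP (written in Python on an in-memory SQLite table so it runs stand-alone). It answers the thread's original question with a whitelist, stating what a username may contain rather than listing forbidden characters; checks the two passwords and the e-mail shape on the server, where JavaScript cannot be bypassed; stores a salted PBKDF2 hash instead of an unsalted md5(); lets a UNIQUE index decide whether a name is taken, because the script's SELECT-then-INSERT has a race between two simultaneous registrations; and binds every value as a parameter. The field names mirror the form; the schema, regexes, minimum length and round count are choices made for the example.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# Whitelist: say what IS allowed instead of chasing a list of special characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,15}$")
# Deliberately loose shape check; the real e-mail check is a confirmation mail.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MIN_PASSWORD_LEN = 8
PBKDF2_ROUNDS = 200_000  # example value; tune to your hardware


def setup_db():
    """In-memory stand-in for the script's `accounts` table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        " id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL UNIQUE,"  # the database enforces 'name taken'
        " pw_salt BLOB NOT NULL,"
        " pw_hash BLOB NOT NULL,"
        " email TEXT NOT NULL,"
        " active INTEGER NOT NULL DEFAULT 1)"
    )
    return conn


def hash_password(password, salt=None):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256) instead of a bare md5()."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def validate(form):
    """Server-side checks on the POSTed fields; returns a list of error strings."""
    errors = []
    if not USERNAME_RE.fullmatch(form.get("user", "")):
        errors.append("username must be 3-15 letters, digits or underscore")
    if not EMAIL_RE.fullmatch(form.get("email", "")):
        errors.append("email address does not look valid")
    pw1, pw2 = form.get("pass1", ""), form.get("pass2", "")
    if len(pw1) < MIN_PASSWORD_LEN:
        errors.append(f"password must be at least {MIN_PASSWORD_LEN} characters")
    if pw1 != pw2:
        errors.append("passwords don't match")
    return errors


def register(conn, form):
    """Returns (ok, message). `form` is the POST dict; none of it reaches SQL text."""
    errors = validate(form)
    if errors:
        return False, "; ".join(errors)
    salt, digest = hash_password(form["pass1"])
    try:
        conn.execute(
            "INSERT INTO accounts (username, pw_salt, pw_hash, email, active)"
            " VALUES (?, ?, ?, ?, 1)",
            (form["user"], salt, digest, form["email"]),
        )
        conn.commit()
    except sqlite3.IntegrityError:
        # Two requests racing past a SELECT would both insert; the UNIQUE index cannot be raced.
        return False, "username is in use"
    return True, "registration complete"


def check_login(conn, username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    row = conn.execute(
        "SELECT pw_salt, pw_hash FROM accounts WHERE username=? AND active=1",
        (username,),
    ).fetchone()
    if row is None:
        return False
    _, digest = hash_password(password, row[0])
    return hmac.compare_digest(digest, row[1])


if __name__ == "__main__":
    db = setup_db()
    # Constructed form submissions, as the PHP script would see them in $_POST.
    good = {"user": "jordy_42", "pass1": "acid-techno-2010",
            "pass2": "acid-techno-2010", "email": "jordy@example.com"}
    print(register(db, good))                                   # (True, 'registration complete')
    print(register(db, dict(good, user="x' OR '1'='1")))        # rejected by the whitelist
    print(register(db, good))                                   # (False, 'username is in use')
    print(check_login(db, "jordy_42", "acid-techno-2010"))      # True
```

Note that the username check also makes the reflected error message in the original script ("Username: '...' is in use!") safe to print, since nothing that can start an HTML tag survives the whitelist; output should still be escaped when it is rendered, but the validation is no longer the only thing standing between the input and the page.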

Re: Bind/how to make sure people cant use special chars

Postby Choseal on Sun Feb 07, 2010 9:52 pm

jordylad42 wrote: (the registration script quoted above)

Just noticed, and I see this a lot in your scripts: why are you opening, and immediately closing, PHP?

Also, didn't lmame say you shouldn't use addslashes? =P
Choseal

Re: Bind/how to make sure people cant use special chars

Postby jordylad42 on Sun Feb 07, 2010 9:57 pm

Dunno, and tired, I guess. Would it be safer to use $_REQUEST than $_POST??
jordylad42

Re: Bind/how to make sure people cant use special chars

Postby lmame on Sun Feb 07, 2010 10:01 pm

No.
Use $_POST, FORGET addslashes since it can lead to a security problem too and doesn't clean correctly, and use mysql_real_escape_string!
I gave you an example of how to use it...
lmame
