Hi there, I am working on a project based on PHP, MySQL and HTML. As I was using a more secure method to authenticate login information than simply getting the POST variables and comparing them with the database, I came across different functions like
isset()
empty()
stripslashes()
I got it right up to isset() and empty(), but when working with stripslashes() I am not getting it right. As far as I know, the purpose of stripslashes() is to remove any extra
' " / and \ etc.
But as I tried to use it, and in the username input field I entered \omer and tried to echo it after using stripslashes($_POST['FIELD_NAME']), it still shows the "\" in it.
My code is here:
[php]<?php
$msg = "";

if (isset($_POST['Submit'])) {
    if (!empty($_POST["l_name"]) && !empty($_POST["l_pass"])) {
        if (isset($_POST["l_name"]) && isset($_POST["l_pass"])) {
            // stripslashes() removes one level of backslashes. On PHP < 5.4 with
            // magic_quotes_gpc=On the input "\omer" arrives as "\\omer", so a
            // single stripslashes() still leaves "\omer" behind.
            $mem_name = stripslashes($_POST["l_name"]);
            $mem_pass = stripslashes($_POST["l_pass"]);
            echo $mem_name . '<br />' . $mem_pass;
        } else {
            $msg .= "Good to see you Looser";
            // urlencode() so the spaces in $msg do not break the Location header
            header("Location: buzz.php?msg=" . urlencode($msg));
            exit();
        }
    } else {
        $msg .= "The e-mail address / user name and password you entered did not match any accounts in our file. Please try again.";
    }
} else {
    $msg .= "Good to see you Looser";
    header("Location: buzz.php?msg=" . urlencode($msg));
    exit();
}
?>[/php]
-
Any help in this regard would be highly appreciated.
Regards,
Omer Aslam
stripslashes() only strips backslashes.
I can't understand why it isn't working =/
mysql_real_escape_string() is better off used (you need to be connected to MySQL for this to work).
Yeah, I am also surprised why it isn't working, but now I have made some amendments in my code. Here it is:
[php]$msg = "";

if (isset($_POST['Submit'])) {
    if (!empty($_POST["l_name"]) && !empty($_POST["l_pass"])) {
        if (isset($_POST["l_name"]) && isset($_POST["l_pass"])) {
            $mem_name = $_POST["l_name"];
            $mem_pass = $_POST["l_pass"]; // missing in the original, so the echo below used an undefined variable

            // lower-case the name, then remove characters and keywords one search string at a time
            $mem_name0 = strtolower($mem_name);
            $mem_name1 = str_ireplace("/", "", $mem_name0);
            $mem_name2 = str_ireplace(",", "", $mem_name1);
            $mem_name3 = str_ireplace("'", "", $mem_name2);
            $mem_name4 = str_ireplace("*", "", $mem_name3);
            $mem_name5 = str_ireplace("and", "", $mem_name4);
            $mem_name6 = str_ireplace("or", "", $mem_name5);
            $mem_name7 = str_ireplace("where", "", $mem_name6);
            $mem_name  = trim($mem_name7);

            echo $mem_name . '<br />' . $mem_pass;
        } else {
            $msg .= "Good to see you Looser";
            header("Location: buzz.php?msg=" . urlencode($msg));
            exit();
        }
    } else {
        $msg .= "The e-mail address / user name and password you entered did not match any accounts in our file. Please try again.";
    }
} else {
    $msg .= "Good to see you Looser";
    header("Location: buzz.php?msg=" . urlencode($msg));
    exit();
}[/php]
-
But one thing: how could I avoid
; and " in the entered string?
Any idea?
Regards,
Omer
You could do it quicker with preg_replace:
[php]
$replace[0] = '#and#'; // replace and
$replace[1] = '#or#'; // replace or
$replace[2] = '#where#'; // replace where
$replace[3] = '#[\*;\'/\,\"]#'; // replace * ; ' , "
echo preg_replace($replace, "", "*heandlalwhereo;"); // do the replacement
[/php]
Or you could use this one:
[php]$memname=trim(str_ireplace(array("/",",","'","*","and","or","where"),'', strtolower($memname)));[/php]
Ronald
Pah!
Defeated me again.
Not really, it is merely another way of solving it. ;-)
Ronald
if str_ireplace() is case-insensitive is there any need for strtolower()?
Not for the replace, but the result string is also lower case.
Ronald
Or you could use this one:
[php]$memname=trim(str_ireplace(array("/",",","'","*","and","or","where"),'', strtolower($memname)));[/php]
Ronald
Thanks a lot guys for a bunch of help, and especially ronverdonk, who gave such reduced code of just 1 line; that was really excellent. But one thing is still there.
CASE 1: I want to remove WHITE SPACES from the username. Let's say I enter "omer aslam"; then it should remove the space between omer AND aslam, but it is not doing it.
CASE 2: If I enter only white spaces at the end of the name, i.e. like this "omer ", then in this case it removes the spaces, but not in the first case, EVEN IF I USE MY TECHNIQUE OR RONVERDONK'S.
Thanks a lot anyway guys that you helped me so far.
Any help in this regard is highly appreciated.
Thanks in advance,
Regards,
Omer Aslam.
[php]
$memname=trim(str_ireplace(array(" ", "/",",","'","*","and","or","where"),'', strtolower($memname)));
[/php]
Try that
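The one-liner above is a denylist, and str_ireplace() makes a single left-to-right pass per search string, so a banned word that has a copy of itself spliced into the middle survives: removing the inner "and" from "aandnd" leaves "and". The block below is an added example written for this edit, not code from the thread; it wraps the thread's sanitize line in a function (name thread_sanitize is mine) and runs it over constructed inputs to show both the bypass and the damage the same list does to ordinary names.

```php
<?php
// Added example (not from the thread): the denylist sanitizer proposed above,
// wrapped in a function, run against constructed inputs that defeat it.
function thread_sanitize($memname) {
    // Same search list as the thread's one-liner, including the " " added later.
    return trim(str_ireplace(
        array(" ", "/", ",", "'", "*", "and", "or", "where"),
        '',
        strtolower($memname)
    ));
}

// str_ireplace() walks its search array in order and makes one pass per entry,
// so a banned word that is split by a copy of itself is reassembled once the
// inner copy is removed. Running more passes only moves the goalposts: the
// attacker nests one level deeper than the number of passes.
$bypass_cases = array(
    // input        => banned token that survives sanitizing
    "aandnd"        => "and",
    "oorr"          => "or",
    "wwherehere"    => "where",
    "WwHeReHeRe"    => "where",   // strtolower() does not help: nesting is case-blind too
);

// The same list mangles legitimate names, because "and" and "or" are substrings
// of ordinary words. A login filter that rejects its own users is not a win.
$collateral_cases = array(
    "Sandra"  => "sra",
    "Gordon"  => "gdon",
    "Andorra" => "ra",
);

// Runs every case through the sanitizer and reports whether the output is the
// one described in the comments above; returns true when all cases agree.
function run_cases($label, array $cases) {
    $all_ok = true;
    foreach ($cases as $input => $expected) {
        $got    = thread_sanitize($input);
        $ok     = ($got === $expected);
        $all_ok = $all_ok && $ok;
        printf("%-10s %-14s -> %-8s %s\n", $label, json_encode($input),
               json_encode($got), $ok ? "" : "(differs)");
    }
    return $all_ok;
}

$bypass_ok     = run_cases("bypass", $bypass_cases);
$collateral_ok = run_cases("collateral", $collateral_cases);
echo ($bypass_ok && $collateral_ok) ? "all cases behaved as described\n" : "some case differed\n";
```

The point is not that the list needs more entries; any list that rewrites input instead of rejecting it has this shape of problem. Reject what does not match an allowed pattern, and keep data out of the SQL text with bound parameters.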
THANKS A LOT MAN, you were really a THETA of PHP :D Well, just kidding; that's just because you have a lot of experience, but that's remarkable ;) I guess that was enough :D Anyhow, you really helped me out. Thanks a lot again guys, a bundle of thanks for such an efficient and quick reply.
Regards,
Omer.
Haha, Ron was the OP of that; I just tweaked it ever so slightly.
Remember, if there's anything else you want plucking out of the user input just add it into the array :)
Yeah okay, I did that because I had to remove some more extra characters, so I did the same. But apart from the discussion, ronverdonk really helped me a lot; he was the OP for that :D
Take care,
Regards,
Omer.
Consider it a joint solution. It really doesn't matter who originated what code.
In my opinion code should be shared freely. To me there is no such thing as 'ownership' of code, contrary to what a lot of programmers and companies think.
Ronald
[php]$memname=trim(str_ireplace(array("/",",","'","*","and","or","where"),'', strtolower($memname)));[/php]
So besides isset() do you use any other server side protection? Just curious because mine is similar to markusn00b's (just a bit longer), so this looks much more compact!
I suggest that you must at least do a strip_tags() before you assign a POSTed value to a variable. And I mean: at least.
Ronald
Sir, I have implemented it like this:
[php]$msg = "";

if (isset($_POST['Submit'])) {
    // check whether the fields are empty or not
    if (!empty($_POST["l_name"]) && !empty($_POST["l_pass"])) {
        // check whether the fields were set from the form or not
        if (isset($_POST["l_name"]) && isset($_POST["l_pass"])) {
            // get the user and pass
            $mem_nameT = MyTag($_POST["l_name"]);
            $mem_passT = MyTag($_POST["l_pass"]);

            // remove special characters ($myStrip is a helper object not shown in this post)
            $mem_name = $myStrip->SpecialCharactors($mem_nameT, 1);
            $mem_pass = $myStrip->SpecialCharactors($mem_passT, 0);

            echo $mem_name . '<br />' . $mem_pass;
        } else {
            $msg .= "Good to see you Looser";
        }
    } else {
        $msg .= "The e-mail address / user name and password you entered did not match any accounts in our file. Please try again.";
    }
}

// wrapper around strip_tags(), as suggested above
function MyTag($a)
{
    $s = strip_tags($a);
    return $s;
}[/php]
Is there anything else that you can suggest for this?
Regards,
Omer Aslam
There are a lot of things that can be done to protect your script from attacks, and there are many types of attacks. Please read the PHP security guide of the PHP Security Consortium: PHP security guide.
There are also many tutorials on SQL injection on the web, e.g. SQL Injection Attacks by Example and the SQL injection cheat sheet.
Ronald
Thanks a lot for the links. Going through the SQL injection cheat sheet,
I saw that some ways were given to perform SQL injection via HEXADECIMAL values as well, and I was thinking how I could stop that from happening.
Any suggestions?
Regards, Omer Aslam.
Protecting against SQL injection is easy:
I. Filter your data.
This cannot be overstressed. With good data filtering in place, most security concerns are mitigated, and some are practically eliminated.
II. Quote your data.
If your database allows it (MySQL does), put single quotes around all values in your SQL statements, regardless of the data type.
III. Escape your data.
Sometimes valid data can unintentionally interfere with the format of the SQL statement itself. Use mysql_escape_string() or an escaping function native to your particular database. If there isn't a specific one, addslashes() is a good last resort.
Following option II is the easiest and quickest to implement.
Ronald
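The three options above (filter, quote, escape) all work on the string before it is pasted into the SQL text. The approach that makes the hexadecimal question moot is to never let user data become part of the SQL text at all: with a bound parameter the statement is parsed before any value is attached. The block below is an added example written for this edit, not code from the thread or from the PHP security guide. It runs the same login lookup two ways through PDO against an in-memory SQLite table so it runs offline; the table layout (members(username, password)), the rows and the attempts are constructed for the demo, and the function names are mine. On MySQL, an unquoted concatenation also accepts a hex literal such as 0x61646d696e, which the server reads as the string 'admin'; bound as a parameter, the same input is the 12-character string "0x61646d696e" and matches nothing.

```php
<?php
// Added example (not from the thread): string-built SQL vs. a prepared
// statement, run against a constructed in-memory SQLite table via PDO.
// Requires the pdo_sqlite extension; swap the DSN for MySQL in real use.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema and rows. Plain-text passwords are used only to keep
// the demo short; a real table stores password_hash() output.
$db->exec("CREATE TABLE members (username TEXT, password TEXT)");
$db->exec("INSERT INTO members VALUES ('admin', 's3cret'), ('omer', 'hunter2')");

// The pattern the thread is building towards: quote and concatenate.
// Returns the number of matching rows; any value > 0 would log the user in.
function login_concat(PDO $db, $user, $pass) {
    $sql = "SELECT COUNT(*) FROM members WHERE username = '" . $user .
           "' AND password = '" . $pass . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// Same query with bound parameters: the SQL text is fixed before any user
// data is attached, so the data can never change the statement's structure.
function login_prepared(PDO $db, $user, $pass) {
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM members WHERE username = ? AND password = ?"
    );
    $stmt->execute(array($user, $pass));
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: a genuine login, the classic quote-breakout payload in
// both fields (the concatenated WHERE clause becomes true for every row), and
// a MySQL-style hex literal for 'admin', which a bound parameter carries as
// an ordinary string.
$attempts = array(
    array('omer',         'hunter2'),
    array("' OR '1'='1",  "' OR '1'='1"),
    array('0x61646d696e', 'anything'),
);

foreach ($attempts as $a) {
    list($user, $pass) = $a;
    printf("%-16s concat=%d prepared=%d\n",
           json_encode($user),
           login_concat($db, $user, $pass),
           login_prepared($db, $user, $pass));
}
```

Only the concatenated version reports matches for the breakout payload. Note that login_concat() still needs the quoting from option II to be a "normal" query at all; the prepared version needs neither quoting nor escaping, which is the whole reason to prefer it.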
What about making a function:
[PHP]function sanitize($data) {
    // undo one level of backslash escaping, then strip the blacklisted characters and keywords
    $data  = stripslashes($data);
    $clean = trim(str_ireplace(array(" ", "/", ",", "'", "*", "and", "or", "where"), '', $data));
    return $clean;
}
[/PHP]
Is there anything wrong with this? Also, what about double backslashes (or even more) and " characters?
You could make an endless list of things to remove. Using functions: do not forget to include strip_tags and htmlentities with ENT_QUOTES.
Ronald
I know that I have practically no experience in hacking, and so trying to break my code in an attempt to identify holes is actually proving to be difficult.
What is wrong with doing this to all inputs:
[PHP]
$username = "A Bad* <Username..";
$username = addslashes($username);
// only letters, digits and underscores allowed (eregi() is gone in PHP 7;
// the D modifier keeps $ at the very end of the string, as eregi()'s $ was)
if (!preg_match("/^[a-zA-Z0-9_]+$/D", $username)) {
    return FALSE; // stops the including script here
}
[/PHP]
And just not allow any code to run if that's false? I have tried MySQL injections, but none get through. What are the security risks I am missing?
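Rejecting anything outside a small allowed set, as the check above does, is the right shape for a username; two details matter in practice. First, in PCRE the plain `$` anchor also matches just before a trailing newline, so `^[a-zA-Z0-9_]+$` accepts "omer\n" and the value that reaches the database is not the one that was validated; `\z` (or the D modifier) closes that. Second, a password should never be filtered, escaped or stripped at all: it is compared through a hash, so its characters never meet SQL or HTML. The block below is an added example written for this edit, not code from the thread; password_hash() and password_verify() are PHP 5.5+, and the stored row, the function names and the inputs are constructed for the demo.

```php
<?php
// Added example (not from the thread): allow-list validation for the username
// and hash-based comparison for the password. Nothing here tries to "clean"
// the input; it is either acceptable as-is or rejected.

// Usernames: letters, digits, underscore, 3..20 chars. \A and \z anchor to the
// absolute start and end of the string; ^...$ alone lets "omer\n" through.
function valid_username($name) {
    return is_string($name) && preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $name) === 1;
}

// Same allowed set with the thread's anchors, kept only to show the difference.
function valid_username_dollar_anchor($name) {
    return is_string($name) && preg_match('/^[A-Za-z0-9_]{3,20}$/', $name) === 1;
}

// Passwords are not filtered: any byte sequence is fine, because the only
// thing ever compared is the hash, and password_verify() does the comparison
// in a way that does not leak timing.
function check_password($submitted, $stored_hash) {
    return is_string($submitted) && password_verify($submitted, $stored_hash);
}

// Constructed "database row": the hash is made at registration time with
// password_hash(); the plain password is never stored.
$stored = array(
    'username' => 'omer',
    'hash'     => password_hash("p@ss' OR 1=1 -- word", PASSWORD_DEFAULT),
);

// Constructed usernames: one good, one with a trailing newline, one with
// punctuation and a tag, one too short, one classic payload.
$cases = array(
    "omer",
    "omer\n",
    "A Bad* <Username..",
    "om",
    "' OR '1'='1",
);
foreach ($cases as $c) {
    printf("%-24s dollar=%s  strict=%s\n", json_encode($c),
           valid_username_dollar_anchor($c) ? 'accept' : 'reject',
           valid_username($c) ? 'accept' : 'reject');
}

// Login: validate the username's shape, then compare the password by hash.
function login(array $stored, $user, $pass) {
    if (!valid_username($user) || $user !== $stored['username']) {
        return false;
    }
    return check_password($pass, $stored['hash']);
}

// a password full of SQL punctuation is fine: it only ever meets the hash
var_dump(login($stored, 'omer', "p@ss' OR 1=1 -- word"));
// wrong password
var_dump(login($stored, 'omer', "p@ss"));
// username fails validation, so no comparison happens at all
var_dump(login($stored, "omer\n", "p@ss' OR 1=1 -- word"));
```

The database lookup that finds `$stored` for a given username still belongs in a prepared statement; validation narrows the input, it does not replace parameter binding.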