Re: question about validation and sql injection
- From: "Álvaro G. Vicario" <alvaroNOSPAMTHANKS@xxxxxxxxxxxxxx>
- Date: Fri, 16 May 2008 09:48:25 +0200
Sudhakar escribió:
a) the username should only begin either letters or numbers, and
Underscore character
example = user123, 123user, u_ser123, user_123 = completely case
insensitive
b) a user may choose not to have an underscore or numbers sometimes.
example = username
presently my validation for username is
$username = $_POST["username"];
if( $username == "" || !eregi("^[a-zA-Z0-9_]+$", $username) )
{
$error.="User name cannot be blank or has special characters";
}
You'd better get used to preg_* functions, their old ereg_* equivalent will be deprecated in PHP 6. Not tested but...
if(
// Check non-empty, only valid chars and 1 to 16 chars
!preg_match('/^[a-z0-9_]{1,16}$/i', $username) ||
// Check at least one letter
!preg_match('/[a-z]/i', $username)
){
$error .= '......';
}
I've added an extra check. Replace 16 with your database field length. Probably, it could all be done in only one expression but...
B) preventing sql injection
htmlentities
This is used to convert plain text into HTML, it has nothing to do with SQL injection.
addslashes
This may help to avoid _some_ types of injection in some database servers like MySQL, but it wouldn't help in Oracle or SQL Server.
trim
I won't even comment on this.
mysql-real-escape-string
This is a valid option for MySQL. Prepared statements are the other way.
magic_quotes_gpc is ON
The same as addslashes(), except that you'll get \'s inserted all around your input and you'll have to remove it again when not using it for a SQL query:
<p>Welcome, John O\'Hara!</p>
c) also with the prevention methods if a user types a special
character in the data will that character be written in the table as a
escaped character or how does it store those special characters
Why does it matter how the DBMS stores data internally?
d) a very important point here, i have a feature where a user can
check if a username is available or not. so while storing a username
if the username is stored as john\smith in mysql and if the user is
searching for johnsmith this would not match, so even in the table the
username should be stored without slashes as i have to read the
username and compare with what the user has typed to see if they both
are same or different.
You said users can only have letters, numbers and underscores... If you also allow backslashes then of course "john\smith" is different to "johnsmith" or "john_smith" or "john___smith". My suggestion is that you add an extra column to the table (possibly indexed) and check against it as well:
Username StrippedUsername
============= ================
john_smith123 johnsmith
___123x___ x
$stripper_username = strtolower(preg_replace('/[^a-z]+/', '', $username));
--
-- http://alvaro.es - Álvaro G. Vicario - Burgos, Spain
-- Mi sitio sobre programación web: http://bits.demogracia.com
-- Mi web de humor al baño María: http://www.demogracia.com
--
.
- References:
- question about validation and sql injection
- From: Sudhakar
- question about validation and sql injection
- Prev by Date: Re: Setting html page for printing
- Next by Date: Re: Sharing data between sessions?
- Previous by thread: Re: question about validation and sql injection
- Next by thread: Setting html page for printing
- Index(es):
Relevant Pages
|
