regex syntax error - maybe?

Security issues related to php and mysql usage. How to make your code secure? Security measures and configurations? It's all in here!

Moderators: macek, egami, gesf

russia5
New php-forum User
New php-forum User
Posts: 10
Joined: Fri Jul 07, 2006 5:26 am
Location: Pasadena, California
Contact:

regex syntax error - maybe?

Postby russia5 » Sat Sep 02, 2006 4:40 pm

Hello, this is my code for Regex text box discrimination.

Code: Select all


if (empty($_POST['id'])) $id = 0; else $id = $_POST['id'];

if (!preg_match("/[a-z0-9].\:\?\!\"\-]$/i), $id);
{
  preg_replace("*")

{else return $id;

}
}



I get an error way down the page, so I am not sure the error is with the syntax coding. Does anyone see a problem with my code.

Second, am I doing the best thing here. This is for a profile submission, so it is important that because someone use a bad character, the connection not die, hence destroying a valuable submission. I can live with * in place of bad characters, but I would like to use the best method.

Am I under the right impression that this !preg_match will not allow characters other than what I have specified to be put into the database nor pulled to the HTML page? Or echoed after the code? ( I beat my head for a week learning that mysql_real_escape_string() did not actually put / in the output. :oops:

Thanks Greg

User avatar
gesf
Moderator
Moderator
Posts: 1717
Joined: Sun Dec 29, 2002 5:03 am
Location: Portugal / Sweden
Contact:

Postby gesf » Sun Sep 03, 2006 3:04 pm

Code: Select all

<?php

$id = int (empty($_POST['id'])) ? 0 : $_POST['id'];

// OR

if(empty($_POST['id'])) {
     $id = 0;
} else {
     $id = $_POST['id'];
}

// You miss the last double quote

if (!preg_match("/[a-z0-9].\:\?\!\"\-]$/i"), $id) {
     // preg_replace("*");
     // Check the manual page for: preg_replace();   
} else {
     return $id;
}

?>
Use error_reporting(E_ALL); at first in your code.

russia5
New php-forum User
New php-forum User
Posts: 10
Joined: Fri Jul 07, 2006 5:26 am
Location: Pasadena, California
Contact:

Postby russia5 » Sun Sep 03, 2006 3:25 pm

Thankyou Very Much! You did it! I got it working. Or at least, not putting on an error.

Let me ask you, if the code is working, are the characters that are not in the regex string, still display in the output, and they are just given literals - such as in mysql_real_escape_string() output. The point is, when I put in characters like ) and > they still appear in the output.

Also the same is true for this code:



Code: Select all

 function check_inject()
   {
     $badchars = array(";", "'", "\"", "*", "DROP", "SELECT", "UPDATE", "DELETE", "-");
   
     foreach($_POST as $value)

     


Should DROP, SELECT, UPDATE and DELETE, if input into the text box, appear in the output. If not, what should appear?

Thanks Greg [/code]

User avatar
gesf
Moderator
Moderator
Posts: 1717
Joined: Sun Dec 29, 2002 5:03 am
Location: Portugal / Sweden
Contact:

Postby gesf » Wed Sep 06, 2006 4:04 pm

Not sure if i get your point russia5... can you say it in other words !? :)
Are making a protection script against SQL injection !?

russia5
New php-forum User
New php-forum User
Posts: 10
Joined: Fri Jul 07, 2006 5:26 am
Location: Pasadena, California
Contact:

Postby russia5 » Thu Sep 07, 2006 4:01 am

At this point, gesf, I am just trying to learn security and to apply a bunch of scripts to my site to secure it up. But later, I believe a script you can put on a form page or password page to protect the page would be a great product.

On my question: the preface being - you know how mysql_real_escape_sting() puts in escapes that turn the characters into literal values and that the characters still show up in the database and output? Well on my bad characters in_array() below, I still get the words that I type in the input, in the output. It does not kill the connection. I was wondering if this was normal? Say, if I type in DELETE and it is in in_array(DELETE) rather DELETE showed up in the output anyway, but the effects were mitigated someway as in mysql_real_escape_string() does to its characters.

The point is, how do you tell rather in_array() is working? Maybe just the fact that it is there and you arn't getting an error?

User avatar
gesf
Moderator
Moderator
Posts: 1717
Joined: Sun Dec 29, 2002 5:03 am
Location: Portugal / Sweden
Contact:

Postby gesf » Sat Sep 09, 2006 1:23 am

Try this out:

Code: Select all

<?php

// Use it like: index.php?id=whatever

$variable = trim($_GET['id']); // Or $_POST
$your_array = array('whatever','whatever1','whatever2');

print (in_array($variable, $your_array)) ? 'In Array!' : 'Not In Array!';

?>
The "key" here is the trim() function which strips whitespace from the beginning and end of the string. I know this sounds stupid, but you'll get your problem solved with this ;)


Return to “PHP & MySQL Security”

Who is online

Users browsing this forum: No registered users and 1 guest