A) validating username in php
as part of a registration form a user fills there desired username
and this is stored in a mysql. there are certain conditions for the
username.
a) the username should only begin either letters or numbers, and
Underscore character
example = user123, 123user, u_ser123, user_123 = completely case
insensitive
b) a user may choose not to have an underscore or numbers sometimes.
example = username
presently my validation for username is
$username = $_POST["username"];
if( $username == "" || !eregi("^[a-zA-Z0-9_]+$", $username) )
{
$error.="User name cannot be blank or has special characters";
}
Question = how can i rewrite this php validation for username to
meet the above criteria or is my validation correct
B) preventing sql injection
till now i have been capturing the form values and directly
inserting into the table without considering sql injection however
for this project as it is for a forum i would like to implement
prevention of sql injection. from what i have read about preventing
sql injection there are several steps that need to be followed,
htmlentities
addslashes
trim
mysql-real-escape-string
magic_quotes_gpc is ON
magic_quotes_runtime is OFF
magic_quotes_sybase is OFF
as i have not done preventing sql injection i am not sure what is
the correct process.
Question =
a) please advice a step by step process of how to go about avoiding
the sql injection before the insert sql query is executed starting
from
$username = $_POST["username"]; till the
insert into tablename(field1, field2) values($value1, $value2) SQL
query is executed which will prevent sql injection even if the user
enters any special characters while filling the form.
b) should i consider the setting of magic quotes as in should it be
ON or OFF or should i ignore it if so should it be
ON or OFF
c) also with the prevention methods if a user types a special
character in the data will that character be written in the table as
a escaped character or how does it store those special characters
d) a very important point here, i have a feature where a user can
check if a username is available or not. so while storing a username
if the username is stored as john\smith in mysql and if the user is
searching for johnsmith this would not match, so even in the table
the username should be stored without slashes as i have to read the
username and compare with what the user has typed to see if they
both are same or different.
please advice if i have missed any other steps to prevent sql
injection.
thanks a lot for your help.
