Hi,
You can prevent sql injection by several ways.
1. Use values from specific global array, $_POST or $_GET, instead of
$_REQUEST. Suppose you are expecting a value from a form that is posted,
then use only $_POST.
2. Convert all single and double quotes into entities in the user input
fields. You can use mysql real escape string also, but this is what I
prefer.
e.g. $username=htmlspecialchars($_POST['username'], true);
While retrieving back use html_entity_decode. These two functions may be
useful to you.
function escapeString($text, $escapeHtml=false)
{
if($escapeHtml) return addslashes(nl2br(htmlspecialchars($text,
ENT_QUOTES)));
else return addslashes(nl2br($text));
}
function replaceString($text, $replaceHtml=false)
{
if($replaceHtml) return
stripslashes(br2nl(html_entity_decode($normalText, ENT_QUOTES)));
else return stripslashes(br2nl($text));
}
3. Use constrained datatype in the table. i.e. instead of using text
datatype for username and password, use varchar. instead of varchar for
number fields, use int or bigint specifically. In this way, you can filter
out excess or useless data entering into database.
4. Finally, do not depend on client side javascript validations, firefox
has option to turn off javascript. So you have to write validations in
php.
Regards,
Manda Krishna Srikanth
http://www.krishnasrikanth.com
php-objects@xxxxxxxxxxxxxxx wrote on 05/16/2008 04:20:01 AM:
>
> A) validating username in php
>
> as part of a registration form a user fills there desired username
> and this is stored in a mysql. there are certain conditions for the
> username.
>
> a) the username should only begin either letters or numbers, and
> Underscore character
> example = user123, 123user, u_ser123, user_123 = completely case
> insensitive
> b) a user may choose not to have an underscore or numbers sometimes.
> example = username
>
> presently my validation for username is
>
> $username = $_POST["username"];
> if( $username == "" || !eregi("^[a-zA-Z0-9_]+$", $username) )
> {
> $error.="User name cannot be blank or has special characters";
> }
>
> Question = how can i rewrite this php validation for username to
> meet the above criteria or is my validation correct
>
> B) preventing sql injection
>
> till now i have been capturing the form values and directly
> inserting into the table without considering sql injection however
> for this project as it is for a forum i would like to implement
> prevention of sql injection. from what i have read about preventing
> sql injection there are several steps that need to be followed,
>
> htmlentities
> addslashes
> trim
> mysql-real-escape-string
> magic_quotes_gpc is ON
> magic_quotes_runtime is OFF
> magic_quotes_sybase is OFF
>
> as i have not done preventing sql injection i am not sure what is
> the correct process.
>
> Question =
>
> a) please advice a step by step process of how to go about avoiding
> the sql injection before the insert sql query is executed starting
> from
>
> $username = $_POST["username"]; till the
>
> insert into tablename(field1, field2) values($value1, $value2) SQL
> query is executed which will prevent sql injection even if the user
> enters any special characters while filling the form.
>
> b) should i consider the setting of magic quotes as in should it be
> ON or OFF or should i ignore it if so should it be
> ON or OFF
>
> c) also with the prevention methods if a user types a special
> character in the data will that character be written in the table as
> a escaped character or how does it store those special characters
>
> d) a very important point here, i have a feature where a user can
> check if a username is available or not. so while storing a username
> if the username is stored as john\smith in mysql and if the user is
> searching for johnsmith this would not match, so even in the table
> the username should be stored without slashes as i have to read the
> username and compare with what the user has typed to see if they
> both are same or different.
>
> please advice if i have missed any other steps to prevent sql
> injection.
>
> thanks a lot for your help.
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain
confidential or privileged information. If you are
not the intended recipient, any dissemination, use,
review, distribution, printing or copying of the
information contained in this e-mail message
and/or attachments to it are strictly prohibited. If
you have received this communication in error,
please notify us by reply e-mail or telephone and
immediately and permanently delete the message
and any attachments. Thank you
[Non-text portions of this message have been removed]
