Using escapeshellcmd.

I have two input boxes, username and password, and I want to prevent any kind of script from being entered into the boxes. I believe you can disable any scripts entered using escapeshellcmd, which puts forward slashes etc. in.
Below I have the following variables; how would I go about doing the above? I would prefer to keep the variable names the same, though.

<?php
    $username = $_POST['username'];
    $password = $_POST['password'];
?>
Thanks in advance.
Asked by jdav3579.

ldbkutty commented:
Since the username & password are database related things, mysql_real_escape_string() is better than addslashes().
 
I recommend using the quote_smart() function in example 3 of this link: http://www.php.net/mysql_real_escape_string, with which stripslashes and get_magic_quotes_gpc are also covered.

Promethyl commented:
Why not just MD5 or SHA1 the value before comparing it?

Are you passing these values to the shell?


alextr2003fr commented:
If you want to add escaping slashes to your variables, try http://fr.php.net/addslashes
Example:
<?php
    $username = addslashes($_POST['username']);
    $password = addslashes($_POST['password']);
?>
But IMHO it should only be done if you put your variables in a database,
for example to avoid any SQL injection attacks.
Also try to see: stripslashes(), get_magic_quotes_gpc()
jdav3579 (author) commented:
I like MD5'ing the variables first; this seems like the best way. I have never used MD5 before, any suggestions? Thanks all for your comments.

virmaior commented:
I would tend to agree with all three of the posters here.

As far as I can tell, escapeshellcmd is not really useful for what you're trying to do...
http://us2.php.net/manual/en/function.escapeshellcmd.php
It's meant to guard against letting people EXECUTE dangerous commands on your shell (the Unix equivalent of command.com/cmd.exe [for these purposes]).

I use the technique Promethyl describes, and also mysql_real_escape_string() on anything that's getting fed to MySQL.
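The posts above make one point between them: escapeshellcmd() belongs to the shell, mysql_real_escape_string() to MySQL, and neither does anything for the "scripts in the input box" worry, which is an HTML problem. The following is an added example (not code from anyone in this thread) that gives the asker's $username one routine per destination. It assumes PHP 7 or later with the pdo_sqlite extension, and uses an in-memory SQLite database in place of the MySQL server the thread is about; mysql_real_escape_string() itself is gone in PHP 7, so the SQL part uses a prepared statement, which does the same job portably. The shell command is only built as a string, never executed.

```php
<?php
// Added example, not from the thread: one escaping routine per sink.
// Each output context (shell, SQL, HTML) needs its own encoding;
// password hashing is a separate matter and is not shown here.

declare(strict_types=1);

// Constructed sample input standing in for $_POST['username'].
$username = "o'brien <b>x</b>";

// 1. Shell context. escapeshellcmd() neutralises metacharacters in a
//    whole command line; escapeshellarg() wraps ONE value in single
//    quotes so the shell reads it as data. The command is only built.
function shell_command_for(string $user): string {
    return 'id ' . escapeshellarg($user);
}

// 2. SQL context. Bind the value instead of splicing it into the query;
//    the driver sends it separately, so quotes in it cannot change the
//    statement. (Replaces the thread's mysql_real_escape_string().)
function find_user(PDO $db, string $user): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. HTML context. Encode before echoing the value back into a page;
//    this is what stops markup typed into the box from rendering.
function html_safe(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Assumption: pdo_sqlite is available; an in-memory table stands in
// for the users table on the MySQL server the thread talks about.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$ins = $db->prepare('INSERT INTO users (username) VALUES (:u)');
$ins->execute([':u' => $username]);

echo shell_command_for($username), "\n";   // quoted argument, safe to look at
var_dump(find_user($db, $username));       // the stored row, exact match
var_dump(find_user($db, "o'brien"));       // NULL: the quote is data, not syntax
echo html_safe($username), "\n";           // entities instead of live markup
```

The two find_user() calls are the point of the SQL part: the apostrophe in the stored name is matched literally, and a prefix of it finds nothing, because the value never touched the SQL text. Running the file with `php` from the command line is enough; no web server or MySQL is needed.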

dougday commented:
Yes, I would agree with the MD5 of the variables also (if you like this, give points to Promethyl):

Something like this:

$salt = "some_random_text_that_nobody_can_guess_1zk#92k!!";
<?php
    $username = md5($_POST['username'] . $salt);
    $password = md5($_POST['password'] . $salt);
?>

-Doug

dougday commented:
Oops, put the $salt line inside the <?php tag.

virmaior commented:
dougday - that's not really the way you do it...
You MD5 the password on the client side using JavaScript;
otherwise you aren't reaping any security benefits.

dougday commented:
True, I assumed use of SSL. (I guess I should stop assuming ;)

dougday commented:
I've never seen md5 in javascript -- do you have an example?

virmaior commented:
I've got the code at work. (so tomorrow)

dougday commented:
Why thank you :)

Promethyl commented:
>I use the technique promethyl describes and also mysql_real_escape_string() anything that's getting fed to MySQL

Thank you. MD5 is insecure, though; use SHA-1 or better.


http://us3.php.net/sha1

sha1

(PHP 4 >= 4.3.0, PHP 5)
sha1 -- Calculate the sha1 hash of a string
Description
string sha1 ( string str [, bool raw_output] )

Calculates the sha1 hash of str using the US Secure Hash Algorithm 1, and returns that hash. The hash is a 40-character hexadecimal number. If the optional raw_output is set to TRUE, then the sha1 digest is instead returned in raw binary format with a length of 20.

    Note: The optional raw_output parameter was added in PHP 5.0.0 and defaults to FALSE

Example 1. A sha1() example
<?php
$str = 'apple';
                   
if (sha1($str) === 'd0be2dc421be4fcd0172e5afceea3970e2f3d940') {
   echo "Would you like a green or red apple?";
   exit;
}
?>

See also sha1_file(), crc32(), and md5()
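dougday's md5($_POST['password'] . $salt) sketch and Promethyl's sha1() post describe the same idea: never store or compare the raw password, store a salted digest. The block below is an added example, not code from the thread, that carries that idea through server-side (over SSL, as dougday assumed): a per-user random salt kept beside a sha1() digest, checked with a constant-time comparison, next to the PHP 5.5+ password_hash()/password_verify() API, which is what a practitioner would pick today because its hash is deliberately slow to brute-force where SHA-1 is not. It assumes PHP 7 or later (for random_bytes()); the $users array is a stand-in for the database table.

```php
<?php
// Added example, not from the thread: salted SHA-1 in the thread's
// style beside the built-in password_hash() API.

declare(strict_types=1);

// Constructed sample: what the login form would post.
$username = 'jdav3579';
$password = 'correct horse battery staple';

// --- Thread-style: salted SHA-1 ------------------------------------
// The salt is random and stored next to the digest. It is not a secret;
// its job is to make two users with the same password hash differently,
// so one precomputed table cannot crack every account at once.
function sha1_salted_record(string $password): array {
    $salt = bin2hex(random_bytes(16));          // 32 hex chars, per user
    return ['salt' => $salt, 'hash' => sha1($salt . $password)];
}

function sha1_salted_check(array $record, string $candidate): bool {
    $computed = sha1($record['salt'] . $candidate);
    // hash_equals() runs in constant time; === would leak how many
    // leading characters matched through timing.
    return hash_equals($record['hash'], $computed);
}

// --- Modern: password_hash() ---------------------------------------
// bcrypt (PASSWORD_DEFAULT) generates its own random salt and embeds it
// in the returned string; the work factor is what makes guessing slow.
function modern_record(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

function modern_check(string $stored, string $candidate): bool {
    return password_verify($candidate, $stored);
}

// "Database" stand-in: only digests are kept per user, never the
// password itself. The username is stored as-is; it is a lookup key,
// not a secret, so it gains nothing from being hashed.
$users = [
    $username => [
        'legacy' => sha1_salted_record($password),
        'modern' => modern_record($password),
    ],
];

$row = $users[$username];
var_dump(sha1_salted_check($row['legacy'], $password));
var_dump(sha1_salted_check($row['legacy'], 'wrong guess'));
var_dump(modern_check($row['modern'], $password));
var_dump(modern_check($row['modern'], 'wrong guess'));
```

Both schemes store something that cannot be turned back into the password, which is the property the thread is after; the difference is that password_hash() makes each guess expensive, so a leaked table resists offline cracking far longer than a table of SHA-1 digests.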

virmaior commented:
I was hoping I had a link for the JS (I didn't write it).

This link has MD5, SHA-1, etc. in JavaScript:

http://pajhome.org.uk/crypt/md5/