Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Trying to strip out the escape characters

Posted on 2011-09-09
8
Medium Priority
?
244 Views
Last Modified: 2012-05-12
Hi there;

I am trying to strip out all escape characters and any trick possible to get rid of sql injection in a mail address. So the code that i am using is as follows:


<?php session_start(); ?>
 
<?php
 
 
 
 
$email = check_input($_POST['email'], "error message");
$country  = check_input($_POST['country'], "error message");
$name    = check_input($_POST['name']);
$age  = check_input($_POST['age']);
$education   = check_input($_POST['education']);
 
 
 
 
 
/*CHECK EMAIL FORMAT*/
if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email))
{
    die("E-mail address not valid");
}
 
/*THIS CODE CHECK IF AGE IS A NUMBER*/
if (preg_match("/\D/",$age))
{
    die("Please enter numbers only for Age");
}
 
 
function check_input($data, $problem='')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0)
    {
        die($problem);
    }
    return $data;
}

Is this sufficient or any other ways and code snippets to enhance this, maybe?

Kind regards.
0
Comment
Question by:jazzIIIlove
  • 4
  • 3
8 Comments
 
LVL 8

Assisted Solution

by:Rik-Legger
Rik-Legger earned 1000 total points
ID: 36509993
If you are using MYSQL you can just use mysql_real_escape string for the data you put in the database.
http://php.net/manual/en/function.mysql-real-escape-string.php
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510072
Just using mysql escape in case of which line?

Kind regards.
0
 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510114
In case of all lines actually,
you should use that when inserting something into mysql:

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));

Open in new window

0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510172
Any other comment? Is yours " totally " safe
0
 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510185
Yes, this is totally safe :)
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510321
Moreover, within this approach, is it possible to have the mail in a correct way?

Kind regards.
0
 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510397
These are 2 separate things, you should always use the mysql_real_escape_string on mysql query's,
and for additional checking you can use your approaches first.
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 1000 total points
ID: 36516424
Here is how to validate an email address.  You still want to use mysql_real_escape_string() on all inputs to the query.

One little sidebar note.  If you keep the client age, your data model will become wrong in a year (or less).  You might want to store the date of birth instead.  

Best regards, ~Ray
<?php // RAY_email_validation.php
error_reporting(E_ALL);



// A FUNCTION TO TEST FOR A VALID EMAIL ADDRESS, RETURN TRUE OR FALSE



// SEE MAN PAGE: http://php.net/manual/en/intro.filter.php
function check_valid_email($email)
{
    // IF PHP 5.2 OR ABOVE, WE CAN USE THE FILTER
    if (strnatcmp(phpversion(),'5.2') >= 0)
    {
        if(filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) return FALSE;
    }

    // IF LOWER-LEVEL PHP, WE CAN CONSTRUCT A REGULAR EXPRESSION
    else
    {
        $regex
        = '/'                        // START REGEX DELIMITER
        . '^'                        // START STRING
        . '[A-Z0-9_-]'               // AN EMAIL - SOME CHARACTER(S)
        . '[A-Z0-9._-]*'             // AN EMAIL - SOME CHARACTER(S) PERMITS DOT
        . '@'                        // A SINGLE AT-SIGN
        . '([A-Z0-9][A-Z0-9-]*\.)+'  // A DOMAIN NAME PERMITS DOT, ENDS DOT
        . '[A-Z\.]'                  // A TOP-LEVEL DOMAIN PERMITS DOT
        . '{2,6}'                    // TLD LENGTH >= 2 AND =< 6
        . '$'                        // ENDOF STRING
        . '/'                        // ENDOF REGEX DELIMITER
        . 'i'                        // CASE INSENSITIVE
        ;
        // TEST THE STRING FORMAT
        if (!preg_match($regex, $email)) return FALSE;
    }

    // FILTER_VAR OR PREG_MATCH DOES NOT TEST IF THE DOMAIN IS ROUTABLE
    $domain = explode('@', $email);

    // MAN PAGE: http://php.net/manual/en/function.checkdnsrr.php
    if ( checkdnsrr($domain[1],"MX") || checkdnsrr($domain[1],"A") ) return TRUE;

    // EMAIL IS NOT ROUTABLE
    return FALSE;
}



// DEMONSTRATE THE FUNCTION IN ACTION
$e = NULL;
if (!empty($_GET["e"]))
{
    $e = $_GET["e"];
    if (check_valid_email($e))
    {
        echo "<br/>VALID: $e \n";
    }
    else
    {
        echo "<br/>BOGUS: $e \n";
    }
}


// END OF PROCESSING - CREATE THE FORM USING HEREDOC NOTATION
$form = <<<ENDFORM
<form>
TEST A STRING FOR A VALID EMAIL ADDRESS:
<input name="e" value="$e" />
<input type="submit" />
</form>
ENDFORM;

echo $form;

Open in new window

0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
This article discusses how to implement server side field validation and display customized error messages to the client.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to count occurrences of each item in an array.
Suggested Courses

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question