Solved

Trying to strip out the escape characters

Posted on 2011-09-09
8
232 Views
Last Modified: 2012-05-12
Hi there;

I am trying to strip out all escape characters and any trick possible to get rid of sql injection in a mail address. So the code that i am using is as follows:


<?php session_start(); ?>
 
<?php
 
 
 
 
$email = check_input($_POST['email'], "error message");
$country  = check_input($_POST['country'], "error message");
$name    = check_input($_POST['name']);
$age  = check_input($_POST['age']);
$education   = check_input($_POST['education']);
 
 
 
 
 
/*CHECK EMAIL FORMAT*/
if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email))
{
    die("E-mail address not valid");
}
 
/*THIS CODE CHECK IF AGE IS A NUMBER*/
if (preg_match("/\D/",$age))
{
    die("Please enter numbers only for Age");
}
 
 
function check_input($data, $problem='')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0)
    {
        die($problem);
    }
    return $data;
}

Is this sufficient or any other ways and code snippets to enhance this, maybe?

Kind regards.
0
Comment
Question by:jazzIIIlove
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 8

Assisted Solution

by:Rik-Legger
Rik-Legger earned 250 total points
ID: 36509993
If you are using MYSQL you can just use mysql_real_escape string for the data you put in the database.
http://php.net/manual/en/function.mysql-real-escape-string.php
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510072
Just using mysql escape in case of which line?

Kind regards.
0
 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510114
In case of all lines actually,
you should use that when inserting something into mysql:

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));

Open in new window

0
Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510172
Any other comment? Is yours " totally " safe
0
 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510185
Yes, this is totally safe :)
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510321
Moreover, within this approach, is it possible to have the mail in a correct way?

Kind regards.
0
 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510397
These are 2 separate things, you should always use the mysql_real_escape_string on mysql query's,
and for additional checking you can use your approaches first.
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 36516424
Here is how to validate an email address.  You still want to use mysql_real_escape_string() on all inputs to the query.

One little sidebar note.  If you keep the client age, your data model will become wrong in a year (or less).  You might want to store the date of birth instead.  

Best regards, ~Ray
<?php // RAY_email_validation.php
error_reporting(E_ALL);



// A FUNCTION TO TEST FOR A VALID EMAIL ADDRESS, RETURN TRUE OR FALSE



// SEE MAN PAGE: http://php.net/manual/en/intro.filter.php
function check_valid_email($email)
{
    // IF PHP 5.2 OR ABOVE, WE CAN USE THE FILTER
    if (strnatcmp(phpversion(),'5.2') >= 0)
    {
        if(filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) return FALSE;
    }

    // IF LOWER-LEVEL PHP, WE CAN CONSTRUCT A REGULAR EXPRESSION
    else
    {
        $regex
        = '/'                        // START REGEX DELIMITER
        . '^'                        // START STRING
        . '[A-Z0-9_-]'               // AN EMAIL - SOME CHARACTER(S)
        . '[A-Z0-9._-]*'             // AN EMAIL - SOME CHARACTER(S) PERMITS DOT
        . '@'                        // A SINGLE AT-SIGN
        . '([A-Z0-9][A-Z0-9-]*\.)+'  // A DOMAIN NAME PERMITS DOT, ENDS DOT
        . '[A-Z\.]'                  // A TOP-LEVEL DOMAIN PERMITS DOT
        . '{2,6}'                    // TLD LENGTH >= 2 AND =< 6
        . '$'                        // ENDOF STRING
        . '/'                        // ENDOF REGEX DELIMITER
        . 'i'                        // CASE INSENSITIVE
        ;
        // TEST THE STRING FORMAT
        if (!preg_match($regex, $email)) return FALSE;
    }

    // FILTER_VAR OR PREG_MATCH DOES NOT TEST IF THE DOMAIN IS ROUTABLE
    $domain = explode('@', $email);

    // MAN PAGE: http://php.net/manual/en/function.checkdnsrr.php
    if ( checkdnsrr($domain[1],"MX") || checkdnsrr($domain[1],"A") ) return TRUE;

    // EMAIL IS NOT ROUTABLE
    return FALSE;
}



// DEMONSTRATE THE FUNCTION IN ACTION
$e = NULL;
if (!empty($_GET["e"]))
{
    $e = $_GET["e"];
    if (check_valid_email($e))
    {
        echo "<br/>VALID: $e \n";
    }
    else
    {
        echo "<br/>BOGUS: $e \n";
    }
}


// END OF PROCESSING - CREATE THE FORM USING HEREDOC NOTATION
$form = <<<ENDFORM
<form>
TEST A STRING FOR A VALID EMAIL ADDRESS:
<input name="e" value="$e" />
<input type="submit" />
</form>
ENDFORM;

echo $form;

Open in new window

0

Featured Post

Don't Cry: How Liquid Web is Ensuring Security

WannaCry is just the start. Read how Liquid Web is protecting itself and its customers against new threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
Things That Drive Us Nuts Have you noticed the use of the reCaptcha feature at EE and other web sites?  It wants you to read and retype something that looks like this. Insanity!  It's not EE's fault - that's just the way reCaptcha works.  But it i…
The viewer will learn how to dynamically set the form action using jQuery.
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question