Solved

Trying to strip out the escape characters

Posted on 2011-09-09
8
226 Views
Last Modified: 2012-05-12
Hi there;

I am trying to strip out all escape characters and any trick possible to get rid of sql injection in a mail address. So the code that i am using is as follows:


<?php session_start(); ?>
 
<?php
 
 
 
 
$email = check_input($_POST['email'], "error message");
$country  = check_input($_POST['country'], "error message");
$name    = check_input($_POST['name']);
$age  = check_input($_POST['age']);
$education   = check_input($_POST['education']);
 
 
 
 
 
/*CHECK EMAIL FORMAT*/
if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email))
{
    die("E-mail address not valid");
}
 
/*THIS CODE CHECK IF AGE IS A NUMBER*/
if (preg_match("/\D/",$age))
{
    die("Please enter numbers only for Age");
}
 
 
function check_input($data, $problem='')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0)
    {
        die($problem);
    }
    return $data;
}

Is this sufficient or any other ways and code snippets to enhance this, maybe?

Kind regards.
0
Comment
Question by:jazzIIIlove
  • 4
  • 3
8 Comments
 
LVL 8

Assisted Solution

by:Rik-Legger
Rik-Legger earned 250 total points
ID: 36509993
If you are using MYSQL you can just use mysql_real_escape string for the data you put in the database.
http://php.net/manual/en/function.mysql-real-escape-string.php
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510072
Just using mysql escape in case of which line?

Kind regards.
0
 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510114
In case of all lines actually,
you should use that when inserting something into mysql:

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));

Open in new window

0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510172
Any other comment? Is yours " totally " safe
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510185
Yes, this is totally safe :)
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510321
Moreover, within this approach, is it possible to have the mail in a correct way?

Kind regards.
0
 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510397
These are 2 separate things, you should always use the mysql_real_escape_string on mysql query's,
and for additional checking you can use your approaches first.
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 36516424
Here is how to validate an email address.  You still want to use mysql_real_escape_string() on all inputs to the query.

One little sidebar note.  If you keep the client age, your data model will become wrong in a year (or less).  You might want to store the date of birth instead.  

Best regards, ~Ray
<?php // RAY_email_validation.php
error_reporting(E_ALL);



// A FUNCTION TO TEST FOR A VALID EMAIL ADDRESS, RETURN TRUE OR FALSE



// SEE MAN PAGE: http://php.net/manual/en/intro.filter.php
function check_valid_email($email)
{
    // IF PHP 5.2 OR ABOVE, WE CAN USE THE FILTER
    if (strnatcmp(phpversion(),'5.2') >= 0)
    {
        if(filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) return FALSE;
    }

    // IF LOWER-LEVEL PHP, WE CAN CONSTRUCT A REGULAR EXPRESSION
    else
    {
        $regex
        = '/'                        // START REGEX DELIMITER
        . '^'                        // START STRING
        . '[A-Z0-9_-]'               // AN EMAIL - SOME CHARACTER(S)
        . '[A-Z0-9._-]*'             // AN EMAIL - SOME CHARACTER(S) PERMITS DOT
        . '@'                        // A SINGLE AT-SIGN
        . '([A-Z0-9][A-Z0-9-]*\.)+'  // A DOMAIN NAME PERMITS DOT, ENDS DOT
        . '[A-Z\.]'                  // A TOP-LEVEL DOMAIN PERMITS DOT
        . '{2,6}'                    // TLD LENGTH >= 2 AND =< 6
        . '$'                        // ENDOF STRING
        . '/'                        // ENDOF REGEX DELIMITER
        . 'i'                        // CASE INSENSITIVE
        ;
        // TEST THE STRING FORMAT
        if (!preg_match($regex, $email)) return FALSE;
    }

    // FILTER_VAR OR PREG_MATCH DOES NOT TEST IF THE DOMAIN IS ROUTABLE
    $domain = explode('@', $email);

    // MAN PAGE: http://php.net/manual/en/function.checkdnsrr.php
    if ( checkdnsrr($domain[1],"MX") || checkdnsrr($domain[1],"A") ) return TRUE;

    // EMAIL IS NOT ROUTABLE
    return FALSE;
}



// DEMONSTRATE THE FUNCTION IN ACTION
$e = NULL;
if (!empty($_GET["e"]))
{
    $e = $_GET["e"];
    if (check_valid_email($e))
    {
        echo "<br/>VALID: $e \n";
    }
    else
    {
        echo "<br/>BOGUS: $e \n";
    }
}


// END OF PROCESSING - CREATE THE FORM USING HEREDOC NOTATION
$form = <<<ENDFORM
<form>
TEST A STRING FOR A VALID EMAIL ADDRESS:
<input name="e" value="$e" />
<input type="submit" />
</form>
ENDFORM;

echo $form;

Open in new window

0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Popularity Can Be Measured Sometimes we deal with questions of popularity, and we need a way to collect opinions from our clients.  This article shows a simple teaching example of how we might elect a favorite color by letting our clients vote for …
Build an array called $myWeek which will hold the array elements Today, Yesterday and then builds up the rest of the week by the name of the day going back 1 week.   (CODE) (CODE) Then you just need to pass your date to the function. If i…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

25 Experts available now in Live!

Get 1:1 Help Now