Solved

Trying to strip out the escape characters

Posted on 2011-09-09
Last Modified: 2012-05-12
Hi there;

I am trying to strip out all escape characters and use any trick possible to get rid of SQL injection in a mail address. So the code that I am using is as follows:


<?php session_start(); ?>

<?php

/* Every form field goes through check_input() first */
$email     = check_input($_POST['email'], "error message");
$country   = check_input($_POST['country'], "error message");
$name      = check_input($_POST['name']);
$age       = check_input($_POST['age']);
$education = check_input($_POST['education']);

/*CHECK EMAIL FORMAT*/
if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email))
{
    die("E-mail address not valid");
}

/*THIS CODE CHECKS IF AGE IS A NUMBER*/
if (preg_match("/\D/",$age))
{
    die("Please enter numbers only for Age");
}

/* Trim, strip slashes and HTML-encode one field; if $problem is given, the field is required and an empty value stops the script */
function check_input($data, $problem='')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0)
    {
        die($problem);
    }
    return $data;
}

Is this sufficient or any other ways and code snippets to enhance this, maybe?

Kind regards.
Question by:jazzIIIlove
8 Comments
 
LVL 8

Assisted Solution

by:Rik-Legger
Rik-Legger earned 250 total points
If you are using MySQL you can just use mysql_real_escape_string for the data you put in the database.
http://php.net/manual/en/function.mysql-real-escape-string.php
 
LVL 12

Author Comment

by:jazzIIIlove
Just using mysql escape in case of which line?

Kind regards.
 
LVL 8

Expert Comment

by:Rik-Legger
In case of all lines actually,
you should use that when inserting something into mysql:

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));

 
LVL 12

Author Comment

by:jazzIIIlove
Any other comment? Is yours "totally" safe?
 
LVL 8

Expert Comment

by:Rik-Legger
Yes, this is totally safe :)
 
LVL 12

Author Comment

by:jazzIIIlove
Moreover, within this approach, is it possible to have the mail in a correct way?

Kind regards.
 
LVL 8

Expert Comment

by:Rik-Legger
These are 2 separate things: you should always use mysql_real_escape_string on MySQL queries,
and for additional checking you can use your approaches first.
 
LVL 108

Accepted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
Here is how to validate an email address.  You still want to use mysql_real_escape_string() on all inputs to the query.

One little sidebar note.  If you keep the client age, your data model will become wrong in a year (or less).  You might want to store the date of birth instead.  

Best regards, ~Ray
<?php // RAY_email_validation.php
error_reporting(E_ALL);



// A FUNCTION TO TEST FOR A VALID EMAIL ADDRESS, RETURN TRUE OR FALSE



// SEE MAN PAGE: http://php.net/manual/en/intro.filter.php
function check_valid_email($email)
{
    // IF PHP 5.2 OR ABOVE, WE CAN USE THE FILTER
    if (strnatcmp(phpversion(),'5.2') >= 0)
    {
        if(filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) return FALSE;
    }

    // IF LOWER-LEVEL PHP, WE CAN CONSTRUCT A REGULAR EXPRESSION
    else
    {
        $regex
        = '/'                        // START REGEX DELIMITER
        . '^'                        // START STRING
        . '[A-Z0-9_-]'               // AN EMAIL - SOME CHARACTER(S)
        . '[A-Z0-9._-]*'             // AN EMAIL - SOME CHARACTER(S) PERMITS DOT
        . '@'                        // A SINGLE AT-SIGN
        . '([A-Z0-9][A-Z0-9-]*\.)+'  // A DOMAIN NAME PERMITS DOT, ENDS DOT
        . '[A-Z\.]'                  // A TOP-LEVEL DOMAIN PERMITS DOT
        . '{2,6}'                    // TLD LENGTH >= 2 AND =< 6
        . '$'                        // ENDOF STRING
        . '/'                        // ENDOF REGEX DELIMITER
        . 'i'                        // CASE INSENSITIVE
        ;
        // TEST THE STRING FORMAT
        if (!preg_match($regex, $email)) return FALSE;
    }

    // FILTER_VAR OR PREG_MATCH DOES NOT TEST IF THE DOMAIN IS ROUTABLE
    $domain = explode('@', $email);

    // MAN PAGE: http://php.net/manual/en/function.checkdnsrr.php
    if ( checkdnsrr($domain[1],"MX") || checkdnsrr($domain[1],"A") ) return TRUE;

    // EMAIL IS NOT ROUTABLE
    return FALSE;
}



// DEMONSTRATE THE FUNCTION IN ACTION
$e = NULL;
if (!empty($_GET["e"]))
{
    $e = $_GET["e"];
    if (check_valid_email($e))
    {
        echo "<br/>VALID: $e \n";
    }
    else
    {
        echo "<br/>BOGUS: $e \n";
    }
}


// END OF PROCESSING - CREATE THE FORM USING HEREDOC NOTATION
$form = <<<ENDFORM
<form>
TEST A STRING FOR A VALID EMAIL ADDRESS:
<input name="e" value="$e" />
<input type="submit" />
</form>
ENDFORM;

echo $form;

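As an added example (not code from the thread), here are the two halves of the answers above combined: the filter_var() plus checkdnsrr() email check from Ray's answer, and the database write from Rik-Legger's answer done with a PDO prepared statement instead of mysql_real_escape_string(), so no escaping step is needed. The table "subscribers", its columns, the DSN and the credentials are assumptions for this example.

```php
<?php
// Added example, not code from the thread: validate the address the way Ray's
// answer does (filter_var + checkdnsrr) and write it with a PDO prepared
// statement, so no escaping step is needed. The table "subscribers", its
// columns, the DSN and the credentials are assumptions for this example.
// Needs the pdo_mysql extension; the mysql_* functions used in the thread
// were removed in PHP 7.

function is_valid_email($email)
{
    // Syntax check, then require the domain to have an MX (or at least an A) record.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $domain = substr(strrchr($email, '@'), 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

function save_subscriber(PDO $db, $email, $name, $country)
{
    // The SQL text contains only placeholders; the values travel separately,
    // so a quote or semicolon inside a value cannot change the statement.
    $stmt = $db->prepare(
        'INSERT INTO subscribers (email, name, country) VALUES (?, ?, ?)'
    );
    return $stmt->execute(array($email, $name, $country));
}

$email   = isset($_POST['email'])   ? trim($_POST['email'])   : '';
$name    = isset($_POST['name'])    ? trim($_POST['name'])    : '';
$country = isset($_POST['country']) ? trim($_POST['country']) : '';

if (!is_valid_email($email)) {
    die('E-mail address not valid');
}

// Real (server-side) prepares and exceptions on error, so a failed INSERT is
// not silently ignored. Store the raw values; htmlspecialchars() belongs at
// output time, when the value is echoed into HTML, not before storage.
$db = new PDO('mysql:host=localhost;dbname=example;charset=utf8', 'dbuser', 'secret',
              array(PDO::ATTR_EMULATE_PREPARES => false,
                    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
save_subscriber($db, $email, $name, $country);
```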
