Solved

Trying to strip out the escape characters

Posted on 2011-09-09
8
230 Views
Last Modified: 2012-05-12
Hi there;

I am trying to strip out all escape characters and any trick possible to get rid of sql injection in a mail address. So the code that i am using is as follows:


<?php session_start(); ?>
 
<?php
 
 
 
 
$email = check_input($_POST['email'], "error message");
$country  = check_input($_POST['country'], "error message");
$name    = check_input($_POST['name']);
$age  = check_input($_POST['age']);
$education   = check_input($_POST['education']);
 
 
 
 
 
/*CHECK EMAIL FORMAT*/
if (!preg_match("/([\w\-]+\@[\w\-]+\.[\w\-]+)/",$email))
{
    die("E-mail address not valid");
}
 
/*THIS CODE CHECK IF AGE IS A NUMBER*/
if (preg_match("/\D/",$age))
{
    die("Please enter numbers only for Age");
}
 
 
function check_input($data, $problem='')
{
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    if ($problem && strlen($data) == 0)
    {
        die($problem);
    }
    return $data;
}

Is this sufficient or any other ways and code snippets to enhance this, maybe?

Kind regards.
0
Comment
Question by:jazzIIIlove
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 8

Assisted Solution

by:Rik-Legger
Rik-Legger earned 250 total points
ID: 36509993
If you are using MYSQL you can just use mysql_real_escape string for the data you put in the database.
http://php.net/manual/en/function.mysql-real-escape-string.php
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510072
Just using mysql escape in case of which line?

Kind regards.
0
 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510114
In case of all lines actually,
you should use that when inserting something into mysql:

// Query
$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
            mysql_real_escape_string($user),
            mysql_real_escape_string($password));

Open in new window

0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510172
Any other comment? Is yours " totally " safe
0
 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510185
Yes, this is totally safe :)
0
 
LVL 12

Author Comment

by:jazzIIIlove
ID: 36510321
Moreover, within this approach, is it possible to have the mail in a correct way?

Kind regards.
0
 
LVL 8

Expert Comment

by:Rik-Legger
ID: 36510397
These are 2 separate things, you should always use the mysql_real_escape_string on mysql query's,
and for additional checking you can use your approaches first.
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 250 total points
ID: 36516424
Here is how to validate an email address.  You still want to use mysql_real_escape_string() on all inputs to the query.

One little sidebar note.  If you keep the client age, your data model will become wrong in a year (or less).  You might want to store the date of birth instead.  

Best regards, ~Ray
<?php // RAY_email_validation.php
error_reporting(E_ALL);



// A FUNCTION TO TEST FOR A VALID EMAIL ADDRESS, RETURN TRUE OR FALSE



// SEE MAN PAGE: http://php.net/manual/en/intro.filter.php
function check_valid_email($email)
{
    // IF PHP 5.2 OR ABOVE, WE CAN USE THE FILTER
    if (strnatcmp(phpversion(),'5.2') >= 0)
    {
        if(filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) return FALSE;
    }

    // IF LOWER-LEVEL PHP, WE CAN CONSTRUCT A REGULAR EXPRESSION
    else
    {
        $regex
        = '/'                        // START REGEX DELIMITER
        . '^'                        // START STRING
        . '[A-Z0-9_-]'               // AN EMAIL - SOME CHARACTER(S)
        . '[A-Z0-9._-]*'             // AN EMAIL - SOME CHARACTER(S) PERMITS DOT
        . '@'                        // A SINGLE AT-SIGN
        . '([A-Z0-9][A-Z0-9-]*\.)+'  // A DOMAIN NAME PERMITS DOT, ENDS DOT
        . '[A-Z\.]'                  // A TOP-LEVEL DOMAIN PERMITS DOT
        . '{2,6}'                    // TLD LENGTH >= 2 AND =< 6
        . '$'                        // ENDOF STRING
        . '/'                        // ENDOF REGEX DELIMITER
        . 'i'                        // CASE INSENSITIVE
        ;
        // TEST THE STRING FORMAT
        if (!preg_match($regex, $email)) return FALSE;
    }

    // FILTER_VAR OR PREG_MATCH DOES NOT TEST IF THE DOMAIN IS ROUTABLE
    $domain = explode('@', $email);

    // MAN PAGE: http://php.net/manual/en/function.checkdnsrr.php
    if ( checkdnsrr($domain[1],"MX") || checkdnsrr($domain[1],"A") ) return TRUE;

    // EMAIL IS NOT ROUTABLE
    return FALSE;
}



// DEMONSTRATE THE FUNCTION IN ACTION
$e = NULL;
if (!empty($_GET["e"]))
{
    $e = $_GET["e"];
    if (check_valid_email($e))
    {
        echo "<br/>VALID: $e \n";
    }
    else
    {
        echo "<br/>BOGUS: $e \n";
    }
}


// END OF PROCESSING - CREATE THE FORM USING HEREDOC NOTATION
$form = <<<ENDFORM
<form>
TEST A STRING FOR A VALID EMAIL ADDRESS:
<input name="e" value="$e" />
<input type="submit" />
</form>
ENDFORM;

echo $form;

Open in new window

0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

I imagine that there are some, like me, who require a way of getting currency exchange rates for implementation in web project from time to time, so I thought I would share a solution that I have developed for this purpose. It turns out that Yaho…
This article discusses how to create an extensible mechanism for linked drop downs.
The viewer will learn how to count occurrences of each item in an array.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

697 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question