
Input to lower case



alex98uk
03-01-2010, 06:51 PM
Hi

I'm taking a user input and trying to post it to a database. I want all user input to be automatically converted to lower case. So, at the moment the code takes each input (called tag1, tag2, tag3, tag4 and tag5).

I know I need the "strtolower" function, but can't quite get it working. This is my code:


<?php

session_start();

$con = mysql_connect("xxxxxx","xxxxxx","xxxxxxx");
if (!$con)
{ die('Could not connect: ' . mysql_error()); }

mysql_select_db("db_xxxxxx", $con);

$sql="INSERT INTO article_tag (tag, articleid, articlename, userid)
VALUES

('$_POST[tag1]','$_POST[article1]','$_POST[articlename]','$_POST[userID]')";

if (!mysql_query($sql,$con))

{die('Error: Tag already exists');}



$sql="INSERT INTO article_tag (tag, articleid, articlename, userid)
VALUES
('$_POST[tag2]','$_POST[article1]', '$_POST[articlename]','$_POST[userID]')";

if (!mysql_query($sql,$con))

{die('Error: Tag already exists');}


$sql="INSERT INTO article_tag (tag, articleid, articlename, userid)
VALUES
('$_POST[tag3]','$_POST[article1]', '$_POST[articlename]','$_POST[userID]')";

if (!mysql_query($sql,$con))

{die('Error: Tag already exists');}


$sql="INSERT INTO article_tag (tag, articleid, articlename, userid)
VALUES
('$_POST[tag4]','$_POST[article1]', '$_POST[articlename]','$_POST[userID]')";

if (!mysql_query($sql,$con))

{die('Error: Tag already exists');}


$sql="INSERT INTO article_tag (tag, articleid, articlename, userid)
VALUES
('$_POST[tag5]','$_POST[article1]', '$_POST[articlename]','$_POST[userID]')";

if (!mysql_query($sql,$con))

{die('Error: Tag already exists');}

echo "You have successfully entered search tags for this article.";

mysql_close($con)
?>

So, basically I want it to take tag1, 2, 3, 4 & 5, convert them to lower case and then post them to the database. Some help? :)

met
03-01-2010, 07:08 PM
$str = strtolower($str);
/* or in your case */

$tag1 = strtolower($_POST['tag1']);
$tag2 = strtolower($_POST['tag2']);


http://php.net/manual/en/function.strtolower.php

You are inserting values directly from $_POST into your table; this is a security risk.

http://unixwiz.net/techtips/sql-injection.html

Read up on it:

http://www.php.net/manual/en/function.mysql-real-escape-string.php

mlseim
03-01-2010, 07:16 PM
Sanitize all variables before using them in any SQL queries to avoid injections.
You can convert to lower-case at the same time ... see below.



<?php

session_start();

$con = mysql_connect("xxxxxx","xxxxxx","xxxxxxx");
if (!$con)
{ die('Could not connect: ' . mysql_error()); }

mysql_select_db("db_xxxxxx", $con);

// Sanitize all variables used in your query strings ... to avoid SQL Injections ...
$tag1 = mysql_real_escape_string(strtolower($_POST['tag1']));
$tag2 = mysql_real_escape_string(strtolower($_POST['tag2']));
$tag3 = mysql_real_escape_string(strtolower($_POST['tag3']));
$tag4 = mysql_real_escape_string(strtolower($_POST['tag4']));
$tag5 = mysql_real_escape_string(strtolower($_POST['tag5']));
$article1 = mysql_real_escape_string(strtolower($_POST['article1']));
$articlename = mysql_real_escape_string(strtolower($_POST['articlename']));
$userID = mysql_real_escape_string(strtolower($_POST['userID']));


$sql="INSERT INTO article_tag (tag, articleid, articlename, userid)
VALUES

('$tag1','$article1','$articlename','$userID')";

if (!mysql_query($sql,$con))

{die('Error: Tag already exists');}

$sql="INSERT INTO article_tag (tag, articleid, articlename, userid)
VALUES
('$tag2','$article1','$articlename','$userID')";

if (!mysql_query($sql,$con))

{die('Error: Tag already exists');}

$sql="INSERT INTO article_tag (tag, articleid, articlename, userid)
VALUES
('$tag3','$article1','$articlename','$userID')";

if (!mysql_query($sql,$con))

{die('Error: Tag already exists');}

$sql="INSERT INTO article_tag (tag, articleid, articlename, userid)
VALUES
('$tag4','$article1','$articlename','$userID')";

if (!mysql_query($sql,$con))

{die('Error: Tag already exists');}

$sql="INSERT INTO article_tag (tag, articleid, articlename, userid)
VALUES
('$tag5','$article1','$articlename','$userID')";

if (!mysql_query($sql,$con))

{die('Error: Tag already exists');}

echo "You have successfully entered search tags for this article.";

mysql_close($con)
?>
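The escaping approach above keeps the user data inside the SQL string. An added example (not mlseim's or alex98uk's code) of the same five-tag insert using PDO prepared statements, which send the values separately from the query text, so no escaping step can be forgotten. The mysql_* functions used in this thread were removed in PHP 7. The table and column names are the ones from the thread; the DSN, credentials, the 50-character tag limit and the mbstring extension are assumptions.

```php
<?php
// Added example: PDO prepared statements for the thread's article_tag insert.
// Table/columns come from the thread; DSN and credentials are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=localhost;dbname=db_xxxxxx;charset=utf8mb4'; // placeholder DSN
    return new PDO($dsn, 'dbuser', 'dbpass', [                      // placeholder credentials
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,      // throw instead of returning false
        PDO::ATTR_EMULATE_PREPARES => false,                       // real server-side prepares
    ]);
}

/**
 * Lower-case and trim tag1..tagN from the submitted form, dropping empty or
 * over-long values. Returns a de-duplicated list of normalised tags.
 */
function normaliseTags(array $post, int $count = 5): array
{
    $tags = [];
    for ($i = 1; $i <= $count; $i++) {
        $raw = (string)($post["tag$i"] ?? '');
        // mb_strtolower also folds non-ASCII letters; strtolower() only handles A-Z.
        $tag = mb_strtolower(trim($raw), 'UTF-8');
        if ($tag !== '' && mb_strlen($tag, 'UTF-8') <= 50) { // assumed length limit
            $tags[$tag] = true;                               // array keys de-duplicate
        }
    }
    return array_keys($tags);
}

/**
 * Insert every tag through one prepared statement, binding the values per row.
 * A duplicate tag is reported and skipped rather than aborting the whole request.
 * Returns the number of rows actually inserted.
 */
function insertTags(PDO $pdo, array $tags, string $articleId, string $articleName, string $userId): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO article_tag (tag, articleid, articlename, userid)
         VALUES (:tag, :articleid, :articlename, :userid)'
    );
    $inserted = 0;
    foreach ($tags as $tag) {
        try {
            $stmt->execute([
                ':tag'         => $tag,
                ':articleid'   => $articleId,
                ':articlename' => $articleName,
                ':userid'      => $userId,
            ]);
            $inserted++;
        } catch (PDOException $e) {
            // SQLSTATE 23000 is an integrity-constraint violation, e.g. a duplicate tag.
            if ($e->getCode() !== '23000') {
                throw $e; // anything else is a genuine error; do not hide it
            }
            echo 'Tag already exists: ' . htmlspecialchars($tag, ENT_QUOTES, 'UTF-8') . "\n";
        }
    }
    return $inserted;
}

session_start();
$pdo  = connect();
$tags = normaliseTags($_POST);
$n    = insertTags(
    $pdo,
    $tags,
    (string)($_POST['article1'] ?? ''),
    (string)($_POST['articlename'] ?? ''),
    (string)($_POST['userID'] ?? '')
);
echo "You have successfully entered $n search tags for this article.";
```

The lower-casing happens in PHP before the value is bound, so the database sees only the final value; the duplicate check relies on whatever unique key the thread's "Tag already exists" error implies on article_tag.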

alex98uk
03-01-2010, 11:58 PM
Thanks guys. I'm a student and still learning, but I do know about sanitizing inputs, I just hadn't used it here. I'll try the suggestion in the 2nd post :)

alex98uk
03-02-2010, 12:53 PM
That worked great. Just coming back to the SQL injection bit, I have some code in a different part of the site which I have now modified with the escape string function. However, I use MD5 encryption on passwords and just want to make sure that it is being sanitised before being posted as well. This is the code.


$username = mysql_real_escape_string($_POST['username']);
$forename = mysql_real_escape_string($_POST['forename']);
$surname = mysql_real_escape_string($_POST['surname']);
$email = mysql_real_escape_string($_POST['email']);
$password = mysql_real_escape_string($_POST['password']);

$salt= '_$_%123';

$sql="INSERT INTO users (username, forename, surname, email, password)
VALUES
('$username','$forename','$surname','$email','".md5($_POST['$password'].$salt)."')";

if (!mysql_query($sql,$con))

{die('Error: Username in use');}

Is the password being sanitised as well?

abduraooft
03-02-2010, 01:05 PM
Is the password being sanitised as well?

Yes, you need to do it on all external data (GET/POST/COOKIE).

mlseim
03-02-2010, 01:27 PM
$sql="INSERT INTO users (username, forename, surname, email, password)
VALUES
('$username','$forename','$surname','$email','".md5($password.$salt)."')";
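mlseim's one-line fix makes the hash cover the real password instead of the literal string '$password'. As an added example (not the thread's code), the same registration insert written with PDO parameter binding and PHP's password_hash()/password_verify(), which replace md5() with a fixed application-wide salt: password_hash() picks a random per-user salt and a deliberately slow algorithm, so a leaked table cannot be attacked with a single precomputed dictionary. Table and column names are the thread's; the DSN, credentials and the 8-character minimum are assumptions.

```php
<?php
// Added example: registration and login using password_hash()/password_verify()
// instead of md5($password.$salt). Table/columns from the thread; DSN placeholder.

declare(strict_types=1);

$pdo = new PDO(
    'mysql:host=localhost;dbname=db_xxxxxx;charset=utf8mb4', // placeholder DSN
    'dbuser', 'dbpass',                                       // placeholder credentials
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

/** Store a new user. Returns false for invalid input or a duplicate username. */
function registerUser(PDO $pdo, array $post): bool
{
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');

    if ($username === '' || strlen($password) < 8) { // assumed minimum length
        return false;
    }

    // Hash in PHP first; nothing from $_POST is ever interpolated into the SQL text.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $pdo->prepare(
        'INSERT INTO users (username, forename, surname, email, password)
         VALUES (:username, :forename, :surname, :email, :password)'
    );
    try {
        $stmt->execute([
            ':username' => $username,
            ':forename' => (string)($post['forename'] ?? ''),
            ':surname'  => (string)($post['surname'] ?? ''),
            ':email'    => (string)($post['email'] ?? ''),
            ':password' => $hash, // 60+ characters: the column must be wider than MD5's 32
        ]);
    } catch (PDOException $e) {
        if ($e->getCode() === '23000') { // unique-key violation: username already in use
            return false;
        }
        throw $e;
    }
    return true;
}

/** Login check: fetch the stored hash by username and let password_verify compare. */
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $hash = $stmt->fetchColumn();
    // The salt and cost are stored inside the hash string, so no separate $salt is kept.
    return $hash !== false && password_verify($password, (string)$hash);
}
```

Because the hash is bound as a parameter, the escaping question alex98uk asks no longer arises for the password field; the remaining requirement is a password column large enough for password_hash() output (VARCHAR(255) is the usual choice).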

alex98uk
03-02-2010, 02:29 PM
Ah, yes that makes sense. I have my head around it now. Thanks :D

mlseim
03-02-2010, 02:57 PM
You might have already used Google to find this: mysql_real_escape_string
It's a built-in function to "clean-up" or "sanitize" variables so that people
can't inject SQL query tags or strings that will take control of your database.

There are some YouTube examples of MySQL injections:
http://www.youtube.com/results?search_query=mysql+injection&search_type=&aq=1&oq=mysql+in

In a related topic, there is also a way to clean up any HTML stuff that
people might put into a text editor: http://php.net/manual/en/function.htmlentities.php

These functions are a way to maintain as much control as possible of the data
that people enter into forms, URLs, etc. It's all about checking every piece of
information that people put into your website/databases.

alex98uk
03-02-2010, 03:06 PM

Yeah, we learned about the theory of it in class, but never the technicalities behind how to use it. Part of our University course was to teach ourselves HTML (if you didn't already know it), PHP and MySQL. We were told to have a site with basic backend database ready in a month, so I'm still learning the finer details of what can be a confusing language :)

I'm now trying to work out how to input an input mask to make sure the user enters a valid email address. I guess I have to use PHP email filter, but the same problem occurs in that I can never seem to work out how to get it to actually work!

Oh well, I'll stay on this site, everyone seems very helpful here :)

mlseim
03-02-2010, 04:04 PM
The key is to use Google.

Put the word "PHP" and then what you're looking for ...

Example: PHP email validation
http://www.google.com/#hl=en&source=hp&q=php+email+validation&aq=f&aqi=g10&aql=&oq=&fp=c26c79a56c95bda8

Now, look at a few of the hits ...
You'll find several different ways of doing it, and many examples, like this:
http://www.totallyphp.co.uk/code/validate_an_email_address_using_regular_expressions.htm


Google is your best source.
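The two points raised in mlseim's last two posts, HTML clean-up with htmlentities and validating the email address alex98uk asks about, are separate controls from SQL escaping: each protects one context (HTML output, input format, SQL text) and none replaces the others. An added example (not from the thread) covering both: the email field is checked with PHP's built-in filter extension, and user text is encoded with htmlspecialchars() at the moment it is written into a page rather than when it is stored. The sample inputs are constructed; the 254-character limit is an assumption.

```php
<?php
// Added example: email validation with filter_var() and HTML output encoding.
// Sample inputs below are constructed for the demonstration.

declare(strict_types=1);

/**
 * Return the trimmed address if it has valid email syntax, otherwise null.
 * FILTER_VALIDATE_EMAIL checks the address format only; it does not verify
 * that the domain exists or that mail can be delivered there.
 */
function validateEmail(string $input): ?string
{
    $email = trim($input);
    if ($email === '' || strlen($email) > 254) { // assumed upper bound on length
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

/**
 * Encode user-supplied text for placement in HTML element content or a quoted
 * attribute. ENT_QUOTES covers both ' and "; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string.
 */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample submissions for the email field.
$samples = [
    'student@example.ac.uk',
    ' Student@Example.com ',   // surrounding whitespace is trimmed before checking
    'not-an-email',
    'two@@example.com',
];
foreach ($samples as $s) {
    $v = validateEmail($s);
    echo str_pad(var_export($s, true), 26) . ' -> ' . ($v === null ? 'rejected' : $v) . "\n";
}

// A tag is stored exactly as typed (lower-cased), and only encoded on the way out.
$tag = strtolower('Rock & "Roll" <2010>');
echo '<li class="tag">' . h($tag) . "</li>\n";
echo '<input type="text" name="tag1" value="' . h($tag) . "\">\n";
```

Keeping the stored value raw and encoding at output time means the same tag can later be written into HTML, JSON or a plain-text email with the encoder appropriate to each; running htmlentities() before the INSERT would bake one output format into the database.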


