Resolved: Prevent SQL injection with preg_replace?



conware
09-10-2011, 06:46 PM
Hi everyone,
I was wondering: say, for example, I have a login script,
and I use preg_replace to make sure the username/password input both contain only numbers and letters.
Then, if I'm correct, there should be no injection possible, right?
Or am I seeing this wrong?

For example, let's say I have a page called login.php.
In this page I have two POST variables coming from an HTML form etc.

<?php
// Strip everything except ASCII letters and digits from the posted values.
$username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);
$password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password']);

Would this prevent injection?

Fou-Lu
09-10-2011, 07:08 PM
Yes, but the game changes as soon as the alphanumeric-only rule no longer applies.
Do not leave it up to your business rules to satisfy a sanitisation function. Run any string through the database escaping function; that is what it was designed to do.

Also, you should NOT be using preg_replace, you should be using preg_match or ctype to determine these and inform the client that the entry is invalid.

conware
09-10-2011, 07:42 PM
Thanks for the reply Fou-Lu,
I wondered about this because if I ever decided to make a login then I would probably only allow alphanumeric values. Because I think it looks better for usernames.
However I can see that in most cases alphanumeric values won't apply.

Also, I don't really know how to use preg_match.
Could you post an example of how to use it with alphanumeric values?

Btw I would also use sprintf with mysql_real_escape_string if I ever decided to write something like that.

BluePanther
09-10-2011, 09:53 PM
preg_match() uses the same regular expression rules as preg_replace(), except it only has 2 required arguments: pattern and subject. preg_match() will return 0 for no match found, or 1 for a match found. It doesn't change any values in $subject.

conware
09-10-2011, 09:58 PM
Ah I see thanks BluePanther, :D

Fou-Lu
09-10-2011, 10:58 PM
There is no reason not to force alphanumeric, or even just alpha. These are your rules, so you can decide whatever you want to do.
No, my suggestion is not to replace: if I enter a name of Fou-Lu, it will replace it with FouLu. That means when I try to log in, I will fail, since my name as I expect it is no longer valid. You are better off just telling me that I cannot use the - in it, and letting me go back to change it.
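An added example (not code from any poster in this thread) contrasting the stripping approach from the first post with a preg_match/ctype whitelist check that rejects the input instead, as Fou-Lu suggests. The 3-20 character length limit and the sample names are assumptions made for the example.

```php
<?php
// Added example, not from the thread. Validate rather than silently sanitise.
// Assumption for this example: a username is 3 to 20 ASCII letters/digits.

// The approach from the first post: characters are removed without telling the user.
function stripped_username(string $input): string
{
    return preg_replace('/[^a-zA-Z0-9]/', '', $input);
}

// Whitelist check with preg_match: true only if the whole string is alphanumeric.
// \A and \z anchor to the real start and end of the string; a plain $ would
// still accept "admin\n", because $ matches before a trailing newline.
function is_valid_username(string $input): bool
{
    return preg_match('/\A[a-zA-Z0-9]{3,20}\z/', $input) === 1;
}

// The same check without a regex, using ctype as mentioned in the thread.
function is_valid_username_ctype(string $input): bool
{
    $len = strlen($input);
    return $len >= 3 && $len <= 20 && ctype_alnum($input);
}

// Constructed sample inputs: a clean name, the hyphenated name from the thread,
// a name with an apostrophe, and a name with a trailing newline.
// Note that stripping turns "o'brien" into "obrien", which may be someone
// else's account; rejecting the input avoids that silent collision.
$samples = ["conware", "Fou-Lu", "o'brien", "admin\n"];

foreach ($samples as $name) {
    printf(
        "%-12s stripped=%-10s preg_match=%-3s ctype=%s\n",
        json_encode($name),
        json_encode(stripped_username($name)),
        is_valid_username($name) ? 'yes' : 'no',
        is_valid_username_ctype($name) ? 'yes' : 'no'
    );
}
```

Whichever check is used, the value still goes to the database through the escaping function (or a prepared statement), as Fou-Lu's first reply says; validation decides what the user is told, escaping protects the query.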

conware
09-11-2011, 09:11 PM
There is no reason not to force alphanumeric, or even just alpha. These are your rules, so you can decide whatever you want to do.
No, my suggestion is not to replace: if I enter a name of Fou-Lu, it will replace it with FouLu. That means when I try to log in, I will fail, since my name as I expect it is no longer valid. You are better off just telling me that I cannot use the - in it, and letting me go back to change it.

Oh, now I see, sorry, I misunderstood before.
You have a good point. I'll include that information on the register page and include some JavaScript to disable the characters I don't want.
That would probably spare users some frustration.
I would probably also include the username again in the mail, which they receive to conclude their registration.
I think that should cover most of the login part.

Thanks for the useful information.
