Pllleeeaasseee help!

[SRBuckey5266]

I have this code:

PHP Code:

<?php

$name = $_POST['name'];
$message = $_POST['message'];

if(!eregi("^([0-9a-z])*$", $message)){
  echo "<div class='box'>Please use letters only.</div>"; 
}
else
{
 //connect
$connect = mysql_connect("","","") or die("Connection failed!");
mysql_select_db("") or die("Database fail!");

//write
$write = mysql_query("INSERT INTO posts VALUES ('','$name','$message')") or die(mysql_eror());

echo "<div class='box'><font face='arial'><b><span style='color:green'>Posted! Your name was:</span> $name</b> - Your message was....<br><br><b>$message - <a href='index.php'>View it!</a></b>";
}

?>

Now if you go here: http://chataddict.netau.net/ - and type your message, it keeps displaying the error box. Why??!

[oracleguy]

In the future, please use a more descriptive subject when posting a question. See posting guidelines.

I went to that link and was able to post without getting an error. I just couldn't use a newline (aka press enter) but that is because your regular expression doesn't allow it. It doesn't allow punctuation either.

[SRBuckey5266]

What can I do to improve it?

And it's still not letting me post.

[oracleguy]

Well you shouldn't use the eregi function anyways since it is deprecated.

But what things are you trying to block from being in messages?

Edit: The page isn't working for me now though that second post on the page did work but no longer does now.

[SRBuckey5266]

Quote:

Originally Posted by oracleguy

Well you shouldn't use the eregi function anyways since it is deprecated.

But what things are you trying to block from being in messages?

The simple things to protect from SQL Injections, I just want the following blocked out: ;$'^#@

I guess I'll remove the code. :/

Thank you for the help.

[oracleguy]

Then just use mysql_real_escape_string and you should use it on the name and the message. That will auto escape any special characters that could be used for SQL injection.

See:

PHP Code:

<?php
 //connect
$connect = mysql_connect("","","") or die("Connection failed!");
mysql_select_db("") or die("Database fail!");

$name = mysql_real_escape_string($_POST['name']);
$message = mysql_real_escape_string($_POST['message']);

//write
$write = mysql_query("INSERT INTO posts VALUES ('','$name','$message')") or die(mysql_eror());

echo "<div class='box'><font face='arial'><b><span style='color:green'>Posted! Your name was:</span> $name</b> - Your message was....<br><br><b>$message - <a href='index.php'>View it!</a></b>";


?>

[SRBuckey5266]

Thank you Oracle! I'll make a credits list, and I'll add you, and a link to your profile. I really appreciate it!

[SRBuckey5266]

Wait, now I get this error:


Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/a5488351/public_html/post.php on line 33

Free Web Hosting

PHP Error Message

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/a5488351/public_html/post.php on line 33

Free Web Hosting

PHP Error Message

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/a5488351/public_html/post.php on line 34

Free Web Hosting

PHP Error Message

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/a5488351/public_html/post.php on line 34

[oracleguy]

Did you connect to the database before you called mysql_real_escape_string like I did revised version of your code that I posted?

[Fou-Lu]

mysql_real_escape_string requires you're connection to the database is established. Ensure that you're using you're mysql_connect prior to the use of mysql_real_escape_string.
Also, until PHP6, there is a possibility of magic_quotes_gpc being enabled on you're server. The idea behind it was to prevent sql injections, but they are not compatible with 'real' (ie: from the database) sanitation. So, you'll need to code to handle that as well:

PHP Code:

$con = mysql_connect('', '', '') or die(mysql_errno());
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
    $_POST = array_map('stripslashes', $_POST);
}

$name = mysql_real_escape_string($_POST['name']);
$message = mysql_real_escape_string($_POST['message']);
.... 


Of course, if its not a string you're intending to handle, cast it to the specific type (like an int), and ignore the mysql_real_escape_string. Any input data in PHP is considered a string, so its up to you to control what is really what.

[SRBuckey5266]

I don't think that protects from codes. I want a code that stops you and says: "Please use letters only." if they type in stuff like: $[];'{}

Can anyone do this?

[Fou-Lu]

Quote:

Originally Posted by SRBuckey5266

I don't think that protects from codes. I want a code that stops you and says: "Please use letters only." if they type in stuff like: $[];'{}

Can anyone do this?

Well yes actually it will protect from code, at least PHP code. The purpose of mysql_real_escape_string is to convert escapable data into non-escapable data string allowing you to store it in a database properly. Should you want to remove tags to prevent html and xss injection, you can look at using strip_tags and htmlentities to take care of those conversions.
To match just letters you can pattern match with if (preg_match('/^[a-z]*$/i', $input)), but thats letters only, no spaces or numbers.

[oracleguy]

Quote:

Originally Posted by Fou-Lu

he purpose of mysql_real_escape_string is to convert escapable data into non-escapable data string allowing you to store it in a database properly.

Aka meaning it prevents SQL injection. So it should do what you want. There is no need to block $[];'{}. It isn't like if someone were to write $foo = 8; in the message that the code would get executed.