Full Version: PHP Security Scripting Problem
LadyYepperz
I'm getting a very strange output from this code. Can you guys please help me find the problem?
This is printing to the browser
string(0) "" string(0) "" string(0) "" string(0) ""
and. . .
Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied

CODE
switch($_GET['action']){   // quote the key: a bare action is an undefined constant
    case "check": //checks for blank fields

//======I THINK MY 1st PROBLEM STARTS HERE============
$scname=filter_string($_GET['scname']);
$email=filter_email($_GET['email']);
$psw=filter_string($_GET['password']);
$psw2=filter_string($_GET['passw2']);
// check_input() calls mysql_real_escape_string(), but mysql_connect() only happens further down
$queryScname=check_input($_GET['scname']);

// filter_input() takes the *name* of the GET field, not the value already read out of it
if(!filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL)){
     echo "<font color='#D5C513'><strong>E-mail is not valid.</strong></font><br />";
}
//=========================  
    
    if(strlen($scname)>7 && strlen($scname)<26 && strlen($email)>7 && strlen($psw)>7
                          && strlen($psw)<26 && strlen($psw2)>0 && $psw == $psw2){

    // Connect to server and select database.
    // (The mysql_* extension was removed in PHP 7.0; mysqli or PDO replaces it.)
$con = mysql_connect("$host", "$username", "$password")or die("cannot connect server" . mysql_error());
mysql_select_db("$db_name")or die("cannot select DB" . mysql_error());
// $queryScname is already quoted and escaped by check_input(); interpolating the
// raw $scname here would leave the query open to SQL injection.
$sql=("SELECT COUNT(scname) FROM $tbl WHERE scname=$queryScname");
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);    
    
    //screen name check    
            if($rows[0] == 0) {
           // Every value below is interpolated unescaped, $date is never set, the password
           // is stored in plaintext and the activation code is whatever the client posted.
           $sql2=mysql_query("INSERT INTO temps (scname, password, datetime, email, code)
                        VALUES('$scname', '$psw', '$date', '$email', '{$_POST['code']}')");
        mysql_close($con);    
        
        //send email
        $body="Welcome and thank you for becoming a part of iEroticXpressions.com.  
                Your screen name has been successfully created.  
                After you have confirmed your account you may begin posting.
                Click on the link and use the activation key provided to complete your account registration. \n \n";
        $body.="Screen Name: $scname\n";
        $body.="Activation Key: {$_POST['code']}\n";
        $body.="Password: $psw\n";   // mails the password in cleartext; the user already knows it
        $from="admin@iEroticXpressions.com";
        $header="From: $from";
        mail("$email","IEX Mail",$body,$header);
        print "Only one more step to complete registration.  Please check your email for further instructions.";
        break;
        }    
        else {
        // htmlspecialchars(): a user-supplied value is being echoed back into the HTML
        print "<font color='#D5C513'><strong>Submission Incomplete!</strong><hr>
                <strong>" . htmlspecialchars($scname) . "</strong> is already in use.
                Chose another screen name and try again.
                You may try including the underscore, period, or dash in your choice of screen name.</font><hr>";
        }
    }        
            
    else{
        print "<font color='#D5C513'><strong>Submission error!</strong> Please try again.<hr>
            1) Check to make sure you've filled out all of the fields.<br/>
            2) Make sure your passwords match and that you've used only<br />    
            alphanumeric characters (A-Z and/or 0-9).<br/>
            3) In all fields you may also use the underscore, period, or dash.<hr></font><br />";
        include("includes/newaccounts.inc.php");
        break;
    }    
    default:
    include("includes/newaccounts.inc.php");
    break;
      
}      
//==
function filter_string($value){
    // var_dump() writes straight into the page: this is where the string(0) "" lines come from
    $clean = filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
    var_dump($clean);
    return $clean;   // return the filtered value, not the untouched input
}
  
//===== AND 2nd ERROR HERE =============
function check_input($value){
// Stripslashes (magic quotes are always off since PHP 5.4; get_magic_quotes_gpc() was removed in 8.0)
if (get_magic_quotes_gpc())  {
  $value = stripslashes($value);
  }
// Quote if not a number. mysql_real_escape_string() needs an open connection,
// so this only works after mysql_connect() has run.
if (!is_numeric($value))  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}
//======================

function filter_email($value){
    $clean = filter_var($value, FILTER_SANITIZE_EMAIL);
    var_dump($clean);
    return $clean;   // without a return the caller's $email would be null
    }


PLEASE PLEASE HELP ME
Ed
The nature of mysql_real_escape_string is that it requires an active MySQL connection to sanitize the data passed against the current connection's character set. Your function is called prior to the MySQL connection (in the 'check_input()' function); if you move the mysql_connect above the call to 'check_input($_GET['scname'])' you should be sorted.

Hope that helps.
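Ed's ordering fix is right for the mysql_* API, but that extension was removed in PHP 7.0, and escaping by hand still leaves the thread's other queries (the raw $scname in the SELECT, every value in the INSERT) interpolated unescaped. The following is an added example, not code from the thread: the same screen-name check and temps INSERT written with PDO prepared statements, which need no escaping step and so no connect-before-escape ordering. It assumes an in-memory SQLite database so it runs offline (for MySQL only the DSN changes); the table and column names are the thread's, while the function names, the hashed password, the server-generated activation code and the sample values are this example's own.

```php
<?php
// Added example, not the thread's code. PDO prepared statements replace the
// mysql_real_escape_string() + string interpolation pattern from the thread.
// An in-memory SQLite database is assumed so this runs offline; for MySQL the
// DSN would be 'mysql:host=...;dbname=...' and the rest is unchanged.

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the thread's "temps" table (column types assumed).
    $pdo->exec('CREATE TABLE temps (
        scname   TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        datetime TEXT NOT NULL,
        email    TEXT NOT NULL,
        code     TEXT NOT NULL
    )');
    return $pdo;
}

// The thread's "SELECT COUNT(scname) ... WHERE scname='$scname'" with the
// value bound as a parameter: the driver sends it as data, never as SQL.
function screenNameTaken(PDO $pdo, string $scname): bool
{
    $stmt = $pdo->prepare('SELECT COUNT(scname) FROM temps WHERE scname = :scname');
    $stmt->execute([':scname' => $scname]);
    return (int) $stmt->fetchColumn() > 0;
}

// The thread's INSERT INTO temps, with three changes a reviewer would insist on:
// every value is bound, the password is hashed rather than stored (or mailed)
// in the clear, and the activation code is generated server-side instead of
// being read back from $_POST['code'].
function registerTemp(PDO $pdo, string $scname, string $password, string $email): string
{
    $code = bin2hex(random_bytes(16));
    $stmt = $pdo->prepare(
        'INSERT INTO temps (scname, password, datetime, email, code)
         VALUES (:scname, :password, :datetime, :email, :code)'
    );
    $stmt->execute([
        ':scname'   => $scname,
        ':password' => password_hash($password, PASSWORD_DEFAULT),
        ':datetime' => date('Y-m-d H:i:s'),
        ':email'    => $email,
        ':code'     => $code,
    ]);
    return $code;
}

$pdo = connect();

// Constructed sample input. Interpolated into the thread's query this would
// have become WHERE scname='x' OR '1'='1'; bound, it is just an odd name.
$hostile = "x' OR '1'='1";
var_dump(screenNameTaken($pdo, $hostile));

$code = registerTemp($pdo, 'lady_yepperz', 'correct-horse-battery', 'user@example.com');
var_dump(screenNameTaken($pdo, 'lady_yepperz'));
var_dump(strlen($code));
```

The activation mail would then carry $code and the screen name only; the confirmation handler compares the submitted key against the stored one with hash_equals() and the stored password is checked with password_verify() at login.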
LadyYepperz
Bread, thanks for replying to my thread. I did some moving around and I'm not getting that particular error any more.

Now Im getting this...
string(0) "" string(0) "" string(0) ""
Fatal error: Call to undefined function filter_email()

I've gone over this 1000 times and I can't figure out what it means by undefined or why it's still printing out "string(0)".

Changes:
CODE
// Connect to server and select database.
$con = mysql_connect("$host", "$username", "$password")or die("cannot connect server" . mysql_error());
mysql_select_db("$db_name")or die("cannot select DB" . mysql_error());

switch($_GET['action']){   // quoted key, as above
    case "check": //checks fields
    
//==================
$scname=filter_string($_POST['scname']);
$psw=filter_string($_POST['password']);
$psw2=filter_string($_POST['passw2']);
$queryScname=check_input($_POST['scname']);   // now runs after mysql_connect()

$email=filter_email($_POST['email']);

// Declared inside the case, below the line that calls it: PHP only registers a
// function declared inside a block once execution reaches the declaration,
// which is why the call above fails with "undefined function".
function filter_email($value){
    var_dump(filter_var($value, FILTER_SANITIZE_EMAIL));
    
    if(!filter_var($value, FILTER_VALIDATE_EMAIL)){
     echo "<font color='#D5C513'><strong>E-mail is not valid.</strong></font>";
     }
     else {
        return $value;
     }
    }
//==================
    if(strlen($scname)>7 && strlen($scname)<26 && strlen($email)>7 && strlen($psw)>7 && strlen($psw)<26 && strlen($psw2)>0 && $psw == $psw2){



=========================================================


I found this on PHP.net
CODE
<?php
$var="<b>Peter Griffin<b>";
var_dump(filter_var($var, FILTER_SANITIZE_STRING));
?>

The output of the code will be:
CODE
string(13) "Peter Griffin"

If the FILTER_SANITIZE_STRING function is causing the "string(0)" to print, how do I stop it and still use the function? Or would you suggest an alternative?
swordz
Any chance of seeing the code for the filter functions, filter_string and filter_email ?

You could always use is_string() and the proper e-mail filters...

swordz
LadyYepperz
CODE
    //removes HTML coding & special characters
function filter_string($value){
    $clean = trim(filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW));
    var_dump($clean);   // debugging output, printed into the page
    return $clean;      // return the filtered value rather than the raw $value
}


CODE
function filter_email($value){
    $clean = filter_var($value, FILTER_SANITIZE_EMAIL);
    var_dump($clean);   // debugging output, printed into the page
    
    if(!filter_var($clean, FILTER_VALIDATE_EMAIL)){
     echo "<font color='#D5C513'><strong>E-mail is not valid.</strong></font>";
     }
     else {
        return $clean;
     }
    }


CODE
function check_input($value){
// Stripslashes (a no-op since PHP 5.4; get_magic_quotes_gpc() was removed in 8.0)
if (get_magic_quotes_gpc())  {
  $value = stripslashes($value);
  }
// Quote if not a number; needs an open mysql_connect() connection
if (!is_numeric($value))  {
  $value = "'" . mysql_real_escape_string($value) . "'";
  }
return $value;
}
swordz
QUOTE(LadyYepperz @ Feb 13 2009, 12:31 AM)
CODE
    //removes HTML coding & special characters
function filter_string($value){
    $value = trim(filter_var($value, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW));
    return $value;
}


CODE
function filter_email($value){
    $value = filter_var($value, FILTER_SANITIZE_EMAIL);
    
    if(!filter_var($value, FILTER_VALIDATE_EMAIL)){
     echo "<font color='#D5C513'><strong>E-mail is not valid.</strong></font>";
     }
     else {
        return $value;
     }
    }


It's the var_dumps that are outputting the string(0).

swordz
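swordz's diagnosis explains the string(0) "" lines, but two things in the thread's helpers remain: as posted, filter_string() discards the result of filter_var() and returns the raw input, and the filter_email() that was declared inside the case block after its first call is never registered in time (a function declared inside a block only exists once execution reaches the declaration, hence "Call to undefined function"). The following is an added example and not the thread's code: the three checks rewritten as file-scope helpers that return what they filter and leave all output to the caller. The screen-name and password rules are the ones the thread's own error message states (8 to 25 characters; letters, digits, underscore, period, dash); the function names beyond the thread's filter_string/filter_email and the sample submissions are assumptions of this example.

```php
<?php
// Added example, not the thread's code: the filter helpers rewritten so that
// the filtered value is what gets returned and the caller decides what to print.
// Declared at file scope, before any call, so they always exist.

function filter_string(string $value): string
{
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; strip control
    // characters and tags explicitly instead of relying on it.
    $clean = filter_var($value, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);
    return trim(strip_tags($clean));
}

// Rule from the thread's error message: 8-25 characters, A-Z, 0-9, "_", ".", "-".
function valid_screen_name(string $scname): bool
{
    return preg_match('/\A[A-Za-z0-9_.-]{8,25}\z/', $scname) === 1;
}

// Returns the validated address, or null; nothing is echoed from inside a filter.
function filter_email(string $value): ?string
{
    $clean = filter_var($value, FILTER_SANITIZE_EMAIL);
    $valid = filter_var($clean, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Collects every problem instead of stopping at the first, so the form can
// report all of them at once. Passwords are never run through the string
// filter (a "<" in a password is legal) and are compared with hash_equals().
function validate_registration(array $in): array
{
    $errors = [];

    $scname = filter_string((string) ($in['scname'] ?? ''));
    if (!valid_screen_name($scname)) {
        $errors[] = 'screen name';
    }

    $email = filter_email((string) ($in['email'] ?? ''));
    if ($email === null) {
        $errors[] = 'email';
    }

    $psw  = (string) ($in['password'] ?? '');
    $psw2 = (string) ($in['passw2'] ?? '');
    $len  = strlen($psw);
    if ($len < 8 || $len > 25) {
        $errors[] = 'password length';
    }
    if (!hash_equals($psw, $psw2)) {
        $errors[] = 'password mismatch';
    }

    return ['errors' => $errors, 'scname' => $scname, 'email' => $email];
}

// Constructed sample submissions (not real form data).
$good = ['scname' => ' lady_yepperz ', 'email' => 'lady@example.com',
         'password' => 'correct-horse', 'passw2' => 'correct-horse'];
$bad  = ['scname' => '<b>x</b>', 'email' => 'not an address',
         'password' => 'short', 'passw2' => 'different'];

print_r(validate_registration($good));
print_r(validate_registration($bad));
```

The page that renders the result still has to pass anything it echoes back (the "$scname is already in use" message, for instance) through htmlspecialchars(); sanitising on input does not make a value safe to print into HTML.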
LadyYepperz
Thank you so much, Swordz!