  • #1 New Coder (SRBuckey5266)

    Pllleeeaasseee help!

    I have this code:

    PHP Code:
    <?php

    $name    = $_POST['name'];
    $message = $_POST['message'];

    // eregi() is deprecated, and this pattern only accepts letters and digits:
    // a space, a newline or any punctuation makes the whole message fail the check
    if(!eregi("^([0-9a-z])*$", $message)){
      echo "<div class='box'>Please use letters only.</div>";
    }
    else
    {
    //connect
    $connect = mysql_connect("","","") or die("Connection failed!");
    mysql_select_db("") or die("Database fail!");

    //write
    $write = mysql_query("INSERT INTO posts VALUES ('','$name','$message')") or die(mysql_error());

    echo "<div class='box'><font face='arial'><b><span style='color:green'>Posted! Your name was:</span> $name</b> - Your message was....<br><br><b>$message - <a href='index.php'>View it!</a></b>";
    }

    ?>
    Now if you go here: http://chataddict.netau.net/ - and type your message, it keeps displaying the error box. Why??!
    Last edited by SRBuckey5266; 10-13-2009 at 08:30 PM.

  • #2 Rockstar Coder (OracleGuy)
    In the future, please use a more descriptive subject when posting a question. See posting guidelines.

    I went to that link and was able to post without getting an error. I just couldn't use a newline (aka press enter) but that is because your regular expression doesn't allow it. It doesn't allow punctuation either.
    OracleGuy

  • #3 New Coder (SRBuckey5266)
    What can I do to improve it?

    And it's still not letting me post.

  • #4 Rockstar Coder (OracleGuy)
    Well you shouldn't use the eregi function anyways since it is deprecated.

    But what things are you trying to block from being in messages?

    Edit: The page isn't working for me now, though; that second post on the page did work but no longer does.
    OracleGuy

  • #5 New Coder (SRBuckey5266)
    Quote Originally Posted by oracleguy:
    Well you shouldn't use the eregi function anyways since it is deprecated.

    But what things are you trying to block from being in messages?
    The simple things to protect from SQL Injections, I just want the following blocked out: ;$'^#@

    I guess I'll remove the code. :/

    Thank you for the help.

  • #6 Rockstar Coder (OracleGuy)
    Then just use mysql_real_escape_string and you should use it on the name and the message. That will auto escape any special characters that could be used for SQL injection.

    See:

    PHP Code:
    <?php

    //connect first: mysql_real_escape_string() needs an open connection
    $connect = mysql_connect("","","") or die("Connection failed!");
    mysql_select_db("") or die("Database fail!");

    $name    = mysql_real_escape_string($_POST['name']);
    $message = mysql_real_escape_string($_POST['message']);

    //write
    $write = mysql_query("INSERT INTO posts VALUES ('','$name','$message')") or die(mysql_error());

    echo "<div class='box'><font face='arial'><b><span style='color:green'>Posted! Your name was:</span> $name</b> - Your message was....<br><br><b>$message - <a href='index.php'>View it!</a></b>";

    ?>
    OracleGuy

  • #7 New Coder (SRBuckey5266)
    Thank you Oracle! I'll make a credits list, and I'll add you, and a link to your profile. I really appreciate it!

  • #8 New Coder (SRBuckey5266)
    Wait, now I get this error:

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/a5488351/public_html/post.php on line 33

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/a5488351/public_html/post.php on line 33

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'nobody'@'localhost' (using password: NO) in /home/a5488351/public_html/post.php on line 34

    Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in /home/a5488351/public_html/post.php on line 34

  • #9 Rockstar Coder (OracleGuy)
    Did you connect to the database before you called mysql_real_escape_string, like I did in the revised version of your code that I posted?
    OracleGuy

  • #10 God Emperor (Fou-Lu)
    mysql_real_escape_string requires that your connection to the database is established. Ensure that you're using your mysql_connect prior to the use of mysql_real_escape_string.
    Also, until PHP 6, there is a possibility of magic_quotes_gpc being enabled on your server. The idea behind it was to prevent SQL injections, but they are not compatible with 'real' (i.e. from the database) sanitation. So, you'll need to code to handle that as well:
    PHP Code:
    // connect first, so mysql_real_escape_string() has a link to use
    $con = mysql_connect('', '', '') or die(mysql_errno());

    // undo the backslashes magic_quotes_gpc adds, otherwise the data is escaped twice
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
    {
        $_POST = array_map('stripslashes', $_POST);
    }

    $name    = mysql_real_escape_string($_POST['name']);
    $message = mysql_real_escape_string($_POST['message']);
    ....
    Of course, if it's not a string you're intending to handle, cast it to the specific type (like an int), and ignore the mysql_real_escape_string. Any input data in PHP is considered a string, so it's up to you to control what is really what.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
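The INSERT from posts #6 and #10, rewritten as an added example with PDO prepared statements; this is not code from the thread or from any of the posters. It assumes a posts table with id, name and message columns (taken from the thread's INSERT INTO posts VALUES ('', '$name', '$message')) and uses an in-memory SQLite database so it runs without a MySQL server; a real deployment would use a mysql: DSN with credentials. Because the values travel as parameters instead of being pasted into the SQL string, there is nothing to escape, and the connect-before-escape ordering behind the warnings in post #8 cannot be got wrong.

```php
<?php
// Added example (not code from the thread): the thread's INSERT done with
// PDO prepared statements. In-memory SQLite is used so the script runs
// offline; swap the DSN for mysql:host=...;dbname=... in a real deployment.
// The posts table layout (id, name, message) is assumed from the thread.
declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (
        id      INTEGER PRIMARY KEY AUTOINCREMENT,
        name    TEXT NOT NULL,
        message TEXT NOT NULL
    )');
    return $db;
}

// The SQL text is fixed at prepare() time; the values are sent separately as
// parameters, so quotes, semicolons or $ signs inside them cannot alter the
// statement. No escaping call is needed, and there is no "escape before you
// have a connection" ordering to get wrong.
function insert_post(PDO $db, string $name, string $message): int
{
    $stmt = $db->prepare('INSERT INTO posts (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
    return (int) $db->lastInsertId();
}

function fetch_post(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, message FROM posts WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);   // an id is an int, so bind it as one
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = open_db();

// Constructed sample submissions, including the characters the original
// poster wanted to block. They are stored and read back unchanged.
$samples = [
    ['SRBuckey5266', "Hello, world! It's 10:30 PM"],
    ['nobody',       '$[];\'{} stored as plain text, not interpreted'],
];
foreach ($samples as [$name, $message]) {
    $id  = insert_post($db, $name, $message);
    $row = fetch_post($db, $id);
    if ($row === null || $row['name'] !== $name || $row['message'] !== $message) {
        throw new RuntimeException("round trip failed for post $id");
    }
    printf("#%d %s: %s\n", $row['id'], $row['name'], $row['message']);
}

$count = (int) $db->query('SELECT COUNT(*) FROM posts')->fetchColumn();
if ($count !== 2) {
    throw new RuntimeException("expected 2 rows, found $count");
}
```

Run it with php on a build that has the pdo_sqlite extension (bundled with most distributions). The same prepare/execute shape works unchanged against MySQL through pdo_mysql, which is what makes it a drop-in replacement for the mysql_query string-building in the thread.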

  • #11 New Coder (SRBuckey5266)
    I don't think that protects from codes. I want a code that stops you and says: "Please use letters only." if they type in stuff like: $[];'{}

    Can anyone do this?

  • #12 God Emperor (Fou-Lu)
    Quote Originally Posted by SRBuckey5266:
    I don't think that protects from codes. I want a code that stops you and says: "Please use letters only." if they type in stuff like: $[];'{}

    Can anyone do this?
    Well yes actually it will protect from code, at least PHP code. The purpose of mysql_real_escape_string is to convert escapable data into non-escapable data string allowing you to store it in a database properly. Should you want to remove tags to prevent html and xss injection, you can look at using strip_tags and htmlentities to take care of those conversions.
    To match just letters you can pattern match with if (preg_match('/^[a-z]*$/i', $input)), but that's letters only, no spaces or numbers.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

  • #13 Rockstar Coder (OracleGuy)
    Quote Originally Posted by Fou-Lu:
    The purpose of mysql_real_escape_string is to convert escapable data into non-escapable data string allowing you to store it in a database properly.
    Aka meaning it prevents SQL injection. So it should do what you want. There is no need to block $[];'{}. It isn't like if someone were to write $foo = 8; in the message that the code would get executed.
    OracleGuy
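An added example, not code from the thread or from any of its posters, of the letters-only check discussed in posts #11 through #13: the preg_match allowlist from post #12, widened to accept the spaces, digits, newlines and punctuation that the eregi() pattern in post #1 refused, plus htmlspecialchars on output for the HTML/XSS point in post #12. The accepted character set, the field lengths, the function names and the error messages are all assumptions. As post #13 says, this check is a usability filter for what a message may contain; it is not what keeps the SQL safe, which is why a quote and a semicolon are allowed through.

```php
<?php
// Added example (not code from the thread): allowlist validation for the name
// and message fields, and output encoding for the confirmation box. The
// accepted characters, lengths and messages are assumptions; adjust to taste.
declare(strict_types=1);

// /u makes \p{L} and \p{N} cover non-ASCII letters and digits and rejects
// invalid UTF-8. A quote and a semicolon are allowed on purpose: keeping SQL
// safe is the job of prepared statements (or escaping), not of this filter.
const NAME_PATTERN    = '/^[\p{L}\p{N} ._-]{1,40}$/u';
const MESSAGE_PATTERN = '/^[\p{L}\p{N} .,!?:;()\'"\r\n-]{1,1000}$/u';

function validate_field(string $label, $value, string $pattern): ?string
{
    // PHP builds arrays from inputs such as name[]=x, so check the type first.
    if (!is_string($value)) {
        return "Please use letters only in $label.";
    }
    // preg_match() returns 1 on match, 0 on no match and false on error.
    if (preg_match($pattern, $value) !== 1) {
        return "Please use letters, numbers and basic punctuation only in $label.";
    }
    return null;
}

// Returns the list of error messages; an empty list means the post is accepted.
function validate_post(array $input): array
{
    $errors = [];
    foreach (['name' => NAME_PATTERN, 'message' => MESSAGE_PATTERN] as $field => $pattern) {
        $err = validate_field($field, $input[$field] ?? '', $pattern);
        if ($err !== null) {
            $errors[] = $err;
        }
    }
    return $errors;
}

function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Encoding at render time, independent of the input check above, is what
// stops a submitted <b> or <script> tag from being interpreted by the browser.
function render_box(string $name, string $message): string
{
    return "<div class='box'><b>Posted! Your name was: " . h($name) . "</b>"
         . " - Your message was....<br><br><b>" . nl2br(h($message)) . "</b></div>";
}

// Constructed sample submissions.
$cases = [
    ['name' => 'SRBuckey5266', 'message' => "Hello there!\nSecond line, with punctuation: fine?"],
    ['name' => 'SRBuckey5266', 'message' => '$[];\'{}'],   // the characters from post #11
    ['name' => '<b>bold</b>',  'message' => 'hi'],          // tags are not in the allowlist
    ['name' => ['x'],          'message' => 'array instead of a string'],
];
foreach ($cases as $i => $case) {
    $errors = validate_post($case);
    if ($errors === []) {
        echo "case $i accepted:\n" . render_box($case['name'], $case['message']) . "\n";
    } else {
        echo "case $i rejected: " . implode(' ', $errors) . "\n";
    }
}
```

Only the first case passes; the second is refused because $, [, ], { and } are outside the allowlist, the third because < and > are, and the fourth because the value is not a string at all. Pair the accepted values with the prepared-statement insert rather than with string-built SQL, and keep the encoding in render_box regardless of how strict the pattern is.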

