  1. #1 conware (Regular Coder)

    Prevent SQL injection with preg_replace?

    Hi everyone,
    I was wondering: if, for example, I have a login script
    and I would use preg_replace to make sure the username/password input would both only use numbers and letters,
    then, if I'm correct, there should be no injection possible, right?
    Or am I seeing this wrong?

    For example, let's say I have a page called login.php.
    In this page I have two POST variables made by an HTML form etc.

    PHP Code:

    // strip everything that is not a letter or a digit
    $username = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['username']);
    $password = preg_replace('/[^a-zA-Z0-9]/', '', $_POST['password']);
    Would this prevent injection?
    Last edited by conware; 09-10-2011 at 09:59 PM.

  • #2 Fou-Lu (God Emperor)
    Yes, but the game changes as soon as the just alphanumeric rule no longer applies.
    Do not leave it up to your business rules to satisfy a sanitation function. Run any string through the database escaping function, that is what it was designed to do.

    Also, you should NOT be using preg_replace, you should be using preg_match or ctype to determine these and inform the client that the entry is invalid.

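An added example, not code from the thread, illustrating Fou-Lu's point: the alphanumeric whitelist only protects the query while the whitelist holds, whereas the database escaping function protects an arbitrary string, and a bound parameter (a prepared statement) keeps the value out of the SQL text altogether. It uses PDO with an in-memory SQLite database so it runs offline without a MySQL server; the user table, the `alice` account and the payload are constructed for the example, and `password_hash()`/`password_verify()` stand in for the plaintext password the original snippet compares. All of these are assumptions of the example, not something the thread specifies.

```php
<?php
// Added example (not from the thread). PDO with in-memory SQLite so it runs
// offline; with MySQL you would change only the DSN. The whitelist from the
// original post is deliberately absent so the three query styles can be compared
// on the same non-alphanumeric input.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT NOT NULL, password_hash TEXT NOT NULL)');

// Constructed sample account. The password is hashed, never stored as typed.
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// 1. Naive concatenation: the user-supplied string becomes part of the SQL text.
function loginNaive(PDO $db, string $username): array
{
    $sql = "SELECT username, password_hash FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Driver escaping (PDO::quote is PDO's counterpart of mysql_real_escape_string):
//    quotes inside the value are doubled so the string literal cannot be closed early.
function loginQuoted(PDO $db, string $username): array
{
    $sql = 'SELECT username, password_hash FROM users WHERE username = ' . $db->quote($username);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Bound parameter: the SQL is fixed, the value is sent separately.
function loginBound(PDO $db, string $username): array
{
    $st = $db->prepare('SELECT username, password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed injection payload; it would have been stripped to "xOR11" by the
// original preg_replace, which is exactly why the whitelist "works" there.
$attack = "x' OR '1'='1";

printf("naive:  %d row(s) returned for the payload\n", count(loginNaive($db, $attack)));
printf("quoted: %d row(s) returned for the payload\n", count(loginQuoted($db, $attack)));
printf("bound:  %d row(s) returned for the payload\n", count(loginBound($db, $attack)));

// The password belongs in a PHP comparison after the lookup, not in the WHERE clause.
$rows = loginBound($db, 'alice');
$ok   = $rows !== [] && password_verify('correct horse', $rows[0]['password_hash']);
printf("alice with the right password: %s\n", $ok ? 'accepted' : 'rejected');
```

Run it with `php login_compare.php` (requires the pdo_sqlite extension). For the payload, the unfiltered query returns alice's row because the appended `OR '1'='1'` is true for every row, while the quoted and bound versions return nothing. The bound form is the one to reach for: it needs no per-input rule and nothing to remember when the alphanumeric policy is relaxed later.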

  • #3 conware (Regular Coder)
    Thanks for the reply, Fou-Lu.
    I wondered about this because if I ever decided to make a login, then I would probably only allow alphanumeric values, because I think it looks better for usernames.
    However, I can see that in most cases alphanumeric values won't apply.

    Also, I don't really know how to use preg_match.
    Could you post an example of how to use it with alphanumeric values?

    By the way, I would also use sprintf with mysql_real_escape_string if I ever decided to write something like that.

  • #4 BluePanther (Senior Coder)
    preg_match() uses the same regular expression rules as preg_replace(), except only has 2 required arguments - pattern and subject. preg_match() will return 0 for no matches found, or 1 for a match found. It doesn't change any values in the $subject.


  • #5 conware (Regular Coder)
    Ah, I see. Thanks, BluePanther.

  • #6 Fou-Lu (God Emperor)
    There is no reason not to force alphanumeric, or even just alpha. These are your rules, so you can decide whatever you want to do.
    No, my suggestion is to not replace, so if I enter a name of Fou-Lu, it will replace it with FouLu. That means when I try to log in, I will fail since my name as I expect it is no longer valid. You are better off just telling me that I cannot use the - in it, and letting me go back to change it.

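An added example, not code from the thread, of the validation Fou-Lu describes in #2 and #6: test the username with preg_match() (or ctype_alnum(), as BluePanther's reply in #4 describes the preg_match() side) and report an invalid entry to the client instead of rewriting it. The 3 to 20 character limit and the error message are assumptions for the example; the input list, including 'Fou-Lu', is constructed to show that the original preg_replace() silently turns 'Fou-Lu' into 'FouLu' while both validators reject it.

```php
<?php
// Added example (not from the thread). Rejecting invalid input versus silently
// stripping it. Policy below (3-20 ASCII letters/digits) is an assumption.

// \z rather than $: with $, "alice\n" would pass because $ also matches before
// a trailing newline, and the newline would then end up in the stored username.
const USERNAME_RE = '/^[A-Za-z0-9]{3,20}\z/';
const USERNAME_ERROR = 'Username may only contain letters and digits (3 to 20 characters).';

// Returns null when the username is acceptable, otherwise the message for the client.
function validateUsername(string $username): ?string
{
    // preg_match() returns 1 on a match, 0 on no match, false on a regex error;
    // compare strictly against 1 so an error is treated as a rejection.
    return preg_match(USERNAME_RE, $username) === 1 ? null : USERNAME_ERROR;
}

// Same policy without a regex. ctype_alnum('') is false, so the empty string is
// rejected even before the length check.
function validateUsernameCtype(string $username): ?string
{
    $len = strlen($username);
    if ($len < 3 || $len > 20 || !ctype_alnum($username)) {
        return USERNAME_ERROR;
    }
    return null;
}

// The approach from the original post, kept only for comparison: it never fails,
// it just changes the value, so "Fou-Lu" registers as "FouLu".
function stripUsername(string $username): string
{
    return preg_replace('/[^a-zA-Z0-9]/', '', $username);
}

// Constructed inputs: a valid name, the hyphenated name from the thread, an
// injection attempt, a too-short name, a trailing newline and the empty string.
$inputs = ['conware', 'Fou-Lu', "x' OR '1'='1", 'ab', "alice\n", ''];

foreach ($inputs as $input) {
    printf(
        "%-18s strip => %-12s preg_match => %-7s ctype => %s\n",
        var_export($input, true),
        var_export(stripUsername($input), true),
        validateUsername($input) === null ? 'ok' : 'reject',
        validateUsernameCtype($input) === null ? 'ok' : 'reject'
    );
}
```

The two validators agree on every input here; in a real registration handler you would call one of them, return the message to the form when it is non-null, and only then hand the accepted value to a prepared statement. Validation decides whether the value is a username you are willing to accept; it does not replace parameter binding on the query.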

  • #7 conware (Regular Coder)
    Quote Originally Posted by Fou-Lu View Post
    There is no reason not to force alphanumeric, or even just alpha. These are your rules, so you can decide whatever you want to do.
    No, my suggestion is to not replace, so if I enter a name of Fou-Lu, it will replace it with FouLu. That means when I try to log in, I will fail since my name as I expect it is no longer valid. You are better off just telling me that I cannot use the - in it, and letting me go back to change it.
    Oh, now I see. Sorry, I misunderstood before.
    You have a good point. I'll include that information on the register page and include some JavaScript to disable the characters I don't want.
    That would probably spare users some frustration.
    I would probably also include the username again in the mail which they receive to conclude their registration.
    I think that should cover most of the login part.

    Thanks for the useful information.
