Re: question about database injection

on 07.04.2008 05:06:13 by AnrDaemon

Greetings, Rik Wasmus.
In reply to Your message dated Saturday, March 15, 2008, 19:33:50,

> On Sat, 15 Mar 2008 16:18:12 +0100, Michael Fesser wrote:
>> .oO(Sudhakar)
>>> i am helping a friend to build a forum website which uses php and
>>> mysql database.
>>>
>>> i am working on the registration page for the forum website and its
>>> validation. i am using php 5.2.5
>>>
>>> i am able to validate and do other tasks, however i really need help
>>> as i am stuck with regards to database injection.
>>> please answer the following questions. any help will be greatly
>>> appreciated.
>>>
>>> 1. USER NAME VALIDATION
>>>
>>> username = eregi("^[a-zA-Z0-9_ ]+$", $username)
>>
>> ereg_* is dead and will be removed in PHP 6. You should use the preg_*
>> functions, which is also what I use in the example patterns below.

> Indeed.

>>> with the above validation, a user can enter letters uppercase,
>>> lowercase and numbers and underscore with spaces ONLY
>>>
>>> ex= 9abc_def OR _abc123 = this IS INCORRECT
>>>
>>> however i would like the username to be Letters First(upper or
>>> lowercase), followed by numbers and underscore and spaces in the
>>> username.
>>>
>>> ex= abcd1234 OR ABcd1234 OR Ab_12 OR ab 12_cd = this IS CORRECT
>>>
>>> i have used with preg_match as => if( $username == "" || !preg_match('/^[a-zA-Z0-9_]+$/x', $username) )
>>> however its the same as eregi
>>>
>>> QUESTION = how can i rewrite username = eregi("^[a-zA-Z0-9_ ]+$",
>>> $username) to match the following requirement.
>>> username = abcd1234 OR ABcd1234 OR Ab_12
>>
>> /^[a-z][a-z\d_ ]*$/i
>>
>> Starts with a letter, followed by any arbitrary number of letters,
>> digits, underscores or spaces, all case-insensitive.
>>
>>> also with eregi("^[a-zA-Z0-9_ ]+$", $username) as there is a space if
>>> a user has more than 1 space ex= "ab cd 12" it is still accepting is
>>> there a way to restrict to ONE space only ex = "ab cd12"
>>
>> /^[a-z](?:[a-z\d_]| [a-z\d_])*$/i

> Nope, that would still allow more spaces (not successive, but more none
> the less).
> /^[a-z](?: [a-z\d_]*)?$/i

My $0.02 as a more general pattern:

/^[word symbols]+(?:[delimiter symbols][word symbols]+)*$/i

And as real example:

/^[a-z][a-z0-9]*(?:[\x20\-\_\.][a-z0-9]+)*$/i

Will allow names starting with a letter and continuing with letters and numbers,
delimited by space, dot, dash and underscore, but not allowing two delimiters in
a row.


--
Sincerely Yours, AnrDaemon
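Added example (not part of the thread): the five patterns proposed above, run as Python `re` (the syntax used here is PCRE-compatible, so the results carry over to `preg_match`) against the original poster's own examples plus a few constructed edge cases, so the reader can see what each pattern actually accepts. Pattern names and the sample list are my own; `accepts()` mirrors `preg_match()` by searching with the pattern's own `^`/`$` anchors, and `strict_accepts()` shows the check a validator should really do, because in both PCRE and Python `$` also matches before a trailing newline (in PHP, end the pattern with `\z` or use the `D` modifier).

```python
import re

# Patterns collected from the thread, with the flags each poster used.
# The eregi() original is case-insensitive by definition; its explicit
# [a-zA-Z] range already covers that, so no flag is needed.
PATTERNS = {
    "eregi_original": (r"^[a-zA-Z0-9_ ]+$", 0),
    "michael_first":  (r"^[a-z][a-z\d_ ]*$", re.IGNORECASE),
    "michael_second": (r"^[a-z](?:[a-z\d_]| [a-z\d_])*$", re.IGNORECASE),
    "rik":            (r"^[a-z](?: [a-z\d_]*)?$", re.IGNORECASE),
    "anrdaemon":      (r"^[a-z][a-z0-9]*(?:[\x20\-\_\.][a-z0-9]+)*$", re.IGNORECASE),
}
COMPILED = {name: re.compile(src, flags) for name, (src, flags) in PATTERNS.items()}


def accepts(name: str, username: str) -> bool:
    """Mirror preg_match(): a search that relies on the pattern's own ^ and $."""
    return COMPILED[name].search(username) is not None


def accepted_by(username: str) -> list:
    """Names of the patterns (in thread order) that accept this username."""
    return [name for name in PATTERNS if accepts(name, username)]


def trailing_newline_accepted(name: str) -> bool:
    """'$' matches before a final newline, so "abc\\n" passes a ^...$ check
    even though no pattern in the thread lists '\\n' as an allowed character."""
    return accepts(name, "abc\n")


def strict_accepts(name: str, username: str) -> bool:
    """Same pattern, anchored to the true end of the string via fullmatch();
    this is the behaviour you get in PHP with \\z or the D modifier."""
    return COMPILED[name].fullmatch(username) is not None


# Constructed sample inputs: the poster's examples plus edge cases for spaces,
# other delimiters and trailing delimiters.
SAMPLES = [
    "abcd1234", "ABcd1234", "Ab_12", "ab 12_cd",   # poster wants these accepted
    "9abc_def", "_abc123",                         # poster wants these rejected
    "ab cd 12", "ab cd12", "ab  cd", "ab_",        # one space, several, double, trailing
    "a", "a bcd12", "ab-cd.ef", "ab--cd",          # single char, dash/dot delimiters
]

if __name__ == "__main__":
    names = list(PATTERNS)
    print("username".ljust(12), *[n[:14].ljust(14) for n in names])
    for s in SAMPLES:
        print(repr(s).ljust(12),
              *[("yes" if accepts(n, s) else "no").ljust(14) for n in names])
    print()
    for n in names:
        print(f"{n}: 'abc\\n' search={accepts(n, 'abc' + chr(10))} "
              f"fullmatch={strict_accepts(n, 'abc' + chr(10))}")
```

Running the table shows the two things the thread argues about: Michael's second pattern still takes `"ab cd 12"` (several single spaces), and Rik's replacement rejects `"abcd1234"`, since after the first letter it only allows an optional space followed by more characters. AnrDaemon's pattern accepts the poster's four wanted names, rejects the two unwanted ones, and refuses doubled or trailing delimiters.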