Announcement

**perpl3x3d** · Sep 11, 2011, 02:00 PM

Any way you can post your clean function?

**xxcorrosionxx** · Sep 11, 2011, 02:11 PM

Register-exec.php

PHP Code:


<?php
    //Start session
    session_start();
    
    //Include database connection details
    require_once('config.php');
    
    //Array to store validation errors
    $errmsg_arr = array();
    
    //Validation error flag
    $errflag = false;
    
    //Connect to mysql server
    $link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
    if(!$link) {
        die('Failed to connect to server: ' . mysql_error());
    }
    
    //Select database
    $db = mysql_select_db(DB_DATABASE);
    if(!$db) {
        die("Unable to select database");
    }
    
 //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    } 
    
    //Sanitize the POST values
    $fname = clean($_POST['fname']);
    $lname = clean($_POST['lname']);
    $SiteID = clean($_POST['SiteID']);
    $Age = clean($_POST['Age']);
    $Url = clean($_POST['Url']);
    $realname = clean($_POST['realname']);
    $exitmessage = clean($_POST['exitmessage']);
    $comments = clean($_POST['comments']);
    $password = clean($_POST['password']);
    $cpassword = clean($_POST['cpassword']);
    $remoteAddress  = $_SERVER["REMOTE_ADDR"];
    $str = trim(strip_tags($str));
    
    //Input Validations
    if($fname == '') {
        $errmsg_arr[] = 'First name missing';
        $errflag = true;
    }
    if($lname == '') {
        $errmsg_arr[] = 'Last name missing';
        $errflag = true;
    }
    if($login == '') {
        $errmsg_arr[] = 'Login ID missing';
        $errflag = true;
    }
    if($SiteID == '') {
        $errmsg_arr[] = 'Site ID missing';
        $errflag = true;
        }
    if($Age == '') {
        $errmsg_arr[] = 'Age missing';
        $errflag = true;
        }
    if($Url == '') {
        $errmsg_arr[] = 'Url missing';
        $errflag = true;
    }
    if($exitmessage == '') {
        $errmsg_arr[] = 'Exit Message missing';
        $errflag = true;
    }
    if($comments == '') {
        $errmsg_arr[] = 'Comments missing';
        $errflag = true;
    }
    if($realname == '') {
        $errmsg_arr[] = 'Real Name missing';
        $errflag = true;
    }
    if($password == '') {
        $errmsg_arr[] = 'Password missing';
        $errflag = true;
    }
    if($cpassword == '') {
        $errmsg_arr[] = 'Confirm password missing';
        $errflag = true;
    }
    if( strcmp($password, $cpassword) != 0 ) {
        $errmsg_arr[] = 'Passwords do not match';
        $errflag = true;
    }

    //Check for duplicate login ID
    if($login != '') {
        $qry = "SELECT * FROM members WHERE login='$login'";
        $result = mysql_query($qry);
        if($result) {
            if(mysql_num_rows($result) > 0) {
                $errmsg_arr[] = 'Login ID already in use';
                $errflag = true;
            }
            @mysql_free_result($result);
        }
        else {
            die("Query failed");
        }
    }
    
    //If there are input validations, redirect back to the registration form
    if($errflag) {
        $_SESSION['ERRMSG_ARR'] = $errmsg_arr;
        session_write_close();
        header("location: register.php");
        exit();
    }

    //Create INSERT query
    $qry = "INSERT INTO members(firstname, lastname, login, SiteID, Age, Url, exitmessage, comments, realname, passwd) VALUES('$fname','$lname','$login','$SiteID','$Age','$Url','$exitmessage','$comments','$realname','".md5($_POST['password'])."')";
    $result = @mysql_query($qry);
    
    //Check whether the query was successful or not
    if($result) {
        header("location: success.php");
        exit();
    }else {
        die("Query failed");
    }
?>

**BluePanther** · Sep 11, 2011, 02:50 PM

You could easily add the function to the return statement in the clean function. But, just run the function itself before the item's have been through clean() through all the variables and you'll be fine

**tangoforce** · Sep 11, 2011, 02:52 PM

But its the function you speak of which the op is asking for help with. Not where to put it.

**BluePanther** · Sep 11, 2011, 02:57 PM

Originally posted by xxcorrosionxx View Post

PHP Code:


    $fname = clean($_POST['fname']);

    $lname = clean($_POST['lname']);

    $login = clean($_POST['login']);

    $SiteID = clean($_POST['SiteID']);

    $Age = clean($_POST['Age']);

    $Url = clean($_POST['Url']);

    $realname = clean($_POST['realname']);

    $exitmessage = clean($_POST['exitmessage']);

    $comments = clean($_POST['comments']);

    $password = clean($_POST['password']);

    $cpassword = clean($_POST['cpassword']);

Where exactly would i strip this?

Are you wanting to strip the tags? or use html entities?
Strip tags will remove the tags completely, html entities will replace the tags with special characters that the browser translates to the text version of tags.
strip_tags() for the former, htmlspecialchars() for the latter. Use the function you desire before the clean() function.

**xxcorrosionxx** · Sep 11, 2011, 02:59 PM

Strip tags completely. I don't want people to sign up under html codes and php codes. And be able to use meta refresh tags. Where do i place these strip tags in my register-exec.php.

**tangoforce** · Sep 11, 2011, 03:11 PM

Originally posted by BluePanther View Post

Are you wanting to strip the tags? or use html entities?

And you thought you were going blind the other day

**xxcorrosionxx** · Sep 11, 2011, 03:17 PM

Can you tell me here? If you are looking for money i am 16 years old. Lol! I don't have money, i am still living with my mom and dad.

**BluePanther** · Sep 11, 2011, 03:27 PM

Originally posted by xxcorrosionxx View Post

Register-exec.php

PHP Code:


<?php

        

 //Function to sanitize values received from the form. Prevents SQL injection

    function clean($str) {

        $str = @trim($str);

        if(get_magic_quotes_gpc()) {

            $str = stripslashes($str);

        }

        return mysql_real_escape_string($str);

    } 

    

    //Sanitize the POST values

    $fname = clean($_POST['fname']);

    $lname = clean($_POST['lname']);

    $SiteID = clean($_POST['SiteID']);

    $Age = clean($_POST['Age']);

    $Url = clean($_POST['Url']);

    $realname = clean($_POST['realname']);

    $exitmessage = clean($_POST['exitmessage']);

    $comments = clean($_POST['comments']);

    $password = clean($_POST['password']);

    $cpassword = clean($_POST['cpassword']);

    $remoteAddress  = $_SERVER["REMOTE_ADDR"];

    $str = trim(strip_tags($str));

Change that to

PHP Code:


//Function to sanitize values received from the form. Prevents SQL injection

    function clean($str) {

        $str = @trim(strip_tags($str));

        if(get_magic_quotes_gpc()) {

            $str = stripslashes($str);

        }

        return mysql_real_escape_string($str);

    } 

    

    //Sanitize the POST values

    $fname = clean($_POST['fname']);

    $lname = clean($_POST['lname']);

    $SiteID = clean($_POST['SiteID']);

    $Age = clean($_POST['Age']);

    $Url = clean($_POST['Url']);

    $realname = clean($_POST['realname']);

    $exitmessage = clean($_POST['exitmessage']);

    $comments = clean($_POST['comments']);

    $password = clean($_POST['password']);

    $cpassword = clean($_POST['cpassword']);

    $remoteAddress  = $_SERVER["REMOTE_ADDR"];

You had placed the strip_tags() in the wrong area

. You were stripping tags from the $str value passed into the function clean(), but doing it outside of the function. The addition amendment above will mean your clean() function will also strip tags

Originally posted by tangoforce View Post

And you thought you were going blind the other day

haha :P

**xxcorrosionxx** · Sep 11, 2011, 03:38 PM

So i make it like this?

PHP Code:


$fname = $str($_POST['fname']);

**BluePanther** · Sep 11, 2011, 04:04 PM

no no no no no.

Remove the line $str = trim(strip_tags($str)); from underneath $RemoteAddress = $_SERVER["REMOTE_ADDR"]; and replace the line $str = @trim($str); with $str = @trim(strip_tags($str)); and that's your solution.

$str() is a weird thing to say, $str is a string inside the clean() function. $str is not a function itself, it's a local variable for the clean() function, and is an argument passed into the clean() function.

Announcement

Strip Html Entities

Strip Html Entities

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment