[B]I use this script and I want to add an e-mail field; I know how to add the field itself.
But how do I protect this field from SQL injection, given that some players' e-mail addresses contain [ [COLOR=Red]@[/COLOR] | [COLOR=Red]-[/COLOR] |[COLOR=Red] .[/COLOR] |[COLOR=Red] [/COLOR] ] ?
So how can I protect this field from SQL injection (characters such as [ [COLOR=Red]’[/COLOR] | [COLOR=Red]`[/COLOR] | [COLOR=Red]"[/COLOR] | [COLOR=Red]&[/COLOR] | [COLOR=Red]etc[/COLOR]…])
while still allowing [ [COLOR=Red]@[/COLOR] | [COLOR=Red]-[/COLOR] | [COLOR=Red].[/COLOR] | [COLOR=Red][/COLOR] ] to be entered?
[/B][php]<?php
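include 'Password.php';
error_reporting(E_ALL);
ini_set('display_errors', 'on');

$config = array(
    'db_username' => 'sa',
    'db_password' => '*******',
    'db_dsn'      => 'kal_auth',
    'template'    => 'registration.tpl',
    'debug'       => false,
);

// Format applied to every validation message before it reaches the template.
define('UI_ERROR', '%s');

if (strtolower($_SERVER['REQUEST_METHOD']) === 'post') {
    // A missing field becomes '' so it fails validation instead of raising an
    // "undefined index" notice under E_ALL.
    $username = isset($_POST['username']) ? $_POST['username'] : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';
    $email    = isset($_POST['email'])    ? $_POST['email']    : '';
    $error    = array();

    if (!ctype_alnum($username)) {
        $error['username'] = sprintf(UI_ERROR, 'Illigal characters in the username');
    }
    if (!ctype_alnum($password)) {
        $error['password'] = sprintf(UI_ERROR, 'Illigal characters in the password');
    }
    // ctype_alnum() cannot be used for the address: '@', '.', '-' and '_' are all
    // legal in it. Check the shape with PHP's e-mail filter instead. SQL injection
    // is prevented further down by binding the value as a parameter, not by
    // stripping characters out of it.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $error['email'] = sprintf(UI_ERROR, 'Invalid email address');
    }

    if (empty($error)) {
        $conn = odbc_connect($config['db_dsn'], $config['db_username'], $config['db_password']);
        if ($conn === false) {
            if ($config['debug'] === true) {
                echo odbc_errormsg();
                die();
            }
            // Outside debug mode the driver message is never shown to the user.
            $error['username'] = sprintf(UI_ERROR, 'Registration is temporarily unavailable');
        } else {
            // User values are handed to odbc_execute() as parameters instead of
            // being spliced into the SQL text, so quotes in the input reach the
            // server as data. The validation above must stay in front of this
            // call: odbc_execute() treats a parameter that both starts and ends
            // with a single quote as a file name to read and send, which the
            // alnum and e-mail checks already rule out.
            $check = odbc_prepare(
                $conn,
                'SELECT [ID] FROM [Login] WHERE [ID]=? OR [ID]=? OR [ID]=? OR [ID]=?'
            );
            $checked = ($check !== false) && odbc_execute($check, array(
                $username,
                strtolower($username),
                strtoupper($username),
                ucfirst($username),
            ));

            if (!$checked) {
                if ($config['debug'] === true) {
                    echo odbc_errormsg($conn);
                    die();
                }
                // Never insert when the duplicate lookup did not run: catching an
                // existing [ID] is the only reason the query exists.
                $error['username'] = sprintf(UI_ERROR, 'Registration is temporarily unavailable');
            } elseif (odbc_fetch_array($check) !== false) {
                $error['username'] = sprintf(
                    UI_ERROR,
                    'Account allready registered,' . "\n" . 'please choose another name'
                );
            } else {
                $password = Password::encode($password);
                // [PWD] stays interpolated unquoted, exactly as before: Password::encode()
                // lives in Password.php (not shown) and its output is presumably a SQL
                // literal such as a hex/binary value, so binding it as a string could
                // change what is stored — TODO confirm against Password.php. Its input
                // has already passed ctype_alnum(), so it carries no user-supplied
                // quoting. Every other user value is bound.
                //
                // PLACEHOLDER: the original INSERT listed [Info] without a matching
                // value (7 columns, 6 values); set this to whatever the schema expects.
                $info = '';
                $insert = odbc_prepare(
                    $conn,
                    'INSERT INTO [Login] ([ID],[PWD],[Birth],[Type],[ExpTime],[Info],[Email]) '
                    . 'VALUES (?,' . $password . ",'19190101',0,4000,?,?)"
                );
                $inserted = ($insert !== false) && odbc_execute($insert, array($username, $info, $email));
                if (!$inserted && ($config['debug'] === true)) {
                    echo odbc_errormsg($conn);
                    die();
                }
            }
            odbc_close($conn);
        }
    }
}

// display template
include $config['template'];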
?>[/php][COLOR=Black]> If I use this function: [/COLOR]
[php]
// ctype_alnum() accepts letters and digits only, so every well-formed address
// is rejected here: '@', '.', '-' and '_' all fail the test. This check is the
// wrong tool for an e-mail field. Validate the shape with
// filter_var($email, FILTER_VALIDATE_EMAIL) and keep the value out of the SQL
// string by passing it as a bound parameter; character filtering on its own
// does not prevent injection.
if(!ctype_alnum($email)) {
$error[‘email’] = sprintf(UI_ERROR,‘Illigal characters in the email’);
}[/php][COLOR=SeaGreen]
[COLOR=DarkRed]Characters[/COLOR] : [/COLOR][B][ [COLOR=Red]@[/COLOR] | [COLOR=Red]-[/COLOR] | [COLOR=Red].[/COLOR] | [COLOR=Red]_[/COLOR] ] [COLOR=DarkRed]are rejected[/COLOR]
and I tried this function in my script, but it doesn't work either
[/B][php]if(!ereg(’[^[email protected]]’, $email) && strstr($email,"@"))
// ereg() was deprecated in PHP 5.3 and removed in 7.0, so on a current PHP this
// line fails with an undefined-function error. The logic is also inverted: a
// "[^...]" class matches any character outside the listed set, so !ereg() is true
// exactly when the address contains only listed characters, and together with
// strstr() the error fires for well-formed addresses and stays silent for
// malformed ones. The character class shown here also looks garbled (the
// "[email protected]" token is not the original text). Character filtering is the
// wrong tool anyway: keep the value out of the SQL string with a bound parameter
// and check its shape with filter_var($email, FILTER_VALIDATE_EMAIL).
{ $error[‘email’] = sprintf(UI_ERROR,‘Illigal characters in the email’);
}
[/php][B][COLOR=SeaGreen] [COLOR=Black]> and I tried this too[/COLOR]
[/COLOR][/B][php]if ((eregi("[^a-zA-Z0-9_-]", $email)) || (eregi("[^a-zA-Z0-9_-]", $email))) {
// Both operands of the || are the same test, and the class [^a-zA-Z0-9_-] allows
// neither '@' nor '.', so every real address is rejected outright. eregi() was
// also removed in PHP 7.0. Matching a blocklist of characters is not how
// injection is stopped: the value belongs in a bound parameter, with
// filter_var($email, FILTER_VALIDATE_EMAIL) as the shape check.
echo(“SQL Injection Detected”);
exit();
}[/php][B][COLOR=SeaGreen]
[/COLOR][/B]