Security Validation Question


#1

Good evening
I have worked on the following code to validate my forms and secure my SQL database.
However, when entering the city, location or artist name, I thought I had the validation code set to not accept anything but a-zA-Z.
As it is, I can type in anything such as in the city code "New York()&^%$/ and it will go straight into the database. This indicates to me that my PHP form is not secure to injection or hacking at all. Can someone give me suggestions as to where I have gone wrong?

[code]
<?
if (!isset($submit)) {
    $errors = array(
        $artist = preg_match('/^([a-zA-Z]){3,30}\s\b i $/', $_POST['artist'])
            ? $errors[] = 'Error: invalid entry artist'
            : mysql_escape_string(trim($_POST['artist'])),
        $where = preg_match('/^([a-zA-Z]){3,25}\s\b i $/', $_POST['where'])
            ? $errors[] = 'Error: invalid entry where'
            : mysql_escape_string(trim($_POST['where'])),
        $city = preg_match('/^([a-zA-Z]){3,25}\s i$/', $_POST['city'])
            ? $errors[] = 'Error: invalid entry city'
            : mysql_escape_string(trim($_POST['city'])),
        $length = preg_match('/^\W{1}([0-9]){2,4}$/', $_POST['length'])
            ? $errors[] = 'Error: invalid entry length'
            : mysql_escape_string(trim($_POST['length'])),
        $url = preg_match('#\b(https?|ftp)://([-A-Z0-9.]+)(/[-A-Z0-9+&@#/%=~_|!:,.;]*)?(\?[-A-Z0-9+&@#/%=~_|!:,.;]*)?#', $_POST['url'])
            ? $errors[] = 'Error: invalid entry url'
            : mysql_escape_string(trim($_POST['url'])),
        $desc = preg_match('/^\s([a-zA-Z]){3,200}\s i$/', $_POST['desc'])
            ? $errors[] = 'Error: invalid entry desc'
            : mysql_escape_string(trim($_POST['desc'])),
        $date = preg_match('/^(\d{1,2})-(\d{1,2})-(\d{4})/', $_POST['date'])
            ? $errors[] = 'Error: Invalid Entry date'
            : mysql_escape_string(trim($_POST['date'])),
    );
    if (sizeof($errors) > 0) {
        echo "<ul>";
        foreach ($errors as $e) {
            echo "<li>$e</li>";
        }
        die();
        echo "</ul>";
    }
}
$dbh = mysql_connect("localhost", [/code]

From here it just goes through the database insert command. The script works as far as getting data into the database; it's just that I can put the wrong stuff in. Thanks

#2

If you want to exclude any characters other than a-zA-Z, you're taking a wrong approach by checking for those. Instead, check for any characters that are NOT those:

[php]
if (preg_match("/[^a-zA-Z]/i", $_POST['variable'])) {
    // Your error here
}[/php]

I didn’t bother looking at your code, as it throws me for a loop ^_^;;
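An added example, not code from any poster or from the book in question, that applies the negated-class check from this reply to the first post's artist, where and city fields, fills the error list only when a check fails, and does the insert with a PDO prepared statement instead of mysql_escape_string; the length limits, DSN, credentials, table and column names are assumptions.

```php
<?php
// Added example (not from the thread): whitelist check per field. The field is
// rejected if any character outside a-zA-Z appears (negated class, as in the
// reply above) or if its length is outside the allowed range.
function validateAlpha(string $value, int $min, int $max): ?string
{
    $value = trim($value);
    if (preg_match('/[^a-zA-Z]/', $value)) {
        return 'contains characters other than a-zA-Z';
    }
    $len = strlen($value);
    if ($len < $min || $len > $max) {
        return "length must be between $min and $max";
    }
    return null; // null means the value passed
}

// Length limits for three of the fields in the first post (assumed values).
$rules = [
    'artist' => [3, 30],
    'where'  => [3, 25],
    'city'   => [3, 25],
];
$errors = [];
$clean  = [];
foreach ($rules as $field => [$min, $max]) {
    $raw = $_POST[$field] ?? '';
    $err = validateAlpha($raw, $min, $max);
    if ($err !== null) {
        $errors[] = "Error: invalid entry $field ($err)"; // appended only on failure
    } else {
        $clean[$field] = trim($raw);
    }
}
if ($errors) {
    echo '<ul>';
    foreach ($errors as $e) {
        echo '<li>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</li>';
    }
    echo '</ul>';
    exit;
}

// Insert with a prepared statement: values travel separately from the SQL text,
// so no escaping is needed. DSN, credentials, table and column names are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$stmt = $pdo->prepare('INSERT INTO gigs (artist, location, city) VALUES (?, ?, ?)');
$stmt->execute([$clean['artist'], $clean['where'], $clean['city']]);
```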


#3

Thanks for your honesty :lol:

The codes came right out of the books I bought to learn PHP. Maybe I copied them wrong.

I will give your method a shot. Much appreciated.


#4

If it's a 1-on-1 copy from a book that's supposed to teach PHP, then toss the book out of the window. The way it builds the $errors array is definitely not the way it's supposed to be done. It unnecessarily toughens things up if you ask me.