Noob can't get eregi to work

jeaux
Forum Commoner
Posts: 25
Joined: Sun Aug 24, 2008 5:11 pm

Noob can't get eregi to work

Post by jeaux »

Why does the !eregi not work?

```php
<?php
$conn = mysql_connect($dbhost, $dbuser, $dbpass)
    or die('Error connecting to MySQL.');

mysql_select_db($dbname)
    or die('Error selecting database.');

if (isset($_POST["submit"]))
{
    $error = array();
    $message = "";
    $validName = "[a-z]*";
    $validDescription = "[a-z\,\.\']*";
    if (!is_numeric($_POST[MenuCategory]))
    {
        $error[] = 'Whoa nelly';
    }
    if (!eregi($validName, $_POST[name]))
    {
        $error[] = 'Name field is not text only';
    }
    if (!eregi($validDescription, $_POST[description]))
    {
        $error[] = 'Description field has unauthorized characters';
    }
    if (!is_numeric($_POST[price]))
    {
        $error[] = 'Price field is not numeric';
    }
    if (count($error) > 0)
    {
        foreach ($error as $fail)
        {
            echo $fail .'<br>'. "\n";
        }
    }
    if (count($error) == 0)
    {
        $sql="INSERT INTO universitymenu (MenuCategoryID, ItemName, ItemCost, ItemDescription)
        VALUES
        ('$_POST[MenuCategory]','$_POST[name]','$_POST[price]','$_POST[description]')";

        if (!mysql_query($sql,$conn))
        {
            die('Error: ' . mysql_error());
        }
        echo "1 record added";

        mysql_close($conn);
    }
}
?>
```
Last edited by califdon on Sun Aug 24, 2008 5:40 pm, edited 1 time in total.
Reason: Replaced the code=text with code=php tag, for readability.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Noob can't get eregi to work

Post by califdon »

I'm not experienced with eregi, but I would advise you to do two things, for sure, even if they don't solve your eregi problem:

1. Use single quotes around the array index in all of your $_POST statements. So they should look like this:

```php
$_POST['name']
```

2. Instead of using the raw $_POST input, convert them all to $variables after applying the mysql_real_escape_string() function to them, like this:

```php
if(isset($_POST['name'])) $name=mysql_real_escape_string($_POST['name']);
```

and then just use $name.

The use of mysql_real_escape_string() is your first line of defense against "SQL injection" by hackers. If you neglect to use it, you run the risk that someone will find your web form and enter in the "name" input box:

```
' or '%
```

and retrieve ALL of the records in your database. Or much worse exploits.
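Added example (not califdon's code, not from the original post): the same INSERT written with a mysqli prepared statement, which is the approach that replaced mysql_real_escape_string() once the mysql extension was removed in PHP 7. The table and column names are taken from the first post; the connection settings are placeholders and the input array is constructed to stand in for $_POST.

```php
<?php
// Added example: the INSERT from the original post with a mysqli prepared statement.
// Values travel to MySQL separately from the SQL text, so a quote in the "name"
// box cannot change the statement's structure. Connection settings are placeholders;
// the mysql_* functions used in the post were removed in PHP 7, hence mysqli.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // throw on any MySQL error
$conn = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                   'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$conn->set_charset('utf8mb4');   // the driver must know the connection charset

// Constructed input standing in for $_POST; the apostrophe in "name" is harmless here.
$input = [
    'MenuCategory' => '3',
    'name'         => "O'Brien's Stew",
    'price'        => '8.50',
    'description'  => 'Beef, potatoes, carrots.',
];

// Validation still comes first: parameter binding stops injection, it does not
// check that a category is numeric or that a price makes sense.
if (!is_numeric($input['MenuCategory']) || !is_numeric($input['price'])) {
    exit("invalid numeric field\n");
}

// The SQL text contains only "?" placeholders, never user data.
$stmt = $conn->prepare(
    'INSERT INTO universitymenu (MenuCategoryID, ItemName, ItemCost, ItemDescription)
     VALUES (?, ?, ?, ?)'
);
// Type string: i = integer, s = string, d = double; one letter per "?".
$stmt->bind_param(
    'isds',
    $input['MenuCategory'],
    $input['name'],
    $input['price'],
    $input['description']
);
$stmt->execute();
echo $stmt->affected_rows, " record added\n";

$stmt->close();
$conn->close();
```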
jeaux
Forum Commoner
Posts: 25
Joined: Sun Aug 24, 2008 5:11 pm

Re: Noob can't get eregi to work

Post by jeaux »

Many thanks. As I said I'm a noob and that's the type of advice I'm looking for. The management portion of the site is closed to most people but it would be nice to prepare for the 13 year old attack.
GeertDD
Forum Contributor
Posts: 274
Joined: Sun Oct 22, 2006 1:47 am
Location: Belgium

Re: Noob can't get eregi to work

Post by GeertDD »

Sidenote: I would advise you not to use the ereg functions, but instead switch to the preg functions. PCRE is generally considered more powerful and faster.

http://php.net/pcre
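Added example (not GeertDD's code, not from the original post): the validation from the first post rewritten with preg_match(), which also shows why the original `!eregi("[a-z]*", ...)` check never fires. The input array is constructed to stand in for $_POST; ereg/eregi were deprecated in PHP 5.3 and removed in 7.0, so only this PCRE version runs on current PHP.

```php
<?php
// Added example: anchored preg_match() validation in place of eregi().

// The original pattern "[a-z]*" is unanchored and allows zero characters, so it
// finds an empty match in *every* input. PCRE behaves the same way, which is why
// "!eregi(...)" in the original post never reports an error.
var_dump(preg_match('/[a-z]*/i', '123 !!'));   // int(1): a zero-length match counts

// Anchored patterns that require at least one character and nothing else.
// ^ and $ pin the match to the whole value; the D modifier stops $ from
// silently accepting a trailing newline.
const NAME_PATTERN        = '/^[a-z]+$/iD';
const DESCRIPTION_PATTERN = '/^[a-z0-9 ,.\']+$/iD';   // letters, digits, space , . '

/**
 * True only when the whole value consists of characters the pattern allows.
 * This is the "is_alphanumeric with periods, commas and quotes" check from the thread.
 */
function fieldIsValid(string $value, string $pattern): bool
{
    return preg_match($pattern, $value) === 1;
}

// Same flow as the original post, with constructed input instead of $_POST
// so the script runs from the command line.
$input = [
    'MenuCategory' => '3',
    'name'         => 'Pizza',
    'price'        => '8.50',
    'description'  => "Tom's special, w/ olives",   // "/" is not in the allow-list
];

$error = [];
if (!is_numeric($input['MenuCategory']))                       $error[] = 'MenuCategory is not numeric';
if (!fieldIsValid($input['name'], NAME_PATTERN))               $error[] = 'Name field is not text only';
if (!fieldIsValid($input['description'], DESCRIPTION_PATTERN)) $error[] = 'Description field has unauthorized characters';
if (!is_numeric($input['price']))                              $error[] = 'Price field is not numeric';

foreach ($error as $fail) {
    echo $fail, "\n";
}
// Prints: Description field has unauthorized characters
```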
jeaux
Forum Commoner
Posts: 25
Joined: Sun Aug 24, 2008 5:11 pm

Re: Noob can't get eregi to work

Post by jeaux »

So my brain has stopped working. All I really wanted to do here is make sure that nothing that could delete the table could be included, or whatever exploits are out there for scumbags to use. Am I wasting my time with pattern matching? If I just include the mysql_real_escape_string, does that accomplish the task? Is there a similar function to is_numeric for "is alphanumeric with periods, commas, and quotations"? I know these may seem like dumb questions but I'm just not getting it.

Many thanks for your time.
Joe
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Noob can't get eregi to work

Post by califdon »

jeaux wrote:So my brain has stopped working. All I really wanted to do here is make sure that nothing that could delete the table could be included, or whatever exploits are out there for scumbags to use. Am I wasting my time with pattern matching? If I just include the mysql_real_escape_string, does that accomplish the task? Is there a similar function to is_numeric for "is alphanumeric with periods, commas, and quotations"? I know these may seem like dumb questions but I'm just not getting it.

Many thanks for your time.
Joe

Sorry, I didn't really focus on what you were trying to do. The subject of SQL injection, and security in general, is a broad one, and I'm not competent to offer authoritative advice, but there is an entire Security forum here that you might want to check. At my level of security knowledge, it's my understanding that mysql_real_escape_string() is a major step that defeats the simple exploits, also handles apostrophes in text, etc. I'm sure that, by itself, it's not a cure-all for security.
jeaux
Forum Commoner
Posts: 25
Joined: Sun Aug 24, 2008 5:11 pm

Re: Noob can't get eregi to work

Post by jeaux »

Thank you califdon for the quick response and advice. I will refocus my searches and inquiries to the appropriate forum.