
Noob can't get eregi to work

Posted: Sun Aug 24, 2008 5:17 pm
by jeaux
Why does the !eregi not work?

<?php
$conn = mysql_connect($dbhost, $dbuser, $dbpass)
    or die('Error connecting to MySQL.');

mysql_select_db($dbname)
    or die('Error selecting database.');

if (isset($_POST["submit"]))
{
    $error = array();
    $message = "";
    $validName = "[a-z]*";
    $validDescription = "[a-z\,\.\']*";
    if (!is_numeric($_POST[MenuCategory]))
    {
        $error[] = 'Whoa nelly';
    }
    if (!eregi($validName, $_POST[name]))
    {
        $error[] = 'Name field is not text only';
    }
    if (!eregi($validDescription, $_POST[description]))
    {
        $error[] = 'Description field has unauthorized characters';
    }
    if (!is_numeric($_POST[price]))
    {
        $error[] = 'Price field is not numeric';
    }
    if (count($error) > 0)
    {
        foreach ($error as $fail)
        {
            echo $fail .'<br>'. "\n";
        }
    }
    if (count($error) == 0)
    {
        $sql="INSERT INTO universitymenu (MenuCategoryID, ItemName, ItemCost, ItemDescription)
        VALUES
        ('$_POST[MenuCategory]','$_POST[name]','$_POST[price]','$_POST[description]')";

        if (!mysql_query($sql,$conn))
        {
            die('Error: ' . mysql_error());
        }
        echo "1 record added";

        mysql_close($conn);
    }
}
?>

Re: Noob can't get eregi to work

Posted: Sun Aug 24, 2008 5:51 pm
by califdon
I'm not experienced with eregi, but I would advise you to do two things, for sure, even if they don't solve your eregi problem:
  1. Use single quotes around the array index in all of your $_POST statements. So they should look like this:

     $_POST['name']

  2. Instead of using the raw $_POST input, convert them all to $variables after applying the mysql_real_escape_string() function to them, like this:

     if(isset($_POST['name'])) $name=mysql_real_escape_string($_POST['name']);

     and then just use $name.
The use of mysql_real_escape_string() is your first line of defense against "SQL injection" by hackers. If you neglect to use it, you run the risk that someone will find your web form and enter in the "name" input box:

' or '%
and retrieve ALL of the records in your database. Or much worse exploits.
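The reply above recommends mysql_real_escape_string(). The following is an added example, not code from the thread: it shows the query string the original script would build from the quoted payload (and from an ordinary description containing an apostrophe), and then inserts the same values with PDO prepared statements, a swapped-in technique that keeps the value out of the SQL text entirely (the mysql_* extension was removed in PHP 7). SQLite in memory stands in for MySQL so the script runs without a server; the table name and columns are taken from the first post, the $post array is constructed input.

```php
<?php
// Added example, not from the thread. PDO + SQLite in memory stand in for
// the MySQL connection; the table layout mirrors the first post's INSERT.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE universitymenu (
    MenuCategoryID INTEGER, ItemName TEXT, ItemCost REAL, ItemDescription TEXT)');

// Constructed input, as if it came from $_POST. 'name' carries the string the
// reply warns about; 'description' is an ordinary value with an apostrophe.
$post = [
    'MenuCategory' => '3',
    'name'         => "' or '%",
    'price'        => '4.50',
    'description'  => "Joe's special, served hot.",
];

// What the original code builds by string interpolation. Shown only as text,
// never executed: both the payload and the innocent apostrophe break the quoting.
$unsafe = "INSERT INTO universitymenu (MenuCategoryID, ItemName, ItemCost, ItemDescription)
VALUES ('{$post['MenuCategory']}','{$post['name']}','{$post['price']}','{$post['description']}')";
echo "Query the original code would run:\n$unsafe\n\n";

// Safe form: placeholders in the statement, values bound separately. The driver
// never splices the values into the SQL, so quote characters cannot change it.
$stmt = $pdo->prepare('INSERT INTO universitymenu (MenuCategoryID, ItemName, ItemCost, ItemDescription)
                       VALUES (:cat, :name, :cost, :desc)');
$stmt->execute([
    ':cat'  => (int) $post['MenuCategory'],
    ':name' => $post['name'],
    ':cost' => (float) $post['price'],
    ':desc' => $post['description'],
]);
echo "1 record added\n";

// Read back: the quote characters were stored literally, not interpreted as SQL.
$row = $pdo->query('SELECT ItemName, ItemDescription FROM universitymenu')
           ->fetch(PDO::FETCH_ASSOC);
var_dump($row['ItemName'] === "' or '%");                       // bool(true)
var_dump($row['ItemDescription'] === "Joe's special, served hot."); // bool(true)
```

Run it with `php example.php`. Casting the category and price before binding them mirrors the is_numeric() checks in the first post; escaping or binding handles the quoting problem, while the validation still has to enforce what the field is allowed to contain.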

Re: Noob can't get eregi to work

Posted: Sun Aug 24, 2008 6:24 pm
by jeaux
Many thanks. As I said I'm a noob and that's the type of advice I'm looking for. The management portion of the site is closed to most people but it would be nice to prepare for the 13-year-old attack.

Re: Noob can't get eregi to work

Posted: Mon Aug 25, 2008 6:22 am
by GeertDD
Sidenote: I would advise you not to use the ereg functions, but instead switch to the preg functions. PCRE is generally considered more powerful and faster.

http://php.net/pcre

Re: Noob can't get eregi to work

Posted: Mon Aug 25, 2008 7:30 pm
by jeaux
So my brain has stopped working. All I really wanted to do here is make sure that nothing that could delete the table could be included or whatever exploits are out there for scumbags to use. Am I wasting my time with pattern matching? If I just include the mysql_real_escape_string does that accomplish the task? Is there a similar function like is_numeric for is alphanumeric with periods, commas, and quotations? I know these may seem like dumb questions but I'm just not getting it.

Many thanks for your time.
Joe
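An added example, not code from the thread, that takes up GeertDD's suggestion to use the preg functions and answers the question above about an is_numeric-style check for letters plus periods, commas and quotation marks. The pattern from the first post, `[a-z]*`, has no anchors and allows zero characters, so it matches a substring of any input and !eregi never fires; the anchored preg_match() patterns below must match the whole field. The function names isName, isDescription, isPrice and isCategoryId and the sample inputs are my own.

```php
<?php
// Added example, not from the thread. Whole-string validators built on preg_match(),
// alongside the original unanchored pattern to show why it accepts everything.

// The pattern the first post used: no ^ or $ anchors, and * permits zero characters.
$looseName = '[a-z]*';

// Letters only, at least one, whole string; /i gives eregi's case-insensitivity.
function isName(string $s): bool {
    return preg_match('/^[a-z]+$/i', $s) === 1;
}

// Letters, digits, spaces, periods, commas, apostrophes and double quotes.
function isDescription(string $s): bool {
    return preg_match('/^[a-z0-9 .,\'"]+$/i', $s) === 1;
}

// Digits with an optional two-decimal fraction; narrower than is_numeric(),
// which also accepts exponent forms such as "1e3".
function isPrice(string $s): bool {
    return preg_match('/^\d+(\.\d{1,2})?$/', $s) === 1;
}

// A category id is a plain positive integer.
function isCategoryId(string $s): bool {
    return preg_match('/^[1-9]\d*$/', $s) === 1;
}

// Constructed sample inputs for the name field and the verdict a correct
// validator should give. The last two slip past the original unanchored pattern.
$samples = [
    'Joe'           => true,
    'Cheese burger' => false,   // space is not in [a-z]
    ''              => false,   // empty field
    "' or '%"       => false,   // [a-z]* matches zero characters at the start
];

foreach ($samples as $input => $expected) {
    $loose  = preg_match('/' . $looseName . '/i', $input) === 1; // same test the eregi call made
    $strict = isName($input);
    printf("%-16s loose=%-4s strict=%-4s expected=%s\n", var_export($input, true),
        $loose ? 'pass' : 'fail', $strict ? 'pass' : 'fail', $expected ? 'pass' : 'fail');
}

// The other fields, with one accepted and one rejected value each.
var_dump(isDescription("Joe's special, served hot."));  // bool(true)
var_dump(isDescription("<b>bold</b>"));                  // bool(false)
var_dump(isPrice('4.50'), isPrice('1e3'));               // bool(true) bool(false)
var_dump(isCategoryId('3'), isCategoryId('03'));         // bool(true) bool(false)
```

The loose column prints "pass" for every sample, which is the behaviour the first post asked about; the strict column rejects the empty string, the space and the quoted payload. Validation like this decides what a field may contain, and the quoting of whatever gets through is a separate step (escaping or a prepared statement), so both are still needed.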

Re: Noob can't get eregi to work

Posted: Mon Aug 25, 2008 7:51 pm
by califdon
jeaux wrote: So my brain has stopped working. All I really wanted to do here is make sure that nothing that could delete the table could be included or whatever exploits are out there for scumbags to use. Am I wasting my time with pattern matching? If I just include the mysql_real_escape_string does that accomplish the task? Is there a similar function like is_numeric for is alphanumeric with periods, commas, and quotations? I know these may seem like dumb questions but I'm just not getting it.

Many thanks for your time.
Joe
Sorry, I didn't really focus on what you were trying to do. The subject of SQL injection, and security in general, is a broad one, and I'm not competent to offer authoritative advice, but there is an entire Security forum here that you might want to check. At my level of security knowledge, it's my understanding that mysql_real_escape_string() is a major step that defeats the simple exploits, also handles apostrophes in text, etc. I'm sure that, by itself, it's not a cure-all for security.

Re: Noob can't get eregi to work

Posted: Mon Aug 25, 2008 8:57 pm
by jeaux
Thank you califdon for the quick response and advice. I will refocus my searches and inquiries to the appropriate forum.