Validation



jeaux
08-23-2008, 02:34 PM
Why does the !eregi not work?

<?php
$conn = mysql_connect($dbhost, $dbuser, $dbpass)
    or die('Error connecting to MySQL.');

mysql_select_db($dbname)
    or die('Error selecting database.');

if (isset($_POST['submit']))
{
    $error = array();
    $message = "";
    // Neither pattern is anchored and * accepts an empty match, so eregi()
    // finds a match somewhere in any input and these two checks never fail.
    $validName = "[a-z]*";
    $validDescription = "[a-z\,\.\']*";
    // Array keys are quoted: a bare $_POST[name] relies on an undefined constant.
    if (!is_numeric($_POST['MenuCategory']))
    {
        $error[] = 'Whoa nelly';
    }
    if (!eregi($validName, $_POST['name']))
    {
        $error[] = 'Name field is not text only';
    }
    if (!eregi($validDescription, $_POST['description']))
    {
        $error[] = 'Description field has unauthorized characters';
    }
    if (!is_numeric($_POST['price']))
    {
        $error[] = 'Price field is not numeric';
    }
    if (count($error) > 0)
    {
        foreach ($error as $fail)
        {
            echo $fail .'<br>'. "\n";
        }
    }
    if (count($error) == 0)
    {
        // The POST values are interpolated straight into the SQL text here.
        $sql="INSERT INTO universitymenu (MenuCategoryID, ItemName, ItemCost, ItemDescription)
        VALUES
        ('$_POST[MenuCategory]','$_POST[name]','$_POST[price]','$_POST[description]')";

        if (!mysql_query($sql,$conn))
        {
            die('Error: ' . mysql_error());
        }
        echo "1 record added";

        mysql_close($conn);
    }
}
?>

I've been using this post to help me piece this together:
http://www.dynamicdrive.com/forums/showthread.php?t=9972
The two is_numeric checks work fine.

Here's the form:


<?php

$conn = mysql_connect($dbhost, $dbuser, $dbpass)
or die('Error connecting to MySQL.');

mysql_select_db($dbname)
or die('Error selecting database.');
$result=mysql_query('SELECT * FROM universitymenucategory');
?>

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Add menu item</title>
</head>
<body>
<form action="ManagerSection/PHP_Scripts/AddMenuItem.php" method="post">
<fieldset>
<legend>Add menu item</legend>
<ol>
<li><label for="form-name">Item name:</label> <input type="text" name="name" id="form-name"></li>
<li><label for="form-price">Price: $</label><input type="text" name="price" id="form-price"></li>
<li><label for="form-description">Description:</label><textarea name="description" id="form-description" rows="4" cols="60" maxlength="300">(300 characters max)</textarea></li>
<li><label for="form-Category">To which category does this menu item belong?</label><br />
<select name="MenuCategory" id="form-Category">
<?php
while ($row = mysql_fetch_array($result)) {
?>
<option value="
<?php
echo $row['MenuCategoryID']
?>
">
<?php
echo $row['MenuCategoryName'];
?>
</option>
<?php
}
?>
</select></li>
</ol>
<input type="submit" name="submit" value="Add item">
</fieldset>
</form>
</body>
</html>

OK now I've become aware of mysql_real_escape_string(). How do I incorporate this into the stream?
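An added example, not code from the original post, showing the two fixes a reviewer would make to the script above. First, the patterns need anchoring: `[a-z]*` matches the empty string at the start of any input, so `eregi()` always reports a match and `!eregi(...)` never fires. Second, the values should reach the database separately from the SQL text instead of being interpolated into the INSERT. Table and column names come from the post; the function names, the `mysqli` connection and the sample input are assumptions. Because `eregi()` and the `mysql_*` functions were removed in PHP 7, the validation uses `preg_match()` and the INSERT uses a `mysqli` prepared statement; a wrapper around `mysql_real_escape_string()` is included for the PHP 5 API the post actually uses.

```php
<?php
// Added example, not from the thread. Table/column names are the ones in the
// post; function names and the sample input below are assumptions.

function validate_menu_item(array $post): array
{
    $errors = [];

    // ^ and $ anchor the pattern to the whole value and + requires at least
    // one character; the post's "[a-z]*" matched the empty string in any input.
    if (!isset($post['name']) || !preg_match('/^[a-z ]+$/i', $post['name'])) {
        $errors[] = 'Name field is not text only';
    }
    // Same character set the post allowed (letters, comma, full stop, quote),
    // plus space, capped at the form's 300-character limit.
    if (!isset($post['description']) || !preg_match('/^[a-z ,.\']{0,300}$/i', $post['description'])) {
        $errors[] = 'Description field has unauthorized characters';
    }
    // ctype_digit() rejects values such as "1e3", "-5" or " 3" that is_numeric() accepts.
    if (!isset($post['MenuCategory']) || !ctype_digit($post['MenuCategory'])) {
        $errors[] = 'Whoa nelly';
    }
    // Price: digits with an optional two-place decimal part, no sign or exponent.
    if (!isset($post['price']) || !preg_match('/^\d{1,6}(\.\d{1,2})?$/', $post['price'])) {
        $errors[] = 'Price field is not numeric';
    }
    return $errors;
}

// PHP 7+: the values are bound to placeholders, so they are never part of the
// SQL text and a quote in the description cannot alter the statement.
function insert_menu_item(mysqli $db, array $post): bool
{
    $stmt = $db->prepare(
        'INSERT INTO universitymenu (MenuCategoryID, ItemName, ItemCost, ItemDescription)
         VALUES (?, ?, ?, ?)'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $category    = (int) $post['MenuCategory'];
    $name        = $post['name'];
    $price       = (float) $post['price'];
    $description = $post['description'];
    $stmt->bind_param('isds', $category, $name, $price, $description);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// PHP 5 only, for the mysql_* API used in the post: escape every string value
// with the open connection and keep the quotes around it in the SQL. Escaping
// does nothing for an unquoted value, so the numeric columns are cast here and
// still depend on validate_menu_item() having run first.
function legacy_insert_sql($conn, array $post): string
{
    $name  = mysql_real_escape_string($post['name'], $conn);
    $desc  = mysql_real_escape_string($post['description'], $conn);
    $cat   = (int) $post['MenuCategory'];
    $price = (float) $post['price'];
    return "INSERT INTO universitymenu (MenuCategoryID, ItemName, ItemCost, ItemDescription)
            VALUES ($cat, '$name', $price, '$desc')";
}

// Constructed sample input (not from the thread): one clean record and one
// carrying a quote-and-comment fragment in the name, an exponent in the price
// and an OR clause in the category.
$good = ['MenuCategory' => '3', 'name' => 'Veggie Burger', 'price' => '6.50',
         'description' => "tomato, lettuce, 'house' sauce"];
$bad  = ['MenuCategory' => '3 OR 1=1', 'name' => "x', 'y', 'z'); -- ",
         'price' => '1e3', 'description' => 'fries; --'];

print_r(validate_menu_item($good));
print_r(validate_menu_item($bad));
```

The first sample passes all four checks; the second fails all four, and note that the original `is_numeric()` test would have let the `1e3` price through. Once validation passes, call `insert_menu_item($db, $_POST)` with an open `mysqli` connection, or on a PHP 5 host run `mysql_query(legacy_insert_sql($conn, $_POST), $conn)`. Validation and escaping are separate layers: the character whitelist limits what the application accepts, and the bound parameters (or escaping) make sure whatever is accepted cannot change the query.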

jeaux
08-26-2008, 08:55 PM
I was directed to this article about SQL injection and was so impressed with its content I thought I should share it here.

http://www.webappsec.org/projects/articles/091007.shtml