12-21-2007, 04:07 PM
|
#19 (permalink)
|
|
The Wanderer
Join Date: Dec 2007
Posts: 14
Thanks: 0
|
Quote:
Originally Posted by Aaron
How would I use that code, though?
if($username == $strPattern. . .)
?
Oh, and wouldn't logging the IP be a good idea as well?
How would I do that? (I am going to look... but I haven't really found that many quality security tutorials. They are mostly preventing SQL injections and sessions, which I don't intend to get into just yet.
Update: Why doesn't this work properly? It should only allow names that contain alphabetical characters and spaces... It accepts anything.
Code:
if(!eregi("a-z[.a-z]$", $name)){}
else{
$error.="Please, go back and fill out your name. This is your actual name that we will need, not your username.<br>\n";
}
|
Your pattern needs to have forward slashes before and after the pattern. Try this instead
PHP Code:
if (!preg_match('/^[A-Za-z ]+$/', $name)) {
$error.="Please, go back and fill out your name. This is your actual name that we will need, not your username.<br>\n";
}
You can log IPs, but it is trivial to spoof an IP or to use a proxy. So it depends on WHY you are thinking of logging IPs. To access the IP address of the client use
PHP Code:
$_SERVER[’REMOTE_ADDR’];
Security tutorials. Try this site : http://www.orkspace.net/secdocs/
Over 200 papers on Security and Hacking. Some of it is a little out-dated, but it's still excellent material.
As for the XSS'ing on your site, the script is accepting pretty much anything you give it, and then is echo'ing back that data without encoding it. so all I had to do was put
Quote:
|
<script>alert(/xssed/);</script>abx
|
in the domain= part of the URL. A good read on XSS is the XSS FAQ maintained by cgisecurity.com : http://www.cgisecurity.com/articles/xss-faq.shtml |
|
|
|