12-20-2007, 12:46 AM
#1
The Frequenter
Join Date: Dec 2007
Location: In my basement
Posts: 386
Thanks: 47
How would I use Email and password validation?
Okay, so I have this contact form, and I have most of it coded, but I can't quite get the code to validate the email address...
I tried
Code:
if($email == eregi(this was some complicated email validation code that I tried,$email)){}
else
{
$error.="Please, go back and fill out your Email correctly.<br>\n";
}
and it didn't work too well...
The entire code would be really really really annoying to post... It has some possibly-sensitive stuff.
Anyway, the page at work is http://aetherdesigns.com/hosting/standard.php
I really need to get this code to look good O.o
12-20-2007, 01:54 AM
#2
The Acquainted
Join Date: Sep 2007
Location: Arizona
Posts: 114
Thanks: 10
You don't need the $email ==. All you need is the eregi() function, as if that pattern matches the string in the second argument, then it will return true, giving you a successful match, therefore a valid email.
Also I would suggest using something like the following, rather than what you are using:
PHP Code:
// eregi() takes a bare POSIX pattern (no / delimiters) and matches case-insensitively;
// "pattern" is a placeholder for the real email pattern
if (!eregi("pattern", $email)) {
    // Tell user they had an invalid email
}
The Following User Says Thank You to Andrew For This Useful Post:
12-20-2007, 01:59 AM
#3
The Frequenter
Join Date: Dec 2007
Location: In my basement
Posts: 386
Thanks: 47
Thanks a lot for that!
Now I need to implement some password protection, encryption, and a whole bunch of hack-safe stuff, and I need help with that. Basically... Something you would expect from a form carrying sensitive information.
Captcha wouldn't be a bad idea either. Could you help me with that?
edit: I am trying to learn, as well, so please describe more than the methods. I searched google for password validation and came up with nothing but ereg and the like.
12-20-2007, 02:23 AM
#4
The Acquainted
Join Date: Sep 2007
Location: Arizona
Posts: 114
Thanks: 10
I've never used Captcha, but I know there is a useful tutorial on Sitepoint regarding them and PHP.
As for password validation, what kind of validation did you have in mind? If they match the database? This is what I generally do:
1. MD5 password.
2. Query database for all info for the given username.
3. Check passwords using an IF statement (so there are no SQL injections).
4. Login user.
12-20-2007, 03:04 AM
#5
The Frequenter
Join Date: Dec 2007
Location: In my basement
Posts: 386
Thanks: 47
Well, first I don't know anything about SQL, so don't go into databases O.o
Second of all, it is just a... well I don't have a log in, it is just a sign up thing.
So how would I implement these things so the signup can't be messed with and such?
12-20-2007, 04:36 AM
#6
The Acquainted
Join Date: Sep 2007
Location: Arizona
Posts: 114
Thanks: 10
Well, with contact forms (forgot that was what you were coding), very little security is necessary as long as everything isn't output in HTML. For example, the other day, I had someone attempt an XSS attack using <script> tags in my plaintext email, so of course nothing happened. However, to validate a domain as well, I'd use this regex (assuming I did it right):
PHP Code:
// $domain is assumed to hold the submitted domain name. The pattern allows an optional
// http:// and www. prefix, then a label of letters, digits or hyphens, a dot, and a 2-4 letter TLD.
preg_match('/^(http:\/\/)?(www\.)?[A-Za-z0-9-]+\.[A-Za-z]{2,4}$/', $domain)
However, I'd strongly suggest having someone skilled with regex to check that before you implement it (or you can test it), since I'm not too experienced myself.
If you would LIKE to encrypt the password that they give you, just use md5().
12-20-2007, 10:49 AM
#7
The Frequenter
Join Date: Dec 2007
Location: In my basement
Posts: 386
Thanks: 47
This really isn't a contact form, it is a signup form for my hosting service, so if anyone gets a hold on the information I could be in some deep trouble... Also, I was asking for someone skilled to help me out so I don't get screwed >.>
what is XSS? cross site scripting does what? :/
12-20-2007, 12:27 PM
#8
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 2,280
Thanks: 90
XSS isn't really an issue if you're getting the stuff sent directly to your email address. XSS is prevalent on such forms as comment forms - you should always strip the HTML tags beforehand. Which information are you worried they may get a hold of? If it's your e-mail address then so as long as it's hard-coded into the PHP file, then you shouldn't have any issues unless the entire website is wide-open to attacks. XSS is often masked using images, as a call to download an image is identical to that of a call to download a website HTML page, and so you see the potential security implications with that.
If you let us know further about what you're trying to stop people from doing, then we'll be able to assist even more!
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
12-20-2007, 12:55 PM
#9
The Frequenter
Join Date: Dec 2007
Location: In my basement
Posts: 386
Thanks: 47
I'm trying to stop people from spamming the account, from hacking anything, or from getting the passwords that I am sent with the form.
12-20-2007, 03:43 PM
#10
The Frequenter
Join Date: Nov 2007
Location: Netherlands
Posts: 460
Thanks: 49
The most simple thing to do in your case is follow a tutorial from tutorialized.com and finish it up from there. 
__________________
"Life is a bitch, take that bitch on a ride"
12-20-2007, 04:30 PM
#11
The Reckoner
Join Date: Sep 2007
Posts: 437
Thanks: 22
You've already got your solution, but I thought I'd mention the nice filter_* methods that you can use to achieve email validation, everyone always seems to overlook it:
PHP Code:
if (!filter_var('karl@talkphp.com', FILTER_VALIDATE_EMAIL)) { echo "Email is invalid!"; }
That's all there is to it, you can even sanitize your data with the same function.
__________________
Any fool can write code that a computer can understand. Good programmers write code that humans can understand.
The Following 2 Users Say Thank You to Karl For This Useful Post:
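As an added example (not Karl's code), the validate and sanitize filters side by side on three constructed inputs; it shows why the address should be checked as typed rather than sanitized first:

```php
<?php
// Added example, not code from the thread. FILTER_VALIDATE_EMAIL returns the address or
// false; FILTER_SANITIZE_EMAIL only strips characters that cannot appear in an address.

// Constructed sample inputs: a well-formed address, plain text, and an address with
// characters (space, parentheses) that the sanitize filter silently removes.
$samples = array(
    'karl@talkphp.com',
    'not an email',
    'ka rl@talk(php).com',
);

function checkEmail($input)
{
    $sanitized = filter_var($input, FILTER_SANITIZE_EMAIL);
    return array(
        'input'                => $input,
        'valid_as_typed'       => filter_var($input, FILTER_VALIDATE_EMAIL) !== false,
        'sanitized'            => $sanitized,
        'valid_after_sanitize' => filter_var($sanitized, FILTER_VALIDATE_EMAIL) !== false,
    );
}

// The third input fails validation as typed but passes after sanitizing, because stripping
// turned it into a different address: reject on the as-typed check, do not "repair" input.
foreach ($samples as $s) {
    $r = checkEmail($s);
    printf("%-22s as_typed=%-5s sanitized=%-18s after_sanitize=%s\n",
        $r['input'],
        $r['valid_as_typed'] ? 'true' : 'false',
        $r['sanitized'],
        $r['valid_after_sanitize'] ? 'true' : 'false');
}
```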
12-20-2007, 09:52 PM
#12
The Frequenter
Join Date: Dec 2007
Location: In my basement
Posts: 386
Thanks: 47
I'm sorry, sanitize?
12-20-2007, 10:02 PM
#13
La Vida es Sueño
Join Date: Sep 2007
Location: Oldham
Posts: 2,280
Thanks: 90
Making it safe to echo or store.
__________________
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
12-20-2007, 10:08 PM
#14
The Frequenter
Join Date: Dec 2007
Location: In my basement
Posts: 386
Thanks: 47
How? Right now I am reading the cryptography salt thing that you made by the way... Good stuff!
12-20-2007, 10:16 PM
#15
The Wanderer
Join Date: Dec 2007
Posts: 14
Thanks: 0
Quote:
Originally Posted by Aaron
I'm sorry, sanitize?
Sanitation is the process of removing characters/data from the user-supplied data that you do not want. It can also be known as filtering. However, the problem with either is that someone will always be able to evade your filters.
The best thing to do is validate your data (as others here have already mentioned). For example, for your input element package, you should check the user-supplied data for that element and make sure it is one of the two values you are expecting: Standard Monthly, Standard Yearly. If it isn't, then drop the data for that element.
PHP Code:
$aryPackage = array('Standard Monthly','Standard Yearly');
// isset() avoids an undefined-index notice when the field is missing; the third
// argument makes in_array() compare strictly
if(!isset($_POST['package']) || !in_array($_POST['package'],$aryPackage,true)){
    //drop the value and/or display an error to the user
    $_POST['package'] = '';
} else {
//continue on your way
}
You should follow a similar pattern for all the other incoming values as well. A person's name should be alpha characters, spaces, a hyphen, an apostrophe and MAYBE a digit. If the data contains anything beyond that, drop. Essentially, expect that the information the user is giving you is dangerous/tainted and cannot be trusted. Paranoia, to a point, is a good thing when you are a programmer.
By the way, your site is currently vulnerable to XSS'ing through your domain check
http://aetherdesigns.com/hosting/who...m&option=whois
The Following User Says Thank You to gilzow For This Useful Post:
12-20-2007, 10:23 PM
#16
The Frequenter
Join Date: Dec 2007
Location: In my basement
Posts: 386
Thanks: 47
Okay, I think I might have had this answered several times... But... How exactly would I compare that stuff? The ereg/eregi function is really confusing O.o.
So sanitize everything with eregi? so like...
Code:
if(!eregi(A-Z0-9,$name)) {
echo "Usernames can only be alphanumeric, please correct this.";
}
Also, the domain checker was mostly tutorial code. How exactly did you do that?
12-20-2007, 10:33 PM
#17
The Wanderer
Join Date: Dec 2007
Posts: 14
Thanks: 0
Quote:
Originally Posted by Aaron
Okay, I think I might have had this answered several times... But... How exactly would I compare that stuff? The ereg/eregi function is really confusing O.o.
So sanitize everything with eregi? so like...
Code:
if(!eregi(A-Z0-9,$name)) {
echo "Usernames can only be alphanumeric, please correct this.";
}
Also, the domain checker was mostly tutorial code. How exactly did you do that?
Regex patterns take a while to get used to, but are EXTREMELY valuable. Do a search for 'regex tutorial' and do some research on them. And I highly recommend Regex Buddy.
The pattern I typically use for a person's last name is
PHP Code:
$strPattern = '/^[A-Z0-9\'\-]+$/i';
which allows for alpha characters A-Z, numbers 0-9, a hyphen, and an apostrophe and is case-insensitive. This doesn't check for length, just that what I'm checking matches the pattern I've defined.
I've gotta run right now. I'll come back tomorrow to explain the XSS stuff.
12-20-2007, 10:44 PM
#18
The Frequenter
Join Date: Dec 2007
Location: In my basement
Posts: 386
Thanks: 47
How would I use that code, though?
if($username == $strPattern. . .)
?
Oh, and wouldn't logging the IP be a good idea as well?
How would I do that? (I am going to look... but I haven't really found that many quality security tutorials. They are mostly preventing SQL injections and sessions, which I don't intend to get into just yet.)
Update: Why doesn't this work properly? It should only allow names that contain alphabetical characters and spaces... It accepts anything.
Code:
if(!eregi("a-z[.a-z]$", $name)){}
else{
$error.="Please, go back and fill out your name. This is your actual name that we will need, not your username.<br>\n";
}
Last edited by Aaron : 12-21-2007 at 03:12 AM.
12-21-2007, 04:07 PM
#19
The Wanderer
Join Date: Dec 2007
Posts: 14
Thanks: 0
Quote:
Originally Posted by Aaron
How would I use that code, though?
if($username == $strPattern. . .)
?
Oh, and wouldn't logging the IP be a good idea as well?
How would I do that? (I am going to look... but I haven't really found that many quality security tutorials. They are mostly preventing SQL injections and sessions, which I don't intend to get into just yet.)
Update: Why doesn't this work properly? It should only allow names that contain alphabetical characters and spaces... It accepts anything.
Code:
if(!eregi("a-z[.a-z]$", $name)){}
else{
$error.="Please, go back and fill out your name. This is your actual name that we will need, not your username.<br>\n";
}
Your pattern needs to have forward slashes before and after the pattern. Try this instead
PHP Code:
if (!preg_match('/^[A-Za-z ]+$/', $name)) {
    $error.="Please, go back and fill out your name. This is your actual name that we will need, not your username.<br>\n";
}
You can log IPs, but it is trivial to spoof an IP or to use a proxy. So it depends on WHY you are thinking of logging IPs. To access the IP address of the client use
PHP Code:
$_SERVER['REMOTE_ADDR'];
Security tutorials. Try this site : http://www.orkspace.net/secdocs/
Over 200 papers on Security and Hacking. Some of it is a little outdated, but it's still excellent material.
As for the XSS'ing on your site, the script is accepting pretty much anything you give it, and then is echoing back that data without encoding it. So all I had to do was put
Quote:
<script>alert(/xssed/);</script>abx
in the domain= part of the URL. A good read on XSS is the XSS FAQ maintained by cgisecurity.com : http://www.cgisecurity.com/articles/xss-faq.shtml
The Following User Says Thank You to gilzow For This Useful Post:
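Putting together gilzow's allowlist check (#15), the anchored preg_match() name pattern (#19) and Karl's filter_var() email check (#11), plus the encoded output that closes the domain-check XSS described above, as an added example that is not code from the thread. The function names, the 60-character name limit and the error texts are assumptions; the field names and package names come from the posts.

```php
<?php
// Added example, not code from the thread. Field names and the two package names come
// from the posts above; the length limit and error texts are assumptions.

function validateSignup(array $post)
{
    $errors = array();
    $clean  = array();

    // Enumerated field: accept only an expected value (gilzow's in_array() check).
    $packages = array('Standard Monthly', 'Standard Yearly');
    if (!isset($post['package']) || !in_array($post['package'], $packages, true)) {
        $errors[] = 'Please choose a valid package.';
    } else {
        $clean['package'] = $post['package'];
    }

    // Free-text field: anchored pattern with delimiters (what the eregi() attempts lacked),
    // allowing letters, spaces, hyphens and apostrophes, with a length bound.
    if (!isset($post['name']) || !preg_match('/^[A-Za-z \'\-]{1,60}$/D', $post['name'])) {
        $errors[] = 'Please, go back and fill out your name.';
    } else {
        $clean['name'] = $post['name'];
    }

    // Email: the built-in validator instead of a hand-written regex.
    if (!isset($post['email']) || filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'Please, go back and fill out your Email correctly.';
    } else {
        $clean['email'] = $post['email'];
    }
    return array('errors' => $errors, 'clean' => $clean);
}

// Output side of the domain check: encode before echoing, so a submitted
// <script>alert(/xssed/);</script> is shown as text instead of being run by the browser.
function renderDomainCheck($domain)
{
    $safe = htmlspecialchars($domain, ENT_QUOTES, 'UTF-8');
    return '<p>Checking availability of <b>' . $safe . '</b></p>';
}

// Constructed sample submission (not real data).
$sample = array('package' => 'Standard Monthly', 'name' => "O'Brien-Smith", 'email' => 'user@example.com');
print_r(validateSignup($sample));
echo renderDomainCheck('<script>alert(/xssed/);</script>example.com'), "\n";
```

Only the values in `clean` should reach the email or any later processing; anything in `errors` means the submission is rejected as a whole rather than repaired.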
12-21-2007, 09:11 PM
#20
The Acquainted
Join Date: Sep 2007
Location: Arizona
Posts: 114
Thanks: 10
Also, I would check to see if the values that were entered were empty, or the default value you have using the value attribute.