Tag Archives: Php

Preventing MySQL injection with PHP

March 12, 2009 5:13 pm /

A good practice is to check input strings to make sure users don’t put in mySQL commands in your server. For instance, if a username or password POST variable isn’t filtered, there is a potential for an injection like ‘OR myusername=’. In the past, I’ve been using my own PHP toolkit to “clean” the input variables. But recently, I began searching to see if there are a built-in solution in PHP for this, especially since I’m converting a script written in Python that had the filter MySQLdb.escape_string. Enter mysql_real_escape_string()

1) Step 1: Filter out the backtick character, ` which is often used in mySQL to denote field names

$variable = str_replace("`","",$variable);

2) Step 2: If its a username or password field which does not have a space, you should use ctype_alnum This will determine whether there is a character thats not alphanumeric or numeric. So, spaces will not work.

if (ctype_alnum($variable))
{
//allowed variable
}

3) Step 3: Use the mysql_real_escape_string as long as it exists on your server. If it doesn’t exist, an error message will display. I suggest upgrading your PHP if possible since this function will take care of different character sets/etc. You can use this function after the mySQL connection has been initialized.

if(function_exists("mysql_real_escape_string"))
{
$variable = mysql_real_escape_string(htmlspecialchars($variable, ENT_QUOTES));
}
else
{
echo "mysql_real_escpe_string does not exist on the server. Upgrade PHP to the latest version.";
}

Posted in: MySQL, PHP / Tagged: , ,

PHP – MySQL datetime to seconds

January 26, 2009 9:53 pm /

$unixseconds = strtotime($mysqldate);

For instance, you can use this to write a timeout script for login failures. Usually, a system should lock after 3-5 consecutive failed login attempts. I save the timestamp after the 5th consecutive login failure, then run a check on this timestamp if the current time is within the ~5-10 minute lockout window. 5 minutes is 300 seconds, 10 minutes is 600 seconds.

Posted in: MySQL, PHP / Tagged: , ,

Validate MySQL date format in PHP

January 7, 2009 3:32 pm /

Validating the date in MySQL should be done using preg_match since ereg_* functions will be removed in PHP 6.

More info on PHP 6 changes: http://wiki.php.net/todo/php60 It appears there will be a module that you can use to utilize existing ereg expressions, so that’ll buy some time to port code from ereg* to preg*.
function isValidDate($date){

if (preg_match (“/^([0-9]{4})-([0-9]{2})-([0-9]{2})$/”, $date))
{

return true;
}
else{
return false;
}

}

Posted in: PHP / Tagged: , , , ,

Define variables in PHP 5

December 3, 2008 6:46 pm /

If you have older scripts, you may encounter warning messages such as “Notice: Undefined variable: ”

As a standard practice, you should define variables in PHP by putting in the variable name = FALSE;
$myvar = FALSE;

This is primarily for local variable names that aren’t passed in through a $_REQUEST or $_POST, etc.

Posted in: PHP / Tagged: ,

PHP Uptime check

November 24, 2008 4:49 pm /

I found a useful script in PHP that can be used for checking uptime of a server. It can be useful for checking when the servers have a such a significant load that pages can’t be displayed. The benefit or running it locally is that I can configure the script to perform failover functionality if necessary. Online uptime services are good too, but most of them aren’t free. Maybe I should force the server to show a failwhale when the site gets too busy… j/k 😀

Here’s the link to the script.
http://www.programmingtalk.com/showthread.php?t=34999



Posted in: PHP / Tagged: , ,

Post Navigation

 
Newer Posts