www.webdeveloper.com

Thread: preg_match problem need solution?

  1. #1
    Join Date
    Nov 2013
    Posts
    4

    preg_match problem need solution?

    I have a problem with my preg_match function; it seems it always returns true no matter what's in the input form? It's supposed to just return true when the value has junk in it.

    This is part of the code. The echo in thisCheckerNum always displays 1, even when $_POST['number2'] has nothing in it..., and because of that it will always go to "die("Error: passwordOld contains invalid characters!");". I need to know why..


    PHP Code:
    function thisCheckerNum($str)
    {
        $var = preg_match('/^[a-zA-Z0-9]*$/', $str);
        echo $var;
        return $var;
    }

    if (isset($_POST['number1']) && isset($_POST['number2'])) {
        $passwordOld  = $_POST['number2'];
        $passwordOld2 = $_POST['number3'];
        $passwordNew  = $_POST['number4'];
        $passwordNew2 = $_POST['number5'];
        $sql   = "SELECT * FROM users WHERE email='$email' AND password='$passwordOld'";
        $query = mysql_query($sql);

        /* filter vals */
        $passwordOld  = mysql_real_escape_string(html_entity_decode(htmlentities($passwordOld)));
        $passwordOld2 = mysql_real_escape_string(html_entity_decode(htmlentities($passwordOld2)));
        $passwordNew  = mysql_real_escape_string(html_entity_decode(htmlentities($passwordNew)));
        $passwordNew2 = mysql_real_escape_string(html_entity_decode(htmlentities($passwordNew2)));
        /*
        This counts how many records match our query
        */
        echo $email."<br />".$passwordOld."<br />".$passwordOld2."<br />".$passwordNew."<br />".$passwordNew2."<br />";

        // Die if account contains non-alphanumeric characters
        if (thisCheckerNum($passwordOld) == 1)
        {
            die("Error: passwordOld contains invalid characters!");
        }
        // ... rest of the handler not included in the post
    }
    Last edited by NogDog; 11-12-2013 at 10:01 PM. Reason: changed I tags to PHP tags

  2. #2
    Join Date
    Nov 2013
    Posts
    4
    Or eventually, does anyone know any good PHP user change-password template that I can just use out of the box? That would be perfect. I never programmed PHP before; this is a nightmare.

  3. #3
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,637
    I think you have your logic reversed in your if clause, since preg_match() will return 1 if the pattern matches. It does beg the question, though: why do you want to limit users to only those characters, when current security best practices are for strong passwords to contain letters, numbers, and "special" characters? I would just test for minimum/maximum length requirements, and let the users use whatever passwords they want within those restrictions.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us
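The point NogDog makes above, as an added example that is not code from the thread: preg_match() returns 1 on a match (including the empty string, because the anchored pattern with * matches it), 0 on no match, and false on a regex error, so the original "== 1" branch died on every valid input. The length-only policy function and its limits are an assumption for illustration.

```php
<?php
// Added example (not from the thread). Shows the return values of the original
// checker and a length-based policy instead of a character whitelist.

// Same regex as the original post. The empty string matches [a-zA-Z0-9]*, which
// is why the poster's echo printed 1 even when $_POST['number2'] was empty.
function thisCheckerNum(string $str): int
{
    $result = preg_match('/^[a-zA-Z0-9]*$/', $str);
    if ($result === false) {
        throw new RuntimeException('preg_match() failed: ' . preg_last_error_msg());
    }
    return $result; // 1 = only letters/digits (or empty), 0 = something else present
}

// NogDog's suggestion: restrict length only, let users pick any characters.
// Returns an error message, or null when the password is acceptable.
// The 8/128 limits are an assumed policy, not values from the thread.
function checkPasswordPolicy(string $password, int $min = 8, int $max = 128): ?string
{
    $len = strlen($password);
    if ($len < $min) {
        return "Password must be at least $min characters long.";
    }
    if ($len > $max) {
        return "Password must be at most $max characters long.";
    }
    return null;
}

// Constructed inputs; compare the strict check (=== 1) with the original "== 1".
foreach (['', 'abc123', 'p@ss w0rd'] as $input) {
    printf("%-12s alphanumeric-only=%d\n", var_export($input, true), thisCheckerNum($input));
}
foreach (['short', 'correct horse battery'] as $input) {
    printf("%-24s policy: %s\n", var_export($input, true), checkPasswordPolicy($input) ?? 'ok');
}
```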

  4. #4
    Join Date
    Nov 2013
    Posts
    4
    Hi Nog, it's true I can barely understand what this script does; I just found it by Google. The original writer of this script has the if clause match for '1' and return a die error. I didn't even think that he could be wrong.. I kept thinking it's the '/^[a-zA-Z0-9]*$/' that needs something else, while I have no idea what that means.

    After I changed '1' to '0' in the if clause, now it works as it should, thanks a lot.

    I did a little research; people claim some characters might be harmful to the database? That's why it should rule out those? I don't know for sure, but if it's a security issue maybe I should just follow the main line? I don't know about that, too.

  5. #5
    Join Date
    Nov 2013
    Posts
    4
    I have another question though. I'm making a shopping site from scratch and I'm pretty much learning it from the ground up..

    So forgive me for my lack of fundamental knowledge of the ecommerce world. If a user wanted to change their account password,

    would it be appropriate, or most importantly secure, that my site sends an email back to their email address with a link in it, that when they open it, takes them to a page that asks them to input a new password directly to the database? My main concern is that the page will input the new password regardless of what the original password is,

    but I think what strongly backs this idea is that the link in theory is only accessible if the clicker can open that email account in the first place? So it should be secure, right? Should I use this method?

  6. #6
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,637
    Quote Originally Posted by teeronline View Post
    ...
    I did a little research; people claim some characters might be harmful to the database? That's why it should rule out those? I don't know for sure, but if it's a security issue maybe I should just follow the main line? I don't know about that, too.
    Using mysql_real_escape_string() for any character strings being entered into the DB takes care of all SQL injection issues, regardless of what the user submitted. To that end, the code in there messing around with htmlentities is unnecessary and effectively cancels itself out anyway. So instead of this...
    PHP Code:
    $passwordOld = mysql_real_escape_string(html_entity_decode(htmlentities($passwordOld)));
    ...just do...
    PHP Code:
    $passwordOld = mysql_real_escape_string($passwordOld);
    ...and SQL injection is not an issue, while you've removed unneeded extra processing.

    The only time you should need to use htmlentities() is when outputting text to the browser -- it is not a database sanitizing function.
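The password-change query from the first post, rewritten as an added example (not the thread's code) with PDO prepared statements, the current equivalent of the escaping NogDog describes: the user's input is bound as a parameter and never spliced into the SQL text, and htmlspecialchars() is used only when echoing back to the browser. It assumes a `users` table whose `password` column holds a password_hash() value, and uses an in-memory SQLite database for the demo.

```php
<?php
// Added example (not from the thread). Assumed schema: users(id, email, password),
// with `password` holding a password_hash() value rather than plaintext.

function fetchUserByEmail(PDO $db, string $email): ?array
{
    // The email is a bound parameter: a quote inside it stays data, not SQL.
    $stmt = $db->prepare('SELECT id, email, password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Verifies the current password before storing the new one. Returns true on success.
function changePassword(PDO $db, string $email, string $oldPassword, string $newPassword): bool
{
    $user = fetchUserByEmail($db, $email);
    if ($user === null || !password_verify($oldPassword, $user['password'])) {
        return false; // unknown user or wrong current password
    }
    $stmt = $db->prepare('UPDATE users SET password = :hash WHERE id = :id');
    return $stmt->execute([
        ':hash' => password_hash($newPassword, PASSWORD_DEFAULT),
        ':id'   => $user['id'],
    ]);
}

// Constructed demo on an in-memory SQLite database (assumes the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)');
$seed = $db->prepare('INSERT INTO users (email, password) VALUES (:email, :hash)');
$seed->execute([':email' => "o'brien@example.com", ':hash' => password_hash('old pass', PASSWORD_DEFAULT)]);

// The apostrophe in the address would have broken the original interpolated query;
// with a bound parameter it is simply part of the value being compared.
$email = "o'brien@example.com";
var_dump(changePassword($db, $email, 'wrong', 'new pass'));    // rejected
var_dump(changePassword($db, $email, 'old pass', 'new pass')); // accepted
var_dump(changePassword($db, $email, 'new pass', 'another'));  // new hash now in place

// Escaping for HTML belongs at output time, as NogDog says, not before the DB write.
echo 'Password updated for ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . "\n";
```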

  7. #7
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,637
    Quote Originally Posted by teeronline View Post
    I have another question though. I'm making a shopping site from scratch and I'm pretty much learning it from the ground up..

    So forgive me for my lack of fundamental knowledge of the ecommerce world. If a user wanted to change their account password,

    would it be appropriate, or most importantly secure, that my site sends an email back to their email address with a link in it, that when they open it, takes them to a page that asks them to input a new password directly to the database? My main concern is that the page will input the new password regardless of what the original password is,

    but I think what strongly backs this idea is that the link in theory is only accessible if the clicker can open that email account in the first place? So it should be secure, right? Should I use this method?
    What you can do is generate a pseudo-random string, such as with uniqid(). You store that in an additional column in the users table, along with another timestamp column with the current date/time in it (NOW()). In the link you send in the email, you include that random string as one of the URL parameters (presumably along with the user ID as another field). Then when the link is clicked, you check to see if the user id and random token match, and that the timestamp is not older than whatever you decide the maximum time should be between when it is generated and when the user must "use it or lose it." If all those criteria are met, you display the new password form, in which you include that random token as a hidden field, so you can do the same check again when they actually enter the form.
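The reset-link flow NogDog lays out, as an added example (not code from the thread): a token stored next to a request timestamp, embedded in the emailed link, re-checked on the hidden form field, and cleared once used. It assumes columns `reset_token` and `reset_requested_at` (a unix timestamp integer) on the users table, a one-hour lifetime, and uses random_bytes() in place of uniqid(), which is clock-derived and therefore guessable.

```php
<?php
// Added example (not from the thread). Assumed schema:
// users(id, email, reset_token, reset_requested_at) with reset_requested_at as a unix timestamp.

const RESET_TOKEN_TTL = 3600; // assumed policy: the link is valid for one hour

// Step 1: mint a token, store it with the request time, and return it for the email link.
function createResetToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, unlike uniqid()
    $stmt = $db->prepare('UPDATE users SET reset_token = :token, reset_requested_at = :now WHERE id = :id');
    $stmt->execute([':token' => $token, ':now' => time(), ':id' => $userId]);
    return $token;
}

function buildResetLink(string $baseUrl, int $userId, string $token): string
{
    return $baseUrl . '?' . http_build_query(['uid' => $userId, 'token' => $token]);
}

// Step 2: run on the link click and again on form submit (token comes back via the hidden field).
function verifyResetToken(PDO $db, int $userId, string $token): bool
{
    $stmt = $db->prepare('SELECT reset_token, reset_requested_at FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['reset_token'] === null) {
        return false; // unknown user, or no reset request outstanding
    }
    if (time() - (int) $row['reset_requested_at'] > RESET_TOKEN_TTL) {
        return false; // "use it or lose it": too old, the user must request a new link
    }
    // Constant-time comparison so response timing does not reveal matching prefixes.
    return hash_equals($row['reset_token'], $token);
}

// Step 3: once the new password is saved, clear the token so the link cannot be reused.
function consumeResetToken(PDO $db, int $userId): void
{
    $stmt = $db->prepare('UPDATE users SET reset_token = NULL, reset_requested_at = NULL WHERE id = :id');
    $stmt->execute([':id' => $userId]);
}

// The hidden field for the new-password form; escaped because it is browser output.
function hiddenTokenField(string $token): string
{
    return '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}
```

Call verifyResetToken() before rendering the form and once more on submit, then consumeResetToken() after the password update succeeds.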
