Larry Ullman's Book Forums

Another Question About The Login Script



Hi everyone.

I am running into a problem at the register.php script.

I am from Holland, and in our city names as well as in first and last names, apostrophes and other punctuation marks are used.

For instance, 's-Gravenhage is the official name of The Hague.

Or a common last name is In 't Groen.

The script does not seem to allow this, because it keeps returning that I need to enter a valid last name.

The code is:

// Trim all the incoming data:
$trimmed = array_map('trim', $_POST);

// Assume invalid values:
$fn = $ln = $e = $p = FALSE;

----------

// Check for a last name:
if (preg_match ('/^[A-Z \'.-]{2,40}$/i', $trimmed['last_name'])) {
	$ln = mysqli_real_escape_string ($dbc, $trimmed['last_name']);
} else {
	echo '<p class="error">Fill in your last name please!</p>';
}

-----------

If I enter a name as in the example In 't Groen... it would re-fill the line with In \'t Groen.

To prevent that from happening I rewrote the form for the last name:

<tr><td><b>Last Name:</b></td><td><input type="text" name="last_name" size="20" maxlength="40" value="<?php if (isset($trimmed['last_name'])) echo stripslashes($trimmed['last_name']); ?>" /></td></tr>

My question is, how can I allow these characters such as ' and é ï, which we also use a lot, to pass beyond the script and inject it safely into the database?

Thanks again!

Mike


In the form input field, your code should be echoing $_POST['last_name'], not the escaped variable. It's the escaping that is adding the slash. Try this:

<tr>
 <td><b>Last Name:</b></td>
 <td><input type="text" name="last_name" size="20" maxlength="40" value="<?php if (isset($_POST['last_name'])) echo $_POST['last_name']; ?>" /></td>
</tr>

Your form should re-fill the line with exactly what was typed into it. The escaped value is intended only for use in a database query. Once you retrieve it from the database, if you need to display it in a web page, you will need to use stripslashes() on it.


Hi Paul

Thanks for your help!

Unfortunately the result remains the same. But I have no idea why...

So even with your code, it still shows in \'t Groen

Plus

The fact that the apostrophe is not accepted by the preg_matching I guess... what else would stop it? I am not even injecting it yet in the database.

What I mean is, the rest of the original register.php as written in Larry's book, checks if you enter a first name, last name, email address and twice your password.

So forgetting either of those, will fill in the already entered info and warn you about the wrong or forgotten ones.

But I have no idea what causes the preg_match to state that the entered last name, containing the ' is not a valid last name.

Any ideas?

Thanks

Mike


Hi Larry

Thanks for your answer (and your wisdom!!!)

That's going to be a challenge... I will have to find a workaround for this, as I am running the scripts from a hosted site, in which I cannot change anything in the php.ini.

I will snoop around

Mike


Larry

I found this and added it in the header file of the login script:

if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() === 1){
	$_POST = array_map( 'stripslashes', $_POST );
	$_GET = array_map( 'stripslashes', $_GET );
	$_COOKIE = array_map( 'stripslashes', $_COOKIE );
}

It seems to do the trick... as I need this on more locations (us Dutchies are like the French with our apostrophes hahaha)

Mike
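
The pieces discussed in this thread (undoing magic quotes, validating names that contain apostrophes and accented letters, re-filling the form, inserting into the database), put together as an added example that is not part of the original posts or the book's code. It assumes the form is submitted as UTF-8; the function names and the users table are hypothetical.

```php
<?php
// Added example; function names and the users table are hypothetical.

// Undo magic_quotes_gpc once per request. Recursive, so array-valued
// fields are handled too. Where the setting no longer exists (PHP 5.4 and
// later), the input is returned unchanged.
function undo_magic_quotes($value) {
    if (!function_exists('get_magic_quotes_gpc') || !@get_magic_quotes_gpc()) {
        return $value;
    }
    return is_array($value) ? array_map('undo_magic_quotes', $value)
                            : stripslashes($value);
}

// Unicode letters and combining marks plus space, apostrophe, period and
// hyphen, 2 to 40 characters. The /u modifier treats pattern and subject as
// UTF-8, so "é" counts as one character; invalid UTF-8 fails the match.
function is_valid_name($name) {
    return preg_match('/^[\p{L}\p{M} \'.-]{2,40}$/u', $name) === 1;
}

// Escape for an HTML attribute when re-filling the form field.
function form_value($raw) {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Store the raw, validated value through a bound parameter instead of
// building the query string by hand.
function save_last_name(mysqli $dbc, $last_name) {
    $stmt = mysqli_prepare($dbc, 'INSERT INTO users (last_name) VALUES (?)');
    if (!$stmt) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 's', $last_name);
    return mysqli_stmt_execute($stmt);
}

// Constructed sample input (no database needed to run this part).
$post = undo_magic_quotes(array('last_name' => " In 't Groen "));
$samples = array(trim($post['last_name']), "'s-Gravenhage", "Zoë", "<b>x</b>", "X");
foreach ($samples as $raw) {
    echo form_value($raw), ' => ', is_valid_name($raw) ? 'valid' : 'rejected', "\n";
}
```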
