Dr.Mezo

Reputation: 869

is_numeric and isEmail functions

I created a field ($login); the user should register with an email or a phone number, so I want to do a security check to validate it.

Can I use 2 functions at the same time? I tried the following code but it didn't work.

if(!is_numeric || isEmail($login)) {
    $mesaj = '<div class="msg"><div class="error">Add Valid Email or Phone Number</div></div>';
}else{
    $db->Query("UPDATE `users` SET `login`='".$login."' WHERE `id`='".$data['id']."'");
    $mesaj = '<div class="msg"><div class="success">Success</div></div>';
}

Any Idea?

Upvotes: 0

Views: 134

Answers (1)

CommandZ

Reputation: 3633

You have an error in your code: if(!is_numeric || isEmail($login))

You're not making a function call with is_numeric. You need to provide it a parameter: is_numeric($myVar)

You also have a SQL Injection problem in your code. Never concatenate strings to build a query. Use parameterized queries instead.


Possible attack vector:

<?php
/***
 * Data input from client browser / app (attacker-controlled)
 ***/
$data['id'] = "0' OR id > 0 OR id = '1";
$login = "', `password`='hacked";

// the query is built exactly as in the question
$sql = "UPDATE `users` SET `login`='".$login."' WHERE `id`='".$data['id']."'";
echo $sql;

Output SQL:

UPDATE `users` SET `login`='', `password`='hacked' WHERE `id`='0' OR id > 0 OR id = '1'

// the WHERE clause matches every row, so every user's password becomes 'hacked'

Upvotes: 1
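A corrected version of the question's block, as an added example that is not code from the question or the answer. It assumes an open PDO connection in $pdo and that $data['id'] holds the current user's id as in the question; isEmail() and isPhone() are hypothetical helpers written here (the question's own isEmail() is not shown), and it also groups the condition as "neither email nor phone", which is what the question's wording asks for.

```php
<?php
// Added example: fixed validation plus a parameterized UPDATE.
// Assumptions: $pdo is an existing PDO connection; $data['id'] and $login come
// from the same places as in the question; isEmail()/isPhone() are hypothetical.

declare(strict_types=1);

function isEmail(string $value): bool
{
    // PHP's built-in validator; returns the string on success, false otherwise
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

function isPhone(string $value): bool
{
    // is_numeric() would also accept "1e3", " 42" or "-5"; an explicit pattern is
    // stricter: optional leading "+", then 7 to 15 digits (E.164 maximum length)
    return preg_match('/^\+?[0-9]{7,15}$/', $value) === 1;
}

function isValidLogin(string $value): bool
{
    // Reject when the value is NEITHER an email NOR a phone number. The question's
    // "!is_numeric || isEmail($login)" never calls is_numeric() and, even with an
    // argument, would reject valid emails because of how the operators group.
    return isEmail($value) || isPhone($value);
}

function updateLogin(PDO $pdo, int $userId, string $login): bool
{
    if (!isValidLogin($login)) {
        return false;
    }
    // Parameterized query: $login and $userId travel as bound values, never as
    // part of the SQL text, so the payloads from the answer cannot change the
    // statement. With PDO::ATTR_EMULATE_PREPARES => false on the connection the
    // server itself prepares the statement.
    $stmt = $pdo->prepare('UPDATE `users` SET `login` = :login WHERE `id` = :id');
    $stmt->bindValue(':login', $login, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    return $stmt->execute();
}

// Replacement for the question's if/else:
$login = trim((string) ($_POST['login'] ?? ''));

if (updateLogin($pdo, (int) $data['id'], $login)) {
    $mesaj = '<div class="msg"><div class="success">Success</div></div>';
} else {
    $mesaj = '<div class="msg"><div class="error">Add Valid Email or Phone Number</div></div>';
}

// Sanity checks against the answer's attack strings (constructed inputs):
// isValidLogin("', `password`='hacked")   -> false (rejected before any query)
// isValidLogin("0' OR id > 0 OR id = '1") -> false
// isValidLogin("user@example.com")        -> true
// isValidLogin("+15551234567")            -> true
```

Casting $data['id'] to int and binding it with PDO::PARAM_INT closes the second half of the answer's attack even if that id is ever client-controlled: a string such as "0' OR id > 0 OR id = '1" becomes 0 and matches nothing.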
