Jump to content

php beginner

New Members
  • Posts

    2
  • Joined

  • Last visited

    Never

Profile Information

  • Gender
    Not Telling

php beginner's Achievements

Newbie

Newbie (1/5)

0

Reputation

  1. Hello, Let's say you had an array with these values: basketball[0] = 'green'; basketball[1] = 'red'; basketball[2] = 'red'; basketball[3] = 'red'; basketball[4] = 'blue'; basketball[5] = 'black'; Is there a function that can perform a search on the array to remove all of the entries that have a value of 'red'? Maybe something like: remove_array_values(basketball[], 'red'); Then the array would end up like this: basketball[0] = 'green'; basketball[1] = 'blue'; basketball[2] = 'black'; So it took out all of the array entries that had 'red' as it's string contents. I'm wondering if there is a way to do that.
  2. Hello, This is my first post here. This looks like a great place! I'm working on building a PHP/MySQL website that has a search box. So if the site visitor typed "soccer tournament" it would find all of the stuff that has to do with soccer tournaments on the website. I've determined that the site visitors will never need to type anything other than alpha-numeric characters to find what they are looking for. So here is my basic strategy to protect the database against SQL-injection attacks: 1) convert all the characters from the user input to lowercase using strtolower() 2) replace all apostrophes or commas with a blank space using str_ireplace() 3) explode each separate word into its own array entry using explode() 4) any blank spaces that got placed into this array will be removed programmatically 5) check to see if each array entry is alphanumeric by using ctype_alnum() 6) if any part of the query fails the alphanumeric test (step 5), the user's search is blocked and not allowed to proceed. 7) if the query passes step 5, it's allowed to proceed and search the database for search results This would make sure that something like this would pass: top five soccer tournaments But something like this would fail: /php ? ` DROP TABLE So my question is this: if the only search input that is allowed to "pass" and access the database are those that consist exclusively of alphanumeric characters, is that enough to guarantee prevention of an SQL-injection attack? Or maybe phrased differently: is there a way to cause an SQL injection attack into a search box by using only alphanumeric characters? I could also create further processing where troublesome words like DROP TABLE DELETE RECORD are scrubbed from the string. But I think that restricting allowable database query text to consist only of alphanumeric characters will be enough to guard against SQL injection attacks. But I don't know for sure, so that's why I am asking! Thanks for any insights into this. I know there are things like prepared statements and data binding. I'm in the process of learning about those. But what I'm looking for here is an exact answer to my one specific question: is alphanumeric-only text in a search query against a mysql database safe by design?
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.