
[SOLVED] Function to prevent SQL Injection and converting åäö - review this one plea


Bisa


I've been working on a form and it is functional at the moment, now it's time to secure it from injections and at the same time I figured I'd convert å, ä and ö so that they would be correctly rendered by browsers all around.

 

My function looks like this and I would appreciate any pointers regarding security so far as well as perhaps be able to spot why the åäö converting prevents anything else of my script to be run when I load the page ;)

 

// Function to prevent SQL Injection and convert åäö
function secureFormInput($formdata) {
    // Strip quotes, parentheses, backslashes, semicolons, pipes, backticks, commas and angle brackets
    // (ereg_replace is deprecated since PHP 5.3 and removed in PHP 7; preg_replace is its replacement)
    $formdata = ereg_replace("[\'\")(;|`,<>]", "", $formdata);
    $formdata = trim($formdata);
    $formdata = stripslashes($formdata);

    // Replace åäö with their HTML entities
    // (the closing ")" was missing on this line, which is a parse error and stops the whole script)
    $replace = array("å", "ä", "ö", "Å", "Ä", "Ö");
    $with = array("&aring;", "&auml;", "&ouml;", "&Aring;", "&Auml;", "&Ouml;");
    $formdata = str_replace($replace, $with, $formdata);

    return $formdata;
}

 

Edit, oops, I posted this in the wrong section (reported to mod)

First of all

the åäö converting prevents anything else of my script to be run when I load the page

I'm sorry but my English is too bad to understand what you mean with this

 

Anyway, I have many objections to your code, and the first is a simple question: why not use mysql_real_escape_string() (or similar functions for other DBs)?

I do not agree about altering what the user posted, so I will not change quotes to backticks.

Neither will I change non-latin characters to html entities: what if tomorrow you decide to use those data for other than a web page?

Another thing you should avoid is using stripslashes() when you're not sure that magic_quotes_gpc is on.

 

Regards  :)


Thnx for the feedback =)

 

1. About mysql_real_escape_string(): I tried using that, but since I'm not putting stuff into a DB at the moment I left out the link_identifier, and that stopped the rest of the script from being executed, so I simply removed the mysql_real_escape_string() for now.

 

2. HTML entities: well, I am unable to have my browser show å, ä and ö, so I figured if I converted them I would solve that problem. But yes, you are right, I am planning on sending the user input via email, and then it's not optimal to show HTML entities but instead the real characters.

 

Anyone got some code examples of how I could put this to good use?
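An added example, not code from this thread, of the approach the reply above argues for: keep the input as the user typed it, undo magic_quotes_gpc only when it is really on, and do the escaping at each destination (a prepared statement instead of mysql_real_escape_string() for the database, htmlspecialchars() for the page, real UTF-8 characters for the e-mail). The table and column names, the sender address and the $_POST field names are assumptions.

```php
<?php
// Undo magic_quotes_gpc only when it is actually on (PHP < 5.4); otherwise
// stripslashes() would eat backslashes the user typed on purpose.
function rawInput($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return trim($value);
}

// Database: no character stripping. A prepared statement sends the value
// separately from the SQL text, so quotes in it are never parsed as SQL.
// (table "messages" with columns name/body is assumed)
function storeMessage(mysqli $db, $name, $message) {
    $stmt = $db->prepare('INSERT INTO messages (name, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $message);
    return $stmt->execute();
}

// HTML output: encode at display time. htmlspecialchars() leaves å/ä/ö
// untouched; they render correctly once the page declares UTF-8, so no
// &aring;-style conversion of the stored data is needed.
function toHtml($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// E-mail: send the real characters and declare the charset in the headers.
// A field that ends up in a header must not contain CR/LF, otherwise the
// sender could append headers of their own (header injection).
function sendForm($to, $name, $message) {
    if (preg_match('/[\r\n]/', $name)) {
        return false;
    }
    $headers = "From: form@example.com\r\n"                  // placeholder sender
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    $subject = '=?UTF-8?B?' . base64_encode("Message from $name") . '?=';
    return mail($to, $subject, $message, $headers);
}

header('Content-Type: text/html; charset=UTF-8');            // makes åäö show in the browser
$name    = isset($_POST['name'])    ? rawInput($_POST['name'])    : '';
$message = isset($_POST['message']) ? rawInput($_POST['message']) : '';
```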
