transparencia Posted January 4, 2009 Share Posted January 4, 2009 Hello! Is this well written? preg_split("/[\s.,_\"\'\%\>\<?!-]/", $kernel->vars['string']); What others characters should I filter to prevent an SQL injection or other exploit? Quote Link to comment https://forums.phpfreaks.com/topic/139392-solved-is-this-preg_split-well-formed/ Share on other sites More sharing options...
corbin Posted January 4, 2009 Share Posted January 4, 2009 The only character that you 'must' filter is '. Do you want to filter for some other reason? If you want to escape HTML, just use htmlentities(). Quote Link to comment https://forums.phpfreaks.com/topic/139392-solved-is-this-preg_split-well-formed/#findComment-729153 Share on other sites More sharing options...
.josh Posted January 4, 2009 Share Posted January 4, 2009 lol why are you using preg_split? preg_split is a regex version of explode. All it does is take a string and split it up into an array, based on a pattern. So for example, if you have this: $string = "What's up, doc? Nothin' much, man..."; and you do this: $string = preg_split("/[\s.,_\"\'\%\>\<?!-]/", $string); You're going to end up with this: Array ( [0] => What [1] => s [2] => up [3] => [4] => doc [5] => [6] => Nothin [7] => [8] => much [9] => [10] => man [11] => [12] => [13] => ) Unless you are wanting your data to be a specific format (like for instance, the data is a username and you only want it to contain alphanumeric characters), the goal should be to escape characters, not remove them. Otherwise, you're going to find yourself storing a whole lot of swiss cheesed data. Quote Link to comment https://forums.phpfreaks.com/topic/139392-solved-is-this-preg_split-well-formed/#findComment-729157 Share on other sites More sharing options...
transparencia Posted January 4, 2009 Author Share Posted January 4, 2009 I know! The string is as search string, I choose to separate the words to do a mySQL full text AND search (Search Word1 AND Word2 AND Word3, etc..). All words on the string must appear on the results. That is the reason I want to prevent SQL injection and exploits. Because the string is directly input on the database. So I guess, if only ' is necessary to be cut down I could do it like this (with the other %>< while I'm at it, just to be sure )? preg_split("/[\s.,_'%><?!-]/", $kernel->vars['string']); Quote Link to comment https://forums.phpfreaks.com/topic/139392-solved-is-this-preg_split-well-formed/#findComment-729163 Share on other sites More sharing options...
corbin Posted January 4, 2009 Share Posted January 4, 2009 http://php.net/mysql_real_escape_string I would just escape all of the parts. Quote Link to comment https://forums.phpfreaks.com/topic/139392-solved-is-this-preg_split-well-formed/#findComment-729187 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.