tidus97 Posted January 20, 2009
Would replacing all spaces in input text be enough to prevent these attacks? For example, INSERT INTO table (this) VALUE('this') would become INSERT%$space$%INTO%$space$%table%$space$%(this)%$space$%VALUE('this') or something. I know this won't work on all HTML. Something like <h1>this</h1> will still work fine, for example, but that's not the point of this part of the cleaning process lol.
ratcateme Posted January 20, 2009
The best way to prevent MySQL injections is by taking all user input and sterilizing it, like

```php
$username = mysql_real_escape_string($_POST['username']);
```

It keeps your code easy to read and understand, and you can put $username into your queries with no worries about injections.
Scott.
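An added example (editor's code, not from the thread) showing what a practitioner would reach for instead of escaping each input by hand: a prepared statement. The value is sent to the driver separately from the SQL text, so it cannot change the query's structure, and it is stored exactly as typed, which also removes any need to strip slashes on the way out. It assumes PHP with the pdo_sqlite driver so that it runs offline; the shouts table, the function names and the sample rows are all constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. A shoutbox lookup done two ways
// against an in-memory SQLite database (assumes the pdo_sqlite driver).
// The table layout, function names and sample rows are constructed for this demo.

function makeDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE shouts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, msg TEXT NOT NULL)');
    return $pdo;
}

// Prepared insert: the message is stored exactly as typed, quotes, slashes
// and all, because the driver never has to splice it into SQL text.
function addShout(PDO $pdo, string $author, string $msg): void {
    $stmt = $pdo->prepare('INSERT INTO shouts (author, msg) VALUES (:author, :msg)');
    $stmt->execute([':author' => $author, ':msg' => $msg]);
}

// Vulnerable lookup: the author value is concatenated into the query string,
// so a quote in the value ends the literal and the rest becomes SQL.
function shoutsByAuthorUnsafe(PDO $pdo, string $author): array {
    $sql = "SELECT msg FROM shouts WHERE author = '" . $author . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened lookup: the value is bound to a placeholder and travels separately
// from the SQL text, so it can only ever be compared, never executed.
function shoutsByAuthorSafe(PDO $pdo, string $author): array {
    $stmt = $pdo->prepare('SELECT msg FROM shouts WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = makeDb();
$original = 'O\'Reilly said "hi" \ bye';   // quotes and a backslash, as a shoutbox user might type
addShout($pdo, 'alice', $original);
addShout($pdo, 'bob', 'a message only bob should see');

// Round trip: no slashes were added, so nothing needs stripping on the way out.
$roundTrip = shoutsByAuthorSafe($pdo, 'alice')[0];
echo ($roundTrip === $original ? 'stored verbatim' : 'stored with changes'), "\n";

// The classic payload in the author field.
$payload = "nobody' OR '1'='1";
echo 'unsafe lookup rows: ', count(shoutsByAuthorUnsafe($pdo, $payload)), "\n";
echo 'safe lookup rows:   ', count(shoutsByAuthorSafe($pdo, $payload)), "\n";
```

Run it with the php CLI. The unsafe lookup returns both rows for the payload, because the query text becomes `SELECT msg FROM shouts WHERE author = 'nobody' OR '1'='1'`; the prepared lookup returns none, because it searches for an author literally named `nobody' OR '1'='1`. One caveat on the escaping approach itself: mysql_real_escape_string() only protects a value that lands inside a quoted SQL string literal. A bare number in `WHERE id = $id` or a column name in `ORDER BY $col` is still injectable after escaping, which is the other reason to prefer placeholders.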
tidus97 (Author) Posted January 20, 2009
I know, but I don't want to use that. It just inserts \'s everywhere. Yes, I know this is to make any code that may have been input useless, but it sort of sucks when I need to output the input text as a comment. I'm making a sort of shoutbox.
ratcateme Posted January 20, 2009
Try using stripslashes() before you output it to the user.
Scott.
Prismatic Posted January 20, 2009
> I know, but I don't want to use that. It just inserts \'s everywhere. Yes, I know this is to make any code that may have been input useless, but it sort of sucks when I need to output the input text as a comment. I'm making a sort of shoutbox.

You run stripslashes on the output. Really, it's your best bet.
AviNahum Posted January 20, 2009
So I didn't really understand what you're trying to do... explain again please...
tidus97 (Author) Posted January 20, 2009
Oh, weird. It works a lot better than I thought it would.

```php
function cleanupForStorage($x, $exep = null) {
    $x = mysql_real_escape_string($x);
    $x = strip_tags($x, $inExep);
    return $x;
}

function cleanupForOutput($x) {
    $x = stripslashes($x);
    return $x;
}

$string = '<h1>Hello, World!</h1>""""""" do <i>you</i> like\hate slashes? and these "quotes"';
$string = cleanupForStorage($string, '<h1>');
echo "This is for storage: " . $string . "<br />";
$string = cleanupForOutput($string);
echo "This is for output: " . $string . "<br />";
```

Output:

```
This is for storage: Hello, World!\"\"\"\"\"\"\" do you like\\hate slashes? and these \"quotes\"
This is for output: Hello, World!""""""" do you like\hate slashes? and these "quotes"
```

Which is good, but despite keeping the h1 tags, they disappear.
haku Posted January 20, 2009
mysql_real_escape_string escapes the input, and it won't be present in the output. You should use it.
tidus97 (Author) Posted January 20, 2009
? I'm wondering what I could do to prevent tags that are not stripped.
haku Posted January 20, 2009
What do you mean prevent tags? HTML tags? They aren't used in injection attacks. But if you really want to strip them out, you can use strip_tags(). But you should do this when pulling data out of the database before outputting to the screen, not when putting the data into the database.
tidus97 (Author) Posted January 20, 2009
Sorry, that was a typo. I meant preserve. I've told strip_tags to keep h1, but in the end it's not there. This is a bit off-topic though; I can start another topic if you like.
ratcateme Posted January 20, 2009
You got your variable names wrong in the function. Try this:

```php
function cleanupForStorage($x, $exep = null) {
    $x = mysql_real_escape_string($x);
    $x = strip_tags($x, $exep);
    return $x;
}
```

Scott.
tidus97 (Author) Posted January 20, 2009
Bah, that's what happens when you build a function from cut-and-pastes from something else. Works wonderfully now. Thanks guys, got that all sorted.

```php
function cleanupForStorage($x, $inExep = null) {
    $x = mysql_real_escape_string($x);
    $x = strip_tags($x, $inExep);
    return $x;
}

function cleanupForOutput($x, $exep = null) {
    $order = array('\r\n', '\n', '\r');
    $x = str_replace($order, '<br />', $x);
    $x = stripslashes($x);
    return $x;
}

$string = '<b>Hello, World!</b>""""""" do <i>you</i> like\hate slashes? and these "quotes"?
what
about
new
lines';
$string = cleanupForStorage($string, '<b>');
echo "This is for storage: " . $string . "<br />";
$string = cleanupForOutput($string);
echo "This is for output: " . $string . "<br />";
```

Result:

```
This is for storage: <b>Hello, World!</b>\"\"\"\"\"\"\" do you like\\hate slashes? and these \"quotes\"?\nwhat\nabout\nnew\nlines
This is for output: Hello, World!""""""" do you like\hate slashes? and these "quotes"? what about new lines
```
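An added example (editor's code, not the thread's) that separates the two jobs the functions above fold together: the text is kept raw in storage (a prepared statement would put it there unchanged), and escaping happens only at render time, for the HTML context. It also shows, on a constructed shout, that strip_tags() with an allow-list keeps attributes on the allowed tags (documented PHP behaviour, so an allowed `<b>` can still carry an event handler), and one way to keep bare `<b>` and `<i>` without that. The function names and the sample string are my own.

```php
<?php
// Added example, not code from the thread. Escaping for HTML at output time,
// plus a look at what strip_tags() leaves behind. The sample shout and the
// function names are constructed for this demonstration.

// Render a raw stored shout as plain text inside an HTML page: every
// special character is escaped, then newlines become <br /> tags.
function renderShout(string $stored): string {
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return nl2br($escaped);
}

// Same, but allow a fixed set of bare formatting tags: escape everything
// first, then re-enable only the exact "<b>" / "</b>" forms. A tag carrying
// attributes (for example an event handler) stays as escaped text.
function renderShoutWithTags(string $stored, array $allowedTags = ['b', 'i']): string {
    $escaped = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    foreach ($allowedTags as $tag) {
        $escaped = str_replace(
            ["&lt;$tag&gt;", "&lt;/$tag&gt;"],
            ["<$tag>", "</$tag>"],
            $escaped
        );
    }
    return nl2br($escaped);
}

// Constructed shout: a bold tag with an inline event handler, a plain bold
// tag, quotes, a backslash and a newline.
$shout = "<b onmouseover=\"alert(1)\">Hello</b> <b>World</b> like\\hate slashes? and \"quotes\"\nsecond line";

echo "strip_tags() keeps attributes on allowed tags:\n";
echo strip_tags($shout, '<b>'), "\n\n";

echo "renderShout() shows everything as text:\n";
echo renderShout($shout), "\n\n";

echo "renderShoutWithTags() keeps only the bare <b>:\n";
echo renderShoutWithTags($shout), "\n";
```

Run it with the php CLI and compare the three outputs. The strip_tags() call passes the `onmouseover` attribute through untouched; renderShout() turns the whole tag into visible `&lt;b ...&gt;` text; renderShoutWithTags() re-enables `<b>World</b>` but leaves the attributed tag escaped. The str_replace() approach can leave an unmatched close tag behind (the `</b>` that belonged to the escaped opening tag), which browsers ignore; if that matters, a real HTML sanitizer library is the next step. None of this replaces the SQL-side handling, which is a separate concern best solved with placeholders.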