
[SOLVED] Remove stuff for mysql injection.


lynxus


Hi,

I'm having problems cleaning some vars.

I've tried stripslashes and that doesn't work.

I've tried the mysql clean function to no avail.

 

I just want things like % / \ ' all removed and replaced with something like _

 

$username = "";

$username = $_POST['username'];

 

I've tried str_replace but I'm having problems getting it to do the 's and the \'s

 

Any ideas how to clean the vars to really only be text, numbers and a few things like http:// / etc.?

 

-G

 


Using str_replace (or str_ireplace):

 

<?php
// strips every occurrence of the listed characters from $input
function strip_these($input){
    $stuff_to_strip = array("\\","/","%");
    return str_ireplace($stuff_to_strip,"",$input);
}
print strip_these("thisisa\\tes/t%");
?>

Oh, and the reason you were having issues with "\" is because \ is used to escape characters. If you wanted to output a $ or " literally, instead of having it evaluated, you would do this:

<?php
echo "\"I like \$. It makes me so happy\", says Joe";
?>

As for the ', you were most likely using ' like this:

<?php
print str_replace(''','',$input);
?>

to use a single quote (or a double quote) inside a single quote (or a double quote), you must escape it.

For a username, you'll probably want to use this BEFORE sending data to your database:

 

//change min and max length values accordingly
$min = 1;
$max = 10;

//will only allow alphanumeric characters, between $min and $max of them
//(note: eregi() was removed in PHP 7; preg_match() with the same pattern
//and the /i modifier is the equivalent on current PHP)
if(!eregi("^[a-zA-Z0-9]{".$min.",".$max."}$",$username)){
    //do not allow
}
else{
    //we're in business
}

Thanks guys!

 

I've gone with this for the time being:

 

$username = $_POST['username'];

if ($username == ""){
    $username = "DidntEnterOne";
}

function strip_these($input){
    $stuff_to_strip = array("\\","/","%","'","&");
    return str_ireplace($stuff_to_strip,"",$input);
}

$username = strip_these($username);

 

 

I'm hoping this will stop or at least deter some injections / bad stuff.

Realistically you should just check if any unwanted characters are in the string. If they are, let the user know.

 

When it does pass the 'check', if it's going into the database, then use mysql_real_escape_string().

 

At the moment you're still allowing html, javascript, and forms of attempted sql injections through.

 

Also your user may not know that he/she can't use a & (for example) in their username. Your site will be far more usable if you alert them of this rather than changing their username to something they didn't want.

You should really only be using mysql_real_escape_string() to stop injections. Those characters you mention will be rendered harmless by mysql_real_escape_string(). What you're doing at the moment is blacklisting, that is, setting aside what ISN'T allowed. What you should be doing is whitelisting, i.e. setting aside what IS allowed.

 

 

The escape function isn't the problem. The problem is the chars themselves.

They play havoc with some of the dynamic javascript I'm creating.

 

So as long as the username doesn't contain those values then everything runs well.

 

I'm assuming if someone can't send those chars then they have next to no chance of injecting anyway?

If you're not using mysql_real_escape_string there are ways around that.

 

What about these characters:

 

"

 

'.''

 

And to reiterate, you should tell the user they can't use them and let them choose a different username, not just change the one they originally wanted.
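The whitelist-and-tell-the-user approach recommended in the two replies above, as an added example that is not code from the thread: the username is validated against an allowed character set and length (both assumed values here), rejected with a message instead of being silently rewritten, and then passed to the database through a PDO prepared statement so the driver handles quoting (the `users` table and `$pdo` connection are assumptions).

```php
<?php
// Added example, not from the forum thread. Whitelists the username rather
// than stripping characters, reports a reason the user can act on, and lets
// the database driver quote the value via a bound parameter.
declare(strict_types=1);

// Assumed limits; adjust to the site's own rules.
const USERNAME_MIN = 1;
const USERNAME_MAX = 10;

/**
 * Returns null when $username is acceptable, otherwise a message to show
 * the user so they can pick a different name (no silent rewriting).
 */
function validate_username(string $username): ?string
{
    $len = strlen($username);
    if ($len < USERNAME_MIN || $len > USERNAME_MAX) {
        return sprintf('Username must be %d to %d characters long.',
                       USERNAME_MIN, USERNAME_MAX);
    }
    // Whitelist: only ASCII letters and digits. Quotes, %, \, &, <, etc.
    // are rejected rather than removed.
    if (!preg_match('/^[A-Za-z0-9]+$/', $username)) {
        return 'Username may only contain letters and digits.';
    }
    return null;
}

/**
 * Looks the user up with a bound parameter; the value is never spliced into
 * the SQL text, so no manual escaping is needed. $pdo is an assumed open
 * PDO connection and `users` an assumed table.
 */
function find_user(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a plain name, a quote-bearing string, an ampersand, empty.
$samples = ['lynxus', "bob' OR 1=1 --", 'a&b', ''];
foreach ($samples as $s) {
    $err = validate_username($s);
    printf("%-18s => %s\n", var_export($s, true), $err ?? 'ok');
}
```

Only 'lynxus' passes; the other three are returned to the user with the reason, and only a value that passed is ever handed to find_user().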

Thanks for your input.

 

I will look at using that to stop the injections.

 

I will offer a user to change the name.

I've just been throwing code together to get a test up and running before I clean and modify the stuff :)

 

Thanks so much for your help.

 

-G
