lynxus, Posted May 29, 2009

Hi, I'm having problems cleaning some vars. I've tried stripslashes and that doesn't work. I've tried the MySQL clean function to no avail. I just want things like % / \ ' all removed and replaced with summat like _

```php
$username = "";
$username = $_POST['username'];
```

I've tried str_replace but I'm having problems getting it to do the 's and the \'s. Any ideas how to clean the vars to really only be text, numbers and a few things like http:// / etc.

-G
jonsjava, Posted May 29, 2009

Using str_replace (or str_ireplace):

```php
<?php
function strip_these($input){
    $stuff_to_strip = array("\\","/","%");
    return str_ireplace($stuff_to_strip,"",$input);
}
print strip_these("thisisa\\tes/t%");
```

Oh, and the reason you were having issues with "\" is because \ is used to escape characters. If you wanted to do a $ or ", and have it output it, instead of evaluate it, you would do this:

```php
<?php echo "\"I like \$. It makes me so happy\", says Joe"; ?>
```

As for the ', you were most likely using ' like this:

```php
<?php print str_replace(''','',$input); ?>
```

To use a single quote (or a double quote) inside a single quote (or a double quote), you must escape it.
waynew, Posted May 29, 2009

For a username, you'll probably want to use this BEFORE sending data to your database:

```php
//change min and max length values accordingly
$min = 1;
$max = 10;
//will only allow alphanumerical characters
if(!eregi("^[a-zA-Z0-9]{".$min.",".$max."}$",$username)){
    //do not allow
} else{
    //we're in business
}
```
jonsjava, Posted May 29, 2009

*sigh* Sure, just go ahead and use regular expressions. I was just showing them how to do it with the function mentioned. Actually, I suck at regular expressions.
Ken2k7, Posted May 29, 2009

I believe the ereg family will be deprecated, so preg is preferred.
lynxus (Author), Posted May 29, 2009

Thanks guys! I've gone with this for the time being:

```php
$username = $_POST['username'];
if ($username == ""){
    $username = "DidntEnterOne";
}
function strip_these($input){
    $stuff_to_strip = array("\\","/","%","'","&");
    return str_ireplace($stuff_to_strip,"",$input);
}
$username = strip_these($username);
```

I'm hoping this will stop or at least deter some injections / bad stuff.
lynxus (Author), Posted May 29, 2009

Actually I've used the regex for the username and the other bit for some other vars. Thanks
gevans, Posted May 29, 2009

Realistically you should just check if any unwanted characters are in the string. If they are, let the user know. When it does pass the 'check', if it's going into the database, then use mysql_real_escape_string(). At the moment you're still allowing HTML, JavaScript, and forms of attempted SQL injections through. Also your user may not know that he/she can't use a & (for example) in their username. Your site will be far more usable if you alert them of this rather than changing their username to something they didn't want.
waynew, Posted May 29, 2009

You should really only be using mysql_real_escape_string() to stop injections. Those characters you mention will be rendered harmless by mysql_real_escape_string(). What you're doing at the moment is blacklisting, that is, setting aside what ISN'T allowed. What you should be doing is whitelisting, i.e. setting aside what IS allowed.
lynxus (Author), Posted May 29, 2009

The escape function isn't the problem. The problem is the chars themselves. They play havoc with some of the dynamic JavaScript I'm creating. So as long as the username doesn't contain those values then everything runs well. I'm assuming if someone can't send those chars then they have next to no chance of injecting anyway?
gevans, Posted May 29, 2009

If you're not using mysql_real_escape_string there are ways around that. What about these characters: " '.'' And to reiterate, you should tell the user they can't use them and let them choose a different username, not just change the one they originally wanted.
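Putting the thread's advice together as an added example (my own code, not posted by anyone in the thread): whitelist the username with preg_match rather than the deprecated eregi, tell the user why a name was rejected instead of silently rewriting it, and encode the accepted value for the HTML and JavaScript contexts it is printed into, which is what actually stops a name from playing havoc with dynamic script. Function names, limits and the sample inputs are my own; the database step (mysql_real_escape_string or a prepared statement) is separate and not shown.

```php
<?php
// Added example, not from the thread: whitelist validation plus
// context-aware output encoding for a username.

// Accept only ASCII letters, digits and underscore, 3..20 characters
// (limits are assumptions). Anything else is rejected with a message
// the user can act on, rather than being stripped behind their back.
function validate_username(string $username): array {
    $min = 3; $max = 20;
    $len = strlen($username);
    if ($len < $min || $len > $max) {
        return [false, "Username must be $min to $max characters long."];
    }
    if (!preg_match('/^[A-Za-z0-9_]+$/', $username)) {
        return [false, "Username may only contain letters, digits and underscore."];
    }
    return [true, ''];
}

// For HTML body text: neutralise < > & " ' so the value is only text.
function for_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// For a value embedded inside a <script> block: json_encode yields a valid
// JS string literal, and the HEX flags also escape < > & ' " so a value
// containing "</script>" cannot terminate the script element.
function for_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Constructed inputs standing in for $_POST['username'].
$samples = ["bob_99", "O'Brien", "x</script>y", ""];
foreach ($samples as $name) {
    [$ok, $why] = validate_username($name);
    if (!$ok) {
        echo "Rejected '" . for_html($name) . "': $why\n";
        continue;
    }
    echo "<p>Welcome, " . for_html($name) . "</p>\n";
    echo "<script>var user = " . for_js($name) . ";</script>\n";
}
```

Run it with the PHP CLI; only "bob_99" passes, and the rejected names are echoed back already encoded so the error page itself cannot be used to inject markup.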
lynxus (Author), Posted May 29, 2009

Thanks for your input. I will look at using that to stop the injections. I will offer a user to change the name. I've just been throwing code together to get a test up and running before I clean and modify the stuff. Thanks so much for your help.

-G
grissom, Posted May 29, 2009

Hey lynxus, are you from Yorkshire?
lynxus (Author), Posted May 29, 2009

No, much further down south.