MDanz Posted August 23, 2009

I have this form:

```html
<form action="search.php" method="get">
  <center>
    <input name="search" type="text" value="" size="25" />
    <input type="submit" name="submit" value="search">
  </center>
</form>
```

I want only text and numbers to be input ... no HTML. How do I do this?

Fog Juice Posted August 23, 2009

> I have this form:
>
> ```html
> <form action="search.php" method="get">
>   <center>
>     <input name="search" type="text" value="" size="25" />
>     <input type="submit" name="submit" value="search">
>   </center>
> </form>
> ```
>
> I want only text and numbers to be input ... no HTML. How do I do this?

```php
// Remove every character that is not a letter or digit (case-insensitive)
$search = preg_replace('/[^A-Z0-9]+/i', '', $_GET['search']);
```

MDanz (Author) Posted August 23, 2009

Where do I place it / implement it?

Fog Juice Posted August 23, 2009

> Where do I place it / implement it?

In your example you set the result page on your form to search.php, so place that code I gave you in search.php.

MDanz (Author) Posted August 23, 2009

I did that, now search is not working, just a blank page??

Fog Juice Posted August 23, 2009

> I did that, now search is not working, just a blank page??

What else do you want? Your question isn't very clear if you want more than what I've given you.

Goldeneye Posted August 23, 2009

If you want only Alpha-Numeric characters, then try the strip_tags() function. You can also do something like this if you find Regular-Expressions too inefficient/confusing:

```php
<?php
// Sample value standing in for the submitted search term
$_GET['search'] = 'This string contains only Alphabetic characters.';
$str = $_GET['search'];

// ctype_alnum() is true only when every character is a letter or digit
if (ctype_alnum($str) === false) {
    exit('Invalid characters were detected in your search-query');
} else {
    // Execute your code used for valid search-queries
}
?>
```

See ctype_alnum() in the PHP Manual. Don't forget to encode your $_GET['search'] variable with something such as urlencode() before passing it through the URL-Query-String.

gergy008 Posted August 23, 2009

> I have this form:
>
> ```html
> <form action="search.php" method="get">
>   <center>
>     <input name="search" type="text" value="" size="25" />
>     <input type="submit" name="submit" value="search">
>   </center>
> </form>
> ```
>
> I want only text and numbers to be input ... no HTML. How do I do this?

Just use the real_escape_string() function. Internet cut out, sorry for the late reply.

Goldeneye Posted August 23, 2009

> > I have this form:
> >
> > ```html
> > <form action="search.php" method="get">
> >   <center>
> >     <input name="search" type="text" value="" size="25" />
> >     <input type="submit" name="submit" value="search">
> >   </center>
> > </form>
> > ```
> >
> > I want only text and numbers to be input ... no HTML. How do I do this?
>
> Just use the real_escape_string() function. Internet cut out, sorry for the late reply.

Using mysql_real_escape_string() won't restrict the query to only Alpha-Numeric characters. It will only escape appropriate characters with a back-slash ('\'). mysql_real_escape_string() should only be used for MySQL-Queries.

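Added example, not part of any post in this thread: a search.php handler that combines the allow-list check from Goldeneye's ctype_alnum() post with output encoding via htmlspecialchars() whenever the value is echoed into HTML. The helper names validate_search() and h(), the 64-character limit and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Helper names are hypothetical.

/**
 * Allow-list validation: accept only ASCII letters and digits.
 * Returns the validated term, or null when the input is rejected.
 */
function validate_search($raw): ?string
{
    // ?search[]=x arrives as an array; reject anything that is not a string.
    if (!is_string($raw)) {
        return null;
    }
    $term = trim($raw);
    // The 64-character limit is an assumed bound for this example.
    if ($term === '' || strlen($term) > 64 || !ctype_alnum($term)) {
        return null;
    }
    return $term;
}

/** Encode a value for an HTML text or quoted-attribute context. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs standing in for $_GET['search'].
$samples = ['php5', 'hello world', '<b>bold</b>', '<script>alert(1)</script>', ['x']];

foreach ($samples as $raw) {
    $term  = validate_search($raw);
    $shown = is_string($raw) ? h($raw) : '(non-string input)';
    if ($term === null) {
        // Even the rejection message echoes the input only after encoding.
        echo "Rejected: {$shown}\n";
        continue;
    }
    // Still encode at output: the allow-list may be relaxed later.
    echo 'Searching for: ' . h($term) . "\n";
}
```

Escaping for the database, as discussed in the last post, is a separate step that belongs at the query, not at the HTML output.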
Archived
This topic is now archived and is closed to further replies.