Jump to content

prevent xss attack in textfield

MDanz

By MDanz
in PHP Coding Help

 Share

Recommended Posts

Fog Juice Member

Fog Juice

Posted
Posted

i have this form

 

 <form action="search.php" method="get">
<center>
   <input name="search" type="text" value="" size="25" />
   <input type="submit" name="submit" value="search">

</center>

</form>

 

i want only text and numbers to be input .... no html

 

how to do this?

 

$search = eregi_replace("([A-Z0-9]+)","",$_GET['search']);

Goldeneye Regular Member

Goldeneye

Posted
Posted

If you want only Alpha-Numeric characters, then try the strip_tags() function. You can also do something like this if you find Regular-Expressions too inefficient/confusing:

 

<?php
$_GET['search'] = 'This string contains only Alphabetic characters.';
if(ctype_alnum($str) === false) exit('Invalid characters were detected in your search-query');
else {
	//Execute your code used for valid search-queries
}
?>

 

See ctype_alnum() in the PHP Manual.

 

Don't forget to encode your $_GET['search'] variable with something such as urlencode() before passing it through the URL-Query-String.

gergy008 Member

gergy008

Posted
Posted

i have this form

 

 <form action="search.php" method="get">
<center>
   <input name="search" type="text" value="" size="25" />
   <input type="submit" name="submit" value="search">

</center>

</form>

 

i want only text and numbers to be input .... no html

 

how to do this?

 

Just use the real_escape_string() function.

 

Internet cut out sorry for late reply.

Goldeneye Regular Member

Goldeneye

Posted
Posted

i have this form

 

 <form action="search.php" method="get">
<center>
   <input name="search" type="text" value="" size="25" />
   <input type="submit" name="submit" value="search">

</center>

</form>

 

i want only text and numbers to be input .... no html

 

how to do this?

 

Just use the real_escape_string() function.

 

Internet cut out sorry for late reply.

 

Using mysql_real_escape_string() won't restrict the query to only Alpha-Numeric characters. It will only escape appropriate characters with a back-slash ('\'). mysql_real_escape_string() should only be used for MySQL-Queries.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.