How would I protect......

[MySQL_Narb]

I have a from, actually, a good amount of forms. How can I make it so you can't type the characters: '!~*&^%().;-_ in the form? Where it completely blocks those characters.

[slyte33]

if (!preg_match("/^[-_a-zA-Z0-9]+$/", $_POST['test']))

 

{ //If what your wanting contains those illegal characters...

echo "Contains illegal characters";

}

[MySQL_Narb]

Thank you!

[MySQL_Narb]

Wait, when I added it, everytime I try and post it doesn't work. It keeps saying illegal characters, test here: http://chataddict.netau.net/index.php

 

Username: demo Pass: demo

 

Code:

 

<?php require "global_settings.php"; ?>
<title><?php echo $sitetitle; ?></title>
<center><style type="text/css">

a:link {
color:#24374C;
text-decoration:bold;
}

a:visited {
color:#24374C;
text-decoration:bold;
}

a:active {
outline: none;
color:#24374C;
text-decoration:bold;
}

body {background-color:#b0c4de}

div.box {
width:250px;
padding:10px;
border:3px double #000000;
margin:10px;
background-color:#74AFF2;
}

p
{
border-top-style:dotted;
border-right-style:solid;
border-bottom-style:dotted;
border-left-style:solid;
}

div.menu-blue {
BORDER-RIGHT: #333366 1px solid;
BORDER-LEFT: #6699cc 1px solid;
BORDER-TOP: #6699cc 1px solid;
BORDER-BOTTOM: #333366 1px solid;

FONT-WEIGHT: normal;
FONT-SIZE: 2px;
COLOR: #ffffff;
FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif;
BACKGROUND-COLOR: #23559C;
TEXT-DECORATION: none;
font-stretch : condensed;
}

.menu-top  {
BORDER-RIGHT: 1px solid #333366; BORDER-TOP: 1px solid #6699CC; FONT-WEIGHT: normal; FONT-SIZE: 2px; BORDER-LEFT: 1px solid #6699CC; COLOR: #FFFFFF; BORDER-BOTTOM: 1px solid #333366; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; BACKGROUND-COLOR: #23559C; TEXT-DECORATION: none;
font-stretch : condensed
}

</style>
<center>
<div class='menu-blue'>
<div align="center"> 
<table width="600" cellspacing="1" cellpadding="5" style="background-color:#23559C"> 
<tr> 
<td style="background-color:#FFFFFF"> 


    <div align="center"> 
    <table border="0"> 
    
    </form> 
    </table>
<?php

$con = mysql_connect("$dbhost", "$dbuser", "$dbpassword") or die(mysql_errno());
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
    $_POST = array_map('stripslashes', $_POST);
}

$name = mysql_real_escape_string($_POST['name']);
$message = mysql_real_escape_string($_POST['message']);

    if (!preg_match("/^[-_a-zA-Z0-9]+$/", $message))

   { 
      echo "<div class='box'>Contains illegal characters!</div>";
   }
else
   {

if (!$name) {
    echo "<div class='box'><b><span style='color:red'>You must be logged in to post!</span></b></div>";
}
else
{

//connect
$connect = mysql_connect("$dbhost","$dbuser","$dbpassword") or die("Connection failed!");
mysql_select_db("$db") or die("Database fail!");

//write
$write = mysql_query("INSERT INTO posts VALUES ('','$name','$message')") or die(mysql_error());

echo "<div class='box'><font face='arial'><b><span style='color:green'>Posted! Your name was:</span> $name</b> - Your message was....<br><br><b>$message - <a href='index.php'>View it!</a></b>";
}
   }
?>

[slyte33]

Are you replacing $_POST['test'] with $_POST['message'] , as the i gave above says that.

Also add an "exit;" at the end, before the "}"

[MySQL_Narb]

 

if (!preg_match("/^[-_a-zA-Z0-9]+$/", $_POST['message']))
   { 
   echo "<div class='box'>Contains illegal characters!</div>"; 
     exit
   }
   

 

=

 

Parse error: syntax error, unexpected '}' in /home/a5488351/public_html/post.php on line 88

[slyte33]

replace

if (!preg_match("/^[-_a-zA-Z0-9]+$/", $_POST['message']))
   { 
      echo "<div class='box'>Contains illegal characters!</div>";
   }
   exit

 

with

 

if (!preg_match("/^[-_a-zA-Z0-9]+$/", $_POST['message']))
   { 
      echo "<div class='box'>Contains illegal characters!</div>";
exit;
   }
   

[MySQL_Narb]

Still gives me the same crap!

 

"Contains Illegal Characters"

 

When I type in regular text, like: AAA and aaa

 

I know it has something to do with

 

"/^[-_a-zA-Z0-9]+$/"

 

But what?

[slyte33]

Let's test something..

 

replace

 

<textarea name="message" rows="10"></textarea>

 

with

 

<input type=text name=message>

 

see if that helps, it will be a smaller box, but this is for tests 

 

[MySQL_Narb]

I'll try it, and I'll edit this message when I'm done.

 

Still the same thing.

[MySQL_Narb]

It's working now. I don't know why it decides to work now...

 

Thank you!

[MySQL_Narb]

Once again, I found another error.

 

You cannot use spaces or 's...or anything really!

[slyte33]

Sorry, i feel very dumb.. replace all you have with this:

remove any characters contained in the slashes you dont want out:

 

so you can remove any of this:

^[-_a-zA-Z0-9]+$

 

if (preg_match("/^[-_a-zA-Z0-9]+$/", $_POST['message']))

  {

      echo "<div class='box'>Contains illegal characters!</div>";

exit;

  }

[MySQL_Narb]

But it still won't allow periods, quotations, spaces, etc.

[slyte33]

Ok so a much quicker and easier way to do this would be:

 

$message = strip_tags($_POST['message']);

 

then replace:

echo $_POST['message'];

 

with

 

echo "$message";

 

[MySQL_Narb]

Why do you have echo

"$message";

?

 

When messages are posted they are stored in the database and viewed by extracting that data. Whats

echo "$message";

suppose to be?

[slyte33]

$message = strip_tags($_POST['message']);

 

$message is the same thing as echoing out the actual post, except this will strip all html tags from it.

[Zane]

you have your preg_match wrong.. the ^ (carrot) should be inside the brackets.

if (preg_match("/[^-_a-zA-Z0-9]+/", $_POST['test']))

[cags]

"/[^-_a-zA-Z0-9]+/" 

Will match one or more of any character other than those listed.

 

^[-_a-zA-Z0-9]+$

Will match if the string consists of only the allowed characters.

 

Are they not both equally viable options? The only difference is whether you consider the item as validated when preg_match returns true or false.

 

you have your preg_match wrong.. the ^ (carrot) should be inside the brackets.

Is that not a caret character as opposed to an orange vegetable?