MySQL_Narb Posted October 24, 2009

Alright, I want to protect some forms of mine from SQL injections, because I had someone earlier spamming, and not just regular spamming. They edited all the current user posts to their name, and somehow started commenting without being logged in or making an account. So, is there any way I can protect a form from these two characters ONLY: *`

Thanks, and please don't submit code that blocks out the option to use any spaces or periods, etc. I just want those two blocked ONLY.
mikesta707 Posted October 24, 2009

mysql_real_escape_string() is commonly used for protecting against SQL injections.
MySQL_Narb (Author) Posted October 24, 2009

I've tried it before, but it's not really working. They are getting past it. I think the easiest way to block 'em is just the way I asked for. But thanks, and it always made this r/n/ or whatever it was at the end of messages.
mikesta707 Posted October 24, 2009

Well, mysql_real_escape_string() is made specifically to protect SQL queries against SQL injections. Are you sure that it was a SQL injection? How were you using mysql_real_escape_string()?
MySQL_Narb (Author) Posted October 24, 2009

I removed my code already. I forgot how I would use it.
PFMaBiSmAd Posted October 24, 2009

Without mysql_real_escape_string() to protect against SQL injection, a hacker can easily dump all the information in your tables. This would give him information about usernames and, assuming you are not hashing your passwords, it would directly give him those; and if you are hashing your passwords but are not using a 'salt' string, he could easily determine commonly used passwords. Your user login system could also not actually be preventing access to the forms and form processing code.

Edit: and if your login system is just what you posted in the other thread, where if the $_POST['name'] value is not in your banned table you allow a post to be INSERTED, that is not going to stop anybody. All they need to do is use any name that has not yet been banned.
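The two problems raised above (user input spliced into SQL, and a form handler that does not itself check the login) can be fixed together. The following is an added example, not code from the thread; it assumes a comments(id, user_id, body) table, a PDO connection, and that the site's login code sets $_SESSION['user_id'].

```php
<?php
// Added example (not from the thread). Assumed schema: comments(id, user_id, body).
// Assumed: the login code sets $_SESSION['user_id'] on successful login.
session_start();

function connect()
{
    // Assumed connection details; replace with your own.
    return new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

// The handler itself verifies the login. A ban list keyed on a user-supplied
// $_POST['name'] is bypassed by simply choosing a name that is not banned yet.
function requireLogin()
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('You must be logged in to do that.');
    }
    return (int) $_SESSION['user_id'];
}

// Insert: the comment text is bound as a parameter, so quotes, backticks,
// asterisks or anything else in it are data, never part of the SQL statement.
function insertComment(PDO $pdo, $userId, $body)
{
    $body = trim($body);
    if ($body === '' || strlen($body) > 4000) {
        http_response_code(400);
        exit('Comment must be between 1 and 4000 characters.');
    }
    $stmt = $pdo->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => $body]);
}

// Edit: the WHERE clause binds both the comment id and the logged-in user's id,
// so a visitor can only change their own posts, not every post on the site.
function editComment(PDO $pdo, $userId, $commentId, $body)
{
    $stmt = $pdo->prepare('UPDATE comments SET body = :body WHERE id = :id AND user_id = :uid');
    $stmt->execute([':body' => trim($body), ':id' => (int) $commentId, ':uid' => $userId]);
    return $stmt->rowCount(); // 0 means "not your comment" (or no such comment)
}

$userId = requireLogin();
$pdo    = connect();
insertComment($pdo, $userId, isset($_POST['body']) ? $_POST['body'] : '');
```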
MySQL_Narb (Author) Posted October 24, 2009

But how would I just block out the certain characters I want to block out?
MadTechie Posted October 24, 2009

Just replace it with nothing: str_replace()
mrMarcus Posted October 24, 2009

Why just these two characters: *`

What if I was to insert: " /><script>window.location="http://www.example.com";</script>

I didn't use either of your *` characters, and now every time somebody goes to the page where I left the comment, they get redirected to http://www.example.com.

You might want to think about some heavier sanitizing than just: *`

EDIT: and a simple redirection XSS attack is the least of your worries. With JavaScript, cookies can be manipulated/set/read, iframes can be inserted to execute malicious scripts, and much, much more.
PFMaBiSmAd Posted October 24, 2009

All data (content) that comes from an external source that is being output on a web page needs this: http://www.phpfreaks.com/forums/index.php/topic,274065.msg1295197.html#msg1295197 to prevent any HTML/CSS/JavaScript in it from being rendered as HTML/CSS/JavaScript.
MadTechie Posted October 24, 2009

Quote (MySQL_Narb): But how would I just block out the certain characters I want to block out?

MySQL_Narb seems to know exactly what he wants and is not taking advice, so I'm letting him get on with it.
keldorn Posted October 24, 2009

\r\n means a new line.

$input = htmlentities($_POST['var'], ENT_QUOTES);

That will turn things like ' and " into &quote; which will appear in the browser as a ' or ".

If it's not SQL injection you may have deep security holes in your script. A lot of the time you can send POSTs or GETs via cURL or fputs and do stuff you can't normally do with a browser. Remember: validate all user inputs. For all scripts, make sure they're logged in to access them if they're protected.
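The XSS point made by mrMarcus and the output-escaping advice from PFMaBiSmAd and keldorn come down to one rule: escape every externally supplied value at the moment it is written into HTML. The following is an added example, not code from the thread; it escapes on output with htmlspecialchars() (htmlentities() would work the same way here) and uses constructed sample rows in place of a SELECT from the comments table.

```php
<?php
// Added example (not from the thread): render stored comments as text, never as markup.

// ENT_QUOTES escapes both ' and ", so the result is also safe inside a quoted
// HTML attribute; the explicit charset avoids surprises with multibyte input.
function e($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Renders one comment. Escape first, then convert the stored \r\n line breaks
// (the "r/n" the original poster noticed) into <br /> tags.
function renderComment(array $c)
{
    $html  = '<div class="comment" data-author="' . e($c['name']) . '">';
    $html .= '<strong>' . e($c['name']) . '</strong>';
    $html .= '<p>' . nl2br(e($c['body'])) . '</p>';
    $html .= "</div>\n";
    return $html;
}

// Constructed sample rows. The second body is the exact string from the thread;
// after e() it contains no raw < > or " characters, so the browser shows it as
// literal text and no redirect happens. Asterisks and backticks needed no
// special treatment at all.
$comments = [
    ['name' => 'alice', 'body' => "Nice post!\r\nThanks."],
    ['name' => 'b<b>o</b>b',
     'body' => '" /><script>window.location="http://www.example.com";</script>'],
];

foreach ($comments as $c) {
    echo renderComment($c);
}
```

Store the raw text and escape on output rather than escaping before the INSERT; the database then holds what the user typed, and the same row can later be emitted safely into HTML, JSON or plain-text email with the escaping appropriate to each.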