
Hello guys!

 

I have an input field called "subject", for example!

 

Now I need to clean out any bad input, if there is some, because it's going to be stored in the db!

 

<?php
$subject0 = $_POST['subject'];

$subject1 = preg_replace('/\n/', '<br />', $subject0); // replace new line with <br />!

$subject2 = mysql_real_escape_string($subject1); // escape for the SQL string literal

$subject3 = htmlspecialchars($subject2); // escapes < and > as well, so the <br /> above becomes &lt;br /&gt;

// insert $subject3 to db!
?>

 

However, the <br /> from the preg_replace is not applied anymore!

All I need behind this is to secure the inputs and replace \n with <br />!

 

Any help will be appreciated !

https://forums.phpfreaks.com/topic/178876-input-security-please-help/

i only have 2 seconds here so someone else will assist .. one thing:

 

no need to rename your initial variable ($subject0) over and over again. just use the same one all the way through; this way, you don't get yourself mixed up.

 

best to create a function to handle your sanitizing.


 

 

Thank you for offering the help!

 

I just want to make it a little bit clearer!

:)

 

I wrote a function for the htmlspecialchars() and mysql_real_escape_string()

Just like:

<?php
// Escape for SQL first, then for HTML.
function clean($text){
    $cleaned = mysql_real_escape_string($text);
    $cleaned = htmlspecialchars($cleaned);

    return $cleaned;
}

// But still ignores the <br /> applying to the subject!
?>

This is the code I use to remove certain text:

 

// strip every character in $before (each is replaced by the empty string)
$before = array('(', ')', '^', '<', '>', '`', '*');
$after  = array('', '', '', '', '', '', '');
$output = str_replace($before, $after, $message);

 

 

Thank you, but that would throw away the <br /> tag!

 

Thanks again for helping!

Is it only specialized in displaying new lines, or will it display things like \t or whatever else?

Only new lines. A browser will render white space (tabs, spaces, returns, etc.) as a single space. nl2br() at least allows you to preserve returns when rendered in the browser. Otherwise, wrapping the output in <pre> tags will preserve all white space.

Look at this !

:(

 

This worked out with everything, probably! But not with double and single quotes!

Hello "world"! OR Hello 'World'!

would be \"World\" OR \'World\' when displaying it!

 

Help please

 

<?php
error_reporting(E_ALL & ~E_NOTICE); // was E_ALL & E_NOTICE, which evaluates to E_NOTICE alone

$con = mysql_connect("localhost", "root", "root");
$db = mysql_select_db("posting");

if(isset($_POST['submit'], $_POST['post'])){
    $post = $_POST['post'];
    if(empty($post)){
        echo 'It\'s empty!';
        die();
    }else{
        // strip tags, escape for SQL, then escape for HTML before storing
        $cleaned = strip_tags($post);
        $cleaned = htmlspecialchars(mysql_real_escape_string($cleaned));
        $cleaned = str_replace("%20", "", $cleaned);

        $SQL = mysql_query("INSERT INTO post(post) VALUES('".$cleaned."')");
        if($SQL){
            echo 'INSERTED';
        }
        else{
            echo 'Not!';
        }
    }
}else{
?>
<form action="" method="post">
<textarea name="post"></textarea><br />
<input type="submit" name="submit" value="submit" />
</form>
<?php
    // show the newest post; $row[1] is the post column (column 0 is id)
    $MSQL = mysql_query("SELECT * FROM post order by id DESC limit 1");
    while($row = mysql_fetch_row($MSQL)){
        $r = nl2br($row[1]);
        // $rep = preg_replace('/\\"/', '"', $r); // this did not work!
        echo $r. "<br />"; // Hello \"World\"! <- this is the output looking even in the db !!
    }
}
?>

 

Help please!

So you are saying that when you retrieve information from the database you have slashes in front of characters such as quotes? Well, in that case magic_quotes must be enabled on your server. This means that your characters will be double escaped. To fix it, either disable magic_quotes or call stripslashes on the output before echoing it out.
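The separation the thread keeps running into, as an added example (not code from the thread or from phpfreaks): store the text as typed using a prepared statement, and escape for HTML only when displaying it. It assumes a table post(id, post) and uses placeholder PDO credentials.

```php
<?php
// Added example, not code from the thread. Assumes a table post(id, post)
// and the placeholder PDO credentials below.

// Undo magic_quotes_gpc (PHP < 5.4 only) so the text carries no added backslashes.
function raw_input(string $name): string
{
    $value = $_POST[$name] ?? '';
    if (PHP_VERSION_ID < 50400 && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Storage: the prepared statement does the SQL escaping, so the raw text is
// stored as typed; no mysql_real_escape_string() and no htmlspecialchars() here.
function store_post(PDO $pdo, string $text): void
{
    $stmt = $pdo->prepare('INSERT INTO post (post) VALUES (:post)');
    $stmt->execute([':post' => $text]);
}

// Display: escape for HTML first, then convert newlines, so the <br /> that
// nl2br() inserts is not itself escaped (the ordering problem in the thread).
function render_post(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=posting;charset=utf8mb4',
    'DB_USER',      // placeholder
    'DB_PASSWORD',  // placeholder
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

if (isset($_POST['submit'])) {
    $text = raw_input('post');
    if (trim($text) === '') {
        echo 'It\'s empty!';
        exit;
    }
    store_post($pdo, $text);
}

// Hello "World" is stored as typed and rendered as Hello &quot;World&quot;: no backslashes.
$row = $pdo->query('SELECT post FROM post ORDER BY id DESC LIMIT 1')->fetch(PDO::FETCH_ASSOC);
if ($row) {
    echo render_post($row['post']), "<br />";
}
```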
