hexadeximal Posted January 24, 2010 Share Posted January 24, 2010 Hello, i just signed in and i would apreciate your sophisticated help... lots of my custom dynamic websites where injected...and i tried to create three funtions in order to call them for input validation so as to avoid injections. 1. prot_txt() = protect string inputs such as username, first name etc...(usuallu post values) 2. numer() = protect numerical data usualy id's used in urls 3. prot_email() = protect email inputs (contact forms) to avoid header injections.... please tell me if any of this is vulnerable.... thank you in advance... function prot_txt($str) { $str = utf8_encode($str); $str = utf8_decode($str); $str = str_replace("\"", " ", $str); $str = str_replace("\'", " ", $str); $str = str_replace("alert", " ", $str); $str = str_replace("(", " ", $str); $str = str_replace(")", " ", $str); $str = str_replace("/", " ", $str); $str = str_replace("<", " ", $str); $str = str_replace(">", " ", $str); $str = str_replace(">", " ", $str); $str = str_replace(";", " ", $str); $str = str_replace("\\", " ", $str); $str = str_replace("-", " ", $str); $str = str_replace("--", " ", $str); $str = str_replace("+", " ", $str); $str = str_replace("=", " ", $str); $str = str_replace("on", " ", $str); $str = str_replace("script", " ", $str); $str = str_replace("java", " ", $str); $str = htmlspecialchars($str); $str = addslashes($str); $str = mysql_real_escape_string($str); $str = htmlentities($str); if(substr_count($str, 'alert') > 0 OR substr_count($str, '</') > 0 OR substr_count($str, '<') > 0 OR substr_count($str, '>') > 0 OR substr_count($str, '\"') > 0 OR substr_count($str, '\'') > 0 OR substr_count($str, '\\') > 0 OR substr_count($str, 'mouseover') > 0 OR substr_count($str, '%') > 0 OR substr_count($str, '(') > 0 OR substr_count($str, ')') > 0) { die("No access"); } else { return $str; } } function numer($str) { $str = utf8_encode($str); $str = utf8_decode($str); $str = str_replace("\"", " ", $str); $str = str_replace("\'", " ", $str); $str = str_replace("alert", " ", $str); $str = str_replace("(", " ", $str); $str = str_replace(")", " ", $str); $str = str_replace("/", " ", $str); $str = str_replace(".", " ", $str); $str = str_replace("<", " ", $str); $str = str_replace(">", " ", $str); $str = str_replace(">", " ", $str); $str = str_replace(";", " ", $str); $str = str_replace("\\", " ", $str); $str = str_replace("-", " ", $str); $str = str_replace("+", " ", $str); $str = str_replace("=", " ", $str); $str = str_replace("on", " ", $str); $str = str_replace("script", " ", $str); $str = str_replace("java", " ", $str); $str = htmlspecialchars($str); $str = addslashes($str); $str = mysql_real_escape_string($str); $str = htmlentities($str); if($str <> "") { if(is_numeric($str)) { return $str; } else { die("No access"); } } } function prot_email($str) { $str = utf8_encode($str); $str = utf8_decode($str); //return iconv("ISO-8859-1", "utf-8", $str); if(strpos($str, "<") === false && strpos($str, ">") === false && strpos($str, "'") === false && strpos($str, '"') === false) { $str = htmlspecialchars(addslashes(mysql_real_escape_string($str))); return $str; } else { die("No access"); } } Link to comment https://forums.phpfreaks.com/topic/189636-i-need-your-opinion-regarding-3-security-functions/ Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.