stevengreen22 Posted April 3, 2011

Hi all, I'm working on this site which I'll soon ask the guys in the testing forum to have a peek at. It's essentially an online community that was a uni project that has spiralled and grown exponentially. I've spent many, many hours in front of books and tutorials etc. to put it together and, as far as scripting goes, it seems to be fine.

The problem I'm having: the tutorials that I read / watched were using eregi_replace to protect text fields and this is now unsupported. I want my site to be as secure as it can be, within reason. I've tried using preg_replace instead and have searched for the syntax but I keep getting strange results. I'm working on the "bio" field at the moment and when that works I can move on and apply the same idea to the other fields. This is what I have and what I've changed.

    if ($_POST['parse_var'] == "bio"){
        $bio_body = $_POST['bio_body'];
        //$bio_body = str_replace("'", "'", $bio_body); // was testing this but no joy
        //$bio_body = str_replace("`", "'", $bio_body);
        $bio_body = mysql_real_escape_string($bio_body);
        $bio_body = nl2br(htmlspecialchars($bio_body));

        $bio = $_POST['bio'];
        $bio = eregi_replace("'", "'", $bio); // this works but is not as secure
        $bio = eregi_replace("`", "'", $bio);
        $bio = mysql_real_escape_string($bio);
        $bio = nl2br(htmlspecialchars($_POST['bio']));
        $sqlUpdate = mysql_query("UPDATE members SET bio='$bio' WHERE id='$id'");
        // and so on....
    }

When I change it to str_replace, if I type in "don't" the whole word is deleted. When I type in preg I get an error. Can someone please give me the correct code / syntax for getting the result I want? I just want to make sure that every single field that has a user input is protected against any malicious attacks. Thanks.

Link: https://forums.phpfreaks.com/topic/232549-protecting-input-fields-from-illegal-characters/
stevengreen22 (Author) Posted April 3, 2011

I've just realised one of the mistakes was using bio_body instead of bio. Please check the code anyway.
stevengreen22 (Author) Posted April 3, 2011

    $bio = preg_replace('#[^A-Za-z 0-9]#i', '', $_POST['bio']);

This works in eliminating EVERYTHING from the field but... I'd like people to be able to write "don't" etc.
stevengreen22 (Author) Posted April 3, 2011

Can anyone help please?
stevengreen22 (Author) Posted April 3, 2011

No one at all.... wow.... good effort
fxuser Posted April 3, 2011

I would try something like this:

    $var = preg_replace('/[A-Za-z0-9']*/', '', "$var");
sasa Posted April 4, 2011

    $bio = preg_replace('#[^A-Za-z 0-9\']#i', '', $_POST['bio']);
stevengreen22 (Author) Posted April 4, 2011

Hi, thanks for the ideas, I'm still having no success. Below is the full code for that parsing script. I think there may be an issue somewhere else but I can't see it (am new to php).

    if ($_POST['parse_var'] == "bio"){
        $bio = $_POST['bio'];
        $bio = str_replace("'", "′", $bio);
        //$bio = str_replace("`", "′", $bio);
        $bio = mysql_real_escape_string($bio);
        $bio = nl2br(htmlspecialchars($bio));
        $bio = preg_replace('#[^A-Za-z 0-9]#i', '', $_POST['bio']); //' is not allowed
        //$bio = preg_replace('#[^A-Za-z 0-9]#i', '', $_POST['bio']); //' cancels entire text with error
        //$bio = preg_replace('#[^A-Za-z 0-9\']#i', '', $_POST['bio']); //doesn't load, parse error
        //$bio = preg_replace('/[A-Za-z0-9']*/', '', "$bio"); //was working - original
        //$bio = $_POST['bio'];
        //$bio = eregi_replace("'", "'", $bio);
        //$bio = eregi_replace("`", "'", $bio);
        //$bio = mysql_real_escape_string($bio);
        //$bio = nl2br(htmlspecialchars($_POST['bio']));
        $sqlUpdate = mysql_query("UPDATE members SET bio='$bio' WHERE id='$id'");
        if ($sqlUpdate){
            $success_msg = '<font color="#009900">Your About section has been updated.</font>';
        } else {
            $error_msg = '<font color="#FF0000">Problems connecting to server, please try again later.</font>';
        }
    }
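An added worked example, not code from any poster in this thread: the approaches tried above all try to make one string both SQL-safe and HTML-safe by stripping or rewriting quote characters before it is pasted into the query, which is why "don't" keeps disappearing. Separating the three concerns removes the conflict: validate the text, hand it to the database through a prepared statement so a quote never reaches the SQL parser, and encode for HTML only at render time. The example assumes a `members` table with `id` and `bio` columns and a PDO driver; the in-memory SQLite database, the function names (`validateBio`, `updateBio`, `renderBio`) and the sample bio are constructed for the demonstration, and a MySQL DSN would be used the same way.

```php
<?php
// Added example (not from the thread). Assumptions: a `members` table with
// `id` and `bio` columns, and PDO with the pdo_sqlite driver available so the
// script runs stand-alone. Swap the DSN for a MySQL one in a real deployment.

// Validation: keep the text as typed. Do not strip or rewrite quotes; only
// enforce the rules the field really has (here, a length limit).
function validateBio(string $raw): string
{
    $bio = str_replace("\r\n", "\n", trim($raw));
    if (strlen($bio) > 2000) {
        throw new InvalidArgumentException('Bio is too long (max 2000 bytes).');
    }
    return $bio;
}

// SQL safety: the prepared statement carries the value separately from the
// query text, so "don't" (or anything else) cannot alter the statement.
function updateBio(PDO $db, int $id, string $bio): bool
{
    $stmt = $db->prepare('UPDATE members SET bio = :bio WHERE id = :id');
    $stmt->bindValue(':bio', $bio, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    return $stmt->execute() && $stmt->rowCount() === 1;
}

// HTML safety: encode when rendering, not when storing, so the stored text
// stays reusable and the page cannot be injected into.
function renderBio(string $bio): string
{
    return nl2br(htmlspecialchars($bio, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// --- stand-alone demonstration with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, bio TEXT)');
$db->exec("INSERT INTO members (id, bio) VALUES (7, '')");

// Constructed input: an apostrophe, double quotes, a newline and an HTML tag.
$posted = "I don't bite.\r\nI'm \"mostly\" harmless <b>really</b>";

$bio = validateBio($posted);
if (!updateBio($db, 7, $bio)) {
    echo "Update failed\n";
    exit(1);
}

$stored = $db->query('SELECT bio FROM members WHERE id = 7')->fetchColumn();
echo "Stored:   " . $stored . "\n";            // apostrophe and quotes kept verbatim
echo "Rendered: " . renderBio($stored) . "\n"; // quotes and <b> encoded, newline -> <br />
```

The `mysql_*` functions used throughout the thread were removed in PHP 7; `PDO` (or `mysqli` with bound parameters) is the replacement, and with bound parameters there is no longer any reason to run `mysql_real_escape_string` or a character-stripping regex over the text before storing it. If the site also needs a character allow-list for some field (a username, say), that is a validation rule to reject input with, applied in `validateBio`'s position, not a substitute for the prepared statement.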