Secure code has stopped my submit query working...

[seany123]

I had a programmer who was doing a job for me look over one of my pages and added this security to my POST submit button:

 

		##### secure #####
		if(!empty($_POST['user_url']) & preg_match('/(order.*?by|union.*?select|select.*?from|update.*?set|"|\'|\/*)/', $_POST['user_url'])) exit;
		if(!empty($_POST['user_url']) & !preg_match('/https?:\/\/[\w\d:#@%\/;$()~\\_?+-=.&]*/', $_POST['user_url'])) exit;
		#################

 

However now it doesnt matter what i type into the text box it always Exits the script...

 

can anyone see whats happening here?

 

PS. the purpose the of the text box is to insert URLs into my database... so it would need to allow that format.

[Pikachu2000]

First, try changing the bitwise & operators to AND && operators.

[seany123]

Sorry im confused as to what needs changing, as i said somebody else actaully added them two lines, are they really needed for security reasons?

[Pikachu2000]

I didn't say to get rid of the two lines, now did I? Whoever wrote it used the wrong operators. & is a bitwise operator, && is a logical operator. You need the logical operator there.

 

if( empty( . . . ) && preg_match( . . . )
// not 
if( empty( . . . ) & preg_match( . . . )