Can Someone Fix This Code Up For Me?


Guest


Basically, I do NOT want these characters to be allowed in username, title, or message fields:  <,>, and any other that can have my site vulnerable to injections and whatnot.  The current codes I use take the disapproved characters out, but post a blank post on my forums if you use them in the user,title, or message fields.  So, it shows no poster or clickable title.  I just need the code fixed up so it can't be used for injections and all that.


<script src="http://code.jquery.com/jquery-latest.js" type="text/javascript" charset="utf-8"></script>
<script language="javascript" type="text/javascript">
//<![CDATA[
$(document).ready(function(){
$("form#formpost").submit(function() {
var success = 0;
var username     = $('#user').attr('value');
	$.ajax({
		type: "GET",
		url: "userthread.php",
		data: "username="+ username,
		success: function(r){
			success = r;
		}, async:false
	});
	if(success == 1) {
		alert("Username already taken.");
		return false;
	}else return true;
});
});
//]]>
</script>

<center>
<center>
<table height="300px" bgcolor="#FFFF00" cellspacing="1" width="75%">
<tbody>
<tr>
<td>
<table height="433" bgcolor="#000000" cellpadding="10px" cellspacing="1" width="995">
<tbody>
<tr>
<td bgcolor="#000000" valign="top" width="20%">

<div id="menu" align="right" >
<a href="/forums/index.php">HOME</a> | 
<a href="mailto:xxxxxxx@xxxxxxxx.com">CONTACT</a> | 
<a href="">ABOUT (soon)</a>
</div>

<?php 
$host="localhost";
$user="xxxxxxx_xxxxxxx";
$pass="xxxxxxxxxxx";
$fid = $_GET['fid'];
require "global.php"; 
if ($_POST)
{
if (! trim($message) ) {
// message is blank
}
try{
$dbh = new PDO("mysql:host=$host;dbname=xxxxxxx_xxxxxxx", $user, $pass);

$user = preg_replace("/[^A-Z a-z0-9]/", "", $_POST['user']);
$password = $_POST['password'];
$message = preg_replace("/[^A-Za-z0-9]/", "", $_POST['message']);
$title = $_POST['title'];
$date = time();
//*** set the error reporting attribute ***//
   $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
//insert and count
$data = $dbh->exec("INSERT INTO threads (tid, fid, title, user, dateline) VALUES (DEFAULT, $fid, '$title', '$user', $date)");
$fid = $dbh->lastInsertId();
//$data = sprintf("INSERT INTO posts VALUES (DEFAULT, $tid, '$user', '$message', $date)");
//mysql_query($data);
//header( 'Location: viewthread.php?tid='.$tid );
header( 'Location: newpost.php?fid='.$fid );
exit;
//close connection
$dbh = NULL;
}
catch(PDOException $e)
    {
    echo $e->getMessage();
    }
}
echo '
<font size=5><b>Add a New Post:</b></font>
<form action="" method="POST" name="formpost" id="formpost">
<table>
<tr><td>Username:</td><td><input name="user" id="user" /></td></tr>
<tr><td>Password (optional):</td><td><input type="password" name="password"></td></tr>
<tr><td>Post Title:</td><td><input name="title" /></td></tr>
<tr><td valign="top">Message: </td><td><textarea rows="10" cols="50" name="message"></textarea></td></tr>
</table>
<input type="submit" value=" Add new post " />
</form>';
?>
</center>


Thanks!

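The safer way to do what the form handler above tries to do is to stop filtering characters out of the input altogether and instead keep user data out of the SQL text (prepared statements) and escape it when it is rendered back into HTML. The following is an added example written for this thread, not the poster's code: it assumes the same `threads` table (columns `tid`, `fid`, `title`, `user`, `dateline`) and the same `viewthread.php` / `newpost.php` pages as the posted script, and the database credentials are placeholders.

```php
<?php
// Added example (not the original poster's code): the same insert done with
// PDO prepared statements, so user input never becomes part of the SQL text.
// Assumes a `threads` table with columns tid, fid, title, user, dateline, as in
// the posted query. Credentials below are placeholders.

function connectDb(string $host, string $dbname, string $user, string $pass): PDO
{
    $dsn = "mysql:host=$host;dbname=$dbname;charset=utf8mb4";
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
    ]);
}

// Validate the forum id as an integer instead of pasting $_GET['fid'] into SQL.
function readForumId(array $get): int
{
    $fid = filter_var($get['fid'] ?? null, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($fid === false) {
        throw new InvalidArgumentException('fid must be a positive integer');
    }
    return $fid;
}

// Trim and length-check a text field. Rejecting empty fields is what avoids the
// blank posts described in the question. Characters such as < and > are kept:
// they are harmless inside a bound parameter and are escaped on output instead.
function readTextField(array $post, string $name, int $maxLen): string
{
    $value = trim((string)($post[$name] ?? ''));
    if ($value === '' || mb_strlen($value) > $maxLen) {
        throw new InvalidArgumentException("$name must be 1-$maxLen characters");
    }
    return $value;
}

// Insert the thread row; the values are bound, never interpolated.
function insertThread(PDO $pdo, int $fid, string $title, string $user): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO threads (fid, title, user, dateline) VALUES (:fid, :title, :user, :dateline)'
    );
    $stmt->execute([
        ':fid'      => $fid,
        ':title'    => $title,
        ':user'     => $user,
        ':dateline' => time(),
    ]);
    // lastInsertId() is the new thread id (tid); the posted script stores it in
    // $fid and redirects with it as a forum id, which mixes the two up.
    return (int) $pdo->lastInsertId();
}

// Escape at render time, so stored text cannot inject markup into the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $pdo   = connectDb('localhost', 'DB_NAME_PLACEHOLDER',
                           'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
        $fid   = readForumId($_GET);
        $title = readTextField($_POST, 'title', 100);
        $user  = readTextField($_POST, 'user', 30);
        $tid   = insertThread($pdo, $fid, $title, $user);
        header('Location: viewthread.php?tid=' . $tid);
        exit;
    } catch (InvalidArgumentException $e) {
        echo '<p>' . h($e->getMessage()) . '</p>';
    } catch (PDOException $e) {
        error_log($e->getMessage()); // log the detail; do not echo it to the visitor
        echo '<p>Could not save the post.</p>';
    }
}
```

Whatever the fields later echo (the thread title in a listing, the username next to a post) goes through `h()` at that point; the database row keeps the text exactly as typed.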

You can use mysql_real_escape_string()  to prevent injections from user content.


http://php.net/manual/en/function.mysql-real-escape-string.php


A MySQL connection is required before using mysql_real_escape_string() otherwise an error of level E_WARNING is generated, and FALSE is returned. If link_identifier isn't defined, the last MySQL connection is used.


Note:


If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice.


Note:


If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks.


Note: mysql_real_escape_string() does not escape % and _. These are wildcards in MySQL if combined with LIKE, GRANT, or REVOKE.


EDIT: added notes

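Putting the three notes from that reply together (a live connection is required, undo magic_quotes first, and % and _ need separate handling under LIKE), here is an added example that is not part of the reply. It uses mysqli_real_escape_string(), the mysqli equivalent of the function named above with the same escaping rules; the old mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0. The connection details are placeholders, and the `threads` table layout is assumed from the code in the question.

```php
<?php
// Added example (not the replier's code): applying the notes from the reply
// with mysqli_real_escape_string(), the mysqli counterpart of
// mysql_real_escape_string(). Assumes a `threads` table with tid, title and
// user columns as in the question. Credentials are placeholders.

// Undo magic_quotes_gpc (PHP < 5.4) before escaping, so data is not escaped
// twice. On newer PHP the function does not exist and nothing is stripped.
function rawInput(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Escape a value for use inside a quoted SQL string literal. A live connection
// is required because the escaping depends on the connection's character set.
function sqlString(mysqli $db, string $value): string
{
    return "'" . mysqli_real_escape_string($db, rawInput($value)) . "'";
}

// For LIKE patterns ordinary escaping is not enough: % and _ are wildcards.
// Escape the string first, then prefix the wildcards with a backslash, which
// MySQL keeps as \% and \_ inside a literal and treats as a literal match.
function sqlLikeLiteral(mysqli $db, string $value): string
{
    $escaped = mysqli_real_escape_string($db, rawInput($value));
    $escaped = str_replace(['%', '_'], ['\\%', '\\_'], $escaped);
    return "'%" . $escaped . "%'";
}

// The check the posted jQuery code asks userthread.php for: is this username
// already used on a thread? Returns true when it is.
function usernameTaken(mysqli $db, string $user): bool
{
    $sql    = 'SELECT 1 FROM threads WHERE user = ' . sqlString($db, $user) . ' LIMIT 1';
    $result = mysqli_query($db, $sql);
    if ($result === false) {
        throw new RuntimeException('query failed: ' . mysqli_error($db));
    }
    return mysqli_num_rows($result) > 0;
}

// Title search where a user-supplied "%" or "_" must match literally.
function searchTitles(mysqli $db, string $needle): array
{
    $sql    = 'SELECT tid, title FROM threads WHERE title LIKE ' . sqlLikeLiteral($db, $needle);
    $result = mysqli_query($db, $sql);
    if ($result === false) {
        throw new RuntimeException('query failed: ' . mysqli_error($db));
    }
    return mysqli_fetch_all($result, MYSQLI_ASSOC);
}

$db = mysqli_connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db === false) {
    exit('connection failed');
}
// Set the charset through the API (not "SET NAMES") so the escaper knows it.
mysqli_set_charset($db, 'utf8mb4');

// What userthread.php would return to the AJAX check: "1" when taken, "0" otherwise.
echo usernameTaken($db, rawInput((string)($_GET['username'] ?? ''))) ? '1' : '0';
```

Escaping like this is only correct for values placed inside quoted string literals; an unquoted number such as the `$fid` in the question needs validation as an integer instead, and a prepared statement avoids the whole class of mistakes.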

There are so many codes on that page, though.  Not sure which to use.  That's why I was hoping someone could do it for me since I supplied the code.  :P


There are so many codes on that page, though.  Not sure which to use.  That's why I was hoping someone could do it for me since I supplied the code.  :P


If you want someone to work for you, post your request in the freelance board. This board is for *help* with your own code.
