Love2c0de Posted June 18, 2012

Hello, I have a site which allows users to upload files and download files. I am trying to validate the user input in the text form fields to make sure no special characters are found. Here is my code:

```php
<?php
$form = "<form action='index.php' method='POST' enctype='multipart/form-data'>
<table>
<tr>
<td>Demo Title:</td>
<td><input type='text' name='title' /></td>
</tr>
<tr>
<td>Description:</td>
<td><textarea name='description' cols='35' rows='5'></textarea></td>
</tr>
<tr>
<td></td>
<td><input type='file' name='myfile' /></td>
</tr>
<tr>
<td></td>
<td><input type='submit' name='submitbutton' value='Submit' /></td>
</tr>
</table>
</form>";

function check_input($data)
{
    $illegalChars = "!@#$%^&*()+=-[]\\\';,./{}|\":<>?";

    // Check whether $data contains any of the illegal characters.
    if (strpbrk($data, $illegalChars) !== false) {
        // if an illegal character was found...
    }

    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data, ENT_QUOTES);
    $data = mysql_real_escape_string($data);
    return $data;
}

if (isset($_POST['submitbutton'])) {
    // mysql_real_escape_string() needs an open connection, so connect first.
    require("connect.php");

    $title = check_input($_POST['title']);
    $description = check_input($_POST['description']);

    $name = $_FILES['myfile']['name'];
    $type = $_FILES['myfile']['type'];
    $size = $_FILES['myfile']['size'];
    $tmpname = $_FILES['myfile']['tmp_name'];
    $date = date("d/m/Y");
    $ext = substr($name, strrpos($name, '.'));

    if ($type != "application/octet-stream") {
        echo "$form.You cannot upload that file type. 
.dem files only!";
    } else {
        if ($name) {
            if ($title && $description) {
                $query = mysql_query("INSERT INTO demos VALUES ('', '$name','$title', '$description', '$date')");
                move_uploaded_file($tmpname, "files/"."$name");
                echo "$form.Your file has been successfully uploaded.";
            } else {
                echo "$form.You did not fill in the form completely.";
            }
        } else {
            echo "$form.You did not select a file.";
        }
    }
} else {
    echo "$form";
}
```

At the moment, the code is converting the special characters into their relative character code but I want the function to delete any special character from the string. If that's not a good way to do it, I'd like to leave the function as it is, but when displaying the table data back to the page, I'd like it to print only the actual alphanumeric characters and not the converted special characters.

For instance, if I enter abc123xyz~%$ then when reading the table data to the page, I want it to just read abc123xyz.

I hope I have explained well enough. What is the best way to achieve this? Thank you in advance for any information you can put my way.

Regards,
BuNgLe

PeoMachine Posted June 19, 2012

Try to use the preg_replace function:

```php
<?php
$cleanData = preg_replace('/[^a-zA-Z0-9]/', '', $inputData);
?>
```

It will remove all that's not between A-Z, a-z and 0-9.
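
An added example, not part of the original thread: it applies the whitelist from the reply to the title and the uploaded file name, stores values with a PDO prepared statement instead of escaping them, and calls htmlspecialchars() only when printing. The in-memory SQLite database (standing in for MySQL), the column names, the helper names and the sample input are assumptions made for the example.

```php
<?php
// Added example, not the poster's code. Helper names, column names and the
// in-memory SQLite database (standing in for MySQL) are assumptions.

// Whitelist from the reply above: keep only ASCII letters and digits.
function strip_non_alnum(string $data): string
{
    return (string) preg_replace('/[^a-zA-Z0-9]/', '', $data);
}

// Reduce a client-supplied file name to "<alnum>.dem", or null if it cannot be.
function safe_demo_filename(string $name): ?string
{
    $base = basename(str_replace('\\', '/', $name)); // drop any directory part
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    $stem = strip_non_alnum(pathinfo($base, PATHINFO_FILENAME));
    return ($ext === 'dem' && $stem !== '') ? $stem . '.dem' : null;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE demos (id INTEGER PRIMARY KEY, name TEXT, title TEXT, description TEXT, date TEXT)');

// Constructed sample input standing in for $_POST and $_FILES['myfile']['name'].
$post = ['title' => 'abc123xyz~%$', 'description' => "Nice <b>round</b>; it's 16-14"];
$uploadName = '../../match one.dem';

$title = strip_non_alnum(trim($post['title']));
$description = trim($post['description']);
$name = safe_demo_filename($uploadName);
if ($title === '' || $description === '' || $name === null) {
    exit("Invalid title, description or file name.\n");
}

// Values are bound as parameters, so no escaping function is needed for storage.
$stmt = $pdo->prepare('INSERT INTO demos (name, title, description, date) VALUES (?, ?, ?, ?)');
$stmt->execute([$name, $title, $description, date('d/m/Y')]);

// Escape only when printing into HTML; the stored description is unchanged.
foreach ($pdo->query('SELECT name, title, description FROM demos') as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), ' | ',
         htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ' | ',
         htmlspecialchars($row['description'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Because the description is stored as typed and escaped only on output, it can still be shown through strip_non_alnum() instead if only letters and digits should appear on the page.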