Filter problem with different versions

oceans · July 2, 2007

Dear People,

I have developed my PHP codes in PHP ver 5.2 (my work is 100% functional), my web server provider gave me ver 5.1, I got all my functions working (I think so, I will be finishing my test soon) EXECPT the following, can any one suggest an alternative.

My idea:

If the user inputs the (‘) (`) (“) (\) change it to (-).

What I used:

function ConvertSingleQuote1($string)
{
return str_replace("'", "-", $string);
}
function ConvertSingleQuote2($string)
{
return str_replace("`", "-", $string);
}
function ConvertDoubleQuote($string)
{
return str_replace("\"", "-", $string);
}
function ConvertSingleBackSlash($string)
{
return str_replace("\\", "-", $string);
}

	$InputFromScreen[$i]=strip_tags(rtrim(ltrim(strtoupper($_POST["Txt".$i]))));
	$InputFromScreen[$i]=filter_var($InputFromScreen[$i], FILTER_CALLBACK,array("options"=>"ConvertSingleQuote1"));
	$InputFromScreen[$i]=filter_var($InputFromScreen[$i], FILTER_CALLBACK,array("options"=>"ConvertSingleQuote2"));
	$InputFromScreen[$i]=filter_var($InputFromScreen[$i], FILTER_CALLBACK,array("options"=>"ConvertDoubleQuote"));
	$InputFromScreen[$i]=filter_var($InputFromScreen[$i], FILTER_CALLBACK,array("options"=>"ConvertSingleBackSlash"));

Please help me thanks.

oceans · July 2, 2007

Dear People,

I think I misled you, only the following portion does NOT go good the rest are OK, I posted the whole thing above to show my intention.

function ConvertSingleBackSlash($string)
{
return str_replace("\\", "-", $string);
}
$InputFromScreen[$i]=filter_var($InputFromScreen[$i], FILTER_CALLBACK,array("options"=>"ConvertSingleBackSlash"));

Thanks..

teng84 · July 2, 2007

you can use preg replace but post it on the regex help

oceans · July 2, 2007

Dear Friend,

I could not understand you, can you (expand) thanks.

teng84 · July 2, 2007

Dear Friend,

I could not understand you, can you (expand) thanks.

you can use preg_replace()

$string='a\'n`a"';

$pattern='(\"|\'|`)';

echo preg_replace($pattern,'-',$string);

sample ^^

oceans · July 2, 2007

Dear Friend,

Thanks, your idea works good but I could not remove (\).

Can you please help thanks.

oceans · July 2, 2007

Dear teng84,

It works, I will try on my server, Thanks for your knid time...

oceans · July 2, 2007

Dear Friend,

Based on your experience, is my precaution enough to save my (mysql) and (php) operations from melicious data entry.

Thanks.

oceans · July 2, 2007

Dear Friends,

Anyone want to contribute, thanks.

mmarif4u · July 2, 2007

AS very simple example :

<?php
$string = 'April 15, 2003';
$pattern = '/(\w+) (\d+), (\d+)/i';
$replacement = '${1}1,$3';
echo preg_replace($pattern, $replacement, $string);
?>

If u want to study it briefly click this link:

http://www.php.net/preg_replace

oceans · July 2, 2007

Thanks Mmarif4U,

I understood Teng84, this portion is working OK with my server space provider. I manage to (‘) (`) (“) (\) change it to (-).

I do all these, so that at run time people will not bring down "page" or worst still bring down "mysql" with bad inputs,

Do you think my filtering is good enough?

$InputFromScreen[$i]=strip_tags(rtrim(ltrim(strtoupper($_POST["Txt".$i]))));

and

preg_replace($pattern, $replacement, $string);

mmarif4u · July 2, 2007

U use a lot of functions in one line, i think its ok.

Do u know that what each function work like strip_tags, ltrim,rtirm.

I think soo u know it well.

In my opinion ur code is ok according to escaping html inputs, some bad characters.

Secure from malicious users input.

One thing if u using db than my suggestion is also use:

mysql_real_escape_string function for filtering data.

oceans · July 2, 2007

Dear mmarif4U,

Thanks, I am worried about malicious inputs, thus I did all that plus (`) (') (") (\) can you give an example on the mysql function. I hope this function will work with my server provider he uses php5.0 and mysql 5.0

thanks.

shell i use it this way

"

$InputFromScreen=mysql_real_escape_string($InputFromScreen);

"

redarrow · July 2, 2007

First thing your php and mysql version are good verry good

there are still hosting companys using php 4.

Why do you use ltrim and rtrim when you can just use trim dont get that at all.

Also how come you dont use mysql_reel_escape() anyway?

Or even addslases to protect your database.

also every form that a user can provide information to the web site must have a gotcha to

make sure that the person submitting is a human and not a bot spammer.

my last quistion why are you not using all theose strip functions in an array?

all the best redarrow.

ps. if you can also tell us why you think your web site goes down

also and a code can prevent this?

mmarif4u · July 2, 2007

Dont worry about ur functions it will work on server, bcoz most service provider use php5.0 and above nowadays.

Other thing to prevent from malicious users u have to filter input from them.

oceans · July 2, 2007

Dear People,

Thanks for pointing out.

(1) Thanks I should trim at one go.

(2) $String= mysql_reel_escape($String); Is this correct

(3) Add slashes ( I don’t understand)

(4) Gothca ( I don’t understand)

(5) I had problem with array pointers earlier, thus I left it as it is

(6) Also I can’t understand your PS question

I am a programmer, but this is the first time I am doing a web based database program, I will take all advices from you, thanks. I really hope you will advice me thanks.

oceans · July 2, 2007

Dear mmarif4U,

I noted that when I placed

"

$InputFromScreen=mysql_real_escape_string($InputFromScreen);

"

along with my regular code, I got database related error message, thus could you please suggest where exectly I should be palcing this.

Dear Redarrow,

Please help me as well.

Thanks

mmarif4u · July 2, 2007

Your Q's:

(1) Thanks I should trim at one go.

(2) $String= mysql_reel_escape($String); Is this correct

(3) Add slashes ( I don’t understand)

(4) Gothca ( I don’t understand)

(5) I had problem with array pointers earlier, thus I left it as it is

(6) Also I can’t understand your PS question

Answers:

1) Yes u can use trim for GET, POST.

2) This will be like this: $string1 = mysql_real_escape_string($string);

3) Add slashes is another php function: u can use it like :

$string1 = mysql_real_escape_string(addslashes(($string)); So now also php is filtering ur data with mysql

function.

4) Gothca: this Captcha not gothca this is a function where a user will put random characters according to the function see here: http://www.captcha.net/

5) It depends on ur skill.

6) Also I can’t understand your PS question (What is mean by PS i did not get it.)

mmarif4u · July 2, 2007

Try it like this:

$InputFromScreen1=$_POST('something');
$InputFromScreen=mysql_real_escape_string($InputFromScreen1);

OR simply:

$InputFromScreen=mysql_real_escape_string($_POST('something'));

oceans · July 2, 2007

Thanks mmaarif4u,

Lets deal one by one

for the real escape i got this error

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\wamp\www\Product\Member\0101LogIn.php on line 66

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\Product\Member\0101LogIn.php on line 66

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Access denied for user 'ODBC'@'localhost' (using password: NO) in C:\wamp\www\Product\Member\0101LogIn.php on line 66

Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\Product\Member\0101LogIn.php on line 66

mmarif4u · July 2, 2007

C:\wamp\www\Product\Member\0101LogIn.php on line 66

Can u post the code above some lines and below some lines of line 66.

Bcoz from where i see this error mean that u not connected to mysql db properly,

Some thing is wrong there.

oceans · July 2, 2007

ok ok ok yes yes yes i agree ( sorry i sould give you good full picture of what i do)

	
if (isset($_POST['Submit'])) 
{
for ($i=1; $i<=$NumberOfTxtBoxes; $i++)
{
	$InputFromScreen[$i]=strip_tags(rtrim(ltrim(strtoupper($_POST["Txt".$i]))));
	$InputFromScreen[$i]=filter_var($InputFromScreen[$i], FILTER_CALLBACK,array("options"=>"ConvertSingleQuote1"));
	$InputFromScreen[$i]=filter_var($InputFromScreen[$i], FILTER_CALLBACK,array("options"=>"ConvertSingleQuote2"));
	$InputFromScreen[$i]=filter_var($InputFromScreen[$i], FILTER_CALLBACK,array("options"=>"ConvertDoubleQuote"));
	$InputFromScreen[$i]=filter_var($InputFromScreen[$i], FILTER_CALLBACK,array("options"=>"ConvertSingleBackSlash"));
	$InputFromScreen[$i]=addslashes($InputFromScreen[$i]);
                          $InputFromScreen[$i]=mysql_real_escape_string( $InputFromScreen[$i]);

}
}

line 66 is the "mysql_real_escape_string"

I agree i have not conencted to db at this point, i am collecting and storing first

"ad slash" working good

I think Red arrow mentioned to "(`) (') (") (\)" as why I did not use array, ok since I am using "preg_replace" I will leave it as it is.

I mean the PS is "ps. if you can also tell us why you think your web site goes down

also and a code can prevent this?"

mmarif4u · July 2, 2007

Here bcoz the data is coming from array so it will give error using mysql_real_escape_string.

I will suggest u to use either addslashes or stripslashes.

oceans · July 2, 2007

Mmarif4U,

You want me to

use

$InputFromScreen[$i]=addslashes($InputFromScreen[$i]);

AND

$InputFromScreen[$i]=stripslashes($InputFromScreen[$i]);

and do not use your

$InputFromScreen[$i]=mysql_real_escape_string( $InputFromScreen[$i]);

in fact I personaly came up with (`) (') (") (\) to save my DB.

I don't mind sweating a little more to put in (mysql_real_escape_string) some where.

mmarif4u · July 2, 2007

Mmarif4U,

You want me to

use

$InputFromScreen[$i]=addslashes($InputFromScreen[$i]);

AND

$InputFromScreen[$i]=stripslashes($InputFromScreen[$i]);

and do not use your

$InputFromScreen[$i]=mysql_real_escape_string( $InputFromScreen[$i]);

in fact I personaly came up with (`) (') (") (\) to save my DB.

I don't mind sweating a little more to put in (mysql_real_escape_string) some where.

Yes u can use it like that.

For mysql_real_escape_string u can use somewhere else.

but my suggestion is use mysql_real_escape_string or stripslashes in ur future coding.

Hope this is will help u.

Sign In

Filter problem with different versions

Recommended Posts

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Link to comment

Share on other sites

Archived

Important Information