Jump to content


Photo

Function not working right


  • Please log in to reply
4 replies to this topic

#1 Thy Gamer

Thy Gamer
  • New Members
  • Pip
  • Newbie
  • 3 posts

Posted 02 April 2006 - 10:16 PM

<?php
function SafeGurad($tempinput) {
$tempinput = str_replace("%20","",$tempinput);
$tempinput = addslashes($tempinput);
$tempinput = str_replace("javascript","No_Java_Script_Allowed!",$tempinput);
$tempinput = str_replace("</script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("<script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("SELECT * FROM","No_SQL_Script_Aloud!",$tempinput);
$tempinput = str_replace("<","&lt",$tempinput);
$tempinput = str_replace(">","&gt",$tempinput);
//return $tempinput;
return($tempinput); //Not sure what one to use but they aint working
//Echo $tempinput;
}

$tempinput = " /<>/<r>/<R>/\/\/\/\/\<B><R><R> LOL PANTS javascript SELECT * FROM";
SafeGurad($tempinput);

php?>

It does not filter threw like it should, any idea why?

#2 ToonMariner

ToonMariner
  • Members
  • PipPipPip
  • Advanced Member
  • 3,342 posts
  • LocationNewcastle upon Tyne, UK

Posted 03 April 2006 - 01:23 AM

From your code I can olny guess that the <> replacements are not workin as expected.

&gt &lt need a ; after them!
follow me on twitter @PHPsycho

#3 kenrbnsn

kenrbnsn
  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • LocationHillsborough, NJ, USA

Posted 03 April 2006 - 05:04 AM

You should also look at the function [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities[/a]().

BTW, the world you have spelled "Aloud" is really spelled "Allowed". If English is not your first language I can understand your mistake. If it is, I suggest learning how to use the correct word for the context.

Ken

#4 Guest_footballkid4_*

Guest_footballkid4_*
  • Guests

Posted 03 April 2006 - 05:21 AM

[!--quoteo(post=361104:date=Apr 2 2006, 10:04 PM:name=kenrbnsn)--][div class=\'quotetop\']QUOTE(kenrbnsn @ Apr 2 2006, 10:04 PM) View Post[/div][div class=\'quotemain\'][!--quotec--]
You should also look at the function [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities[/a]().

BTW, the world you have spelled "Aloud" is really spelled "Allowed". If English is not your first language I can understand your mistake. If it is, I suggest learning how to use the correct word for the context.

Ken
[/quote]
I was looking at that too, and I was just about to post about it.

Here are a few other things you should know:
1) You don't need to replace any of the SELECT * FROM's to anthing, because you aren't putting this statement inside mysql_query(), PHP just interprets it as regular text.
- Another reason: Even if you replaced SELET * FROM, what stops them from using: DROP TABLE table, or TRUNCATE TABLE table, or INSERT INTO table, or UPDATE table, or DELETE FROM table, or SELECT columname FROM table, or CREATE TABLE, or any of the other syntax bases.

2) You really don't need to change out <script> for anything either if you are using htmlentities()
- Also, this poses a similar problem as the last one. Say you wanted to replace <script>, but the user typed <script language="javascript"> or even <script language="javascript" asdf="yes"> which most good browsers will still understand

You should really get into preg_replace for what you are trying to do:
preg_replace( "@<script[^>].+?>@is" , "" , $input )
etc...

#5 Kyo765

Kyo765
  • New Members
  • Pip
  • Newbie
  • 1 posts

Posted 04 April 2006 - 08:07 PM

<?php
error_reporting(E_ALL);
function SafeGurad($tempinput) {
$tempinput = str_replace("%20","",$tempinput);
$tempinput = addslashes($tempinput);
$tempinput = str_replace("javascript","No_Java_Script_Allowed!",$tempinput);
$tempinput = str_replace("</script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("<script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("SELECT * FROM","No_SQL_Script_Aloud!",$tempinput);
$tempinput = str_replace("<","&lt",$tempinput);
$tempinput = str_replace(">","&gt",$tempinput);
return $tempinput;

}

$tempinput = "%20 /<>///\/\/\/\/\ LOL PANTS javascript SELECT * FROM";
echo SafeGurad($tempinput);
php?>

you got to fix your spelling and logic yourself tho.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users