Jump to content

Archived

This topic is now archived and is closed to further replies.

Thy Gamer

Function not working right

Recommended Posts

[code]<?php
function SafeGurad($tempinput) {
$tempinput = str_replace("%20","",$tempinput);
$tempinput = addslashes($tempinput);
$tempinput = str_replace("javascript","No_Java_Script_Allowed!",$tempinput);
$tempinput = str_replace("</script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("<script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("SELECT * FROM","No_SQL_Script_Aloud!",$tempinput);
$tempinput = str_replace("<","&lt",$tempinput);
$tempinput = str_replace(">","&gt",$tempinput);
//return $tempinput;
return($tempinput); //Not sure what one to use but they aint working
//Echo $tempinput;
}

$tempinput = " /<>/<r>/<R>/\/\/\/\/\<B><R><R> LOL PANTS javascript SELECT * FROM";
SafeGurad($tempinput);

php?> [/code]

It does not filter threw like it should, any idea why?

Share this post


Link to post
Share on other sites
From your code I can olny guess that the <> replacements are not workin as expected.

&gt &lt need a ; after them!

Share this post


Link to post
Share on other sites
You should also look at the function [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities[/a]().

BTW, the world you have spelled "Aloud" is really spelled "Allowed". If English is not your first language I can understand your mistake. If it is, I suggest learning how to use the correct word for the context.

Ken

Share this post


Link to post
Share on other sites
Guest footballkid4
[!--quoteo(post=361104:date=Apr 2 2006, 10:04 PM:name=kenrbnsn)--][div class=\'quotetop\']QUOTE(kenrbnsn @ Apr 2 2006, 10:04 PM) [snapback]361104[/snapback][/div][div class=\'quotemain\'][!--quotec--]
You should also look at the function [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities[/a]().

BTW, the world you have spelled "Aloud" is really spelled "Allowed". If English is not your first language I can understand your mistake. If it is, I suggest learning how to use the correct word for the context.

Ken
[/quote]
I was looking at that too, and I was just about to post about it.

Here are a few other things you should know:
1) You don't need to replace any of the SELECT * FROM's to anthing, because you aren't putting this statement inside mysql_query(), PHP just interprets it as regular text.
- Another reason: Even if you replaced SELET * FROM, what stops them from using: DROP TABLE table, or TRUNCATE TABLE table, or INSERT INTO table, or UPDATE table, or DELETE FROM table, or SELECT columname FROM table, or CREATE TABLE, or any of the other syntax bases.

2) You really don't need to change out <script> for anything either if you are using htmlentities()
- Also, this poses a similar problem as the last one. Say you wanted to replace <script>, but the user typed <script language="javascript"> or even <script language="javascript" asdf="yes"> which most good browsers will still understand

You should really get into preg_replace for what you are trying to do:
[code]preg_replace( "@<script[^>].+?>@is" , "" , $input )[/code]
etc...

Share this post


Link to post
Share on other sites
[code]
<?php
error_reporting(E_ALL);
function SafeGurad($tempinput) {
$tempinput = str_replace("%20","",$tempinput);
$tempinput = addslashes($tempinput);
$tempinput = str_replace("javascript","No_Java_Script_Allowed!",$tempinput);
$tempinput = str_replace("</script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("<script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("SELECT * FROM","No_SQL_Script_Aloud!",$tempinput);
$tempinput = str_replace("<","&lt",$tempinput);
$tempinput = str_replace(">","&gt",$tempinput);
return $tempinput;

}

$tempinput = "%20 /<>///\/\/\/\/\ LOL PANTS javascript SELECT * FROM";
echo SafeGurad($tempinput);
php?>
[/code]

you got to fix your spelling and logic yourself tho.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.