Jump to content

Function not working right


Thy Gamer

Recommended Posts

[code]<?php
function SafeGurad($tempinput) {
$tempinput = str_replace("%20","",$tempinput);
$tempinput = addslashes($tempinput);
$tempinput = str_replace("javascript","No_Java_Script_Allowed!",$tempinput);
$tempinput = str_replace("</script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("<script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("SELECT * FROM","No_SQL_Script_Aloud!",$tempinput);
$tempinput = str_replace("<","&lt",$tempinput);
$tempinput = str_replace(">","&gt",$tempinput);
//return $tempinput;
return($tempinput); //Not sure what one to use but they aint working
//Echo $tempinput;
}

$tempinput = " /<>/<r>/<R>/\/\/\/\/\<B><R><R> LOL PANTS javascript SELECT * FROM";
SafeGurad($tempinput);

php?> [/code]

It does not filter threw like it should, any idea why?
Link to comment
Share on other sites

You should also look at the function [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities[/a]().

BTW, the world you have spelled "Aloud" is really spelled "Allowed". If English is not your first language I can understand your mistake. If it is, I suggest learning how to use the correct word for the context.

Ken
Link to comment
Share on other sites

Guest footballkid4
[!--quoteo(post=361104:date=Apr 2 2006, 10:04 PM:name=kenrbnsn)--][div class=\'quotetop\']QUOTE(kenrbnsn @ Apr 2 2006, 10:04 PM) [snapback]361104[/snapback][/div][div class=\'quotemain\'][!--quotec--]
You should also look at the function [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities[/a]().

BTW, the world you have spelled "Aloud" is really spelled "Allowed". If English is not your first language I can understand your mistake. If it is, I suggest learning how to use the correct word for the context.

Ken
[/quote]
I was looking at that too, and I was just about to post about it.

Here are a few other things you should know:
1) You don't need to replace any of the SELECT * FROM's to anthing, because you aren't putting this statement inside mysql_query(), PHP just interprets it as regular text.
- Another reason: Even if you replaced SELET * FROM, what stops them from using: DROP TABLE table, or TRUNCATE TABLE table, or INSERT INTO table, or UPDATE table, or DELETE FROM table, or SELECT columname FROM table, or CREATE TABLE, or any of the other syntax bases.

2) You really don't need to change out <script> for anything either if you are using htmlentities()
- Also, this poses a similar problem as the last one. Say you wanted to replace <script>, but the user typed <script language="javascript"> or even <script language="javascript" asdf="yes"> which most good browsers will still understand

You should really get into preg_replace for what you are trying to do:
[code]preg_replace( "@<script[^>].+?>@is" , "" , $input )[/code]
etc...
Link to comment
Share on other sites

[code]
<?php
error_reporting(E_ALL);
function SafeGurad($tempinput) {
$tempinput = str_replace("%20","",$tempinput);
$tempinput = addslashes($tempinput);
$tempinput = str_replace("javascript","No_Java_Script_Allowed!",$tempinput);
$tempinput = str_replace("</script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("<script>","No_Script_Allowed!",$tempinput);
$tempinput = str_replace("SELECT * FROM","No_SQL_Script_Aloud!",$tempinput);
$tempinput = str_replace("<","&lt",$tempinput);
$tempinput = str_replace(">","&gt",$tempinput);
return $tempinput;

}

$tempinput = "%20 /<>///\/\/\/\/\ LOL PANTS javascript SELECT * FROM";
echo SafeGurad($tempinput);
php?>
[/code]

you got to fix your spelling and logic yourself tho.
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.