Protection against people entering code in inputs

[JoelRocks]

Hey guys,

 

Just made my login page, but i am worried about people putting code in their usernames or when they enter anything into an input in a form. How can i combat this? i have already made the fields all lowercase to make my life easier in the database.

 

Striptags? or go further?

 

Thanks,

Joel

[MadTechie]

i assume your talking about SQL injection.. or XSS..

 

$username = addslashes($_POST['username']);
$sql = "select * from USERS where username = $username";

 

$usermessage = htmlentities(POST['message']);
echo $usermessage;

 

if that doesn't help, please post more detail..

 

 

[unidox]

Also try mysql_escape_strings()

[MadTechie]

mysql_escape_string() (string not strings) has been deprecated, use mysql_real_escape_string()

mysql_real_escape_string

 

[JoelRocks]

Ok thanks for the replies, i am going to use all of these to create a function for every input field. But, i need a function where you can specify characters that are disallowed for example "_". I think maybe using a preg match to detect illegal characters and throw up and error.

 

Thanks,

 

Joel

[MadTechie]

$data = "test_er";
if (preg_match('/_/i', $data ))
{
die("error _ detected");
}

[cooldude832]

just cause you used the word "code" i'll say that if you have inputs that you don't want tags in you can use striptags on it to remove all xhtml tags in it.