JoelRocks Posted October 27, 2007 Share Posted October 27, 2007 Hey guys, Just made my login page, but i am worried about people putting code in their usernames or when they enter anything into an input in a form. How can i combat this? i have already made the fields all lowercase to make my life easier in the database. Striptags? or go further? Thanks, Joel Link to comment https://forums.phpfreaks.com/topic/74991-protection-against-people-entering-code-in-inputs/ Share on other sites More sharing options...
MadTechie Posted October 27, 2007 Share Posted October 27, 2007 i assume your talking about SQL injection.. or XSS.. $username = addslashes($_POST['username']); $sql = "select * from USERS where username = $username"; $usermessage = htmlentities(POST['message']); echo $usermessage; if that doesn't help, please post more detail.. Link to comment https://forums.phpfreaks.com/topic/74991-protection-against-people-entering-code-in-inputs/#findComment-379233 Share on other sites More sharing options...
unidox Posted October 27, 2007 Share Posted October 27, 2007 Also try mysql_escape_strings() Link to comment https://forums.phpfreaks.com/topic/74991-protection-against-people-entering-code-in-inputs/#findComment-379296 Share on other sites More sharing options...
MadTechie Posted October 27, 2007 Share Posted October 27, 2007 mysql_escape_string() (string not strings) has been deprecated, use mysql_real_escape_string() mysql_real_escape_string Link to comment https://forums.phpfreaks.com/topic/74991-protection-against-people-entering-code-in-inputs/#findComment-379308 Share on other sites More sharing options...
JoelRocks Posted October 29, 2007 Author Share Posted October 29, 2007 Ok thanks for the replies, i am going to use all of these to create a function for every input field. But, i need a function where you can specify characters that are disallowed for example "_". I think maybe using a preg match to detect illegal characters and throw up and error. Thanks, Joel Link to comment https://forums.phpfreaks.com/topic/74991-protection-against-people-entering-code-in-inputs/#findComment-380393 Share on other sites More sharing options...
MadTechie Posted October 29, 2007 Share Posted October 29, 2007 $data = "test_er"; if (preg_match('/_/i', $data )) { die("error _ detected"); } Link to comment https://forums.phpfreaks.com/topic/74991-protection-against-people-entering-code-in-inputs/#findComment-380395 Share on other sites More sharing options...
cooldude832 Posted October 29, 2007 Share Posted October 29, 2007 just cause you used the word "code" i'll say that if you have inputs that you don't want tags in you can use striptags on it to remove all xhtml tags in it. Link to comment https://forums.phpfreaks.com/topic/74991-protection-against-people-entering-code-in-inputs/#findComment-380397 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.