Removing unwanted characters from user input

  • daknightuk
    New Member
    • Jan 2008
    • 10

    Removing unwanted characters from user input

    I have an HTML page which posts information to a PHP page which contains a query for MySQL to add records to a database.

    I want to strip all special characters and only allow 0-9 and a-z, but also allow an email address field and a website address field.

    I have been trawling through the web for days, and it seems there are many ways of doing this, but I am very confused.

    This is to prevent SQL injection attacks.
  • nathj
    Recognized Expert Contributor
    • May 2007
    • 937

    #2
    Originally posted by daknightuk
    I have an HTML page which posts information to a PHP page which contains a query for MySQL to add records to a database.

    I want to strip all special characters and only allow 0-9 and a-z, but also allow an email address field and a website address field.

    I have been trawling through the web for days, and it seems there are many ways of doing this, but I am very confused.

    This is to prevent SQL injection attacks.
    Hi,

    There are, as you have found, many ways to do just this.

    I have used the following simple approach:

    [php]
    // Strips a fixed list of characters from $data and returns the result.
    function secure($data)
    {
        $replace = array('<' => '', '>' => '', '&' => '', ',' => '', '*' => '', '/' => '');
        $data = strtr($data, $replace);
        return $data;
    }
    [/php]
    I have this as a function on a data access object.

    I'm sure there are more comprehensive ways of doing this, but so far it seems to work for me.

    Also you can add to the array at will, and even have a second array for non-email fields that removes the '@' sign.

    You could also use the htmlspecialchars() function in PHP.
    Cheers
    nathj
    Last edited by nathj; Jan 8 '08, 04:42 PM. Reason: Added an idea


    • Markus
      Recognized Expert Expert
      • Jun 2007
      • 6092

      #3
      Regular expressions are good for this sort of thing :)

      [php]
      // Username: anything that is NOT a letter or digit is a match, so a match means "reject".
      $__usernameExp = '/[^a-zA-Z0-9]/'; //regExp - Anything BUT characters noted.
      if (preg_match($__usernameExp, $some_string)) {
          echo "String may contain Letters and Numbers only";
      }

      //email - local part, @, domain labels, then a 2-4 letter TLD (lower case only as written;
      //add the i modifier to accept capitals)
      $__emailExp = '/^[a-z0-9_\+-]+(\.[a-z0-9_\+-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*\.([a-z]{2,4})$/';
      if (!preg_match($__emailExp, $some_other_string)) {
          echo "Please enter a valid email!";
      }
      [/php]

      Hope that is alright for you :)

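The two approaches in the replies above, side by side, as an added example that is not code from either poster: nathj's strtr() blocklist and Markus's allowlist regex are run against a classic quote-based injection payload, and filter_var() checks cover the email and website fields the original poster asked about. The function names, the payload and the sample values are constructed for this example.

```php
<?php
// Added example, not from the thread. Compares the strtr() blocklist (post #2)
// with an allowlist check (post #3) on the same constructed input.

// Post #2's approach: strip a fixed set of "bad" characters. Anything not on the
// list, such as the single quote, passes through untouched.
function secure_blocklist(string $data): string
{
    $replace = ['<' => '', '>' => '', '&' => '', ',' => '', '*' => '', '/' => ''];
    return strtr($data, $replace);
}

// Post #3's approach, written as a whole-string match: accept only what the field
// may contain and reject everything else. \z anchors at the true end of the string
// (a bare $ would also accept a trailing newline).
function is_alnum_or_space(string $data): bool
{
    return preg_match('/^[a-zA-Z0-9 ]*\z/', $data) === 1;
}

// Email and web address fields cannot be reduced to "letters and digits", so use
// PHP's built-in validators instead of widening the regex.
function is_email(string $data): bool
{
    return filter_var($data, FILTER_VALIDATE_EMAIL) !== false;
}

// FILTER_VALIDATE_URL accepts any scheme, so the scheme is checked separately.
function is_http_url(string $data): bool
{
    if (filter_var($data, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = strtolower((string) parse_url($data, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

// Constructed payload: contains single quotes but none of the blocklisted characters,
// so strtr() returns it unchanged while the allowlist rejects it.
$payload = "Smith' OR '1'='1";

printf("blocklist output:  %s\n", secure_blocklist($payload));
printf("allowlist verdict: %s\n", is_alnum_or_space($payload) ? 'accepted' : 'rejected');

foreach (['user@example.com', "user@example.com' OR 1=1 --"] as $e) {
    printf("email %-30s %s\n", $e, is_email($e) ? 'valid' : 'invalid');
}
foreach (['https://example.com/', 'javascript:alert(1)', 'example.com'] as $u) {
    printf("web   %-30s %s\n", $u, is_http_url($u) ? 'valid' : 'invalid');
}
```

The difference is the direction of the rule: a blocklist has to anticipate every character an attacker might use, an allowlist only has to describe what the field legitimately holds. Either way the check is input validation, not an SQL escape; the query itself still needs parameters or proper escaping.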

      • daknightuk
        New Member
        • Jan 2008
        • 10

        #4
        Hi,

        Thanks guys, both great, and that's helped me a lot. I was wondering, can the 2nd one be integrated into the original form so as to alert the user "as they are completing the form"?

        I'm using Dreamweaver and I see that there is a property for behaviours where you can set it onblur to run a JavaScript. Any ideas whether I could get it to run the PHP code? I'm thinking not, as it is SSL, but maybe you have some ideas?

        This would save me having to submit to the PHP file which runs the SQL query.

        I don't really want to have to return the user back to the original form unless I can really help it.

        David


        • Markus
          Recognized Expert Expert
          • Jun 2007
          • 6092

          #5
          Originally posted by daknightuk
          Hi,

          Thanks guys, both great, and that's helped me a lot. I was wondering, can the 2nd one be integrated into the original form so as to alert the user "as they are completing the form"?

          I'm using Dreamweaver and I see that there is a property for behaviours where you can set it onblur to run a JavaScript. Any ideas whether I could get it to run the PHP code? I'm thinking not, as it is SSL, but maybe you have some ideas?

          This would save me having to submit to the PHP file which runs the SQL query.

          I don't really want to have to return the user back to the original form unless I can really help it.

          David
          Sure!
          Either JavaScript or Ajax will do the job :)

          If you'd like me to put together some pseudo-type code, I can :)


          • daknightuk
            New Member
            • Jan 2008
            • 10

            #6
            I am going with the code which markusn00b suggested, but I want to be able to pick up apostrophes using it. Is there any way of doing that, because I understand they are the basis of most SQL injection attacks?

            I don't need the JavaScript now, as I found a website and viewed the source code, which gave me all the stuff I needed ;)


            • Markus
              Recognized Expert Expert
              • Jun 2007
              • 6092

              #7
              The code I supplied should pick up apostrophes...

              Is it not doing so?


              • daknightuk
                New Member
                • Jan 2008
                • 10

                #8
                Originally posted by markusn00b
                The code I supplied should pick up apostrophes...

                Is it not doing so?
                It is now. I was trying to get it so that if it found invalid chars it would just replace them as well, but I think I've messed up combining the 2 functions now ...eek


                • daknightuk
                  New Member
                  • Jan 2008
                  • 10

                  #9
                  Originally posted by daknightuk
                  It is now. I was trying to get it so that if it found invalid chars it would just replace them as well, but I think I've messed up combining the 2 functions now ...eek
                  I'm sort of figuring it out now.... but I noted that it picks up spaces, so I'm just looking at other examples of the function to try and work out how I ignore the space also.


                  • daknightuk
                    New Member
                    • Jan 2008
                    • 10

                    #10
                    Here's my finished code:
                    Code:
                    <?php
                    $FAILED = "0";
                    $COMP01   = $_POST['COMP1'];
                    $IFADDR1  = $_POST['IFADDR1'];
                    $IFADDR2  = $_POST['IFADDR2'];
                    $IFADDR3  = $_POST['IFADDR3'];
                    $IFADDR4  = $_POST['IFADDR4'];
                    $TELENO   = $_POST['TELENO'];
                    $PC       = $_POST['PC'];
                    $EMAILADD = $_POST['EMAILADD'];
                    $WEB      = $_POST['WEB'];
                    $DESC     = $_POST['DESC'];
                    $TYPE     = $_POST['LISTBOX'];

                    // CHECKS THE PASSED STRING TO ENSURE IT IS ONLY 0-9 , A-Z OR A SPACE.
                    // "global" is required: without it the assignment below only sets a local
                    // copy of $FAILED and the query runs even when the input is bad.
                    // Pass $caps = false to keep the original case.
                    function check($mystring, $caps = true)
                    {
                        global $FAILED;
                        $__usernameExp = '/[^a-zA-Z0-9\s]/'; //regExp - Anything BUT characters noted.
                        if ($caps) {
                            $mystring = strtoupper($mystring); //converts the string to CAPS - this is optional
                        }
                        if (preg_match($__usernameExp, $mystring)) {
                            $FAILED = "1";   //SETS THE FAILED VALIDATION FLAG TO 1
                        }
                        return $mystring;
                    }

                    $COMP01  = check($COMP01);  // checks format and returns value as caps
                    $IFADDR1 = check($IFADDR1);
                    $IFADDR2 = check($IFADDR2);
                    $IFADDR3 = check($IFADDR3);
                    $IFADDR4 = check($IFADDR4);
                    $TELENO  = check($TELENO, false); // these 2 values I don't want to be converted to caps
                    $DESC    = check($DESC, false);
                    // NOTE: $PC, $EMAILADD, $WEB and $TYPE are not checked at all, and every value is
                    // still interpolated into the SQL string below. The mysql_* extension used here
                    // was removed in PHP 7.

                    if ($FAILED == "0") {   //ONLY EXECUTES CODE IF THE VALIDATION FLAG IS 0
                        include 'dbconn.php';   // includes database connection information
                        mysql_connect($hostname, $usernm, $authent) or die("Unable to connect: " . mysql_error());
                        mysql_select_db($databse) or die("Unable to select database");
                        $query = "INSERT INTO `details` (`CUSTID`,`NAME`,`ADDRESS1`,`ADDRESS2`,`ADDRESS3`,`ADDRESS4`,`TELEPHONE`,`POSTCODE`,`EMAIL`,`WEBSITE`,`DESCRIPTION`,`TYPE`) VALUES (NULL,'$COMP01','$IFADDR1','$IFADDR2','$IFADDR3','$IFADDR4','$TELENO','$PC','$EMAILADD','$WEB','$DESC','$TYPE')";
                        mysql_query($query) or die("Query failed: " . mysql_error());
                        mysql_close();
                    } else {
                        echo "QUERY WAS NOT EXECUTED DUE TO INVALID CHARACTERS";
                    }
                    ?>
                    I'm not validating the email address or the web address because I've used Spry within Macromedia to validate those, although there's no reason why they can't be checked.

                    Notice that I want most of the fields to populate the database in CAPS - this is so that every database entry is consistent.

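An added rewrite of the finished script above (example code, not the poster's): each field gets its own allowlist rule rather than one shared regex, the fields the script leaves unchecked ($PC, $EMAILADD, $WEB, $TYPE) are covered, and the INSERT is a mysqli prepared statement, so user data is bound as parameters instead of being interpolated into the SQL. The table and column names come from the post; the DB_* constants, the list of allowed LISTBOX values and the sample input are assumptions made for this example. Needs PHP 7.1 or later.

```php
<?php
// Added example, not the thread's own code. Same table and columns as post #10,
// but validation is an allowlist per field and the SQL text never contains user data.
// Assumed: DB_HOST/DB_USER/DB_PASS/DB_NAME constants, the LISTBOX value list,
// and the sample input used when no form was posted.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);   // mysqli throws on failure

// Per-field rules: a regex, a filter_var() filter, or a fixed list of allowed values,
// plus whether the stored value is uppercased (the post wants most fields in CAPS).
$rules = [
    'COMP1'    => ['re' => '/^[A-Za-z0-9 ]{1,100}\z/',      'caps' => true],
    'IFADDR1'  => ['re' => '/^[A-Za-z0-9 ]{1,100}\z/',      'caps' => true],
    'IFADDR2'  => ['re' => '/^[A-Za-z0-9 ]{0,100}\z/',      'caps' => true],
    'IFADDR3'  => ['re' => '/^[A-Za-z0-9 ]{0,100}\z/',      'caps' => true],
    'IFADDR4'  => ['re' => '/^[A-Za-z0-9 ]{0,100}\z/',      'caps' => true],
    'TELENO'   => ['re' => '/^\+?[0-9 ]{6,20}\z/',          'caps' => false],
    'PC'       => ['re' => '/^[A-Za-z0-9 ]{2,10}\z/',       'caps' => true],
    'EMAILADD' => ['filter' => FILTER_VALIDATE_EMAIL,       'caps' => false],
    'WEB'      => ['filter' => FILTER_VALIDATE_URL,         'caps' => false],
    'DESC'     => ['re' => '/^[A-Za-z0-9 .,\'-]{0,500}\z/', 'caps' => false],
    'LISTBOX'  => ['enum' => ['RETAIL', 'WHOLESALE', 'SERVICE'], 'caps' => true], // assumed list
];

// Returns [clean values, error messages]. A failing value is reported, not "repaired".
function validate(array $post, array $rules): array
{
    $clean = $errors = [];
    foreach ($rules as $field => $rule) {
        $value = trim((string) ($post[$field] ?? ''));
        if ($rule['caps']) {
            $value = strtoupper($value);
        }
        if (isset($rule['re'])) {
            $ok = preg_match($rule['re'], $value) === 1;
        } elseif (isset($rule['filter'])) {
            $ok = filter_var($value, $rule['filter']) !== false;
        } else {
            $ok = in_array($value, $rule['enum'], true);
        }
        if ($ok) {
            $clean[$field] = $value;
        } else {
            $errors[] = "$field: not in the allowed format";
        }
    }
    return [$clean, $errors];
}

// Constructed sample so the script can be exercised from the CLI without a form.
$input = $_POST ?: [
    'COMP1' => 'Acme Widgets', 'IFADDR1' => '1 High Street', 'IFADDR2' => '',
    'IFADDR3' => 'Leeds', 'IFADDR4' => '', 'TELENO' => '0113 496 0000', 'PC' => 'LS1 1AA',
    'EMAILADD' => 'sales@example.com', 'WEB' => 'https://example.com/',
    'DESC' => "O'Brien's widget shop, est. 1999", 'LISTBOX' => 'Retail',
];

[$clean, $errors] = validate($input, $rules);
if ($errors) {
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";  // escape before echoing
    }
    exit;
}

// The statement text is fixed; every user value travels as a bound parameter, so the
// apostrophe in DESCRIPTION is stored as data and is never parsed as SQL.
$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
$db->set_charset('utf8mb4');
$stmt = $db->prepare(
    'INSERT INTO `details` (`CUSTID`,`NAME`,`ADDRESS1`,`ADDRESS2`,`ADDRESS3`,`ADDRESS4`,'
    . '`TELEPHONE`,`POSTCODE`,`EMAIL`,`WEBSITE`,`DESCRIPTION`,`TYPE`) '
    . 'VALUES (NULL,?,?,?,?,?,?,?,?,?,?,?)'
);
$stmt->bind_param('sssssssssss',
    $clean['COMP1'], $clean['IFADDR1'], $clean['IFADDR2'], $clean['IFADDR3'], $clean['IFADDR4'],
    $clean['TELENO'], $clean['PC'], $clean['EMAILADD'], $clean['WEB'], $clean['DESC'], $clean['LISTBOX']
);
$stmt->execute();
echo 'Inserted record ', $db->insert_id;
```

With placeholders the apostrophe the poster worried about no longer matters to the query: the driver sends the statement and the values separately, so `O'Brien` goes into DESCRIPTION unchanged. The regex rules are still worth keeping, but as format validation of what each column should hold, not as the injection defence.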
