I have an HTML page which posts information to a PHP page which contains a query for MySQL to add records to a database.
I want to strip all special characters and only allow 0-9 and a-z, but also allow an email address field and a website address field.
I have been trawling through the web for days and it seems there are many ways of doing this, but I am very confused.
This is to prevent SQL injection attacks.
nathj (Recognized Expert Contributor)
Hi,
There are, as you have found, many ways to do just this.
I have used the following simple approach:
[php]
function secure($data)
{
$replace = array('<' => '' , '>' => '' , '&' => '' , ',' => '' , '*' => '' , '/' => '' );
$data = strtr($data , $replace);
return $data;
}
[/php]
I have this as a function on a data access object.
I'm sure there are more comprehensive ways of doing this, but so far it seems to work for me.
Also, you can add to the array at will and even have a second array for non-email fields that removes the '@' sign.
You could also use the htmlspecialchars function in PHP.
Cheers
nathj
Markus (Recognized Expert Expert)
Regular expressions are good for this sort of thing :)
[php]
$__usernameExp = '/[^a-zA-Z0-9]/'; // regExp - anything BUT the characters noted
if (preg_match($__usernameExp, $some_string)) {
    echo "String may contain Letters and Numbers only";
}

// email
$__emailExp = '/^[a-z0-9_\+-]+(\.[a-z0-9_\+-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*\.([a-z]{2,4})$/';
if (!preg_match($__emailExp, $some_other_string)) {
    echo "Please enter a valid email!";
}
[/php]
Hope that is alright for you :)
Hi,
Thanks guys, both great and that's helped me a lot. I was wondering whether the 2nd one can be integrated into the original form so as to alert the user "as they are completing the form".
I'm using Dreamweaver and I see that there is a property for behaviours where you can set it onblur to run a JavaScript. Any ideas whether I could get it to run the PHP code? I'm thinking not as it is SSL, but maybe you have some ideas?
This would save me having to submit to the PHP file which runs the SQL query.
I don't really want to have to return the user back to the original form unless I can really help it.
David
Markus (Recognized Expert Expert)
Sure!
Either JavaScript or AJAX will do the job :)
If you'd like me to put together some pseudo-type code I can :)
I am going with the code which markusn00b suggested, but I want to be able to pick up apostrophes using it. Is there any way of doing that? Because I understand they are the basis of most SQL injection attacks.
I don't need the JavaScript now as I found a website and viewed the source code, which gave me all the stuff I needed ;)
Markus (Recognized Expert Expert)
The code I supplied should pick up apostrophes...
Is it not doing so?
It is now. I was trying to get it so that if it found invalid chars it would just replace them as well, but I think I've messed up combining the 2 functions now ...eek
I'm sort of figuring it out now.... but I noted that it picks up spaces, so I'm just looking at other examples of the function to try and work out how I ignore the space also.
Here's my finished code:
[php]
<?php
$FAILED = "0";

$COMP01 = $_POST['COMP1'];
$IFADDR1 = $_POST['IFADDR1'];
$IFADDR2 = $_POST['IFADDR2'];
$IFADDR3 = $_POST['IFADDR3'];
$IFADDR4 = $_POST['IFADDR4'];
$TELENO = $_POST['TELENO'];
$PC = $_POST['PC'];
$EMAILADD = $_POST['EMAILADD'];
$WEB = $_POST['WEB'];
$DESC = $_POST['DESC'];
$TYPE = $_POST['LISTBOX'];

$COMP01 = check($COMP01); // checks format and returns value as caps
$IFADDR1 = check($IFADDR1);
$IFADDR2 = check($IFADDR2);
$IFADDR3 = check($IFADDR3);
$IFADDR4 = check($IFADDR4);
check($TELENO); // these 2 values I don't want to be converted to caps
check($DESC);

// CHECKS THE PASSED STRING TO ENSURE IT IS ONLY 0-9 , A-Z OR A SPACE
function check($mystring)
{
    global $FAILED; // without this, $FAILED below would be a local variable and the outer flag would never be set
    $__usernameExp = '/[^a-zA-Z0-9\s]/'; // regExp - anything BUT the characters noted
    $mystring = strtoupper($mystring); // converts the string to CAPS - this is optional
    echo $mystring;
    if (preg_match($__usernameExp, $mystring)) {
        $FAILED = "1"; // SETS THE FAILED VALIDATION FLAG TO 1
    }
    return ($mystring);
}

if ($FAILED == "0") { // ONLY EXECUTES CODE IF THE VALIDATION FLAG IS 0
    include 'dbconn.php'; // includes database connection information
    mysql_connect($hostname, $usernm, $authent);
    @mysql_select_db($databse) or die("Unable to select database");
    $query = "INSERT INTO `details` (`CUSTID`,`NAME`,`ADDRESS1`,`ADDRESS2`,`ADDRESS3`,`ADDRESS4`,`TELEPHONE`,`POSTCODE`,`EMAIL`,`WEBSITE`,`DESCRIPTION`,`TYPE`) VALUES (NULL,'$COMP01','$IFADDR1','$IFADDR2','$IFADDR3','$IFADDR4','$TELENO','$PC','$EMAILADD','$WEB','$DESC','$TYPE')";
    echo mysql_error();
    mysql_query($query);
    echo mysql_error();
    mysql_close();
    echo $query;
}
else
{
    echo "QUERY WAS NOT EXECUTED DUE TO INVALID CHARACTERS";
}
?>
[/php]
I'm not validating the email address or the web address because I've used Spry within Macromedia to validate those, although there's no reason why they can't be checked.
Notice that I want most of the fields to populate the database in CAPS - this is so that every database entry is consistent.
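As an added example (not code from this thread or its posters), here is the whitelist check from Markus's regex reply and the finished script above, rewritten so that the fields the script leaves unvalidated (email, website) are checked with PHP's built-in filters and the insert runs as a PDO prepared statement. With bound parameters the values never become part of the SQL text, so an apostrophe in any field is stored as data rather than changing the query. The DSN and credentials are placeholders; the table and column names follow the thread.

```php
<?php
// Added example, not from the thread. Whitelist the plain-text fields as the
// thread does, validate email/URL with filter_var, and bind every value as a
// parameter so nothing from $_POST is ever interpolated into the SQL string.

function check_plain(string $value, bool $upper = true): ?string
{
    // Same rule as the thread: reject anything outside 0-9, A-Z, a-z and whitespace.
    if (preg_match('/[^a-zA-Z0-9\s]/', $value)) {
        return null;
    }
    return $upper ? strtoupper($value) : $value;
}

function check_email(string $value): ?string
{
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false ? $value : null;
}

function check_url(string $value): ?string
{
    return filter_var($value, FILTER_VALIDATE_URL) !== false ? $value : null;
}

// Keys are the placeholder names used in the INSERT below.
$fields = [
    ':NAME'        => check_plain($_POST['COMP1'] ?? ''),
    ':ADDRESS1'    => check_plain($_POST['IFADDR1'] ?? ''),
    ':TELEPHONE'   => check_plain($_POST['TELENO'] ?? '', false),
    ':EMAIL'       => check_email($_POST['EMAILADD'] ?? ''),
    ':WEBSITE'     => check_url($_POST['WEB'] ?? ''),
    ':DESCRIPTION' => check_plain($_POST['DESC'] ?? '', false),
];

if (in_array(null, $fields, true)) {
    exit('QUERY WAS NOT EXECUTED DUE TO INVALID CHARACTERS');
}

// Placeholder DSN and credentials; the thread keeps these in dbconn.php.
$pdo = new PDO('mysql:host=localhost;dbname=PLACEHOLDER_DB', 'PLACEHOLDER_USER', 'PLACEHOLDER_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepares
]);

// Column names are fixed in the code; values travel separately as bound parameters.
$sql = 'INSERT INTO `details` (`NAME`,`ADDRESS1`,`TELEPHONE`,`EMAIL`,`WEBSITE`,`DESCRIPTION`)'
     . ' VALUES (:NAME,:ADDRESS1,:TELEPHONE,:EMAIL,:WEBSITE,:DESCRIPTION)';
$stmt = $pdo->prepare($sql);
$stmt->execute($fields);
```

The whitelist still rejects apostrophes in the plain fields, as the thread wants, but the prepared statement is what makes the insert safe even for fields whose format legitimately contains punctuation.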