Bytes IT Community

Removing unwanted characters from users input

P: 10
I have an HTML page which posts information to a PHP page which contains a MySQL query to add records to a database.

I want to strip all special characters and only allow 0-9 and a-z, but also allow an email address field and a website address field.

I have been trawling through the web for days and it seems there are many ways of doing this, but I am very confused.

This is to prevent SQL injection attacks.
Jan 8 '08 #1
9 Replies


nathj
Expert 100+
P: 938
Hi,

There are, as you have found, many ways to do just this.

I have used the following simple approach:

[php]
// Removes a fixed set of characters from the input; anything not in the
// array (for example the apostrophe) is passed through unchanged.
function secure($data)
{
    $replace = array('<' => '' , '>' => '' , '&' => '' , ',' => '' , '*' => '' , '/' => '' );
    $data = strtr($data , $replace);
    return $data;
}
[/php]
I have this as a function on a data access object.

I'm sure there are more comprehensive ways of doing this, but so far it seems to work for me.

Also, you can add to the array at will and even have a second array for non-email fields that removes the '@' sign.

You could also use the htmlspecialchars function in PHP.
Cheers
nathj
Jan 8 '08 #2

Markus
Expert 5K+
P: 6,050
Regular expressions are good for this sort of thing :)

[php]
$__usernameExp = '/[^a-zA-Z0-9]/'; //regExp - matches anything BUT the characters noted.
if(preg_match($__usernameExp, $some_string)) {
    echo "String may contain Letters and Numbers only";
}

//email - anchored at both ends so the whole string has to match
$__emailExp = '/^[a-z0-9_\+-]+(\.[a-z0-9_\+-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*\.([a-z]{2,4})$/';
if(!preg_match($__emailExp, $some_other_string)) {
    echo "Please enter a valid email!";
}
[/php]

Hope that is alright for you :)
Jan 8 '08 #3
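The allowlist approach from the reply above, worked into one validation routine for the fields the original question names (name/address, email, website). This is an added example, not code from the thread; the field names, the `\s` in the name pattern (so that spaces are accepted) and the `/i` flag on the email pattern are assumptions, and the website check uses PHP's built-in `filter_var` rather than a hand-written pattern. Bad input is reported and rejected rather than silently stripped.

```php
<?php
// Added example (not from the thread): allowlist validation of the form
// fields discussed above. Field names and patterns are assumptions.

function validate_fields(array $input): array
{
    $errors = [];

    // Name/address fields: letters, digits and whitespace only.
    foreach (['name', 'address1'] as $field) {
        $value = $input[$field] ?? '';
        if (preg_match('/[^a-zA-Z0-9\s]/', $value)) {
            $errors[$field] = 'letters, numbers and spaces only';
        }
    }

    // Email: same shape as the pattern in the reply above, anchored at
    // both ends, with /i so upper-case addresses are not rejected.
    $emailExp = '/^[a-z0-9_\+-]+(\.[a-z0-9_\+-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*\.([a-z]{2,4})$/i';
    if (!preg_match($emailExp, $input['email'] ?? '')) {
        $errors['email'] = 'invalid email address';
    }

    // Website: let PHP's URL filter decide, then restrict the scheme so
    // only http/https addresses are stored.
    $web = $input['website'] ?? '';
    if (filter_var($web, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($web, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $errors['website'] = 'invalid website address';
    }

    return $errors;
}

// Constructed sample input: the name contains an apostrophe, which the
// allowlist flags; the other three fields pass.
$sample = [
    'name'     => "O'Neil Supplies",
    'address1' => '12 High Street',
    'email'    => 'info@example.com',
    'website'  => 'https://www.example.com',
];
print_r(validate_fields($sample));
```

Returning an array of per-field errors makes it straightforward to send the user back to the form with every problem listed at once instead of stopping at the first one.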

P: 10
Hi,

Thanks guys, both great and that's helped me a lot. I was wondering, can the 2nd one be integrated into the original form so as to alert the user "as they are completing the form"?

I'm using Dreamweaver and I see that there is a property for behaviours where you can set it onblur to run a JavaScript. Any ideas whether I could get it to run the PHP code? I'm thinking not as it is SSL, but maybe you have some ideas?

This would save me having to submit to the PHP file which runs the SQL query.

I don't really want to have to return the user back to the original form unless I can really help it.

David
Jan 8 '08 #4

Markus
Expert 5K+
P: 6,050
Hi,

Sure!
Either JavaScript or Ajax will do the job :)

If you'd like me to put together a pseudo-type code I can :)
Jan 8 '08 #5

P: 10
I am going with the code which markusn00b suggested, but I want to be able to pick up apostrophes using it. Is there any way of doing that, because I understand they are the basis of most SQL injection attacks?

I don't need the JavaScript now as I found a website and viewed the source code which gave me all the stuff I needed ;)
Jan 13 '08 #6

Markus
Expert 5K+
P: 6,050
The code I supplied should pick up apostrophes...

Is it not doing so?
Jan 13 '08 #7

P: 10
It is now. I was trying to get it so that if it found invalid chars it would just replace them as well, but I think I've messed up combining the 2 functions now ...eek
Jan 13 '08 #8

P: 10
I'm sort of figuring it out now.... but I noted that it picks up spaces, so I'm just looking at other examples of the function to try and work out how I ignore the space also.
Jan 13 '08 #9

P: 10
Here's my finished code:
[php]
<?php
    $FAILED = "0";
    $COMP01 = $_POST['COMP1'];
    $IFADDR1 = $_POST['IFADDR1'];
    $IFADDR2 = $_POST['IFADDR2'];
    $IFADDR3 = $_POST['IFADDR3'];
    $IFADDR4 = $_POST['IFADDR4'];
    $TELENO = $_POST['TELENO'];
    $PC = $_POST['PC'];
    $EMAILADD = $_POST['EMAILADD'];
    $WEB = $_POST['WEB'];
    $DESC = $_POST['DESC'];
    $TYPE = $_POST['LISTBOX'];

    $COMP01=check($COMP01);  // checks format and returns value as caps
    $IFADDR1=check ($IFADDR1);
    $IFADDR2=check ($IFADDR2);
    $IFADDR3=check ($IFADDR3);
    $IFADDR4=check ($IFADDR4);
    check ($TELENO); // these 2 values I don't want to be converted to caps
    check ($DESC);
    // NOTE: $PC, $EMAILADD, $WEB and $TYPE are never passed through check()
    // but are still placed in the query below.

    // CHECKS THE PASSED STRING TO ENSURE IT IS ONLY 0-9 , A-Z OR A SPACE
    function check($mystring)
    {
        global $FAILED;   // the flag lives outside the function; without this line
                          // the assignment below only sets a local copy and the
                          // query would run regardless of the result
        $__usernameExp = '/[^a-zA-Z0-9\s]/'; //regExp - Anything BUT characters noted.
        $mystring = strtoupper  ($mystring); //converts the string to CAPS - this is optional
        echo $mystring;                      // debug output
        if(preg_match($__usernameExp, $mystring)) {
            $FAILED = "1";                   //SETS THE FAILED VALIDATION FLAG TO 1
        }
        return ($mystring);
    }

if ($FAILED == "0") {            //ONLY EXECUTES CODE IF THE VALIDATION FLAG IS 0

        include 'dbconn.php';           // includes database connection information
        mysql_connect($hostname,$usernm,$authent);
        @mysql_select_db($databse) or die( "Unable to select database");
        $query = "INSERT INTO `details` (`CUSTID`,`NAME`,`ADDRESS1`,`ADDRESS2`,`ADDRESS3`,`ADDRESS4`,`TELEPHONE`,`POSTCODE`,`EMAIL`,`WEBSITE`,`DESCRIPTION`,`TYPE`) VALUES (NULL,'$COMP01','$IFADDR1','$IFADDR2','$IFADDR3','$IFADDR4','$TELENO','$PC','$EMAILADD','$WEB','$DESC','$TYPE')";
        echo mysql_error();
        mysql_query($query);
        echo mysql_error();
        mysql_close();
        echo $query;

        }
else
        {
            echo "QUERY WAS NOT EXECUTED DUE TO INVALID CHARACTERS";
        }

?>
[/php]
I'm not validating the email address or the web address because I've used SPRY within Macromedia to validate those, although there's no reason why they can't be checked.

Notice that I want most of the fields to populate the database in CAPS - this is so that every database entry is consistent.
Jan 14 '08 #10
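The insert above builds the SQL string by interpolating the posted values, so every field that reaches the query without a check (postcode, email, website, type) is a way for an apostrophe to alter the statement, and even the checked fields depend on the regex being right. The following is an added example, not the poster's code, of the same insert with the values bound as parameters so the query text never contains user input; the character check is kept for data quality and the caps conversion is preserved. The table and column names mirror the thread's `details` table, the connection variables mirror `dbconn.php`, and `CUSTID` is assumed to be AUTO_INCREMENT.

```php
<?php
// Added example (not the poster's code): the insert from the thread using
// mysqli prepared statements. Column names, $_POST keys and the connection
// variables are assumptions taken from the posted code.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function check_field(string $value, bool $upper = true): string
{
    // Allowlist: letters, digits and whitespace only; anything else is rejected.
    if (preg_match('/[^a-zA-Z0-9\s]/', $value)) {
        throw new InvalidArgumentException('invalid characters in field');
    }
    return $upper ? strtoupper($value) : $value;
}

function insert_details(mysqli $db, array $post): int
{
    // Column names are fixed here in code; only the values come from the form.
    $row = [
        'NAME'        => check_field($post['COMP1'] ?? ''),
        'ADDRESS1'    => check_field($post['IFADDR1'] ?? ''),
        'ADDRESS2'    => check_field($post['IFADDR2'] ?? ''),
        'TELEPHONE'   => check_field($post['TELENO'] ?? '', false), // keep case
        'POSTCODE'    => check_field($post['PC'] ?? ''),
        'EMAIL'       => $post['EMAILADD'] ?? '', // validated elsewhere; bound, not interpolated
        'WEBSITE'     => $post['WEB'] ?? '',
        'DESCRIPTION' => check_field($post['DESC'] ?? '', false),
        'TYPE'        => check_field($post['LISTBOX'] ?? ''),
    ];

    // One '?' placeholder per value; the driver sends the values separately
    // from the statement, so quotes in the data cannot change the SQL.
    $cols  = '`' . implode('`,`', array_keys($row)) . '`';
    $marks = implode(',', array_fill(0, count($row), '?'));
    $stmt  = $db->prepare("INSERT INTO `details` ($cols) VALUES ($marks)");
    $values = array_values($row);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    $stmt->execute();
    $id = (int) $db->insert_id;   // CUSTID assumed AUTO_INCREMENT
    $stmt->close();
    return $id;
}

// Usage, assuming the variables defined in the thread's dbconn.php:
// $db = new mysqli($hostname, $usernm, $authent, $databse);
// $db->set_charset('utf8mb4');
// $newId = insert_details($db, $_POST);
```

With the query parameterised, the check() regex is no longer what stands between the form and the database; it only decides which values are acceptable data.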
