  1. #1

    Scrubbing user form input

    Hello.

    I'm trying to make sure my site is safe from SQL injection attacks. I've been doing some research and have already modified my user permissions to only allow appropriate query types. However, I am having some trouble finding an example of how to scrub the user form submissions to search for illegal characters. I read that, due to the number of special characters, the best way to do so is to ALLOW certain characters and filter out everything else, rather than REJECTING illegal characters and allowing everything else.

    Therefore, I would like to write code to scrub the user input and make sure it contains only the following characters:

    abcdefghijklmnopqrstuvwxyz
    ABCDEFGHIJKLMNOPQRSTUVWXYZ
    0123456789
    @.-_+

    If any other characters appear, I'll stop the script and send headers to send the browser to an error page. My question is: how do I go about scrubbing the input? I imagine I'll need to create some sort of variable or array that holds the legal characters and compare them to the user input. However, I really don't know how to begin doing this. Any help is appreciated.

  • #2
    Try looking at preg_match
    - Mark

  • #3
    Okay, I'm working on it; here's what I have so far:

    Code:
    if(!preg_match("/[^a-zA-Z0-9\.\-\_\@\.\+",$fieldname))
    {
      // (code to manipulate database goes here)
    }
    else
    {
      header("Location: illegalchars.php");
    }
    Does this look alright? I'm not sure if I've got the syntax and logic right, as I don't quite understand the function. Thanks.

  • #4
    Okay, I decided that since I'll be doing this multiple times on every page, I'm going to place it into a function. Here's what I have:

    Code:
    function check_field($field_name)
    {
      if(!preg_match("/[^a-zA-Z0-9\.\-\_\@\.\+\",$field_name))
        return TRUE;
      else
        return FALSE;
    }

    if(!check_field($loginname))
    {
      header("Location:illegalchars.php");  // this is line 31, I'm getting an unexpected t-string here
    }
    I'm getting an unexpected T_STRING error on line 31 (I commented that line above). Can anyone see the problem?

  • #5
    Update:

    I've gotten the errors solved, but it's not working. It still sends the data to SQL and doesn't redirect to illegalchars.php. There is no warning saying headers had already been sent. I tried plugging the function into the login form and it's behaving just like it was before: it'll come back and say the password is incorrect, but it doesn't seem to detect any illegal characters.

    Here's my updated code:

    Code:
    function check_field($field_name)
    {
      if(!preg_match("/[^a-zA-Z0-9\.\-\_\@\.\+\"]/",$field_name))
        return TRUE;
      else
        return FALSE;
    }

    if(!check_field($loginname))
    {
      header("Location:illegalchars.php");
    }
    Any help is really appreciated. Thanks.
    Last edited by Morf; 12-27-2006 at 07:14 AM.

  • #6
    Update! I got it!

    Here's the correct code, for anyone curious:

    Code:
    function check_field($field_name)
    {
      // Negated class: a match means at least one character outside the allowed set was found.
      // '-' goes last so it is literal, and '.' needs no escape inside a character class.
      if(!preg_match("/[^a-zA-Z0-9.@_+-]/",$field_name))
        return TRUE;
      else
        return FALSE;
    }

    // Quote the array key; an unquoted loginname is read as an undefined constant.
    if(!check_field($_POST['loginname']))
    {
      header("Location:illegalchars.php");
      // exit rather than break: break is only valid inside a loop or switch, and without
      // stopping the script here, the code after this block would still run.
      exit;
    }
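An added example, not code from the thread, that applies the same allowlist while handling the two problems the later posts ran into (a missing field passing the check, and the script continuing after the redirect); the function and constant names are assumed.

```php
<?php
// Added example (not code from the thread): an allowlist check for form fields that
// also handles the two things that tripped up the later posts above: a missing field
// that silently passes a "no illegal characters" test, and a redirect without exit
// that lets the rest of the script (database code included) keep running.

// Characters the thread allows: letters, digits, and @ . - _ +
// Anchored positive form: the whole value must consist of allowed characters.
// '-' sits last in the class so it is literal; '.' needs no escape inside [].
const ALLOWED_PATTERN = '/\A[A-Za-z0-9@._+-]+\z/';

// True only when $value is a non-empty string made solely of allowed characters.
// preg_match() returns 1 (match), 0 (no match) or false (error), hence === 1.
function check_field($value): bool
{
    if (!is_string($value) || $value === '') {
        return false;   // missing field or array input (a[]=x) is rejected, not ignored
    }
    return preg_match(ALLOWED_PATTERN, $value) === 1;
}

// Fetches a POST field and validates it; on failure redirects and stops the script.
function require_clean_field(string $name): string
{
    $value = $_POST[$name] ?? '';   // absent key becomes '' and therefore fails check_field
    if (!check_field($value)) {
        header('Location: illegalchars.php');
        exit;                        // without exit, code after header() still executes
    }
    return $value;
}

// Constructed sample inputs (no real request) showing each decision.
$samples = [
    'user.name+tag@example.com' => true,
    "admin' OR '1'='1"          => false,  // quote and spaces are outside the allowlist
    ''                          => false,  // empty: a negated-class test would accept it
    "bob\n"                     => false,  // \z rejects the trailing newline that $ allows
];
foreach ($samples as $input => $expected) {
    $verdict = check_field($input) === $expected ? 'ok' : 'MISMATCH';
    printf("%-30s %s\n", json_encode($input), $verdict);
}
// Validation narrows what reaches the query; the query itself should still use prepared
// statements (mysqli or PDO) so the value is bound as data rather than spliced into SQL.
```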

