
stopping dangerous code


sooty2006


I have a game website with a lot of user textareas and textboxes. Quite recently I have had to ban a person from the site because he was getting data from the server via a textbox, supposedly. What I want to do is make sure nothing other than plain text can get through. Here is a typical input form:

if (isset($_POST['save'])) {
    if (!$_POST['text']) {
        $message .= "You must enter some text.";
    } else {
        mysql_query("UPDATE `users` SET `text` = '$_POST[text]' WHERE `usersid` = '$USER'");
        $message .= "Text saved!";
    }
}

Is there a PHP function I can use to check the text for stuff that should not be there? Thanks again.


That's up to you what to use. None are more or less secure, as far as I know, but I'm always using POST, because GET just makes a mess in the address bar.

This is why GET could be perceived to be less secure than POST, since the only variables GET can pass are through the query string, whereas POST can use the request body for data. It's less secure for the user if there is any important data in the query string. OP, yes, you should definitely be escaping your SQL values; it's a different escape function depending on which DB system you're using. You can use htmlspecialchars() on the string to escape all the potential markup; however, if you actually want to remove all markup completely, a regex would be better:
$text = preg_replace('/<[^>]+>|&[^\s]+;/', '', $text);

That will remove all markup and entities. You should also do an htmlspecialchars() on the string afterwards for good measure.


mysql_query("UPDATE `users` SET `text` = '$_POST[text]' WHERE `usersid` = '$USER'");

NEVER, NEVER, NEVER directly interpolate user-defined data into the query string. $_POST is not much more secure than $_GET, except for the fact that the data is not visibly passed through the URL. However, any $_POST data can be manipulated just like $_GET. You must escape any user-defined variables that will be interpolated into the query. Also, make sure $USER is based on a $_SESSION variable, or something like that, NOT a hidden input or cookie. Remember, even hidden inputs can be modified. There are websites that I've come across that get important data from hidden inputs. It is a serious breach in security.

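Putting the two answers above together (strip or encode the markup, and never splice the text into the SQL), here is an added example that is not code from this thread or from the OP's site. It keeps the OP's table layout (`users`.`usersid`, `users`.`text`), uses PDO with an in-memory SQLite database as a stand-in for MySQL so it runs offline, reads the user id from a session key I have called `usersid` (an assumed name), and feeds in a constructed sample input that contains both markup and a single quote. The `unsafe_query()` function only builds the string the original code would have sent; it never executes it.

```php
<?php
// Added example (not from the original thread): a hardened version of the
// OP's save handler. PDO + in-memory SQLite stands in for the MySQL table
// so the script runs offline; the column names follow the OP's query.

declare(strict_types=1);

// Strip tags and entities with the regex from the thread, then encode what
// is left so any stray '<', '&' or quotes cannot become markup when echoed.
function sanitize_plain_text(string $text): string
{
    $stripped = preg_replace('/<[^>]+>|&[^\s]+;/', '', $text);
    if ($stripped === null) {            // preg_replace returns null on a PCRE error
        throw new RuntimeException('could not sanitize input');
    }
    return htmlspecialchars(trim($stripped), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The OP's original approach, reproduced only to show what reaches the
// database: the user's text is spliced straight into the SQL string.
function unsafe_query(string $text, string $userId): string
{
    return "UPDATE `users` SET `text` = '$text' WHERE `usersid` = '$userId'";
}

// Hardened save: the text is bound as a parameter, so it stays data no
// matter which characters it contains, and the user id is passed in by the
// caller from the session rather than from a form field.
function save_user_text(PDO $db, string $userId, string $text): int
{
    $stmt = $db->prepare('UPDATE `users` SET `text` = :text WHERE `usersid` = :id');
    $stmt->execute([':text' => sanitize_plain_text($text), ':id' => $userId]);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (usersid TEXT PRIMARY KEY, text TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', '', 'secret'), ('bob', '', 'hunter2')");

// Constructed sample input: looks like markup and contains a quote that
// would terminate the string literal in the original interpolated query.
$submitted = "<b>hi</b> &amp; O'Brien' WHERE 1=1 -- ";

echo "original code would have sent:\n  " . unsafe_query($submitted, 'alice') . "\n";

// Simulated login: the id comes from the session, not a hidden input or cookie.
// (assumed session key name; a real app calls session_start() first)
$_SESSION = ['usersid' => 'alice'];
$userId = $_SESSION['usersid'] ?? null;
if ($userId === null) {
    exit("not logged in\n");
}

$rows = save_user_text($db, $userId, $submitted);
echo "rows updated: $rows\n";   // only alice's row, whatever the text contained

foreach ($db->query('SELECT usersid, text FROM users') as $row) {
    echo "{$row['usersid']}: {$row['text']}\n";
}
```

Run it with `php save_text.php` (any file name will do). The first line of output shows how the quote in the sample text breaks the original query apart; the rows that follow show that the prepared statement stored the same text literally in alice's row and left bob's untouched. One caveat on the second answer's advice: applying htmlspecialchars() before storing means the database holds HTML-encoded text, which is fine if the only consumer is a web page, but if the text is ever sent as JSON, e-mail or to another system, encoding at output time is the more flexible choice.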
