
sql injection protection


kingb00zer


Hey, I'm just wondering what the best way is to go about protecting forms not only from SQL injection but especially, in the username fields, stripping anything that is not alphanumeric.


You can use a regex-based filter to filter out any undesired input using the preg_*() functions.


I don't know your application, so this might not apply. Many users find it annoying and confusing when their text gets massaged. Consider the possibility of bouncing it back with a warning instead of accepting it and "fixing" it.


Never mind, I worked it all out; I forgot that I put it in comments to check if I messed up the chance of using the old setup, but both are fine now. I think I might be close, but what have I done wrong here? I entered the name test*&^%/ing to see if it enters testing into the db and it didn't remove any of it.

// strip invalid characters from input fields
// (the commas inside the character class were literal characters, so "," was allowed through; removed here)
$username_strip = $_POST['username'] ?? '';
$username = preg_replace("/[^a-zA-Z0-9\s]+/", "", $username_strip);


It should be something like...

[^a-zA-Z0-9\s]+


Why are you worried about filtering out those characters, anyway? Is there any security to be gained by limiting the characters in someone's username?

I'm making a turn-based browser game; in the username field I want only alphanumeric. In some of the in-game fields I only want numeric. And from what I read about SQL injection, if I can strip other symbols from someone's input it can stop people from hacking into and editing my database.

You're right to be concerned. But if you mess with a username or password, either your user won't know about it (and can't ever log in) or they'll be ticked off because they don't have the name they chose. Better to validate the name and bounce the form back if they choose one that doesn't validate.

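An added example, not code from the thread, that runs the pattern posted earlier and the corrected character class over a few constructed inputs, then shows the validate-and-bounce approach the last two replies recommend instead of silently rewriting the name. The 3-to-20 character length limit and the sample strings are assumptions for the demo.

```php
<?php
// Added example (not the poster's code): compares the regex from the post with
// the corrected class, then shows validate-and-bounce as an alternative.
// The length limits (3..20) and the sample inputs are assumptions for the demo.

declare(strict_types=1);

// Original pattern: the commas inside the class are literal characters,
// so "," counts as allowed and is never stripped.
const PATTERN_ORIGINAL = '/[^a-z,A-Z,0-9\s]/';
// Corrected pattern: one class with no stray commas, plus "+" so a run of
// disallowed characters is removed in a single replacement.
const PATTERN_FIXED = '/[^a-zA-Z0-9\s]+/';

function stripWith(string $pattern, string $input): string
{
    $out = preg_replace($pattern, '', $input);
    if ($out === null) {
        throw new RuntimeException('preg_replace failed, error code ' . preg_last_error());
    }
    return $out;
}

// Validate-and-bounce: reject the name instead of changing it.
// Returns null when the name is acceptable, otherwise the message to show
// on the re-displayed form.
function usernameError(string $username): ?string
{
    $len = strlen($username);
    if ($len < 3 || $len > 20) {
        return 'Username must be 3 to 20 characters long.';
    }
    if (!preg_match('/^[a-zA-Z0-9]+$/', $username)) {
        return 'Username may contain letters and digits only.';
    }
    return null;
}

// Constructed sample inputs, including the one from the thread.
$samples = ['test*&^%/ing', 'a,b,c', 'plain42', '  sp ace  '];

foreach ($samples as $s) {
    printf("%-16s original=%-12s fixed=%-12s bounce=%s\n",
        var_export($s, true),
        var_export(stripWith(PATTERN_ORIGINAL, $s), true),
        var_export(stripWith(PATTERN_FIXED, $s), true),
        usernameError($s) ?? 'ok'
    );
}
```

Run it with `php` on the command line: the first sample strips to `testing` under both patterns, `a,b,c` keeps its commas under the original pattern only, and the whitespace-padded name survives both strippers (because `\s` is allowed) but is rejected by the validator, which is the difference the replies are pointing at.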

Really, the only thing you need to do is escape quotes. You don't need to filter anything out, at least it has nothing to do with security. If you allow everything you'll want to use something like htmlspecialchars to prevent client-side attacks, but filtering out characters doesn't really stop SQL injection attacks (or, more specifically, if all you're doing is filtering characters then you're not stopping attacks). You should be using a function like mysql_real_escape_string instead. The MySQL extension for PHP only allows one statement at a time, so you don't even need to worry about people trying to chain SQL statements together.

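The reply above puts the emphasis in the right place, on how the value reaches the query rather than on which characters are stripped; the specific function it names, mysql_real_escape_string, belongs to the mysql_* extension that was removed in PHP 7, and the equivalent today is a prepared statement, where the value is bound separately from the SQL text. The following is an added example, not code from the thread, using an in-memory sqlite database through PDO so it runs stand-alone; the users table, its rows and the probe string are constructed for the demo, and the same PDO calls work against MySQL with a mysql: DSN.

```php
<?php
// Added example (not from the thread): username lookup with a prepared
// statement, an integer check for a numeric game field, and htmlspecialchars
// for output. Schema, rows and probe string are constructed for the demo.

declare(strict_types=1);

// For the real game this would be something like
//   new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', DB_USER, DB_PASS)
// with placeholder values replaced; sqlite in memory keeps the demo self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE, gold INTEGER NOT NULL)');
$seed = $db->prepare('INSERT INTO users (username, gold) VALUES (:u, :g)');
foreach ([['alice', 100], ['bob', 250]] as [$u, $g]) {
    $seed->execute([':u' => $u, ':g' => $g]);
}

// The value travels as a bound parameter and is never spliced into the SQL
// text, so quote characters in $username cannot change the statement.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username, gold FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Numeric in-game field: validate as a positive integer before it gets near a
// query, and reject (return null) rather than silently coercing.
function parseGoldAmount(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

// The concatenation style the reply warns against, kept only for contrast.
function findUserUnsafe(PDO $db, string $username): array
{
    return $db->query("SELECT id, username, gold FROM users WHERE username = '$username'")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed probe: a quote followed by an always-true condition.
$probe = "' OR '1'='1";

var_dump(findUser($db, 'alice'));              // the one matching row
var_dump(findUser($db, $probe));               // null: no user has that literal name
var_dump(count(findUserUnsafe($db, $probe)));  // 2: the WHERE clause was rewritten

var_dump(parseGoldAmount('250'));              // int(250)
var_dump(parseGoldAmount('25 OR 1'));          // null

// Output side: escape when echoing a name back into the page, as the reply notes.
echo htmlspecialchars('<b>bob</b>', ENT_QUOTES, 'UTF-8'), "\n";
```

The contrast between findUser and findUserUnsafe is the whole point: with the parameter bound, the probe string is compared as a literal username and matches nothing, while the concatenated version returns every row. Character stripping is a usability decision about what names look like; keeping data out of the SQL text is what actually closes the injection.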

Archived

This topic is now archived and is closed to further replies.
