
Scrubbing user form input



Morf
12-26-2006, 10:11 AM
Hello.

I'm trying to make sure my site is safe from SQL injection attacks. I've been doing some research and have already modified my user permissions to only allow appropriate query types. However, I am having some trouble finding an example of how to scrub the user form submissions to search for illegal characters. I read that, due to the number of special characters, the best way to do so is to ALLOW certain characters and filter out everything else, rather than REJECTING illegal characters and allowing everything else.

Therefore, I would like to write code to scrub the user input and make sure it contains only the following characters:

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
0123456789
@.-_+

If any other characters appear, I'll stop the script and send headers to send the browser to an error page. My question is: how do I go about scrubbing the input? I imagine I'll need to create some sort of variable or array that holds the legal characters and compare them to the user input. However, I really don't know how to begin doing this. Any help is appreciated. :thumbsup:

Linark
12-26-2006, 12:03 PM
Try looking at preg_match (http://www.php.net/preg_match)

Morf
12-27-2006, 06:19 AM
Okay, I'm working on it. Here's what I have so far:

if(!preg_match("/[^a-zA-Z0-9\.\-\_\@\.\+",$fieldname))
{
// (code to manipulate database goes here)
}
else
{
header("Location: illegalchars.php");
}

Does this look alright? I'm not sure if I've got syntax and logic right as I don't quite understand the function. Thanks.

Morf
12-27-2006, 06:50 AM
Okay, I decided that since I'll be doing this multiple times on every page, I'm going to place it into a function. Here's what I have:

function check_field($field_name)
{
if(!preg_match("/[^a-zA-Z0-9\.\-\_\@\.\+\",$field_name))
return TRUE;
else
return FALSE;
}


if(!check_field($loginname))
{
header("Location:illegalchars.php"); // this is line 31, I'm getting an unexpected t-string here
}


I'm getting an unexpected T_STRING error on line 31 (I commented that line above). Can anyone see the problem?

Morf
12-27-2006, 07:11 AM
Update:

I've gotten the errors solved, but it's not working. It still sends the data to SQL and doesn't redirect to illegalchars.php. There is no warning saying headers had been sent. I tried plugging the function into the login form and it's behaving just like it was before: it'll come back and say the password is incorrect, but it doesn't seem to detect any illegal characters.

Here's my updated code:

function check_field($field_name)
{
if(!preg_match("/[^a-zA-Z0-9\.\-\_\@\.\+\"]/",$field_name))
return TRUE;
else
return FALSE;
}

if(!check_field($loginname))
{
header("Location:illegalchars.php");
}

Any help is really appreciated. Thanks.

Morf
12-27-2006, 07:18 AM
Update! I got it!

Here's the correct code, for anyone curious:


function check_field($field_name)
{
    // preg_match() returns 1 if any character outside the allow-list is found,
    // 0 if the field is clean, so a clean field makes the condition true.
    if(!preg_match("/[^a-zA-Z0-9\.\-\_\@\+]/",$field_name))
        return TRUE;
    else
        return FALSE;
}

if(!check_field($_POST['loginname']))   // the array key must be quoted
{
    header("Location: illegalchars.php");
    exit;   // stop the script here; break is only valid inside a loop or switch
}
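The following is an added example, not code from the thread, that takes the allow-list idea from the opening post and the final check_field() above and pairs it with a prepared statement, so the query stays safe even if the validator is ever bypassed or applied to the wrong field. It assumes PHP 7.1 or later with the pdo_sqlite extension; the table, column names, sample rows and the helper names check_field() and find_user() are all constructed for this demo.

```php
<?php
// Added example (not the original poster's code): allow-list validation of a
// form field plus a parameterised query. Assumes PHP >= 7.1 with pdo_sqlite;
// the users table and its rows are constructed sample data.

// Allow only A-Z, a-z, 0-9 and @ . - _ +, with an explicit length limit.
// The anchors (^ $) plus the D modifier force the whole string to match, so a
// trailing newline cannot slip through. preg_match() returns 1 on a match,
// 0 on no match and false on error; only 1 counts as clean.
function check_field($value, int $max_len = 64): bool
{
    if (!is_string($value)) {          // e.g. loginname[]=x submits an array
        return false;
    }
    if ($value === '' || strlen($value) > $max_len) {
        return false;
    }
    return preg_match('/^[A-Za-z0-9@.\-_+]+$/D', $value) === 1;
}

// Look a user up with a prepared statement: the value travels as a bound
// parameter and is never spliced into the SQL text.
function find_user(PDO $db, string $loginname): ?array
{
    $stmt = $db->prepare('SELECT id, loginname FROM users WHERE loginname = :login');
    $stmt->execute([':login' => $loginname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- demo with an in-memory SQLite database (constructed sample data) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, loginname TEXT NOT NULL)');
$db->exec("INSERT INTO users (loginname) VALUES ('alice.smith@example.com'), ('bob_1')");

$inputs = [
    'alice.smith@example.com',   // legitimate, passes the allow-list
    "alice' OR '1'='1",          // classic injection attempt, rejected
    "bob_1\n",                   // trailing newline, rejected because of /D
    ['bob_1'],                   // array from loginname[]=bob_1, rejected
    str_repeat('a', 65),         // over the length limit, rejected
];

foreach ($inputs as $in) {
    $label = json_encode($in);
    if (!check_field($in)) {
        echo "REJECT $label\n";
        // In the original script this is where
        // header('Location: illegalchars.php'); exit; belongs.
        continue;
    }
    $user = find_user($db, $in);
    echo "ACCEPT $label -> " . ($user ? "user id {$user['id']}" : 'no such user') . "\n";
}

// Even with the allow-list skipped, the bound parameter is compared literally:
var_dump(find_user($db, "alice' OR '1'='1"));   // NULL: no row has that exact name
```

Two points worth taking from it: compare preg_match()'s result with === 1 and check is_string() first, because a false result (an error, or an array submitted via loginname[]) would otherwise read as "no bad characters found"; and treat the allow-list as a second layer rather than the defence itself, since it is the bound parameter that keeps the quote in "alice' OR '1'='1" from changing the query. The allow-list also rejects spaces and most punctuation, so apply it only to fields whose character set is genuinely that narrow, not to a password field.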


