
Database search form results



buggy
03-08-2010, 05:37 PM
I'm building a database search form and so far so good, but with one little niggle ... the results ...

I have a submissions page where visitors can input their own data. I use

htmlentities(mysql_real_escape_string($foo))

for protection, but the problem is if someone (a hacker) submits an input field

<input type="text" value="foo">

yes, it's parsed, but the results when searching come back as:

&lt;input type=&quot;text&quot; value=&quot;foo&quot;

So my question is: how can I filter out those results from the results page, or, better still, not allow code like input fields to be submitted in the first place?

Please note all numbers, letters and special characters need to be allowed to be submitted.

Fou-Lu
03-08-2010, 07:09 PM
Please refer to this thread in regard to where to post these threads: http://www.codingforums.com/showthread.php?t=145507
The snippets forum is not for questions. Moving to the PHP forum.

As for your question, ensure that your data input is only what you allow. You can do this with preg_match (http://php.ca/manual/en/function.preg-match.php), and it looks like using filter_var with FILTER_VALIDATE_URL will match your criteria.
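
The following is an added example, not code posted by either participant in this thread. It illustrates the point behind the original question: the stored text shows up as &lt;input type=&quot;text&quot;... because htmlentities() was applied before the data went into the database, and escaping for HTML belongs at output time, not at storage time. mysql_real_escape_string() protects the SQL layer and htmlentities() the HTML layer; mixing them before storage corrupts the data. The example keeps the two layers apart: a PDO prepared statement (assumed here instead of the mysql_* functions, which were removed in PHP 7) handles the SQL side, and htmlspecialchars() is applied exactly once when the search results are rendered. A preg_match check is used in the spirit of Fou-Lu's suggestion, but only to reject control characters and over-long input, since the poster needs every printable letter, number and special character to remain allowed. The in-memory SQLite connection and the table name are assumptions so the script runs without a MySQL server.

```php
<?php
// Added example (not from the thread). Demonstrates: store raw text with a
// prepared statement, escape for HTML only when rendering results.
declare(strict_types=1);

// Assumption: in-memory SQLite so the demo runs stand-alone.
// Replace the DSN with the real MySQL connection in an application.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE submissions (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

/**
 * Accept a submission. All printable characters are allowed, as required;
 * only over-long input and control characters (other than tab/CR/LF) are
 * rejected. The text is stored RAW: no htmlentities(), no manual SQL escaping.
 */
function storeSubmission(PDO $pdo, string $text): bool
{
    if (strlen($text) > 1000) {
        return false;
    }
    // \p{C} is the Unicode "other/control" category; allow only \t \n \r from it.
    if (preg_match('/[^\P{C}\t\n\r]/u', $text) === 1) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO submissions (body) VALUES (:body)');
    $stmt->execute([':body' => $text]);
    return true;
}

/**
 * Search and render results. The term is bound as a parameter, so quotes in
 * it cannot change the SQL; LIKE metacharacters are escaped so "100%" matches
 * literally; and each result is HTML-escaped once, here, at output time.
 */
function searchSubmissionsHtml(PDO $pdo, string $term): string
{
    // Escape the ESCAPE character first, then % and _, for the LIKE pattern.
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    $stmt = $pdo->prepare(
        "SELECT body FROM submissions WHERE body LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . $escaped . '%']);

    $html = "<ul>\n";
    foreach ($stmt as $row) {
        // Output escaping: the browser displays <input ...> as text,
        // it does not render a form field or execute anything.
        $html .= '  <li>'
            . htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
            . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed demo input: the hostile submission from the original post,
// plus an ordinary one containing LIKE metacharacters.
storeSubmission($pdo, '<input type="text" value="foo">');
storeSubmission($pdo, 'plain text, 100% special chars: & " \' < > _');

// Rejected: contains a NUL control character.
var_dump(storeSubmission($pdo, "foo\0bar"));

echo searchSubmissionsHtml($pdo, 'foo');
echo searchSubmissionsHtml($pdo, '100%');
```

In the rendered HTML source the first result appears as &lt;input type=&quot;text&quot; value=&quot;foo&quot;&gt; inside its &lt;li&gt;, which the browser shows to the visitor as the literal text &lt;input type="text" value="foo"&gt; rather than as a form field. Because the database holds the raw string, the result is escaped once and not double-encoded into &amp;amp;lt;, which is the symptom the question describes. The same principle applies if the stored text is later sent somewhere other than an HTML page (JSON, e-mail, a CSV export): each output context gets its own escaping at the point of output, and the stored value stays unmodified.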

buggy
03-08-2010, 07:11 PM
Sorry for posting in the wrong section. I'm normally on the ball with that sort of thing as I run a forum myself ... please move to the correct forum.


