  1. #1
    Regular Coder (joined Mar 2009, 101 posts)

    Is this adequate form-field security?

    Every form field on our site I have running through this function; is this adequate protection from SQL injection and spam-hijacking? Or am I missing something crucial?

    PHP Code:
    function field_sanitize_basic($input) {
        if (!is_array($input)) {
            $input = array($input);
        }

        // Strings that get replaced with '*' when found (case-insensitive).
        // Several further entries of this list did not survive extraction of the post.
        $gobbledegook_alphabet = array('passwd', 'password', 'Bcc', 'mime', 'Content-Type', '|');

        foreach ($input as $key => $valueold) {

            foreach ($gobbledegook_alphabet as $value2) {
                if (stristr($valueold, $value2) !== false) {
                    $valueold = $input[$key] = str_ireplace($value2, '*', $valueold);
                    $_SESSION['field_sanitize_basic_warning'] = '<p class="note_bold">Some potentially unsafe text in your submission was removed!</p>';
                }
            }

            $valueold   = htmlspecialchars($valueold);
            $valueold   = stripslashes($valueold);
            $valueclean = $valueold;
            $value = $input[$key] = $valueclean;
        }
        return $input[0];
    }

    (Oh, the whole doing the input and return as an array, is because I'm working on returning errors and the like -- ignore some oddness about that part. I'm just curious right now about the actual security/substitution stuff.)

    Thanks for any feedback!
    Liam

  • #2
    RyanB88, Regular Coder (joined Mar 2005, Spokane, WA, 148 posts)
    Any reason you're not just using mysql_real_escape_string()?

    http://php.net/manual/en/function.my...ape-string.php

  • #3
    Regular Coder (joined Mar 2009, 101 posts)

    Quote, originally posted by RyanB88:
        Any reason you're not just using mysql_real_escape_string()?

        http://php.net/manual/en/function.my...ape-string.php

    Oops.
    I messed up. This example is one for forms in which the results are sent via e-mail and are displayed on the Web page -- not for MySQL inserts, which is what I indicated when I said "SQL injection."

    To be clear, EVERY form field goes through this process above, but what I didn't say was that EVERY form field that gets used in a SQL query ALSO goes through a mysql_real_escape_string() before inclusion in the query.

    Sorry. Thanks!
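    The function in post #1 treats all three destinations (e-mail headers, the HTML page, and the SQL query) with one blacklist, and post #3 adds mysql_real_escape_string() for the query. The following is an added example, not code from the thread, that handles each sink with the control that fits it: CR/LF removal plus address validation for anything that becomes a mail header (header injection needs a line break, not the word "Bcc"), htmlspecialchars() with explicit flags at output time, and a PDO prepared statement instead of string escaping (the mysql_* extension itself was removed in PHP 7). Function names, the messages table, the form field names and the sample input are all assumptions made for this example.

```php
<?php
// Added example (not from the thread): one control per sink for a contact form.
// Assumed names: mail_header_value(), valid_email(), html(), store_message(),
// handle_contact_form(), the "messages" table and the email/subject/message fields.
declare(strict_types=1);

// 1. E-mail headers: a header injection needs a CR or LF to start a new header
//    line, so remove those (and NUL) from any value that becomes a header.
function mail_header_value(string $value): string
{
    return trim(str_replace(["\r", "\n", "\0"], '', $value));
}

// Validate the sender address after header cleaning; reject rather than patch it.
function valid_email(string $value): ?string
{
    $value = mail_header_value($value);
    return filter_var($value, FILTER_VALIDATE_EMAIL) === false ? null : $value;
}

// 2. HTML output: encode for the HTML context when rendering, with explicit
//    flags and charset. No stripslashes() afterwards; that undoes nothing useful
//    and dates from magic_quotes, which is gone since PHP 5.4.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. SQL: bind parameters instead of escaping into the query string.
function store_message(PDO $pdo, string $from, string $subject, string $body): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO messages (sender, subject, body) VALUES (:sender, :subject, :body)'
    );
    $stmt->execute([':sender' => $from, ':subject' => $subject, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Returns either the validation errors or the stored row id, the mail headers
// that would be passed to mail(), and an HTML preview of the message.
function handle_contact_form(array $post, PDO $pdo): array
{
    $from    = valid_email((string) ($post['email'] ?? ''));
    $subject = mail_header_value((string) ($post['subject'] ?? ''));
    $body    = (string) ($post['message'] ?? '');   // body may keep its line breaks

    $errors = [];
    if ($from === null)  { $errors[] = 'A valid e-mail address is required.'; }
    if ($subject === '') { $errors[] = 'A subject is required.'; }
    if ($errors !== [])  { return ['ok' => false, 'errors' => $errors]; }

    // Store the validated raw values; encoding belongs to the output step.
    $id = store_message($pdo, $from, $subject, $body);

    // Only values that went through mail_header_value() reach the header block.
    $headers = "From: {$from}\r\nReply-To: {$from}\r\n";

    return [
        'ok'      => true,
        'id'      => $id,
        'headers' => $headers,
        'preview' => '<p>' . html($subject) . '</p><pre>' . html($body) . '</pre>',
    ];
}

// Constructed sample run against an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, subject TEXT, body TEXT)');

// A line break in the address field: the address is rejected, not silently rewritten.
$rejected = handle_contact_form([
    'email'   => "user@example.com\r\nX-Extra: header",
    'subject' => 'Hello',
    'message' => 'test',
], $pdo);
var_dump($rejected['ok']);          // bool(false)

// Markup in the subject is stored as typed and neutralised only in the preview.
$stored = handle_contact_form([
    'email'   => 'user@example.com',
    'subject' => 'Hello <b>there</b>',
    'message' => "line one\nline two",
], $pdo);
var_dump($stored['ok']);            // bool(true)
echo $stored['preview'], PHP_EOL;   // <p>Hello &lt;b&gt;there&lt;/b&gt;</p><pre>line one
                                    // line two</pre>
```

    The word-level blacklist from post #1 is dropped on purpose: it cannot tell a legitimate "password reset" sentence from an attack, and it misses the one thing that makes a mail header injection work, the line break. Validation rejects bad input, encoding happens per output context, and the database never sees a query string built from user data.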

