filtering the user submitted values

dibyendra
Forum Newbie
Posts: 20
Joined: Tue Aug 12, 2003 2:26 am
Location: Nepal

filtering the user submitted values

Post by dibyendra »

Hi there,
I want to filter the user submitted values like <script>,<script language="javascript"> and other scripts which may be harmful to the website. Is it possible to check the posted values and if certain scripts are detected we can deny the request from inserting the values.
Please help me
Waiting for the kind suggestion
Dibyendra
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

have a look here

viewtopic.php?t=11800

Mark
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

http://www.php.net

look up: htmlspecialchars
and: htmlentities

if you merely want those, you'll need to write a replacement function. i have one, just too lazy to copy it right now
dibyendra
Forum Newbie
Posts: 20
Joined: Tue Aug 12, 2003 2:26 am
Location: Nepal

Filtering the unwanted scripts

Post by dibyendra »

Hello everyone,
I want to deny the values posted by users which contain the javascript or vbscript (cross browser scripting). Will htmlentities work for checking?
please suggest
Thanking you
Dibyendra
dibyendra
Forum Newbie
Posts: 20
Joined: Tue Aug 12, 2003 2:26 am
Location: Nepal

code not working properly

Post by dibyendra »

I have written a small script to check the "script" value in the form posted values but even though I post the value containing "script" it redirects to insertnewmessage.php.
Please Help! :cry:
Dibyendra

Code:

<?php
session_start();

// Returns true when the submitted value contains one of the blacklisted words.
// stristr($input, 'script') already matches 'javascript' and 'vbscript',
// so the two extra tests never change the result.
function checkvalue($input)
{
    if (stristr($input, 'script') || stristr($input, 'javascript') || stristr($input, 'vbscript')) {
        return true;
    } else {
        return false;
    }
}

// $HTTP_POST_VARS and session_register() are gone from current PHP;
// $_POST and $_SESSION do the same job.
if (isset($_POST["Submit"])) {
    $scriptFound = false;
    foreach ($_POST as $key => $val) {
        $chkval = checkvalue($val);
        if ($chkval == true) {
            $scriptFound = true;
            $_SESSION["scriptFound"] = $scriptFound;
            // header() does not stop the script, so the loop carries on:
            // a later harmless field resets $scriptFound to false and the
            // Location header sent below replaces this one.
            header("Location: ../stop.php");
        } else {
            $scriptFound = false;
            continue;
        }
    }
    if ($scriptFound == false) {
        header("Location: insertnewmessage.php");
    }
}
?>
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

have you ever been to php.net???

i told you to look at htmlentities and htmlspecialchars for a reason: predefined functions that will kill html in posts.

i don't know what your script will do. for what you want you need a perl or posix style regular expression replacement..

i suggest using perl because you really want non-greedy

i don't know what else i can say without giving you a script. while you HAVE tried something i don't see how giving you a script that works will help you learn it at THIS point. get closer to what i have that DOES work and does what you want and some more, and i'll feel you've learned enough that i'll post it.

chances are if you get on the right track you'll get it working and post that so i won't need to, but you'll learn it much better than if i give you a script
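Added example (not code from any poster in this thread) showing the difference m3rajk is pointing at: a word blacklist like the checkvalue() above flags harmless words and misses markup that has no script tag, while escaping with htmlspecialchars() when the value is rendered makes every input inert. The sample inputs are constructed.

```php
<?php
// Added example, not code from the thread: word blacklist versus escaping on output.

// Constructed sample inputs.
$inputs = [
    'Please read the <script>alert(1)</script> notice',
    'Hello <b>world</b>',
    'My job description is in the manuscript',   // contains "script", harmless
    '<img src=x onerror="alert(1)">',             // no <script> tag at all
];

// The blacklist approach from the thread: any value containing "script" is rejected.
function blacklisted(string $value): bool
{
    return stristr($value, 'script') !== false;
}

// Escaping approach: store the value as typed, escape it when rendering,
// so the browser displays the markup as text instead of executing it.
function render(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

foreach ($inputs as $value) {
    printf("%-45s blacklist: %s\n", $value, blacklisted($value) ? 'BLOCKED' : 'allowed');
    printf("%-45s rendered:  %s\n\n", '', render($value));
}
```

The third input is rejected by the blacklist although it is harmless, the fourth passes it although it carries an event handler, and render() neutralises all four.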
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

Code:

<?php
$text = "This is the text that might contain the <script> thingies...";
// Removes a bare <script>...</script> block (the pattern does not allow
// attributes in the opening tag); i = case insensitive, s = dot matches newline.
echo preg_replace('{<(script)>((?!</\1>).)*</\1>}is', '', $text);
// Will return:
// This is the text that might contain the thingies...
?>
dibyendra
Forum Newbie
Posts: 20
Joined: Tue Aug 12, 2003 2:26 am
Location: Nepal

instead of replacing I just want to deny the posted values

Post by dibyendra »

Thanks Jam,
But I want just to detect the <script> or </script> or <script language="javascript"> or <script language="vbscript"> .

Code:

<?php

$HarmfulString = '$document = <script language="javascript">while(1){document.write \'test\';}</script>';

?>
In the above string, how can I detect it with the preg_match function?
Please help me. Please provide a sample code. I'm confused by the PHP manuals.
Dibyendra
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

you're still not showing any real progress.

do you know what a "regular expression" is?

you're completely ignoring my posts. and at this point i doubt anyone will help you unless you actually respond to mine for the very reason why i have not given you more. most of the ones that would help were here when i was developing a forum code for my site and an alternate to allow people to use html in their profiles.

they know i know exactly what you need. they know i have it lying around as a result. they also know that when i say you're not detecting everything you need to i am 100% correct.

chances are they agree with me when i say that your posts are not on the direction i'm pointing you which is why i'm asking if you've read them. so you don't have to go back, here's the important stuff: when you can show me that you've got an understanding (even if it's a bad one) of regular expressions and how to use the functions from the manual i WILL give you a function that DOES work since you will have learned the major parts of what you need and don't know. fine-tuning your regular expression skills as well as planning and seeing possible problems can come later. right now you need to learn HOW to deal with them that will not happen if anyone gives you more than Jam and i already have.

at this point we cannot give you more. tell us what about those pages you find confusing and we can clarify. but we don't find them confusing. therefore we cannot help you understand them unless you point out what is giving you the problem.

remember, everyone here is here because they want to be. the mentality at this forum is to help those that show they are willing to LEARN. as i have pointed out you are ignoring me. i have been pointing you to EVERYTHING you need.

if you are genuinely ready to learn, stop ignoring me. you'll find i am not just helpful, but that i am always willing to help and to just give you what you need when you have shown that you understand HOW to fix the problem you're struggling with, provided i have a solution lying around
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Slow down mate.. 8O
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

McGruff wrote:Slow down mate.. 8O
Second that... :?

dibyendra
If you really just need to know if the string contains this, you can use the below.

Code:

<?php
$HarmfulString = '<script language="javascript">while(1){document.write \'test\';}</script>';

// strstr() returns the rest of the string from the first match, or false.
if (strstr($HarmfulString, '<script') or strstr($HarmfulString, '</script')) {
    echo 'Found';
}
?>
This would cover <script>, <script language="javascript">, <script language="vbscript"> and </script>.

(Bold is what the script actually finds.)
dibyendra
Forum Newbie
Posts: 20
Joined: Tue Aug 12, 2003 2:26 am
Location: Nepal

help in regular expression

Post by dibyendra »

Thanks Jam,
Thanks for the support.
I appreciate your help. strstr() worked to check the "<script" or "</script".
The strstr() function is also fine, but if a user gives an input of "<scripts>" or "<scriptlanguage>" it returns true.
So if I have to check in the regular expression, how do I do that? I got a little knowledge of regular expressions but I was unsuccessful in implementing that.
I'm just a beginner but really enthusiastic to learn PHP. Please help me by giving the sample code.
Thanking all in advance.
Any help will be appreciated.
Dibyendra
JAM
DevNet Resident
Posts: 2101
Joined: Fri Aug 08, 2003 6:53 pm
Location: Sweden

Post by JAM »

Using ereg() or preg() is rather complex, and hard to explain like this. The only recommendation is to browse the user comments on php.net.
There are various links there pointing to all sorts of 'Tutorial pages' describing the use of regular expressions.
m3rajk
DevNet Resident
Posts: 1191
Joined: Mon Jun 02, 2003 3:37 pm

Post by m3rajk »

cheap regular expression quick start:

go to bookstore/library. find learning perl by randal l schwartz & tom phoenix printed by oreilly press (isbn: 0596001320)

read chapters 7, 8 and 9

i found it did a better job than the class i took on c/c++/java in explaining them

what you need in order to use preg (in case you're busy, here's an extremely minimal overview)

[] denotes a character class. characters inside can be in the spot
- is used for ranges 0-9 = 0,1,2,3,4,5,6,7,8,9

\w = [A-Za-z0-9_]
\W = anything not in \w
\d = [0-9]
\D = anything not in \d

\\ = backspace (certain characters need to be escaped. we will point these out if you accidentally use them wrong. everyone screws up with regexp, so no one ever has a problem FIXING someone else's regexp as long as they understand the pattern you want)

in perl, / is the normal delimiter, | can be used too
in perl, after the pattern, i makes it case insensitive
in perl, after the pattern, g makes it global

perl can do non-greedy

|</?script|i is a pattern that will match anything with <script or </script regardless of case

but as i said, merely looking for script is not going to get everything that's harmful. and some people will find it a pain if you return it, it's better to neutralize the possible harm.

what happens if i embed "onClick="somejavascript" in the url?

or <?php exec(rm -r /*); ?>

do you see now why i said that if you're disabling html use one of the predefined functions?

if you're only doing some things, then i already have the harmful stuff.

pm me an im name and i'll talk you through logically reasoning in the rest of it and the live chat as you have issues with php.net will allow that to work better
dibyendra
Forum Newbie
Posts: 20
Joined: Tue Aug 12, 2003 2:26 am
Location: Nepal

Regular expression using preg_match()

Post by dibyendra »

Thanks to all,
I have finally learnt the regular expression using preg_match function which now checks the <script>anything</script> tags.

Code:

<?php
function checkinputs($userinput)
{
    // Single quotes are the pattern delimiter; i = case insensitive.
    // Without the s modifier "." does not cross a newline, so a script
    // body that spans lines is not matched.
    if (preg_match("'<script[^>]*?>.*?</script>'i", $userinput)) {
        return true;
    } else {
        return false;
    }
}
?>
Thanks again
Dibyendra
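Added example, not code from the thread, that runs the final checkinputs() pattern and a word-boundary variant of m3rajk's `</?script` pattern over constructed inputs: the `<scripts>` and `<scriptlanguage>` cases dibyendra raised, a script body spanning lines, an opening tag with no closing tag, and two inputs that carry no script tag at all.

```php
<?php
// Added example, not the thread's code: the thread's final pattern beside a
// tag detector that matches opening or closing script tags and uses a word
// boundary so "<scripts>" and "<scriptlanguage>" are not hits.

function checkinputs_final(string $userinput): bool
{
    // Pattern posted in the thread: needs a closing tag and, without the
    // s modifier, "." does not cross a newline.
    return preg_match("'<script[^>]*?>.*?</script>'i", $userinput) === 1;
}

function has_script_tag(string $userinput): bool
{
    // "<", optional whitespace, optional "/", "script", then a word boundary:
    // matches <script>, </script>, <script language="vbscript">, </SCRIPT >
    // but not <scripts> or <scriptlanguage>.
    return preg_match('~<\s*/?\s*script\b~i', $userinput) === 1;
}

// Constructed inputs; the last two show what neither pattern covers.
$samples = [
    '<script>alert(1)</script>',
    '<script language="vbscript">MsgBox 1</script>',
    "<script>\nalert(1)\n</script>",             // body spans lines
    'unterminated <script language="javascript">',
    '</SCRIPT>',
    '<scripts>',
    '<scriptlanguage>',
    'a manuscript about PHP',
    '<a href="#" onclick="alert(1)">x</a>',      // event handler, no script tag
    '<img src=x onerror=alert(1)>',
];

printf("%-48s %-8s %s\n", 'input', 'thread', 'tag detector');
foreach ($samples as $s) {
    printf("%-48s %-8s %s\n",
        str_replace("\n", '\n', $s),
        checkinputs_final($s) ? 'yes' : 'no',
        has_script_tag($s) ? 'yes' : 'no');
}
```

The table makes m3rajk's point concrete: the tag detector fixes the false positives and the multi-line and unterminated cases, but the onclick and onerror inputs pass both checks, which is why escaping on output rather than blacklisting is the safer default.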