How 2 avoid special characters from a string

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

nithinkk
Forum Commoner
Posts: 55
Joined: Sat Nov 28, 2009 7:57 am

How 2 avoid special characters from a string

Post by nithinkk »

I have a string, $rocks:

$rocks=" With ( this one command, you can determine ) if the majority of the code has + been designed to rely on register globals. If grep yields a great number of matches, it’s likely that superglobals aren’t needed and can be safely disabled. On the other hand, - if the application is large and the command fails to return any or few | lines, you probably \have quite a/ bit for work to do to “mod- ernize” the program’s >input processing< mechanism."

How can I avoid special characters in a string?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: How 2 avoid special characters from a string

Post by Christopher »

( You're ) post + does not \make/ much "sen-se".

You can use functions like str_replace(), preg_replace(), htmlentities(), htmlspecialchars() to remove/translate characters in strings.
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: How 2 avoid special characters from a string

Post by AbraCadaver »

Your string roxorz!
nithinkk
Forum Commoner
Posts: 55
Joined: Sat Nov 28, 2009 7:57 am

Re: How 2 avoid special characters from a string

Post by nithinkk »

Thanks a lot :-)
This is what I did :-)

// Cleaning the strings before inserting into the database
// 1. Drop every byte outside printable ASCII (0x20..0x7E).
//    The original class '[^(\x20-\x7F)]' treated '(' and ')' as literals
//    and so kept them by mistake; it also let the DEL byte (0x7F) through.
$rocks = preg_replace('/[^\x20-\x7E]+/', '', $rocks);
// 2. Replace everything that is not a letter, digit or '-' with a space.
$rocks = preg_replace('/[^a-zA-Z0-9-]/', ' ', $rocks);
// 3. Leading hyphens, trailing hyphens and runs of two or more hyphens become one space.
$rocks = preg_replace('/^-+/', ' ', $rocks);
$rocks = preg_replace('/-+$/', ' ', $rocks);
$rocks = preg_replace('/-{2,}/', ' ', $rocks);
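Added example, not code from nithinkk or anyone else in this thread: the same whitelist clean-up wrapped in a function and run over a few constructed feedback strings, so you can see what it does to ordinary input before it ever reaches the database. The sample strings and the function name are made up for the demonstration.

```php
<?php
// Added example: the character-whitelist clean-up from the post above,
// as one function, applied to constructed feedback text.

function stripToAlnum(string $text): string
{
    // 1. Drop every byte outside printable ASCII (0x20..0x7E). Multibyte
    //    UTF-8 characters such as "é" or "€" disappear here.
    $text = preg_replace('/[^\x20-\x7E]+/', '', $text);
    // 2. Replace every character that is not a letter, digit or '-' with a space.
    $text = preg_replace('/[^a-zA-Z0-9-]/', ' ', $text);
    // 3. Leading hyphens, trailing hyphens and runs of two or more hyphens
    //    become one space (the three separate preg_replace calls combined).
    $text = preg_replace('/^-+|-+$|-{2,}/', ' ', $text);
    // 4. Collapse the runs of spaces the steps above produced.
    return trim(preg_replace('/ {2,}/', ' ', $text));
}

// Constructed feedback samples (not taken from the thread).
$samples = [
    "Great product! Rated 5/5 by O'Brien <obrien@example.com>",
    "The café's espresso was 3,50 € -- worth it",
    "Price was \$1,299.99, i.e. 10% off",
];

foreach ($samples as $in) {
    printf("%-60s => %s\n", $in, stripToAlnum($in));
}
```

Running it shows the cost of this approach: the apostrophe in O'Brien, the e-mail address, the accented "é", the currency sign and the decimal separators are all gone, and "$1,299.99" comes back as "1 299 99". The text is no longer what the user wrote, and none of this is what protects the INSERT statement; that job belongs to the database API, as the next reply points out.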
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How 2 avoid special characters from a string

Post by Mordred »

Wow, you're really afraid of that - sign, aren't you?

If you want to insert the string safely in a database, use the built-in database escape mechanism. For MySQL, this would be mysql_real_escape_string().
Removing random characters from the string without understanding the problem is simply begging for trouble.
nithinkk
Forum Commoner
Posts: 55
Joined: Sat Nov 28, 2009 7:57 am

Re: How 2 avoid special characters from a string

Post by nithinkk »

mysql_real_escape_string($rocks)

Is mysql_real_escape_string() enough for security?
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: How 2 avoid special characters from a string

Post by Mordred »

$rocks = mysql_real_escape_string($rocks);
Is mysql_real_escape_string() enough for security?

Almost. It is required, but not sufficient.
nithinkk
Forum Commoner
Posts: 55
Joined: Sat Nov 28, 2009 7:57 am

Re: How 2 avoid special characters from a string

Post by nithinkk »

So can you tell me how to secure it properly? Actually that string is feedback taken from a user, so I want to clean it before inserting it.
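Added example, not from any poster in this thread, showing the two things Mordred's "required, but not sufficient" and Christopher's mention of htmlspecialchars() point at: the feedback text is sent to MySQL as a bound parameter of a prepared statement (so the driver, not a regex, handles quoting), and it is escaped for HTML only when it is displayed. The table name `feedback(id, body, created_at)`, the DSN, the credentials and the function names are assumptions made for the example.

```php
<?php
// Added example: store user feedback with a parameterised INSERT and
// escape it for HTML at output time. Table, DSN and credentials are
// placeholders, not values from the thread.

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // charset matters: the driver escapes for this encoding
        'app_user',
        'CHANGE_ME',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

function storeFeedback(PDO $pdo, string $body): int
{
    // Validate what the application actually needs: a non-empty, bounded,
    // well-formed UTF-8 string. Punctuation is left alone; it is data.
    if (!mb_check_encoding($body, 'UTF-8')) {
        throw new InvalidArgumentException('feedback is not valid UTF-8');
    }
    $body = trim($body);
    if ($body === '' || mb_strlen($body, 'UTF-8') > 2000) {
        throw new InvalidArgumentException('feedback must be 1..2000 characters');
    }

    // The text travels as a bound parameter, so quotes, hyphens, angle
    // brackets and backslashes can never become part of the SQL statement.
    $stmt = $pdo->prepare('INSERT INTO feedback (body, created_at) VALUES (:body, NOW())');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function renderFeedback(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM feedback WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    if ($body === false) {
        return '';
    }
    // Escape for the context the text is shown in (HTML), at output time,
    // so stored feedback cannot inject markup or script into the page.
    return '<p>' . htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Usage: the raw feedback field from the form is passed in unmodified.
$pdo = connect();
$id  = storeFeedback($pdo, $_POST['feedback'] ?? '');
echo renderFeedback($pdo, $id);
```

Escaping on input and parameter binding on the query solve the same problem (the string must not be interpreted as SQL), but binding does it without the application having to get the quoting right for the connection's character set, which is why the escape function alone is "not sufficient". HTML escaping is a separate concern for a separate context, so it is done where the text is rendered rather than before it is stored.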