Secure Form "Comment" field
I venture carefully out into the heavy traffic on this coder's highway, being a novice with PHP.
If I am not too simplistic in my question, is there a SIMPLE rule I can apply to a Comment field in my form to protect my site from the evil warrior? i.e. Perhaps a basic regular expression, or the like, that disallows specific characters, such as angle brackets, from being injected into a form field?
In my hunt around for a solution, it all seems so long winded.
If there is a simple and clean solution for filtering out the trash, would you mind sharing the secret of how to do it?
Cheers and thanks,
Geoff
Just a gene
I am trying to find a general script that I can use in several places for protecting a "comments" area of a form, whether it be a feedback form, a "tell a friend" form, a sign up form, etc. Most of these have a "comments" block at the end for the user to say anything.
I guess I'm just hoping to find an all-purpose filter for protecting this area. I do already use a reg_exp for validating email addresses, but I hoped there would be something for general text.
Make sense?
Thanks for replying!
Geoff
function rcc($string)
{
    // Split into single characters, drop anything outside printable ASCII (32-126)
    // except the line feed (10), then join the survivors back together.
    $chars = str_split($string);
    foreach ($chars as $key => $char) {
        $code = ord($char);
        if (($code < 32 || $code > 126) && $code != 10) {
            unset($chars[$key]);
        }
    }
    return implode('', $chars);
}
Thanks.. but?
Hey thanks a lot for that... I ran it and get this error:
Fatal error: Call to undefined function: str_split() in /home/ghdyys/public_html/tell_a_friend.php on line 101
Make sense?
Geoff
Yeah it is a PHP 5 function. I can write you a PHP 4 version tomorrow. Basically all the rcc function does is remove anything that isn't standard ASCII text, with the exception of line feeds. Once you have done that, you would need to then escape it for insertion into a database, or use htmlentities for use in a browser, unless you want the html to render..
Here you go, you will probably want to filter out javascript & possibly images, html/css as well.
function filter($string)
{
    // PHP 4 compatible version: walk the string byte by byte and keep only
    // printable ASCII (32-126) plus the line feed (10).
    $strlen = strlen($string);
    $strnew = '';
    for ($i = 0; $i < $strlen; $i++) {
        $code = ord($string[$i]);
        if (($code >= 32 && $code <= 126) || $code == 10) {
            $strnew .= $string[$i];
        }
    }
    return $strnew;
}
astions, this filter only removes some "non-printable" characters, it doesn't in any way prevent XSS.
GeoffR, there is no generic filter that can help you, you need to carefully apply a correct method of escaping data before using it in any way. This is an extensive topic to cover in a forum post, so you are advised to go read a book on PHP security, Chris Shiflett has a good one I hear.
- superdezign
Different objects have different requirements. An "all around" filter would just be a bad idea. Think of what you allow or what you disallow, and prioritize one.
i.e.
For usernames, you'll only want numbers, letters, and underscores, so you prioritize what's allowed.
For SQL, you don't want unescaped characters, so you prioritize what's disallowed.
Each item deserves its own filter.
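The point made in the last two replies (no all-purpose filter; handle each destination of the data on its own terms) as an added PHP example. It is not code posted by anyone in this thread; it assumes a PHP build with pdo_sqlite and constructs its own sample username and comment.

```php
<?php
// Added example, not posted in this thread: handle data per destination
// rather than with one "all-purpose" filter. Sample inputs are constructed.
declare(strict_types=1);

// Username: prioritize what is allowed (letters, digits, underscore only).
function validate_username(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $name) === 1;
}

// Comment shown in an HTML page: escape at output time instead of stripping.
// htmlspecialchars turns <, >, &, " and ' into entities, so markup in the
// comment is displayed as text rather than rendered by the browser.
function comment_to_html(string $comment): string
{
    $escaped = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($escaped); // keep the line feeds, as rcc()/filter() also kept them
}

// Comment stored in SQL: keep the raw text and bind it as a parameter;
// the driver separates data from the statement, so no hand escaping.
function store_comment(PDO $db, string $author, string $comment): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $comment]);
    return (int) $db->lastInsertId();
}

// Demonstration against an in-memory SQLite database (assumes pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

$author  = 'geoff_r';
$comment = "Nice site!\n<b>bold?</b> O'Brien said: 1 < 2 && \"quotes\"";
if (!validate_username($author)) {
    exit("rejected username\n");
}
$id  = store_comment($db, $author, $comment);
$sel = $db->prepare('SELECT body FROM comments WHERE id = ?');
$sel->execute([$id]);
$back = $sel->fetchColumn();

// What was stored is byte-for-byte what the user typed; escaping happens only where it is rendered.
if ($back !== $comment) {
    exit("stored text was altered\n");
}
echo comment_to_html($back), "\n";
```

Run it with `php example.php`: the angle brackets, quotes and ampersand survive storage unchanged and come out as entities only in the HTML rendering.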