Secure Form "Comment" field
Posted: Fri Jun 15, 2007 1:15 am
by GeoffR
I venture carefully out into the heavy traffic on this coder's highway, being a novice with PHP.
If I am not too simplistic in my question, is there a SIMPLE rule I can apply to a Comment field in my form to protect my site from the evil warrior? i.e. Perhaps a basic regular expression, or the like, that disallows specific characters, such as angle brackets, from being injected into a form field?
In my hunt around for a solution, it all seems so long winded.
If there is a simple and clean solution for filtering out the trash, would you mind sharing the secret of how to do it?
Cheers and thanks,
Geoff
Posted: Fri Jun 15, 2007 1:28 am
by Benjamin
Whatcha trying to filter? A story? A resume? A Novel?
Whatcha trying to save it to? A database? A file? An email?
Clarify can do with questions we have.
Just a gene
Posted: Fri Jun 15, 2007 1:33 am
by GeoffR
I am trying to find a general script that I can use in several places for protecting a "comments" area of a form, whether it be a feedback form, a "tell a friend" form, a sign up form, etc. Most of these have a "comments" block at the end for the user to say anything.
I guess I'm just hoping to find an all-purpose filter for protecting this area. I do already use a reg_exp for validating email addresses, but I hoped there would be something for general text.
Make sense?
Thanks for replying!
Geoff
Posted: Fri Jun 15, 2007 1:48 am
by Benjamin
Code:
function rcc($string)
{
    // Split the string into single bytes (str_split() needs PHP 5).
    $string = str_split($string);
    // Drop anything outside printable ASCII (32..126), but keep line feeds (10).
    foreach ($string as $key => $char) {
        if (((ord($char) < 32) || (ord($char) > 126)) && (ord($char) != 10)) {
            unset($string[$key]);
        }
    }
    return implode('', $string);
}
Thanks.. but?
Posted: Fri Jun 15, 2007 1:54 am
by GeoffR
Hey thanks a lot for that... I ran it and get this error:
Fatal error: Call to undefined function: str_split() in /home/ghdyys/public_html/tell_a_friend.php on line 101
Make sense?
Geoff
Posted: Fri Jun 15, 2007 2:08 am
by Benjamin
Yeah, it is a PHP 5 function. I can write you a PHP 4 version tomorrow. Basically all the rcc function does is remove anything that isn't standard ASCII text, with the exception of line feeds. Once you have done that, you would need to then escape it for insertion into a database, or use htmlentities for use in a browser, unless you want the HTML to render.
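As an added example (not code from the thread or from Benjamin), here is the point of that last sentence in runnable PHP: a printable-ASCII filter with the same logic as rcc() keeps `<script>` tags intact, so the protection for the browser has to come from escaping at output time. The hostile comment string is constructed for the example; `rcc_filter` and `html_escape` are names chosen here, not functions from the thread.

```php
<?php
// Added example, not part of the original thread.
// Same rule as the thread's rcc(): keep printable ASCII 32..126 plus line feed.
function rcc_filter($string)
{
    $out = '';
    $len = strlen($string);
    for ($i = 0; $i < $len; $i++) {
        $o = ord($string[$i]);
        if (($o >= 32 && $o <= 126) || $o == 10) {
            $out .= $string[$i];
        }
    }
    return $out;
}

// Escaping for an HTML text or attribute context. ENT_QUOTES also escapes the
// single quote, so the result is safe inside single-quoted attributes too.
function html_escape($string)
{
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}

// Constructed hostile comment: every byte is printable ASCII or a line feed.
$comment = "Nice site!\n<script>alert(document.cookie)</script>";

$filtered = rcc_filter($comment);
var_dump($filtered === $comment);   // bool(true): the filter removed nothing

// Wrong order: rendering the filtered value as-is would execute the script.
// Right order: escape first, then add markup of your own (nl2br) afterwards,
// so the <br /> tags you insert are not escaped along with the user's data.
echo "<p>" . nl2br(html_escape($filtered)) . "</p>\n";
// Prints: <p>Nice site!<br />
// &lt;script&gt;alert(document.cookie)&lt;/script&gt;</p>
```

Note that htmlspecialchars() is enough for this context; htmlentities(), which Benjamin mentions, does the same for the dangerous characters and additionally encodes every other non-ASCII character. Because the filter deliberately keeps line feeds, the filtered value is still not safe to drop into an email header, which is a separate context with its own rules.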
Posted: Fri Jun 15, 2007 3:06 pm
by Benjamin
Here you go. You will probably want to filter out JavaScript and possibly images, HTML/CSS as well.
Code:
function filter($string)
{
    $strlen = strlen($string);
    $strnew = '';
    // Copy only printable ASCII (32..126) and line feeds (10); drop everything else.
    for ($i = 0; $i < $strlen; $i++) {
        $c = ord($string[$i]);   // $string[$i] rather than $string{$i}; the brace form was removed in later PHP
        if (($c >= 32 && $c <= 126) || $c == 10) {
            $strnew .= $string[$i];
        }
    }
    return $strnew;
}
Posted: Mon Jun 18, 2007 5:29 am
by Mordred
astions, this filter only removes some "non-printable" characters, it doesn't in any way prevent XSS.
GeoffR, there is no generic filter that can help you, you need to carefully apply a correct method of escaping data before using it in any way. This is an extensive topic to cover in a forum post, so you are advised to go read a book on PHP security, Chris Shiflett has a good one I hear.
Posted: Mon Jun 18, 2007 10:09 am
by Benjamin
I know what it removes, I wrote it. Maybe he should look into htmlpurifier for cleaning html, or just strip it out all together.
Posted: Mon Jun 18, 2007 3:11 pm
by superdezign
Different objects have different requirements. An "all around" filter would just be a bad idea. Think of what you allow or what you disallow, and prioritize one.
i.e.
For usernames, you'll only want numbers, letters, and underscores, so you prioritize what's allowed.
For SQL, you don't want unescaped characters, so you prioritize what's disallowed.
Each item deserves its own filter.
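An added example (not from the thread or from superdezign) of the two priorities just described: an allow-list for the username, and a bound parameter for the SQL context so nothing in the comment can be read as syntax. It uses an in-memory SQLite database through PDO, so it assumes the pdo_sqlite extension is loaded; the table, the function names and the input strings are constructed for the example.

```php
<?php
// Added example, not part of the original thread.

// Username: allow-list what is permitted. \A and \z anchor to the whole string;
// a trailing $ alone would also accept "geoff\n", because in PCRE $ matches
// before a final newline.
function valid_username($name)
{
    return is_string($name) && preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $name) === 1;
}

// Free-text comment: no character filter, only a length bound. Escaping is
// done where the value is used (SQL below, HTML at output), not here.
function valid_comment($text)
{
    return is_string($text) && strlen($text) <= 2000;
}

// SQL context: a prepared statement with bound parameters. Quotes, semicolons
// and comment markers in the data are stored as data, not run as SQL.
function save_comment(PDO $db, $username, $comment)
{
    $stmt = $db->prepare('INSERT INTO comments (username, body) VALUES (:u, :b)');
    $stmt->execute(array(':u' => $username, ':b' => $comment));
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');   // assumes pdo_sqlite is available
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, username TEXT, body TEXT)');

// Constructed inputs: two bad usernames, then a classic injection payload.
$cases = array(
    array('geoff',      "Great forum, thanks!"),
    array("geoff\n",    "trailing newline in the username"),   // rejected by \z
    array('bob; DROP',  "punctuation in the username"),        // rejected by the class
    array('mallory',    "'); DROP TABLE comments; --"),        // stored as plain text
);

foreach ($cases as $case) {
    list($user, $comment) = $case;
    if (!valid_username($user)) {
        echo "rejected username " . json_encode($user) . "\n";
        continue;
    }
    if (!valid_comment($comment)) {
        echo "rejected comment\n";
        continue;
    }
    $id = save_comment($db, $user, $comment);
    echo "stored row $id for $user\n";
}

// The table survived the payload and holds exactly the two accepted rows.
echo $db->query('SELECT COUNT(*) FROM comments')->fetchColumn() . " rows stored\n";   // 2 rows stored
```

The allow-list decides what a username may contain; the prepared statement makes the content of the comment irrelevant to the SQL parser. Neither replaces the other, and neither makes the comment safe to print in a page, which is the HTML context and needs htmlspecialchars() at output time.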
Thanks
Posted: Mon Jun 18, 2007 5:41 pm
by GeoffR
Thanks for your help and advice with this, it is much appreciated.
Regards,
Geoff