Re: UTF8 - Foreign characters not matching
Posted: Wed Jun 30, 2010 8:09 am
Oh, my example was just meant to detect obvious crap, so you could not insert that to your database at all, rather than filtering anything. Preg_match only returns a number of matches, which you can interpret here as true or false (i.e. whether the input string matched the pattern, or not).
You could apply it like this:

Code:
$input = $_POST['input'];
// just in case you're on an old server, probably not necessary (but won't hurt either);
// the function_exists() guard keeps this from erroring on PHP 8, where get_magic_quotes_gpc() no longer exists
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) $input = stripslashes($input);
if (preg_match('/((select|delete).+from|update.+set|(alter|truncate|drop).+table|<[a-z])/i', $input))
{
    print("Sorry, your input seems invalid so I won't store it.");
}
else
{
    // escape for the SQL context only (note: the mysql_* extension was removed in PHP 7)
    $input = mysql_real_escape_string($input);
    // now use $input in any SQL query
    print("Sanitized: $input");
}

Note that the "Sanitized: (...)" may still look wrong (or not similar to what it should be inside the query string) if it contains html entities, such as & or " etc.
This is just because you're printing $input as HTML here, which you wouldn't do if you're merely using it inside SQL queries. To output (as HTML) any string that comes from user input directly (e.g. from a form) or indirectly (retrieved from database, e.g. previously stored form input), use htmlspecialchars.
So just for debugging purposes, you could change that last line to:
Code:
print("Sanitized: ".htmlspecialchars($input));
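The same check-then-escape flow, as an added example that is not the poster's code: it keeps the post's keyword blacklist, but adds a UTF-8 validity check (the subject of this thread), treats a preg_match() error as a rejection rather than a pass, swaps the hand escaping for a PDO prepared statement in the SQL context, and encodes for the HTML context with ENT_QUOTES and an explicit charset. The function names, the table "posts" and column "body", and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not the original poster's code). Names, table/column and
// sample inputs are assumptions for illustration.

// Keyword blacklist from the post. preg_match() returns 1 on match, 0 on no
// match and false on error, so compare with === instead of loose truthiness.
const SUSPICIOUS = '/((select|delete).+from|update.+set|(alter|truncate|drop).+table|<[a-z])/i';

function is_valid_utf8(string $s): bool
{
    // With the /u modifier PCRE validates the whole subject before matching
    // and returns false for malformed UTF-8, so an empty pattern suffices.
    return preg_match('//u', $s) === 1;
}

function looks_like_injection(string $s): bool
{
    $r = preg_match(SUSPICIOUS, $s);
    if ($r === false) {
        // A PCRE error (e.g. backtrack limit hit) is treated as "reject", never as "clean".
        return true;
    }
    return $r === 1;
}

// SQL context: a prepared statement binds the value separately from the query
// text, replacing mysql_real_escape_string() (removed in PHP 7).
function store_input(PDO $pdo, string $s): void
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $s]);
}

// HTML context: encode on output. ENT_QUOTES also covers single quotes
// (older PHP defaults only encode double quotes); the charset is explicit.
function render_for_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs; this part runs without a database.
$samples = [
    'Grüße aus Köln & "hallo"',          // valid UTF-8, should be accepted
    "Robert'); DROP TABLE students;--",  // hits the (drop).+table alternative
    "x\xC3\x28y",                        // malformed UTF-8 byte sequence
    '<script>alert(1)</script>',         // hits the <[a-z] alternative
];

foreach ($samples as $input) {
    if (!is_valid_utf8($input)) {
        echo "Rejected (not valid UTF-8): ", bin2hex($input), "\n";
        continue;
    }
    if (looks_like_injection($input)) {
        echo "Rejected (matched blacklist): ", render_for_html($input), "\n";
        continue;
    }
    // With a real PDO connection you would call store_input($pdo, $input) here;
    // the debugging echo is HTML-encoded as the post suggests.
    echo "Accepted: ", render_for_html($input), "\n";
}
```

Run it with `php example.php`: the first sample is accepted and printed with `&` and the quotes encoded, the second and fourth are rejected by the blacklist, and the third is rejected before the regex ever sees it because the bytes are not valid UTF-8.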