Forums
This topic is locked
MYSQL \ PHP Strip characters from user input
Posted 08 Jan 2008 16:44:28
1
has voted
08 Jan 2008 16:44:28 DAVID KNIGHT posted:
I have a html document which posts to a php script which inserts the posted data into a MYSQL database.I need to strip out all characters as follows:
1. To only permit 0-9 and a-z in certain fields (GENERAL TEXT FIELD)
2. To only permit 0-9, a-z, the . and the @ symbol in certain fields (EMAIL ADDRESS)
3. To only permit 0-9, a-z, the : \ symbols in certain fields (WEBSITE ADDRESS)
Theres so many different ways of doing this and so many commands I am totally confused.
I'm trying to ensure the user inputs correct values and also to prevent against SQL Injection attack.
Can anyone help?
Replies
Replied 15 Jan 2008 16:21:52
15 Jan 2008 16:21:52 Roddy Dairion replied:
I would recommend you use javascript instead of php to validate a form.
Replied 19 Jan 2008 14:01:28
19 Jan 2008 14:01:28 Alan C replied:
Hi David,
I agree with Roddy - what I do (offered as a suggestion, not the only way <img src=../images/dmxzone/forum/icon_smile.gif border=0 align=middle>
javascript on the page to examine the email address that is input and all the other fields, so you can only submit the information once it is satisfactory - that means that the user never gets to send it until it has passed all the validation. Then when it gets to the server, do it all again - yes, do it all again. There are some people out there who will have automated attacks (am I just paranoid?) and try to get around your checks.
Then and only then use php to change things - obvious stuff that will make life easier - make postcodes upper case before you store then, then they will always show upper case and print, it looks better.
Change first character of addresses to upper case
make emails all lower case
Etc
php has some great functions for doing this and you build them into functions, or if you are using DW you can hack its code
Hope that helps
I agree with Roddy - what I do (offered as a suggestion, not the only way <img src=../images/dmxzone/forum/icon_smile.gif border=0 align=middle>
javascript on the page to examine the email address that is input and all the other fields, so you can only submit the information once it is satisfactory - that means that the user never gets to send it until it has passed all the validation. Then when it gets to the server, do it all again - yes, do it all again. There are some people out there who will have automated attacks (am I just paranoid?) and try to get around your checks.
Then and only then use php to change things - obvious stuff that will make life easier - make postcodes upper case before you store then, then they will always show upper case and print, it looks better.
Change first character of addresses to upper case
make emails all lower case
Etc
php has some great functions for doing this and you build them into functions, or if you are using DW you can hack its code
Hope that helps