I'm making a simple script so visitors can add posts to my pages. Everything is functioning properly, I just have a question about security. Can anyone point me to an article about the different filters I should put the posts through before adding them to the database? I'm pretty sure I saw an article a few months ago where the author had a list of preg_replace functions to put the strings through, but I can't find anything similar now that I need it.
Replace all !@#$%^& with their HTML codes. I can't post code here, because the forum engine edits it.

PHP:
    $string = str_replace("<", "&#60;", $string);
    $string = str_replace(">", "&#62;", $string);
    $string = str_replace('"', "&#34;", $string);
    $string = str_replace("'", "&#39;", $string);
    $string = str_replace("%", "&#37;", $string);
    $string = str_replace("!", "&#33;", $string);
    $string = str_replace("$", "&#36;", $string);

You must edit this code: delete the space between &# and the XX digits. Also google 'xss' and 'sql injection' if you are using MySQL.
Dear wormser,

Here you go with some nice tutorials.

1. http://www.htmlcenter.com/tutorials/tutorials.cfm/149/PHP/

But I prefer a mixture of JavaScript and PHP form validation, like:

2. http://www.php-mysql-tutorial.com/form-validation-with-php.php

You can find many if you google php+form+validation. Add +preg_replace if you wish to search for something more specific.

Thanks,
Coolsaint
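The two replies above point at the right problems (XSS and SQL injection) but the str_replace list handles them in the wrong place: encoding characters before insertion corrupts the stored text and does nothing for SQL injection, which is about how the query is built. The following is an added example, not code from anyone in this thread. It assumes PHP with the PDO SQLite driver available, an assumed `posts` table with `author` and `body` columns (not the asker's real schema), and constructed sample input. It shows the three separate steps a practitioner would use: validate the form input, insert it with a prepared statement so the values never become part of the SQL text, and escape with htmlspecialchars only at output time.

```php
<?php
// Added example for the thread above (not the original poster's code).
// Assumptions: PDO SQLite driver available; table `posts` with columns
// id, author, body is an assumed schema; sample input is constructed.

declare(strict_types=1);

const MAX_AUTHOR = 40;
const MAX_BODY   = 2000;

/** Validate raw form input. Returns a clean array or throws. */
function validatePost(array $input): array
{
    $author = trim((string)($input['author'] ?? ''));
    $body   = trim((string)($input['body'] ?? ''));

    if ($author === '' || $body === '') {
        throw new InvalidArgumentException('author and body are required');
    }
    // Reject invalid UTF-8 before any length or regex check touches it.
    if (!mb_check_encoding($author, 'UTF-8') || !mb_check_encoding($body, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    if (mb_strlen($author) > MAX_AUTHOR || mb_strlen($body) > MAX_BODY) {
        throw new InvalidArgumentException('input too long');
    }
    // Control/format characters other than newline and tab have no place in a post.
    if (preg_match('/[^\P{C}\n\t]/u', $author . $body)) {
        throw new InvalidArgumentException('control characters not allowed');
    }
    return ['author' => $author, 'body' => $body];
}

/** Insert with a prepared statement: the values are bound, never concatenated into SQL. */
function savePost(PDO $db, array $post): int
{
    $stmt = $db->prepare('INSERT INTO posts (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $post['author'], ':body' => $post['body']]);
    return (int)$db->lastInsertId();
}

/** Escape at output time, so the database keeps the real text for other uses. */
function renderPost(array $row): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="post"><b>' . $e($row['author']) . '</b><p>'
         . nl2br($e($row['body'])) . '</p></div>';
}

// --- demonstration with constructed input (in-memory DB, runs offline) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, body TEXT NOT NULL)');

$samples = [
    ['author' => "O'Brien", 'body' => "Hello <b>world</b>\nsecond line"], // quotes and tags
    ['author' => 'x',       'body' => "'; DROP TABLE posts; --"],          // stored as plain text
    ['author' => '',        'body' => 'no author'],                          // rejected by validation
];

foreach ($samples as $raw) {
    try {
        $id = savePost($db, validatePost($raw));
        echo "stored post #$id\n";
    } catch (InvalidArgumentException $ex) {
        echo "rejected: {$ex->getMessage()}\n";
    }
}

// The second sample survives as literal text, and every row renders inert HTML.
foreach ($db->query('SELECT author, body FROM posts ORDER BY id') as $row) {
    echo renderPost($row), "\n";
}
```

The split matters: validation limits what gets stored, the prepared statement makes the database treat `'; DROP TABLE posts; --` as data rather than SQL, and escaping on output means the same stored text can later be sent as JSON or plain text without first undoing an HTML encoding.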