How would I go about validating my forms with is_numeric() or regex, and protecting against SQL injection using mysql_real_escape_string() and htmlspecialchars()? There are 3 things I would like to validate for/protect, each in a different form: one for one or two words, 0-30 characters; one for a number, 1-3 digits; one for a text block (paragraph). Could someone explain how I would validate/protect each type of form? Thanks =]
is_numeric for a number. And what letters can a text block contain (all of them, or only letters and no symbols)?
Whatever would allow English to be spoken with no problems: periods, quotes, commas, etc. No slashes though.
Here is a basic one. On the receiving PHP end:

```php
<?php
// mysql_real_escape_string() needs an open mysql_connect() link before it is called
if (isset($_POST['1']) && strlen($_POST['1']) < 31) {
    // 30 chars or less and sanitized
    $field1 = mysql_real_escape_string(strip_tags($_POST['1']));
}
if (isset($_POST['2']) && is_numeric($_POST['2']) && strlen($_POST['2']) < 4) {
    // Is a number and is 3 chars or less
    $field2 = $_POST['2'];
}
if (isset($_POST['3']) && strlen($_POST['3']) < 1000) {
    // Is less than 1000 chars and sanitized
    $field3 = mysql_real_escape_string(strip_tags($_POST['3']));
}
?>
```
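As an added example (not the poster's code), here are validators for the three fields described in the first post, written as plain functions so they can be run without a database. The field names `name`, `qty` and `body` and the sample request are constructed for this snippet. They go beyond the reply above in one respect: they reject input that does not match the expected shape instead of trying to clean it, and they use a digit-only regex instead of is_numeric(), which also accepts things like "1e2", "-5" and "1.5".

```php
<?php
// Added example, not from the thread. Each validator returns the accepted value
// or null; the caller decides what to do with a rejection.

// Field 1: one or two words, 1-30 characters. Letters only, with an optional
// internal apostrophe or hyphen (O'Brien, Mary-Jane). Anything else is rejected
// rather than "cleaned", so there is nothing left for strip_tags() to do.
function validate_words($raw)
{
    if (!is_string($raw)) {
        return null;
    }
    $value = trim($raw);
    if (strlen($value) < 1 || strlen($value) > 30) {
        return null;
    }
    $word = "[A-Za-z]+(?:['-][A-Za-z]+)*";
    // D modifier: $ must match at the very end, not before a trailing newline
    if (!preg_match('/^' . $word . '(?: ' . $word . ')?$/D', $value)) {
        return null;
    }
    return $value;
}

// Field 2: 1-3 digits. is_numeric() is too loose for this: it also accepts
// "1e2", "-5", "1.5", " 12" and (before PHP 7) "0x1A". A digit-only regex
// checks exactly what the form asked for, and the result is cast to int.
function validate_small_number($raw)
{
    if (!is_string($raw) || !preg_match('/^[0-9]{1,3}$/D', $raw)) {
        return null;
    }
    return (int) $raw;
}

// Field 3: a paragraph of text, up to 1000 bytes. Letters, digits, spaces,
// newlines and normal punctuation are fine; control characters and both slash
// characters are rejected, which is what the poster asked for.
function validate_paragraph($raw)
{
    if (!is_string($raw)) {
        return null;
    }
    $value = trim($raw);
    if ($value === '' || strlen($value) > 1000) {
        return null;
    }
    // \p{C} is the Unicode "other" class (control, format, unassigned...);
    // newline, carriage return and tab are allowed back in. With /u, invalid
    // UTF-8 makes preg_match() return false, so compare against 0 explicitly.
    if (preg_match('/[^\P{C}\n\r\t]/u', $value) !== 0) {
        return null;
    }
    if (strpos($value, '/') !== false || strpos($value, '\\') !== false) {
        return null;   // no slashes, per the thread
    }
    return $value;
}

// Constructed request (field names are assumptions, not from the thread).
$post = array(
    'name' => "Mary-Jane O'Brien",
    'qty'  => '042',
    'body' => "Hello, \"world\". It's fine.",
);

$name = validate_words(isset($post['name']) ? $post['name'] : '');        // "Mary-Jane O'Brien"
$qty  = validate_small_number(isset($post['qty']) ? $post['qty'] : '');   // 42
$body = validate_paragraph(isset($post['body']) ? $post['body'] : '');    // the paragraph unchanged

if ($name === null || $qty === null || $body === null) {
    // Reject the whole submission; do not try to "fix" bad input.
    exit('Invalid input');
}
// From here $name, $qty and $body are known-good. Escaping for SQL
// (mysql_real_escape_string(), or a prepared statement) happens when the
// query is built, and htmlspecialchars() when the value is echoed, not here.
var_dump($name, $qty, $body);
```

Validation and escaping are separate jobs: the validators above decide whether the submission is acceptable at all, while mysql_real_escape_string() or htmlspecialchars() only make an accepted value safe for one specific place (a SQL string literal, an HTML page). Keeping them apart is what lets you answer "why does my echoed text have slashes in it" later.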
I don't use an array to handle POST. I don't understand what this script is doing (I'm a complete noob to mysql_real_escape_string, strip_tags, htmlspecialchars and all that protection stuff). This is my first time using this type of form on a web page. Can you explain the code?
$_POST is a global array of all variables sent by a POST form. mysql_real_escape_string adds backslashes to characters such as quotes and backslashes, and strip_tags removes most tags that can be used in HTML and PHP.
Could I use htmlspecialchars() as well, so that & and so on will be correctly stored? And could I get my $_POST like normal, as $_POST['name'] instead of $_POST['1']? Thanks.
I don't think strip_tags strips &; it only strips HTML such as "<". But yes, you can use htmlspecialchars() instead of that. And yes, the example was only if your input was, say: <input name="1" value="pie">
Okay, this adds \ before all the escaped characters, but it also shows when it is echoed. Is there any way I can strip the slashes (will strip_slashes work?)
FYI: make sure your script filters metacharacters from user input so that your site is 100% RFI (remote file inclusion) safe.
Huh? Metacharacters? I'm new to this PHP sanitization thing; can you explain this thing you call metacharacters?
Some metacharacters are: ^ $ \ / ( ) | ? + * [ ] { } < > , . They can be used to inject malicious code into a site.
Would htmlspecialchars() strip that and return it as & or whatever? Because I'm using mysql_real_escape_string(htmlspecialchars()); would this filter those? Also, it puts slashes before " and other escaped characters; would strip_slashes() get rid of these?
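An added example (not from the thread) that pushes one value through the escaping steps being discussed, to show where the slashes and the doubled "&amp;" come from and where each escaping step belongs. The sample string, the `entries` table and the `$db` connection are assumptions; mysql_real_escape_string() itself is not called because it needs an open mysql_connect() link and no longer exists in PHP 7+, so addslashes() stands in for the part of its behaviour that matters here.

```php
<?php
// Added example, not from the thread. One value pushed through the escaping
// steps discussed above, to show where slashes and &amp;amp; come from.

$input = "Tom & Jerry's \"best\" episode";   // constructed sample, assumed already validated

// (a) SQL escaping. addslashes() stands in for mysql_real_escape_string():
//     for ' " \ and NUL both produce the same backslashes (the real function
//     also handles \n, \r, \x1a and the connection charset). The result is
//     meant to sit inside a quoted SQL literal; MySQL removes the backslashes
//     when it parses the query, so the stored row does NOT contain them. You
//     only see them if you echo $for_sql itself instead of the value read back.
$for_sql = addslashes($input);
// Tom & Jerry\'s \"best\" episode
$query = "INSERT INTO entries (body) VALUES ('" . $for_sql . "')";

// (b) Double escaping. On some PHP 5 hosts magic_quotes_gpc is on, so $_POST
//     already carries backslashes; escaping again doubles them and the row
//     ends up with one literal backslash per quote. That, and only that, is
//     the case stripslashes() fixes: it undoes the magic-quotes layer, not
//     the escaping the query needs.
$as_received = addslashes($input);        // what magic_quotes_gpc hands you
$double      = addslashes($as_received);  // escaped a second time
// Tom & Jerry\\\'s \\\"best\\\" episode

// (c) HTML-encoding before storage means encoding again on output double-
//     encodes, which is how "&amp;" becomes visible text on the page.
$stored_html = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
// Tom &amp; Jerry&#039;s &quot;best&quot; episode
$shown_twice = htmlspecialchars($stored_html, ENT_QUOTES, 'UTF-8');
// Tom &amp;amp; Jerry&amp;#039;s &amp;quot;best&amp;quot; episode

// (d) Keep each escaping at its own boundary: store the validated raw text
//     with a prepared statement (no escaping function at all), and HTML-encode
//     only when echoing. $db is an assumed open mysqli connection.
function store_entry(mysqli $db, $text)
{
    $stmt = $db->prepare('INSERT INTO entries (body) VALUES (?)');
    $stmt->bind_param('s', $text);
    return $stmt->execute();
}

function show_entry($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

echo $for_sql, "\n", $double, "\n", $stored_html, "\n", $shown_twice, "\n";
echo show_entry($input), "\n";   // Tom &amp; Jerry&#039;s &quot;best&quot; episode
```

The practical rule this illustrates: validate once on the way in, store the plain value, and apply exactly one escaping function per output (SQL escaping or a bound parameter when building the query, htmlspecialchars() when writing HTML). Stacking mysql_real_escape_string() on top of htmlspecialchars() does not make the value safer; it changes what gets stored and produces the artefacts seen when it is echoed back.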
Yeah, it might. Give me a link to your site and I'll see whether it's RFI vulnerable. (I'll cause no harm, just a simple test.)
Well, all my forms are in my admin panel (except login), and I don't exactly know how to sanitise that one, but I think phpBB3 may do that automatically (that's how the login script is handled). I will make a page that is accessible to anyone. EDIT: the site has been PM'd to you. (Don't want 'hackers' to see this and exploit possible loopholes I missed.)