1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

How to Stop Inappropriate Contents to Insert in Database (PHP)

Discussion in 'PHP' started by seomanualsubmission, Sep 27, 2020.

  1. #1
    Hi,

    Created a website for my client https://www.jeenmount.com/ and client need to see what people searching for on his site. So we are inserting each search in database or increase number of search if Key already exist there.

    My issue is inappropriate search like below

    ">alert(String.fromCharCode(88,83,83))
    place for destination wedding'A=0
    pink city mall in jaipur" or (1,2)=(select*from(se
    pink city mall in jaipur99999' union select unhex(
    heritage wedding resort hotel jaipur" and "x"="y
    heritage wedding resort hotel jaipur and 1>1

    I think this types of search are doing by Bots or any other things.
    SEMrush
    What i am looking for is ...... If search queries are with these types of strings or inappropriate characters then either clear code and adjust in proper format or avoid to insert in database.

    Please help us that how can we do that.

    Using already "mysql_real_escape_string" "htmlspecialchars" for security but unable to stop inappropriate contents to insert in database.

    Hope for quick response.
     
    seomanualsubmission, Sep 27, 2020 IP
    SEMrush
  2. JEET

    JEET Notable Member

    Messages:
    3,493
    Likes Received:
    424
    Best Answers:
    16
    Trophy Points:
    235
    #2
    Most of these are hack codes bro.

    Like that alert javascript search.

    They are hoping that if you echo/print the search term on a webpage, then that javascript code will get executed in browser.
    Some websites show "recent/popular searches" to their website visitors, and they show the search term on website.
    So that alert code will come out as a search term from database, and when you will echo/print it, the code will get executed in browser.
    I think this one is made to show an ad for that wedding hall to all your website visitors...
    However, <script> </script> is missing, so it won't get executed, but will look bad.

    That other one, with "select query", that is trying to execute a query to your database.
    That is failing because of your escaping the string before sending it to database.

    That "&1>1" is also hack code.

    Do a strip_tags($input) on the search term before sending it to database.
    That removes all html, so that javascript code will get removed, or at least will become harmless.

    Normally, for something like this, I replace all garbage characters in the input, so only english alphabets and numbers can go as search term.

    Secondly, limit the max length that can be seen as verified search term.
    Like:

    <?php

    $term = $_POST['term'];

    //remove html from term
    $term= trim(strip_tags($term));

    //make sure user submitted something, and its not just empty $term
    if( strlen($term)>2 ){

    //take only fixed length from search term, like first 8 chars
    $term= substr($term, 0, 8);

    $term= addslashes($term);
    //you can use real escape here instead of addslashes, does same thing.
    //or you can use PHP's new sanitize, also does the same thing what addslashes does.

    $sql= "select field1, field2 from tableName where field like '%$term%' limit 10 ";

    //execute query, display result etc etc

    //if result was found, only then add search term to database.
    //no point adding a search term which has no results...

    }//strlen check for $term ends
    ?>

    Another option is, make a large file of expected spam words,
    check the submitted search term against those spam words.
    If found, then ignore the search query.
    Like:

    <?php

    $spam=array( 'alert', 'select', 'union', '1>1' );

    $term= addslashes(trim(strip_tags($_POST['term'])));

    foreach( $spam as $word ){
    if( strpos( strtolower($term), $word ) !== false ){
    //spam word found, ignore or do whatever
    }
    }


    ?>
     
    JEET, Sep 27, 2020 IP
    seomanualsubmission likes this.
  3. sarahk

    sarahk iTamer Staff

    Messages:
    26,445
    Likes Received:
    3,957
    Best Answers:
    111
    Trophy Points:
    665
    #3
    +1 on the SQL Injection advice

    Only think I'd change is how you access your $_POST variable
    I'd recommend

    $term = filter_input(INPUT_POST, 'search', FILTER_SANITIZE_STRING);
    PHP:
    and you do that for EVERYTHING an end-user enters before you let it anywhere near your database.
     
    sarahk, Sep 27, 2020 IP
    seomanualsubmission and JEET like this.