My site has some injection filters that don't let through characters like: öäõü@£$€{[] The filters are supposed to keep users from SQL injection. Script has register_globals ON. My users can't post messages properly. How can this be fixed?

    if(str_replace("/", "", $_SERVER['PHP_SELF']) != 'adminpostfile.php'){
        // anti-injection filters
        if (count($_GET) > 0) {
            foreach ($_GET as $name => $value) {
                if(is_array($value)){
                    ${$name} = $value;
                }else{
                    ${$name} = htmlentities($value,ENT_QUOTES,"UTF-8");
                }
            }
        }
        if (count($_POST) > 0) {
            foreach ($_POST as $name => $value) {
                if(is_array($value)){
                    ${$name} = $value;
                }else{
                    ${$name} = htmlentities($value,ENT_QUOTES,"UTF-8");
                }
            }
        }
        if (count($_COOKIE) > 0) {
            foreach ($_COOKIE as $name => $value) {
                if(is_array($value)){
                    ${$name} = $value;
                }else{
                    ${$name} = htmlentities($value,ENT_QUOTES,"UTF-8");
                }
            }
        }
        // anti-injection filters
    }

The weird thing is that it lets me post special characters on my offline Windows server... The production server is running a Linux system.
That worked, thanks. Will that open any security holes or whatsoever? Also I've always had a weird issue. When I type anything behind the url like ' SELECT * FROM blabla, it will give me 10s of sql errors. Is there a way to make it not do that? On my local Windows server it doesn't do that... Weird.
One of the many:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'_xsap WHERE id=''' at line 1
    Duplicate entry '' for key 1

That appeared when I typed ' behind the url.
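The following is an added example, not code from this thread or from the poster's site. It addresses the two problems above: the filter in the first post swallows non-ASCII text because htmlentities() with the UTF-8 charset returns an empty string whenever the submitted bytes are not valid UTF-8 (a browser posting ISO-8859-1 does exactly that), and the raw MySQL errors in the third post are shown to the visitor instead of being logged. It assumes PHP 7 or later with PDO, a table `posts(id, body)`, and placeholder DSN and credentials; SQL injection is prevented by parameter binding rather than by entity-encoding input, and HTML escaping moves to output time so the database holds the real text.

```php
<?php
// Added example (hypothetical site code). Assumes PHP >= 7.0 with PDO/MySQL and
// a table posts(id INT AUTO_INCREMENT, body TEXT). DSN and credentials are placeholders.

// Why the original filter "eats" öäõü: htmlentities() with charset UTF-8 returns ''
// when the input is not valid UTF-8. Constructed sample bytes for "öäõü":
$latin1Bytes = "\xF6\xE4\xF5\xFC";                 // ISO-8859-1 encoding (constructed)
$utf8Bytes   = "\xC3\xB6\xC3\xA4\xC3\xB5\xC3\xBC"; // UTF-8 encoding (constructed)

function filterLikeOriginal(string $value): string {
    // Same call the thread's filter makes; empty result for invalid UTF-8,
    // entity-encoded text for valid UTF-8.
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Read the post body directly from $_POST. Do NOT copy request keys into
// variables with ${$name} = $value: with register_globals-style handling any
// request parameter can then overwrite any variable the script relies on.
function readPostBody(): string {
    $body = isset($_POST['body']) ? (string) $_POST['body'] : '';
    // Tell the browser which charset to submit, and reject anything else
    // instead of silently turning it into an empty string.
    if (!mb_check_encoding($body, 'UTF-8')) {
        throw new InvalidArgumentException('Message must be UTF-8 encoded');
    }
    return $body;
}

// SQL injection protection: the value is bound as a parameter, so quotes,
// backslashes and non-ASCII characters are stored verbatim and never parsed as SQL.
function storePost(PDO $db, string $body): int {
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// HTML escaping happens at output time only.
function renderPost(string $body): string {
    return '<p>' . htmlspecialchars($body, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Exceptions instead of inline warnings, and a UTF-8 connection charset so
// the driver and the table agree on how non-ASCII text is stored.
function connect(string $dsn, string $user, string $pass): PDO {
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

header('Content-Type: text/html; charset=UTF-8');

try {
    // Placeholder connection details.
    $db = connect('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'dbuser', 'dbpass');
    $body = readPostBody();
    $id   = storePost($db, $body);
    echo renderPost($body);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo '<p>' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . '</p>';
} catch (PDOException $e) {
    // Database errors go to the server log, never to the visitor: the text of a
    // MySQL syntax error tells an attacker how the query is built.
    error_log('DB error: ' . $e->getMessage());
    http_response_code(500);
    echo '<p>Sorry, your message could not be saved.</p>';
}
```

Running filterLikeOriginal() on `$latin1Bytes` versus `$utf8Bytes` reproduces the difference between the two servers: a page that declares no charset will receive Latin-1 bytes from many browsers, and the filter turns those into nothing. Declaring UTF-8 in the response header and validating with mb_check_encoding() removes the guesswork, and the PDO configuration (ERRMODE_EXCEPTION plus a try/catch that logs) is what stops raw "You have an error in your SQL syntax" messages from reaching the page.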
What do you mean? I just demonstrated how I brought up the errors... Does this mean the site can be injected?
Oh sorry, I'll just debug it without having a clue how it works... Seriously though, post any pages which send SQL queries, including any SQL handling classes.