Hi, this is my first post here. I am trying to implement some PHP form validation like in this tutorial here [cannot use links yet], but for some reason it doesn't work for me. So, I have an HTML form that on submitting calls a PHP script, which in turn inserts the data from the fields into a MySQL database. I want to filter some of the fields so no special characters can be introduced, like SQL injections and something like that. For some reason the inputs are not filtered: I insert special characters into the form's fields and the script doesn't seem to check them, because if I look into the database the input is there, completely unfiltered. I have this part of the code:

    function check_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

    // inputs from the form
    $name = check_input($_POST['name']);
    $adress = check_input($_POST['adress']);
    $phone = check_input($_POST['phone']);

    // additional code
    // end additional code

    // INSERT into db line sequence

What am I doing wrong?
It depends on what 'special characters' you mean... but you can use the array_map() function to apply mysql_real_escape_string() (which will backslash special characters) to all your $_POST values.

    function check_input($data) {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }

    // escape every $_POST value (needs an open mysql_connect() link)
    $_POST = array_map('mysql_real_escape_string', $_POST);

    // inputs from the form
    $name = check_input($_POST['name']);
    $adress = check_input($_POST['adress']);
    $phone = check_input($_POST['phone']);

    // additional code
    // end additional code

    // INSERT into db line sequence
I mean characters like #$%&^ <>, the ones that can be used for SQL injections and XSS vulnerabilities. I tried your suggestion and it doesn't work either; for some reason the values are inserted into the database without any filtering.
If what you mean by filter is to remove them, then htmlspecialchars() is not useful (in this case) as it will leave them intact, only converted to entities; therefore if you want to remove them you could do something like the following (and put all your disallowed chars in the array) and it will strip/remove them:

    <?php
    function rem_special_chars($input) {
        // array of disallowed chars (to remove)...
        $chars = array('$', '%', '#', '?', ',', '{', '}', '*', '@');
        return str_replace($chars, '', $input);
    }

    // would consider this a requirement to prevent SQL injections
    // (since you're planning on inserting user-submitted data into the db)
    $_POST = array_map('mysql_real_escape_string', $_POST);

    // this will apply the function to all $_POST elements...
    $_POST = array_map('rem_special_chars', $_POST);
    ?>
All I want to do is basic protection from SQL injection and XSS, spamming, etc.! I tried your method and it seems to work so far, except one field which is still unfiltered, but I think that has to do with some of my code; anyway it's good for now. Thanks. I tried to implement the stuff from this tutorial http://myphpform.com/validating-forms.php
Does your server support PHP5? If so you should look at PDO and PDO prepare, which gets rid of the need for all the stripslashes and mysql_real_escape_string.
Yes, I have PHP5. I read some about PDO, but that is over my knowledge at this time; I just needed basic validation.
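As an added example (not code from anyone in this thread), here is the same form insert done with PDO prepared statements, the approach suggested above: the values are bound as parameters instead of escaped or stripped, so the character-removal step becomes unnecessary. The DSN, credentials, and the contacts table and its columns are assumptions.

```php
<?php
// Added example (not code from the thread): the form insert rewritten with
// PDO prepared statements, as suggested above. DSN, credentials and the
// contacts table/columns are assumptions; change them to match your setup.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=example_db;charset=utf8mb4', // assumed
        'db_user',     // assumed
        'db_password', // assumed
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// Validation checks the shape of each field and rejects bad input; it is a
// separate step from escaping, which the prepared statement makes unnecessary.
function validate_form(array $post): array
{
    $name   = trim($post['name'] ?? '');
    $adress = trim($post['adress'] ?? '');
    $phone  = trim($post['phone'] ?? '');
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('name is required (max 100 chars)');
    }
    if (!preg_match('/^\+?[0-9 ()-]{5,20}$/', $phone)) {
        throw new InvalidArgumentException('phone has an unexpected format');
    }
    return ['name' => $name, 'adress' => $adress, 'phone' => $phone];
}

// Values are bound as parameters, never concatenated into the SQL text, so a
// quote or semicolon in a field cannot change the statement's structure.
function insert_contact(PDO $pdo, array $row): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO contacts (name, adress, phone) VALUES (:name, :adress, :phone)'
    );
    $stmt->execute($row);
    return (int) $pdo->lastInsertId();
}

$id = insert_contact(connect(), validate_form($_POST));
// Escape for HTML only when echoing back to the browser, not before storing.
echo 'Saved record ' . $id . ' for ' . htmlspecialchars($_POST['name'], ENT_QUOTES, 'UTF-8');
```

The data is stored as the user typed it; htmlspecialchars() is applied at output time, which is where it protects against XSS.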