Cleaning User Input, Is This Safe Enough?
I've written a small function that cleans up all user input before entering it to the DB. I'm wondering, is this sufficient or am I missing someting?
function clean_text($text) {
$text = str_replace("<", "<", $text);
$text = str_replace(">", ">", $text);
$text = strip_tags($text);
$text = htmlspecialchars($text, ENT_NOQUOTES);
$text = mysql_real_escape_string($text);
return $text;
}
View Complete Forum Thread with Replies
See Related Forum Messages: Follow the Links Below to View Complete Thread
Cleaning Up User Form Input In Php
Does anyone please know why when trying to clear up user input that has been entered into a form, php only clears up most of it and not all? For example, using stripslashes to remove all slashes from a variable after a user has submitted quotation marks ("") into a form. The quotation marks cause the variable being parsed to contain slashes. e.g. a user enters """""" into a form , the variable returned to php becomes """"" So if I only wanted the quotation marks, I thought the stripslashes function would achieve this. However, it only removes 3 of the 5 slashes leaving 2 unwanted slashes behind.
Cleaning User Input (Removing HTML/stripping Slashes Etc...)
How can I remove HTML and add slashes to a variable? I know I can add slashes with addslashes($var); but I need to know how to remove all HTML at the same time. Also - Are there any other characters I should strip from the variable (it will be stored in a database and displayed on a web page).
Cleaning MS Word Input
I have a problem with a form, and I have tried various permutations of htmlentities() and html_entity_decode() to resolve, but without success. Here is the workflow. 1: User pastes MS Word formatted text into form field. 2: Server uses mail() to send input text to mail client. 3: Recipient pastes text into html file. The problem is that MS Word contains peculiar characters for things like bullets, which come out as tabs, which then come out as different, but spurious, html characters in the html translation. Does anyone know of a function(s) that can clean up MS Word input into something that can be simply pasted as plain text without spurious characters?
How Do I Test Safe Form Input?
I am using Apache 1.3.x with PHP 4.3.x and MySQL v4. Short question: Before I put my web form available on the internet, how can I test it from mis-use in such that special characters are ignored? I have tried entering data such as `/bin/date > /tmp/1234` and this does not create a temporary file (which is what I would expect, meaning that my form is safe). Same question at greater length: I understand how form input can be misused, and I understand that I can clean the data input using addslashes() or by having magic_quotes turned on. I have decided on the latter but want to ensure my form is safe and that storeing my data in my mysql database isn't open to hacking by CGI/Form manipulation. I have tried entering data such as `/bin/date > /tmp/1234` and this does not create a temporary file (which is what I would expect, meaning that my form is safe). Have I tested it successfully against Form/CGI hacking?
Make Data Safe To Input To Mysql Database
I'm just wondering what kind of things I should do to make sure that inputs from a form are safe to put into a mysql table? I'm currently using ereg() on an input to make sure that only numbers are entered, but on other forms I've got thiongs such as names and other details. How do I make sure that they're not going to break my table?
User/password Safe To Depend On One Var
is it ok to depend the login to just 1 variable $_SESSION['login']. 1 for login ok . otherwise it doesn't exist, also is it ok if the username/password check is one file and the actual page is another, user_pass.php does all the checking PHP Code:
User Input...
I have a form with a field that expects user to input HTML tags. I know I have to use htmlspecialchars for that input but what if the user inputs PHP code? I've looked at the help file and I can only find strip_tags which removes both PHP and HTML tags. If a user wants to crash/corrupt/hack into your site by entering PHP code, what kind of things can he type? Must he include PHP tags to work? If he must use PHP tags, I could just write a function to remove only the PHP tags and not the HTML tags.
User Input?
Is there a way to get user input from a php script that doesn't have to do with html? I would like to ask the user(me) to input a directory(preferably in a gui way such as a folder selection dialog) to do some work with. Is this possible when running the script directly on my comp(not off a server(remote or local))? The script is a management thing that I'd like to create to help generate some html code. Essentially I want it to scan a dir(but don't want to hard code it) and have it generate a list of links for the files in that dir(which are images). Maybe even asking for a description for each. Even if it was a little shell program to change the directory(sorta like dos) would be much better than having to enter in the directory name by hand.
Php User Input
When running PHP as a binary, is there a way to ask for user input?
Verifying User Input
I want to be able to search through a string that gets filled into my form. Make sure there are no quotes, semicolons and that kind of thing, that will mess up my database query. PHP Code:
What To Strip From User Input:
I recently suffered massive bot attacks against my contact page. Someone sent me over 350 e-mails from my form in less than a couple of hours. As this form only sends e-mail to an address dedicated for this purpose, this isn't more than an inconvenience. In re-writing it, I decided to write better stripslash and strip_tags functions of my own. I have the function stripping out left and right angle brackets, and forward and back slashes. I replace these with blanks (I am the only one that views these e-mails and I think I can figure out what was meant). That should break most script and malicious html tags. What else should I watch for and strip? I thought it might be wise to replace "=" signs with blanks. Should I worry about words like "query" or "fopen"? Part of my solution to preventing bot attacks against my form is to force manual input by varying the name="" values. I have eighteen different possibilities for each field on the form. I choose which to use randomly. I check each possibility when processing to see if it is set and send posters to a 404 page if they post to the wrong or all possible variables. I also include a random string of 5 digits as an authorization code in a hidden field. I use mysql database to let the processing page know what variables and authorization code to expect, associated with the poster's ip. Use the wrong authorization code and you go to the 404 page. If your ip doesn't show up on in the database, you get a "404 page not found." I delete records from the database after processing, including old, unused entries where someone left without completely filling out the form. Does anyone see any reason that won't work to thwart the bots?
User Input Validation
I am intending to make a form on a page, on pushing submit the forms gets posted onto itself so that it checks for empty fields and prompts user to get all fields filled, BUT the filled value should stay, I did this easily on ASP, but could not figure out in PHP. Code:
User Input Filtering
I have a comments system. In this comment system, people can enter certain strings, and it will break my page layout. Such as repeated characters with no spaces. It will just blow the table way out of proportion and completely ruin my layout. How can I break their input up if such a thing happens? Also, how can you number an array of data that is being withdrawn from the database DESC? Such as.. Quote1. itemnumber1 2. itemnumber2 3. itemnumber3 4. itemnumber4
Checking User Input
I want to check to see if there's only letters and numbers in a field, how would I go about doing this?
Filtering User Input...
I want to take text that a user inputs and store it into a variable. That's the easy part. I have and array of 30 elements that I want to store the inputted text into. So.. here's an example... - I want a user to enter text. - I'll store it into a variable like $inputText. - I want to split the text from $inputText into 30 equal sections and store each section into an element in the variable. - I don't care if the words get separated during the filter, as long as the whitespaces stay where they are. Could anyone give me some tips to help me get started or point me towards a tutorial or something?
Security With User Input And Sessions
I have two sort of related questions, if anyone would be so kind as to answer: 1. When I do an form for input (into a database) that is used for subsequently displaying on a web page, is there a function written to parse out all dodgy stuff, like putting HTML tags that could break the page, or filter out SQL that could corrupt or invalidate the entry or is there a regular expression that someone has already done to cover all areas? 2. If I am displaying data from a database and using sessions and the like, should I be putting something like this in my code (I found it in the php manual): header ("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // past header ("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); // always modified header ("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1 header ("Pragma: no-cache"); // HTTP/1.0
Calling A Function Through User Input.
So heres yet another question to a problem where I would have no idea where to look for the answer for so I turn to you :) Say my sites administrator wants to write a news update or blog or whatever. Something like this "Added a new gallery from my trip to Phuket, enjoy: [GID=24] If you liked it tell me." I want the [GID=24] to get replaced by my galery loading function (very nifty and handy) so it would turn into something like this echo "Added a new gallery from my trip to Phuket, enjoy: ".galery($GID)." If you liked it tell me."; I chose this [GID=24] because it is similar to burning board code. I would also like to include a command like [PID=45] witch would run my picture function.
Checking User Input With Eregi Function
The function below (ExpressionTest.php) is for checking user input. The function is supposed to permit only alphabetical characters, the apostrophe ('), and the dash (-) for the "FirstName" variable. For some reason the script below will permit the dash to be used but gives the message "Please enter a valid first name." message when the FirstName variable includes an apostrophe. I have tried switching places for the dash and the apostrophe. But if I place the apostrophe first in the string and the dash second in the string I still get the same message. PHP Code:
How To Get User Input For A Variable Without Using Forms Or Tables
I have created forms and taken user input from the forms into php variables. When validating the fields, if i find my conditions not satisfied on the php variable, i ignore the database connectivity and display error message and having the user to go back to the page and correct the error. Is there a way i can correct the error without going back to the page, and getting the particular user input without having to create another form or table for input into the php variable.
How Do You Do TCL Exec Command On PHP Script That Uses User Input?
The TCL command I am using will do a command-line action on a PHP script: set cannotRunPHP [catch { eval "exec php -q $root/scripts/info/php/info.php" } errMsg] I have to do it this way as both the TCL script and the PHP script run as CLI. However, "info.php" requires user input to run; this causes the TCL script calling the PHP script to hose up and die. Is there a way I can do this so that the TCL script can call the PHP script without any problems? Is there an alternate way of calling the PHP script other than using exec were that to solve this issue?
Displaying Text Fields On User Input
How would I echo a particular amount of text fields depending on how many the user selects from a drop down menu that I have already created. For example say the user selects 4 or whatever other number from a drop down menu how would I echo 4 or whatever the amount of text fields for a user to input text into? An example would be an airline website were you select how many people are travelling and then it echo fields for those people to enter their names.
User Local Time Diplay In Input Field
I'm wondering how can I have the local time of a user into a input field, it might sound or be stupid but even after my search I couldn't find a code si9mple enough, without any bla bla which each not my need.
Dynamically Creating URLS Based On User Input !
I am looking to create pages on the fly or dynamically based on user input. For example if i have www.example.com and they visit this and enter 'bob' in a textfield and press submit they create www.example.com/bob.html . How would I go about this ? I am guessing I need to create a folder when submit is pressed in my website directory ?
SAFE MODE Error But Safe Mode Is Turned Off?
I turned off safe mode in my php.ini config but it says it is still turned on because it is giving me a safe mode error. Even more bizzare is that it is writing to another directory just fine when if, in theory, safe mode was actually turned on it would be restricting all files.
Cleaning Up
I've made the roomlist for my server but as you can see the topics look pretty out of it with all the colour codes and what not. Is there a code that can clean it up a little.
Cleaning Forms
I want to stop people inserting characters into forms (such as !"£$%^&*()><?.,). What's the best way of doing this? Can I stop them from doing it to return a message, or is it better to just wipe the characters before inserting into a database, or both? The only symbols I need is for an e-mail field, which are . - @ otherwise it's just numbers 0-9 and letters A-Z. I found a script to disable input but it doesn't stop people from finding other ways of inputting bad characters.
Cleaning Up An Array
I was trying to filter the contents in an array, and it seems to work, but I've got an issue with the indexes. When I unset() an element, if I count() the number of elements, I still get the same number that I had before filtering. I'd also like to make my indexes go back to 0,1,2,3... Code:
$_POST Behavior From Input=submit Vs Input-type=button
I have been trying to solve an annoying behavior with PHP (I think). Maybe some of you have encountered the same and have some ideas. I have an html form and I use an <input type="button"> element with the onClick event that calls a javascript funtion. Once the script's content has been processed, I execute the form.submit() directive. I would like to combine the html form and the PHP script into one, and use action="<?php echo($PHP_SELF) ?>". When the html form has <input type="button" name="theButton" value="thisisthetrigger" onclick="doThis(this.form)">but PHP cannot 'read' the value of $_POST["theButton"] after form.submit(). If I substitute the <input type="button"> for <input type="submit"> then PHP reads the value just fine. Some may argue to just use the latter option, but that will cost me a trip back to the server to basically do a lot of validation that can be very easily accomplished on the client side.
Cleaning Up After Php Build And Install
I've compiled a custom version of php with extensions persuant to my needs, but now want to clean up the files used in the compilation. When the php cgi is compiled, are all the extensions compiled into the one file, or does the cgi reference libraries pointed to in the php configure statement? If it references other files, how do I know which ones it points to, so as to know what I can and can't delete.
Cleaning Customer Data
At what point is it wise to clean the data entered into a form by your customer, and to what extent? For example, can malicious scripts be sent via a simple e-mail form, or only when data is collected and stored in the database? And is the use of stripslashes() and strip_tags() sufficient to remove any threat, or is there something else I would need to do?
Cleaning Up Session Cookies
I have a problem where session cookies get left inside the temporary folder. Is this a common problem or is there perhaps something I've over looked - there a way to make sure the session variables get cleaned up?
Cleaning Html Tags
somebody knows any way to put off all html tags from a file. I want to store cleaning pages for information purposes.
Cleaning Up Array After Unset()
I'm working on an e-commerce site, and one of the things I need to do is split an existing order into two orders. The problem I'm having is not creating the new order, but getting the remaining items from the original order cleaned up in the array. What I've tried to do so far is: 1) The data is stored in a serialized array in the order_data field in the orders table. When the order is selected, it is unserialized and called $order_data. Each item is a three item array containing price, quantity, and sku (i.e. $order_data[$i]['price'], $order_data[$i]['quantity'], etc.). 2) On the order details page, the items in the order are listed using the price, quantity, and sku fields. There is a checkbox for each item that is used to indicate the items to be split into the new order. The name is split[] (to create an array of just the selected items), and the value is the sku. The $order_data array is put into a session variable. 3) On the page that processes the split, $old_order = $_SESSION['order_data']. So now I have two arrays: $old_data contains the entire original order, and $split contains just the selected items. 4) I then go through and compare each item in $split[] against each item in $old_order. Once the current item in $split finds a match in $old_order, it is put into $new_order, and I use unset() to remove that item from $old_order: for ($i = 0; $i < count($split);$i++) { foreach ($old_order as $key => $value) { if (array_search($split[$i],$value)) { //add item to new order array $new_order[$new_counter]['attribute_sku'] = $value['attribute_sku']; $new_order[$new_counter]['price'] = $value['price']; $new_order[$new_counter]['quantity'] = $value['quantity']; //increment index counter $new_counter = $new_counter + 1; //increment order total $new_order_total = $new_order_total + ($value['price'] * $value['quantity']); //delete item from order_data array unset($old_order[$key]); } else {
Phpdig Cleaning Index
Ive just taken over the hosting of a site which uses phpdig as a site search function, a program I have absolutely no knowledge of. Does anyone know how i can immediately clear the index of redundant data and also how i can set up cronjobs to do this regularly or where to change the frequency of these cronjobs which i believe are already in existence (just too infrequent)
Cleaning Up Data In An Array
I have an array with 10 items in it. How do I go about clearing all spaces before the data? Ex: Before: jacob After: jacob Also some of the data looks like this, World of Warcraft Guide How do I go about checking each value for this   and replacing it with a space if its there?
Strategy For Creating Files And Then Cleaning Up
I'm using PHP 4.3. There is a section of my application in which I'd like users to be able to download a custom file. The file would be different for each user, so I was planning on creating it on the fly when they click "Download". However, I would like to delete the file from the server a certain period of time after they've downloaded it. (It's a 3 or 4K file). How can I do this?
Sorting And Cleaning Array From 4 DB Fields
I have 4 fields in my database that I am trying to combine and present as a unified dropdown. I've gotten the basic sort and display of the info to work, but don't quite know how to remove spaces caused by empty field nor how to make the dropdown unified. Code:
Tool For Cleaning Up PHP Code - HTML Tidy Like
I have a bunch of files with PHP code. These files were written by multiple developers with different coding styles and is just so painful to read them. Could you recommend any tool I could use to clean up PHP code - something like "HTML Tidy for PHP"
Is PHP Safe ?
I'm a web developer and I need to justify the use of PHP to a number of clients. Their main worry seems to be security. I need to be able to explain to them WHY it is safe, and that it is not easy for hackers to crack. I'm having to compare it to an ASP based solution. I must make it clear that I'm NOT trying to find out how to hack, so DO NOT reply with suggestions of how to get into sites. I just need to know why PHP is safer than ASP etc. I also need to know about MySQL security too. So some questions: Is it possible for people to browse and see the raw PHP code behind a page? If not why not. Is it possible for people to make any kind of wierd call to a PHP script which will do strange things (I heard that ASP can suffer from this)? When hosting a PHP/MySQL website, what should we be look out for in terms of making it more secure i.e. DOs and DONTs. Does anyone know of any good ASP flames which I could use i.e. ASP is bad because.... or PHP is better than ASP because..... PS The base OS will more than likelly be LINUX.
How Is Md5 Safe?
I can't tell weather this proves anything or not, but you can actually crack any md5 hash number here... http://gdataonline.com/seekhash.php I thought md5 was safe..
PHPmyadmin Access Denied For User 'user'@'localhost'
WinMe machine as server, with Apache 2 installed and working PHP4 installed and working ( had PHP 5.05 installed and working, but i couldnt get the mysql extensions to load - phpinfo() didnt list mysql :(, so i installed PHP4, which now lists mysql when i run phpinfo). MYSQL 4.1 installed and working. I dont know the console commands too well, but i know its working ok, cos I have used a few simple DOS prompt commands to check its alive and I can connect to the database using MyODBC frontend/driver 3.51 and also using Navicat 2004. When i try to connect to the database via PHPmyadmin from another network PC I have an error: #1045 - Access denied for user 'user'@'localhost' (using password: YES) I have played around alot with different settings in the config.inc.php file.... nothing seems to work. This almost appears to be a simple login problem ( probably is too), but I can access the database locally from the Winme machine with the username and password that wont work over the network! I have tried not using 'localhost' as the host name but the IP address of the Winme PC but I get this error: #1130 - Host 'MYSERVERNAME' is not allowed to connect to this MySQL server
Notice: Use Of Undefined Constant User - Assumed 'user'
I have a script for a shopsystem on a Linux. There it works fine. But when I try to run it on my Windows machine, PHP says things like Notice: Use of undefined constant dbname - assumed 'dbname' in c:apachehtdocsaposhop estshopclassesxxx.clas s.php on line 77 On Windows I run PHP 4.3.2 On Linux runs PHP 4.3.1
|
TRACKER
