[Resolved] [Resolved] Securing _Post varibles

fr8

I have a couple forms that I wish to secure. The only forms that I have that im worried about is my Comment system, Testimonial System and my form for new users.

Im looking at just limiting valid characters.

Example for the user join form only these characters would be allowed:
abcdefghijklmnopqrstuvwxyz1234567890

I have no reason for any other character to be allowed in it.

And for my comment and testimonial systems i wish to allow only:
abcdefghijklmnopqrstuvwxyz1234567890
and the addition of punctuation characters like ?!. and so on.

Will this be easy to implement or will I need to make a day out of it?

pjleonhardt

this is easy to do.. but i cant think of the right function...

fr8

Originally posted by pjleonhardt
this is easy to do.. but i cant think of the right function...

you have given life to this thread.

Does anyone know of the function(s)?

Weedpacket

Probably [man]preg_match[/man].

if(preg_match('/[^a-z0-9]/i',$word))
{ // Blech, unacceptable characters.
}

if(preg_match('/[^a-z0-9 ?!.,;:_-]/i',$word))
{ // Blech, unacceptable characters.
}

fr8

Originally posted by Weedpacket
Probably [man]preg_match[/man].

if(preg_match('/[^a-z0-9]/i',$word))
{ // Blech, unacceptable characters.
}

if(preg_match('/[^a-z0-9 ?!.,;:_-]/i',$word))
{ // Blech, unacceptable characters.
}

[/B]

that does what i need. but i already see that i cant leave this for the fix. What about removing the characters. Chances are if they wrote a beefy testimonial they are not going to right the same one again. How can i just rip out any invalid characters that i would not want them to use? aka <> ect. anything that could lead to an sql injection.

Edit: This does work prefectly for my join form.

laserlight

you could use [man]preg_replace/man instead, and replace out the invalid characters.

fr8

Originally posted by laserlight
you could use [man]preg_replace/man instead, and replace out the invalid characters.

Hmmm. Now when i make a replace i dont want to leave a space. Will [man]preg_replace/man remove it completey?

EDIT: I took some time to read the manual. It is possible to remove the characters and not leave white space.

fr8

Im using [man]preg_replace/man to remove unwanted characters in my testimonials and my comment system. Im looking at removing any character that could be used for a SQL injection but i would like to leave some characters for the user to use.

What are the main characters i want to block?
Right now im blocking:
<>{}" '

Are there more characters i should block?