[Resolved] is this secure enough for forum posts

fr8

Im wondering if this is secure enough for my forum? It test each new thread/reply that is made?

Im stopping these from being used.

<>{}" ' ; -

$REPLACEMENTS = '/[^a-z0-9 \\\\\\\\\\.\\\\\\\\\\n,\/:?!@#$%^()\[\]]/i';

$variable_new = preg_replace($REPLACEMENTS, '',$_POST["variable"]);

edit:

sfullman

See this url on my site:

http://www.samuelfullman.com/team/html/ascii.htm

notice that < is ASCII 060, do this

$array[';'] = '&#038;'; //MAKE SURE YOU REPLACE AMPERSAND FIRST !!!!!!!!!!!!!!
$array['>']='&#060;';
$array['<']='&#062;';
etc..

foreach($array as $n=>$v){
$string=str_replace($n,$v,$string);
}

that should do it. Fast.

Sam

fr8

so i should get rid of the ascii versions also?

With my current setup up if i post

//                       &#060;

//The slashes are there so it schows as ascii not the symbol.

only #060 make it threw.

planetsim

Why dont you just use htmlentities that way you can still allow HTML tags etc.. But it only gets the special characters of it

fr8

I see how that would help but will it stop sql injection? Thats my only thing that im worried about.

Thats the reason i was stoping the above characters.

swr

If you [man]mysql_escape_string[/man] everything you use in a query, you'll be okay.

But you're only human, so if you have to escape things yourself odds are you'll forget to at some point...

Use a database layer that supports placeholders (like PEAR:😃😎. Then as long as you always use placeholders in your SQL you won't have to worry about escaping things, the DB layer will handle it for you.

In a pinch, you can make a quick-and-dirty placeholder-based layer yourself using sprintf...

function sql() {
    $args = func_get_args();
    for ($i = 1; $i < count($args); $i++) {
        $args[$i] = mysql_escape_string($args[$i]);
    }
    $sql = call_user_func_array('sprintf', $args);
    return mysql_query($sql) or die(mysql_error());
}

Instead of this:
mysql_query("select from table where name = '$name' and type = $type);
use this:
sql("select from table where name = '%s' and type = %d", $name, $type);

It's not very good because invalid numbers get silently turned into 0, and it doesn't handle nulls properly, but used properly it will block SQL injection attacks.