Block Special Characters?

joshuamd3

I need to block people from entering this Admin Login Screen. I would just like to block out special characters for hacking in. i have no idea what to do.

<?php
session_start();
include("../vars.php");
include("../headfoot.php");
mysql_connect($db_host, $db_user, $db_pwd);
mysql_select_db($db_name);
$day_now_is = date("Y-m-d");
$login_screen = "<html><head><title>$title</title></head><body><br><br><br><br><div align=\"center\"><font size=\"4\" face=\"Tahoma\"><strong>$title Control Panel</strong></font></div><center><table border=\"0\" style=\"border-collapse: collapse\" bordercolor=\"#111111\" cellpadding=\"0\" cellspacing=\"3\">
<form method=post action=/control/><input type=hidden name=form value=sent><tr>
<td align=\"right\" valign=\"top\"><b>
<font face=\"$fontface\" size=\"2\">Login</font>:</b></td>
<td align=\"left\" valign=\"top\">
<input type=\"text\" name=\"login\" size=\"25\" style=\"font-family: $fontface; font-size: 9pt; font-weight: bold\"></td>
</tr><tr><td align=\"right\" valign=\"top\">
<font face=\"$fontface\" size=\"2\"><b>Password:</b></font></td>
<td align=\"left\" valign=\"top\">
<input type=\"password\" name=\"passwd\" size=\"25\" style=\"font-size: 9pt; font-family: $fontface; font-weight: bold\"></td>
</tr><tr><td></td><td align=\"left\" valign=\"top\">
<input type=\"submit\" value=\"Login\" style=\"font-family: $fontface; font-size: 9pt; font-weight: bold; float: right\"></td>
</tr></form></table></center></body></html>";
if ($_COOKIE['ref']) {
setcookie("ref", $_COOKIE['ref'], time()-964000);
}
if (!isset($_SESSION['asess_name']) || !isset($_SESSION['asess_passwd'])) {
if ($_POST['form'] == 'sent') {
if ($_POST['login'] == "" || $_POST['passwd'] == "") {
echo($login_screen);
echo("<script>alert('The admin Username or Password cannot be blank!');</script>");
session_destroy();
mysql_close;
exit;
} else {
$_SESSION['asess_name'] = $_POST['login'];
$_SESSION['asess_passwd'] = md5($_POST['passwd']);
header("Location: /control/?".session_name()."=".session_id());
mysql_close;
exit;
}
} else {
echo($login_screen);
echo("<script>alert('Your session data was not found, please login.');</script>");
session_destroy();
mysql_close;
exit;
}
} else {
$res = mysql_query("select value from admin where field='login'");
$db_login = mysql_result($res, 0);
$res = mysql_query("select value from admin where field='passwd'");
$db_passwd = mysql_result($res, 0);
if ($_SESSION['asess_name'] != $db_login || $_SESSION['asess_passwd'] != md5($db_passwd)) {
echo($login_screen);
echo("<script>alert('Invalid login, please check your admin username and password.');</script>");
session_destroy();
mysql_close;
exit;

JPnyc

A regular expression would work. For example, I put this into one forum to keep <> out of thread titles. They were being parsed on the front page and messing up the display.

this.value.replace (/<|>/g, '');

Now that's javascript and not suited for keeping hackers out, but you can pass regex through pretty much any language out there.

joshuamd3

See I dont understand that ^ JPnyc, I am a realllll newb. 🙂

I googled this somewhere... Would I be able to use it easily?

just use mysql_real_escape_string() function before mysql_query rather than unnecessary work in filter every user input variable.