Textarea box injection

focus310

Hello:

I have a form which contains a lot of textarea boxes. I know that people can maliciously put things into these textarea boxes which will cause problems.

Can someone point me in the right direction as to what I can do to properly validate the information entered into these textarea boxes?

Thanks.

jmack159

you should at least run the data through mysql_real_escape_string() if its going to go into a database. you should also check the data to make sure its of the type you expect. if you only expect to get text, and no numbers, but someone types in numbers, you have to check for that. regular expressions can be you friend here. hope this is helpful

roscor

you can validate the data going into a checkbox, this is what i use


if(!isset($_POST['whatever'][0])) {
   $error1.="<font face='Verdana' size='1'>Required!<br />";

    }
if ($errcount !=0) {
     //displays errors in form boxes
}
    else {

   $whatever = $_POST['whatever'];

    include("databaseconn.php");
$conn = mysql_connect($host, $username, $password) or die(mysql_error());
mysql_select_db($database,$conn) or die(mysql_error());

$query = "INSERT INTO namedtable VALUES ('','$whatever')";
 mysql_query($query) or die(mysql_error());

// then do something redirect whatever

<input name="whatever" type="checkbox" id="whatever" value="y" <?php if (!empty($_POST['whatever'])) echo 'checked="checked"'; ?>>

the if(!isset($_POST['whatever'][0])) { checks if the checkbox is just checked.

If you are using a Text box you could use validation like

 if(preg_match('/^[0-9_-]{11,}$/i', $_POST['whatever'])){

if you are using numbers , the {11,} is the number of characters req, i use this for valid telephone numbers with no space or

if(preg_match('/^[a-zA-Z0-9_-]{4,}$/i', $_POST['whatever'])){

if you are using numerals and letters upper and lowercase, remove a-z or A-Z accordingly

[a-zA-Z0-9-]this does not alow spaces, but [a-zA-Z0-9 -] does.

see preg_match in the manual for further guidance if needed.

hope this helps a little, keep trying to get the code that works with security for you.

focus310

I'm actually using a textarea box for comments/messages. I heard that some people inject URL's into the comments/messages. I want to eliminate that kind of stuff.

NogDog

Note that a hacker can inject data into any of your form elements, not just textareas. You must therefore validate and sanitize all user-supplied data used in your scripts.

focus310

I'm aware of that. I'm just not sure how to tackle the textarea.

jmack159

you can use this to strip html and php tags from the data strip_tags()

NogDog

focus310 wrote:
I'm aware of that. I'm just not sure how to tackle the textarea.

The same way you would tackle every other type of input:

If the data is to be stored in a database, you need to sanitize it as appropriate for your DBMS. (With MySQL, you can use the mysql_real_escape_string() function to make it safe for use in an SQL query.)

If the data is to be output as part of an [X]HTML page, then you can use [man]strip_tags/man and/or [man]htmlentities/man, either prior to storing the data, or at the actual time that it is output to the client.

If the data should be of a particular type, less than a specific number of characters, within a particular range of values, etc., then you need to validate it or force it to be within those limits (again, regardless of the form element type involved, since it is simple for a hacker to send any value for any form element, regardless of whether it's a textarea, a checkbox, select drop-down, or whatever).

focus310

I will look into all of these options. I'll even attempt to throw in some regular expression.