Sanitizing Problem Help me.

bohra_sankalp

I am newbie and trying to apply sanitizing function on "title" named particular variable in my form. but its not working. Even I am not getting any syntax problem. Please help me.

<?php 
session_start();
include("config.php");
if(!isset($_SESSION["code"]))
{	$_SESSION["code"]=rand(1000,9999);
}


  if(isset($_POST["submit"]));
{
$title=$_POST['title'];
$roman=$_POST['roman'];
$hindi=$_POST['hindi'];
$poet=$_POST['poet'];
$category=$_POST['category'];
//$title=trim($title);

     $title = filter_var($title, FILTER_SANITIZE_STRING);  



if($_SESSION["code"]==$code)
{	$sql= "INSERT into tbl_songlist_info(song_title,lyrics_roman,lyrics_hindi,poet_name,song_type) values('$title','$roman','$hindi','$poet','$category') ";
mysql_query($sql);
unset($_SESSION["code"]);
}
else{
$msg='Your Input code is not valid';
 mysql_error();}
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>

<body>


<form action="<?=$_SERVER['PHP_SELF'];?> " method="post" name="ghazal" id="ghazal">

  <table width="461" border="0" align="center" cellpadding="1" cellspacing="2">
    <tr>
      <td width="86">Title :</td>
      <td><input name="title" type="text" id="title" size="57" value=<?=$title?> /></td>
    </tr>
    <tr>
      <td valign="top">Roman :</td>
      <td><textarea name="roman" id="roman" cols="55" rows="5"></textarea></td>
    </tr>
    <tr>
      <td valign="top">Hindi :</td>
      <td><textarea name="hindi" id="hindi" cols="55" rows="5"></textarea></td>
    </tr>
    <tr>
      <td>Poet :</td>
      <td width="365"><input name="poet" type="text" id="poet" size="57" /></td>
    </tr>
    <tr>
      <td>Category:</td>
      <td><select name="category" id="category">
        <option value="Ghazal or Nazm">Ghazal or Nazm</option>
        <option value="Other">Other</option>
            </select></td>
    </tr>
    <tr>
      <td>
        <div align="left">Code:</div></td>
      <td><input name="code" type="text" id="code" size="4" maxlength="4" /><?=$msg?> 
        <iframe src="captcha.php" width="75" height="25" scrolling="No" frameborder="0"></iframe>   

      </td>
    </tr>
    <tr>
      <td>
        <div align="right"></div></td>
      <td><input type="submit" name="submit" id="submit" value="Submit" /> <input type="submit" name="reset" id="reset" value="Clear" /></td>
    </tr>
  </table>
</form>
</body>
</html>

dagon

what is "not working" ?

bohra_sankalp

My title variable is not sanitizing using this function..

$title = filter_var($title, FILTER_SANITIZE_STRING);

dagon

can you provide an example

bohra_sankalp

as I put "afsinaoifnao#$%@@($)(%a" this in variable "$title" I want to remove all special character before putting it in database. Thats what I want using sanitizing function. Sanitizing function removers special character. Rest all code and information is provided above in code.

NogDog

I don't know if this is the problem, but note that using filter_var() in this way is not for escaping SQL special characters to "sanitize" it for use in a DB query. For that you should be using mysql_real_escape_string() in this case (since you are using the basic MySQL extension). That does not mean you cannot also use filter_var(), but just be aware of what it does and does not do:

FILTER_SANITIZE_STRING:

Strip tags, optionally strip or encode special characters.

So without any of the optional flags, it's probably the same as doing a strip_tags().

bohra_sankalp

I am newbie can you please give me basic code to sanitize $title variable before putting it in DB. I just want to remove special character.

NogDog

You will probably want to use a regular expression with [man]preg_replace/man, but then you need to carefully consider which characters you want to allow/disallow. (For instance, will you allow non-English letters such as "é" or "Ñ"?)

dagon

do you want safe to put in to db query? or something else, I'm not clear.

bohra_sankalp

Mr. Dagon please read all post carefully. I am sure you will get what I want. I need to remove "Special Characters"

dagon

i will if you read the manually carefully, you need to specify the flag you want to use, options are:

FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP