easiest filter

This is a discussion on "easiest filter" within the PHP Forum section. This forum, and the thread "easiest filter", are both part of the Program Your Website category.


#1, Aug 23rd, 2007, 00:50
alexgeek (Moderator)

easiest filter

What is the quickest way to filter user input so that malicious code cannot be saved?
thanks

#2, Aug 23rd, 2007, 00:52
alexgeek (Moderator)

Re: easiest filter

Also, how do you check if a certain character or phrase is in a variable?
e.g. check if the following has "123" in it.
PHP:

$v = "hello 123";
thanks
#3, Aug 23rd, 2007, 06:13
Highly Reputable Member (Willich, Germany)

Re: easiest filter

You could use strpos or strstr or the regex functions.
#4, Aug 23rd, 2007, 06:48
alexgeek (Moderator)

Re: easiest filter

Thanks for the link.
Anything on automatic filters?
And how do I get this to work:
PHP:

<?php
$string = "<script>";
$list = array("<", ">", "lol");
$check = ereg($list, $string);
if ($check == true) {
    echo "true";
} else {
    echo "false";
}
?>
I need it to check everything in the array $list,
and I don't want to do it manually ($list[0], $list[1]).
#5, Aug 23rd, 2007, 09:12
Up'n'Coming Member (Bicester)

Re: easiest filter

Alex

Code:
$list = array("<", ">", "lol");
$check = ereg($list, $string);
Ok, good try. ereg takes a pattern and a string. The pattern is expressed as a string, so $list should be a string, but you have it here as an array. (That is your mistake.)

If you want to check if <, > or 'lol' are in a string you could try:

$check = ereg("(<|>|lol)", $string, $res);

The first param is a regular expression: these are difficult. Here I am trying to search for <, > or lol; the | indicates or. Basically you have to build a regular expression for your match. If you just wanted to match 'lol' it would be "lol". To match all digits it would be "\d". It gets complicated.

You can still check whether $check is true to see if you had a match, but using the third param puts the actual match into an array. (If you need to use this you could perhaps look up ereg() on php.net to see some examples.)

I haven't been able to test my solution, but let me know if you still have a problem.

Re. filters: in fact you need to use regular expressions and substitution; preg_replace() does the trick. It works much as ereg() but with replacing.

Justin
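The "check everything in $list without indexing it by hand" problem from posts #4 and #5, plus the substring check from post #2 and the preg_replace() substitution mentioned in posts #5 and #7, as one added example. This is not code from the thread; the function names are chosen here and the sample inputs are constructed. It generalises Justin's hand-written "(<|>|lol)" pattern: the pattern is built from the array, so entries can be added without touching the regex.

```php
<?php
// Added example (not from the thread): check a string against every entry of
// an array of forbidden substrings without indexing $list[0], $list[1], ... by
// hand. Function names are chosen here; the sample inputs are constructed.

// The question from post #2: is "123" somewhere in $v? strpos() is enough.
function containsSubstring(string $haystack, string $needle): bool
{
    // strpos() returns the offset or false. A hit at offset 0 is still a hit,
    // so compare with !== false instead of testing the result for truthiness.
    return strpos($haystack, $needle) !== false;
}

// Build one regular expression from the array: preg_quote() escapes entries
// that would otherwise be read as regex syntax (a "." or "(" added to the list
// later, for instance), and "|" joins them as alternatives, as in post #5.
function buildPattern(array $list): string
{
    $escaped = array_map(fn(string $s): string => preg_quote($s, '/'), $list);
    return '/' . implode('|', $escaped) . '/';
}

// Every list entry that occurs in $string, each reported once, or [] if none does.
function findForbidden(array $list, string $string): array
{
    // An empty list would give the pattern "//", which matches everywhere.
    if ($list === [] || preg_match_all(buildPattern($list), $string, $m) === 0) {
        return [];
    }
    return array_values(array_unique($m[0]));
}

// The substitution variant from posts #5 and #7: delete every occurrence.
// Removal changes the data silently; rejecting the input, or encoding it when
// it is shown (htmlspecialchars), is usually the safer choice.
function removeForbidden(array $list, string $string): string
{
    if ($list === []) {
        return $string;
    }
    return preg_replace(buildPattern($list), '', $string);
}

$list = ["<", ">", "lol"];

var_dump(containsSubstring("hello 123", "123"));
print_r(findForbidden($list, "<b>lol</b>"));
print_r(findForbidden($list, "hello world"));
echo removeForbidden($list, "<b>lol</b>"), "\n";
```

Run with the PHP CLI: the first call reports true, findForbidden() lists "<", ">" and "lol" for the first sample and nothing for the second, and removeForbidden() turns "<b>lol</b>" into "b/b", which shows how much a removal filter can change what the user typed.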
#6, Aug 23rd, 2007, 09:21
alexgeek (Moderator)

Re: easiest filter

Okay.
For filtering user input,
would htmlentities be okay?
#7, Aug 23rd, 2007, 09:43
Up'n'Coming Member (Bicester)

Re: easiest filter

No. I think that is something to do with encoding certain characters such as < in the HTML entity ref form, not to do with filtering.

What exactly do you want to do? Can you explain a bit more, or give me an example? I was assuming you meant filtering input from a form to check it has no malicious code in it? If so, then something like this does it:

$safedata = preg_replace("/eval/", "", $userInput);

This would replace any word 'eval' in $userInput with an empty string, i.e. get rid of it. The tricky bit is what to use as the expression to match. What characters do you want to test for?

Justin
#8, Aug 23rd, 2007, 10:05
alexgeek (Moderator)

Re: easiest filter

Say it's a registration form.
I'd only want numbers, letters, hyphens, underscores, full stops and @s.
How would I do that?
#9, Aug 23rd, 2007, 11:03
Up'n'Coming Member (Bicester)

Re: easiest filter

ok

Code:

$test = preg_match("/^([a-zA-Z0-9\-\.\_\@]+)$/", $userInput, $matches);

if ($test) {
    $matches[0]; // this now contains the user data which matched the pattern and is safe to use
} else {
    // there was invalid data.
}
The pattern should match your list. It would be worth looking at a regular expression tutorial. The () says remember what is matched and put it into the first element of the array $matches. So if it matches (e.g. a-z says match any letter) it will be in the $matches[0] variable and safe to use.

I can look at this again later if you like

Justin
#10, Aug 23rd, 2007, 11:06
alexgeek (Moderator)

Re: easiest filter

Okay, so how would I go about getting a variable 'username' using POST and inserting it into MySQL via that filter?
I don't know how to piece it together.
Thanks so far though.
#11, Aug 23rd, 2007, 11:16
Up'n'Coming Member (Bicester)

Re: easiest filter

OK, Alex. I'll look at this tonight.

Justin
#12, Aug 23rd, 2007, 11:16
Up'n'Coming Member (Bicester)

Re: easiest filter

(if no one else tells you by then)
#13, Aug 23rd, 2007, 11:21
alexgeek (Moderator)

Re: easiest filter

Okay,
thanks for the help so far.
*reps you*
#14, Aug 23rd, 2007, 17:10
Highly Reputable Member (Willich, Germany)

Re: easiest filter

PHP:

if (preg_match("/^([a-zA-Z0-9\-\.\_\@]+)$/", $userInput, $matches)) {
    // $matches[0] now contains the user data which matched the pattern and is safe to use,
    // so you can insert this into your db
    mysql_query("INSERT INTO user_table (username) VALUES ('" . $matches[0] . "')");
} else {
    // there was invalid data and you can't insert
}

#15, Aug 23rd, 2007, 21:44
Up'n'Coming Member (Bicester)

Re: easiest filter

Hi Alex

This is it:

Code:
<html>
<head>
<style type="text/css">
body {font-family:arial,sans-serif;}
</style>
</head>
<body>
<?php

ini_set("display_errors", "1"); // take out before production. does not work if script has fatal errors

if ($_SERVER['REQUEST_METHOD'] == 'GET') {
    showPage();
} else {
    processForm();
}

function showPage()
{
    print "Please enter your data";
    print "<form action=\"example.php\" method=\"POST\" >";
    print "<textarea cols=\"10\" rows=\"10\" name=\"userInput\" > </textarea>";
    print "<br /><input type=\"submit\" >";
    print "</form>";
}

function processForm()
{
    $userInput = $_POST['userInput'];

    $res = preg_match_all("/([a-zA-Z0-9\_\-\.\@]+)/", $userInput, $matches); // $res is number of matches
    $safeUserData = "";
    // preg_match_all puts matches into a multidimensional array
    // print $res;
    // print_r($matches);
    // $matches[0] is itself an array with each element being one full match,
    // so append the whole element ($val), not only its first character ($val[0])
    foreach ($matches[0] as $val) {
        $safeUserData = $safeUserData . $val;
    }

    if ($res >= 1) { // there was at least one match

        // do database stuff - in fact better to put in a separate function
        // and connection string outside root as well
        $link = mysql_connect('localhost', 'root', 'secret');
        mysql_select_db('test');
        $result = mysql_query("INSERT INTO test VALUES ('$safeUserData')") or die(mysql_error());
        print "Your data was put into the database";
        // nb - we may have stripped out tainted data
    } else {
        print "Your input did not contain any valid data";
    }
}
?>
</body>
</html>
I made some changes so please take care.

Codepunk was wrong. If the regular expression did not match it doesn't mean that it contained invalid data; it means it just didn't make any matches. If it contained some valid characters and some invalid you will still get matches. The basic idea is we are matching the characters you want and keeping them. This is different from checking for characters we don't want.

The two hard bits are the regular expression itself:
Code:
/([a-zA-Z0-9\_\-\.\@]+)/
and the way using preg_match_all we get an array of arrays.

The regular expression uses a character class [] to test for a-z lower and upper case, 0-9 and the other chars you wanted (note the escape \ before them).

I'll leave you to figure out the multi-dimensional array.

OK, that's it on this one I think.

Good luck

Justin

Last edited by Kropotkin; Aug 23rd, 2007 at 21:47.
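The two filtering styles the thread ends up with, as one added example that is neither Justin's script nor Codepunk's snippet: "validate and reject" from posts #9 and #14, and "keep the allowed runs" from post #15, followed by the database insert Alex asked for in post #10 done with a prepared statement instead of a hand-built SQL string. It uses an in-memory SQLite database through PDO so it runs with no MySQL server (an assumption about the environment; the table name user_table comes from post #14, the function names are chosen here, and the sample inputs are constructed). It also covers two edge cases the thread's patterns leave open: a trailing newline, which `$` alone lets through, and an upper bound on length.

```php
<?php
// Added example, not the thread's own code: the two filtering styles from
// posts #9, #14 and #15 side by side, then an insert that passes the value to
// the database as a parameter instead of pasting it into the SQL text.
// Assumes PDO with the sqlite driver is available; user_table is from post #14.

// Style 1: accept the input only if every character is in the allowed set.
// \z anchors at the true end of the string; with $ alone PCRE also accepts
// "alice\n", because $ matches before a trailing newline. Inside [...] the
// hyphen is placed last so it is literal; . _ @ need no escaping there.
// The {1,64} bound is an assumption about sensible username length.
function validateStrict(string $input): ?string
{
    return preg_match('/^[A-Za-z0-9._@-]{1,64}\z/', $input) === 1 ? $input : null;
}

// Style 2 (post #15): keep the allowed runs and drop everything else. One
// preg_replace() gives the same result as joining $matches[0] from
// preg_match_all(); the data may come out changed without the user noticing.
function keepAllowed(string $input): string
{
    return preg_replace('/[^A-Za-z0-9._@-]+/', '', $input);
}

function insertUser(PDO $db, string $username): void
{
    // The placeholder keeps the value out of the statement text, so the
    // database never parses user data as SQL, whatever characters it holds.
    $stmt = $db->prepare('INSERT INTO user_table (username) VALUES (:u)');
    $stmt->execute([':u' => $username]);
}

function storedUsernames(PDO $db): array
{
    return $db->query('SELECT username FROM user_table ORDER BY id')
              ->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_table (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

// Constructed sample inputs, as they might arrive in $_POST['username'].
$samples = ["alice_01", "bob.smith@example.org", "<b>hi</b>", "o'brien", "alice\n", ""];

foreach ($samples as $raw) {
    $strict = validateStrict($raw);
    $kept   = keepAllowed($raw);
    printf("%-26s strict: %-22s keep: %s\n", json_encode($raw), $strict ?? 'reject', $kept);
    // Only the strictly validated value is stored; a rejected input goes back
    // to the user to correct rather than being silently rewritten.
    if ($strict !== null) {
        insertUser($db, $strict);
    }
}

// When a stored name is later shown in HTML, encode it at that point; that is
// the job htmlentities()/htmlspecialchars() do, separate from input validation.
foreach (storedUsernames($db) as $name) {
    echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
}
```

Run with the PHP CLI, the first two samples pass both styles unchanged, "<b>hi</b>" and "o'brien" are rejected by the strict check but come out of keepAllowed() as "bhib" and "obrien", "alice\n" is rejected only because of the \z anchor, and the empty string fails both. The strict check and the prepared statement do different jobs: the regex decides what a username may look like, the placeholder guarantees that whatever is stored is never interpreted as SQL.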
#16, Aug 24th, 2007, 06:03
Highly Reputable Member (Willich, Germany)

Re: easiest filter

OK, what he said.
#17, Aug 24th, 2007, 15:44
alexgeek (Moderator)

Re: easiest filter

Thanks guys, I'll look over that tonight.
-reps both-
Tags: filter, filtering
