  1. #1 Roj2002 (SitePoint Enthusiast, joined Jan 2002, 81 posts)

    What special characters to filter

    I have an HTML form and pass input from text fields via PHP to a SQL database server. I want to filter all special characters that could be a problem, like "?" or "!" etc., and also all special characters that might be a security problem for the SQL server, like ";", without restricting the user too much. So I wonder which special characters I have to filter out? Any comments/ideas?

    Michael

  2. #2 prashidi (SitePoint Zealot, joined Mar 2001, 118 posts)
    PHP Code:
    $text = htmlspecialchars($text);
    $text = trim($text);
    Should fix most controversial stuff.

  3. #3 Roj2002 (SitePoint Enthusiast, joined Jan 2002, 81 posts)
    Quote Originally Posted by prashidi
    PHP Code:
    $text = htmlspecialchars($text);
    $text = trim($text);
    Should fix most controversial stuff.
    Correct me if I'm wrong, but if you do so, the data that you enter into the database would contain "HTML characters" like &auml; etc., right? This is not a good idea; the data should be stored in its original form. Only if the user makes some input mistakes should they get filtered out.

    Michael

  4. #4 prashidi (SitePoint Zealot, joined Mar 2001, 118 posts)
    Well then, simply insert the original text in the database and send the text through those two when you are about to display it on the screen. Maybe I am not understanding what the problem is.

  5. #5 Roj2002 (SitePoint Enthusiast, joined Jan 2002, 81 posts)
    Quote Originally Posted by prashidi
    Well then, simply insert the original text in the database and send the text through those two when you are about to display it on the screen. Maybe I am not understanding what the problem is.
    Sorry, but it seems to me that you don't understand the problem:

    If a user enters special characters like !?; etc. in a textbox, it can lead to problems. Depending on what you do with the data, PHP e.g. could interpret a ? as the beginning of a new variable. Characters like ; could lead to security risks.

    I didn't want a discussion on how to filter out these characters, but I wanted to know what characters might be a security risk or could cause problems if you pass them on with PHP...

    Michael

  6. #6 prashidi (SitePoint Zealot, joined Mar 2001, 118 posts)

  7. #7 Egghead (SitePoint Zealot, joined Feb 2002, 197 posts)
    Quote Originally Posted by Roj2002
    I wanted to know what characters might be a security risk or could cause problems if you pass them on with PHP...
    Hi Michael

    The translations htmlspecialchars() makes are "those most useful for everyday web programming", or those that "have special significance in HTML" (according to php.net).
    The translations performed are:
    • '&' (ampersand) becomes '&amp;'
    • '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
    • ''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
    • '<' (less than) becomes '&lt;'
    • '>' (greater than) becomes '&gt;'
    To ensure every possible problematic character is converted, use htmlentities() - I cannot find out which characters are actually changed using this function, but a couple such as % and $ seem to be left untouched.
    You can escape (put a backslash before certain characters) strings using addslashes(), and the characters you should escape are much the same as those escaped in htmlspecialchars(). You must remember that some other characters, when escaped, have a special meaning (e.g. \n, \r and \t).

    strip_tags() will pull out any HTML and PHP tags from a string - although it is not infallible.

    When you are sending data to a database (presumably MySQL), it may be better to use the more specific database functions: mysql_escape_string() or mysql_real_escape_string().

    I'm not sure if it is possible, but if you start to feed a script some input which is already in entity format, or maybe even pre-escaped, then perhaps you could sneak some tags or code in? I'm sure the example would not work, but just imagine...
    Code:
    &lt;input name=&quot;password_ok&quot; value=&quot;true&quot; &frasl;&gt;
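The pattern the thread converges on (store the original text, make it safe for each destination at the point of use) as an added example in modern PHP; this is not code from the thread. It uses PDO parameter binding in place of the mysql_* escaping functions named above, an in-memory SQLite table named "comments" as a placeholder, and shows that htmlspecialchars() re-encodes already-encoded input like the snippet above instead of letting it through as markup.

```php
<?php
// Added example (not from the thread). Assumes PHP 5.4+ with PDO and
// the SQLite driver; table "comments" is a placeholder name.
declare(strict_types=1);

// 1. Database: bind the raw value as a parameter. No character filtering
//    is needed; the driver keeps data and SQL separate, so ';' or quotes
//    in $body are stored literally and cannot end the statement early.
function storeComment(PDO $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// 2. HTML output: escape once, at display time. ENT_QUOTES covers both
//    quote styles so the value is safe inside attributes as well as text;
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. Regular expressions: the only place '?' or ';' in user data matters
//    (besides eval), and preg_quote() neutralises them there.
function containsPhrase(string $haystack, string $userPhrase): bool
{
    return preg_match('/' . preg_quote($userPhrase, '/') . '/i', $haystack) === 1;
}

// Demo with constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

$input = "O'Reilly said: <b>hi</b>; -- what?!";   // quotes, tags, ; and ? kept as-is
storeComment($db, 'michael', $input);

$row = $db->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
var_dump($row['body'] === $input);            // bool(true): stored in original form
echo escapeForHtml($row['body']), "\n";       // O&#039;Reilly said: &lt;b&gt;hi&lt;/b&gt;; -- what?!
var_dump(containsPhrase($row['body'], 'what?!'));   // bool(true): '?' matched literally

// The "already in entity format" case: by default htmlspecialchars() does
// not skip existing entities, so '&lt;' becomes '&amp;lt;' and the browser
// shows the text "&lt;input ...&gt;" rather than rendering an input tag.
$preEncoded = '&lt;input name=&quot;password_ok&quot; value=&quot;true&quot; /&gt;';
echo escapeForHtml($preEncoded), "\n";        // &amp;lt;input name=&amp;quot;password_ok&amp;quot; ...
```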

  8. #8
    "Of" != "Have" bronze trophy Jeff Lange's Avatar
    Join Date
    Jan 2003
    Location
    Calgary, Canada
    Posts
    2,063
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I think you are referring to a problem which does not exist except in special circumstances. Characters like ? or ; will only affect your code if you eval() it, or use it in a regular expression.