Thread: What special characters to filter
Apr 13, 2003, 07:02 #1
What special characters to filter
I have an HTML form and pass input from text fields via PHP to an SQL database server. I want to filter all special characters that could be a problem like "?" or "!" etc., and also all special characters that might be a security problem for the SQL server like ";", without restricting the user too much. So I wonder what special characters I have to filter out? Any comments/ideas?
Apr 13, 2003, 12:32 #2
PHP Code:
$text = htmlspecialchars($text);
$text = trim($text);
Apr 13, 2003, 12:39 #3
Originally Posted by prashidi
Apr 13, 2003, 12:59 #4
well then simply insert the original text in the database and send the text through those two when you are about to display them on the screen. Maybe I am not understanding what the problem is.
Apr 13, 2003, 13:06 #5
Originally Posted by prashidi
If a user enters special characters like !?; etc. in a textbox it can lead to problems. Depending on what you do with the data, PHP e.g. could interpret a ? as the beginning of a new variable. Characters like ; could lead to security risks.
I didn't want a discussion on how to filter out these characters, but I wanted to know what characters might be a security risk or could make problems if you pass them on with PHP...
Apr 13, 2003, 20:07 #6
Apr 14, 2003, 13:07 #7
Originally Posted by Roj2002
The translations htmlspecialchars() makes are "those most useful for everyday web programming" or they "have special significance in HTML" (according to php.net)
The translations performed are:
- '&' (ampersand) becomes '&amp;'
- '"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
- ''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
- '<' (less than) becomes '&lt;'
- '>' (greater than) becomes '&gt;'
You can escape (put a backslash before certain characters) strings using addslashes(), and the characters you should escape are much the same as those escaped in htmlspecialchars(). You must remember that some other characters when escaped have a special meaning (e.g. \n, \r and \t).
strip_tags() will pull out any HTML and PHP tags from a string - although it is not infallible.
When you are sending data to a database (presumably MySQL) then it may be better to use the more specific database functions: mysql_escape_string() or mysql_real_escape_string().
I'm not sure if it is possible, but if you start to feed a script some input which is already in entity format or maybe even pre-escaped, then perhaps you could sneak some tags or code in? I'm sure the example would not work but just imagine...
<input name="password_ok" value="true" />
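The advice in posts #4 and #7, written out as an added example (not code from the thread): keep the user's text unchanged, and escape at each boundary instead of filtering characters out of the input. It assumes the mysqli extension and a constructed table `comments (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)`; the connection values are placeholders.

```php
<?php
// Added example, not from the thread. Assumes mysqli and a table
// `comments (id INT AUTO_INCREMENT PRIMARY KEY, body TEXT)`;
// the connection details below are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($db->connect_error) {
    die('Connection failed');
}
$db->set_charset('utf8mb4');

// 1. Input: take the raw text. Characters such as ? ! ; ' are data
//    here, not code, so nothing has to be stripped from it.
$body = $_POST['body'] ?? '';

// 2. Database boundary: a prepared statement keeps the text separate
//    from the SQL, so a quote or semicolon in $body cannot change the
//    query. (mysqli_real_escape_string() is the escaping alternative
//    to the mysql_real_escape_string() the thread mentions; a bound
//    parameter avoids building the SQL string at all.)
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
$stmt->bind_param('s', $body);
$stmt->execute();
$stmt->close();

// 3. Output boundary: escape for HTML only when rendering, as post #4
//    suggests. ENT_QUOTES covers both quote types, so the value is
//    also safe inside a single- or double-quoted attribute.
$result = $db->query('SELECT body FROM comments ORDER BY id DESC LIMIT 10');
while ($row = $result->fetch_assoc()) {
    $safe = htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8');
    echo "<li>$safe</li>\n";
}
```

Escaping at the boundary rather than on input also avoids the double-escaping problem raised at the end of post #7, because stored text is never pre-escaped.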
Apr 14, 2003, 15:14 #8
I think you are referring to a problem which does not exist unless in special circumstances. Characters like ? or ; will only affect your code if you eval() it, or use it in a regular expression.