What special chracters to filter

[Roj2002]

I'm having a html form and pass input from text fields via php to a sql database server. I want to filter all special characters that could be a problem like "?" or "!" etc, and also all special characters that might be a security problem for the sql server like ";", without restricting the user too much. So I wonder what special character I have to filter out? Any comments/ideas?

Michael

[prashidi]

PHP Code:

$text = htmlspecialchars($text);
$text = trim($text); 


Should fix most controversial stuff.

[Roj2002]

PHP Code:

$text = htmlspecialchars($text);
$text = trim($text); 


Should fix most controversial stuff.

Correct me if I'm wrong, but if you do so, the data that you enter into the database would contain "HTML characters" like ä etc, right? This is not a good idea, the data should be stored in it's original form. Only if the user makes some input mistakes they should get filtered out.

Michael

[prashidi]

well then simply insert the original text in the database and send the text through those two when you are about to display them on the screen. Maybe I am not understanding what the problem is.

[Roj2002]

well then simply insert the original text in the database and send the text through those two when you are about to display them on the screen. Maybe I am not understanding what the problem is.

Sorry, but it seems to me, that you don't understand the problem:

If a user enters special characters like !?; etc. in a textbox it can lead to problems. Depending on what you do with the data PHP e.g. could interpred a ? as the beginning of a new variable. Characters like ; could lead to security risks.

I didn't want a diskussion who to filter out these characters, but I wanted to know, what characters might be a security risk or could make problems if you pass them on with PHP...

Michael

[prashidi]

will this help?

http://www.sitepointforums.com/showt...hreadid=100055

[Egghead]

I wanted to know, what characters might be a security risk or could make problems if you pass them on with PHP...

Hi Michael

The translations htmlspecialchars() makes are "those most useful for everyday web programming" or they "have special significance in HTML" (according to php.net)
The translations performed are:

• '&' (ampersand) becomes '&'
• '"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
• ''' (single quote) becomes ''' only when ENT_QUOTES is set.
• '<' (less than) becomes '&lt;'
• '>' (greater than) becomes '&gt;'

To ensure every possible problematic character is converted, then use htmlentities() - I can not find out which characters are actually changed using this function, but a couple such as % and $ seem to be left untouched.
You can escape (put a backslash before certain characters) strings usings addslashes() and the characters you should escape are much the same as those escaped in htmlspecialchars(). You must remember that some other characters when escaped have a special meaning (e.g. \n \r and \t)

stript_tags() will pull out any HTML and PHP tags from a string - although it is not infallible.

When you are sending data to a database (presumably MySQL) then you it may be better to use the more specific database functions: mysql_escape_string() or mysql_real_escape_string()

I'm not sure if it is possible but if you start to feed a script some input which is already in entity format or maybe even pre-escaped, then perhaps you could sneek some tags or code in? I'm sure the example would not work but just imagine...

Code:

<input name="password_ok" value="true" ⁄>

[Jeff Lange]

I think you are referring to a problem which does not exist unless in special cercumstances. Characters like ? or ; will only affect your code if you eval() it, or use it in a regular-expression.