RLS0812

[HTML] How To Strip Characters Before $_Post


I am in the middle of designing my own message system and have run into an issue. Users are able to inject code into their messages, which is executed the next time the page is loaded.

Is there a way to strip all non-alphanumeric characters from a form before it gets sent to $_POST using either JavaScript or PHP?

The server I am on does NOT have jQuery, node.js or AJAX support.


When rendering untrusted (i.e. user-specified) data, always escape it. Do not rely on the client to escape the data - so do not perform the escaping in Javascript when submitting. Validating data is nice too, but do both.

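An added example (not code from the thread) of the point in this reply: the same stored message rendered once by raw interpolation, which is the bug the original poster describes, and once through htmlspecialchars at output time. The sample messages and the function names are constructed for the illustration.

```php
<?php
// Escape untrusted data where it meets HTML, not when the form is submitted.
// Run with: php render_message.php

// Constructed sample messages: ordinary text with HTML-significant characters,
// plus two that carry markup a browser would otherwise execute or style.
const SAMPLE_MESSAGES = [
    'Hello, 1 < 2 && "quotes" are fine',
    '<script>alert("stored message")</script>',
    '<b onmouseover="x()">bold</b>',
];

// Vulnerable: the raw string becomes part of the page's markup.
function render_unsafe(string $message): string
{
    return "<div class=\"msg\">$message</div>";
}

// Hardened: encode & < > " ' so the text is displayed, never parsed as markup.
// ENT_QUOTES covers single quotes too, so the same helper is safe inside a
// quoted attribute; the explicit charset avoids relying on a default.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_safe(string $message): string
{
    return '<div class="msg">' . html($message) . '</div>';
}

// Attribute context uses the same encoder; the attribute value must be quoted.
function render_title_attr(string $message): string
{
    return '<span title="' . html($message) . '">hover me</span>';
}

foreach (SAMPLE_MESSAGES as $m) {
    $safe = render_safe($m);
    // Sanity check: no raw tag survives the escaped rendering.
    assert(strpos($safe, '<script') === false && strpos($safe, '<b ') === false);

    echo "unsafe: ", render_unsafe($m), "\n";
    echo "safe:   ", $safe, "\n";
    echo "attr:   ", render_title_attr($m), "\n\n";
}
```

Note that the first message survives intact in the escaped output (the browser shows `1 < 2 && "quotes"` exactly as typed), which is what stripping non-alphanumeric characters on the client would destroy; escaping changes how the text is encoded, not what the user said.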

As of right now I haven't found a way to validate a form until after it's in $_POST.

My attempt at scrubbing the input after post:

<html>
<?php
 // Server-side scrub: drop everything except letters and digits before echoing.
 // Missing fields default to '' so a half-filled form does not raise a notice.
 if( isset($_POST["name"]) || isset($_POST["age"]) )
  {
     $x1 = preg_replace('/[^A-Za-z0-9]/', "", $_POST['name'] ?? '' );
     $x2 = preg_replace('/[^A-Za-z0-9]/', "", $_POST['age'] ?? '' );
     $_POST['name'] = $x1;
     $_POST['age'] = $x2;
     echo "Welcome ". $_POST['name']. "<br />";
     echo "You are ". $_POST['age']. " years old.";
     }
  else{
  $_POST['name'] = 'null';
  $_POST['age'] = 'null';
  }
?>
<body>
  <!-- $_PHP_SELF does not exist in PHP; $_SERVER['PHP_SELF'] does, and it is
       escaped here because its value can be influenced by the request URL. -->
  <form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="POST">
<br>
  Name: <input type="text" name="name" />
  Age: <input type="text" name="age" />
  <input type="submit" />
  </form>
</body>
</html>

Note: You can validate form values in javascript, but only as a convenience for the user. Always (!) validate on the server side too. Javascript can be disabled or altered very easily by the user. 

 

Something like this:

$errors = array();
// Whitelist checks: the field must match the expected shape or it is rejected.
// The ?? '' default keeps a missing field from raising an undefined-index notice.
if (!preg_match('/^\w+$/', $_POST['name'] ?? '')) $errors[] = 'name';
if (!preg_match('/^[1-9]+[0-9]*$/', $_POST['age'] ?? '')) $errors[] = 'age';

if (count($errors) > 0) {
    // display errors to user
}
else {
    // everything ok
}


This is just for validating user input, however. If you have something like a free text field and you basically want the user to be able to enter whatever they want, you must make sure to sanitize the input before storing it in the database or outputting it. There are various functions for this task: mysql_real_escape_string, addslashes, htmlspecialchars, etc. I suggest you become familiar with these concepts, that is, validation and sanitization.

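An added example, not code from the thread, that puts the two previous replies together: fields with a known shape (name, age) are validated with whitelist patterns and rejected on mismatch, while the free-text body is stored unchanged and escaped only when it is rendered. It uses PDO with an in-memory SQLite database and a prepared statement in place of the mysql_real_escape_string mentioned above (the mysql_ extension was removed in PHP 7); that driver choice, the table layout and the sample submissions are assumptions made for the example.

```php
<?php
// Validate structured fields, store free text verbatim via parameter binding,
// escape at the HTML boundary. Run with: php message_store.php (needs pdo_sqlite).

// Whitelist validation, as in the reply above: reject rather than silently strip.
function validate(array $input): array
{
    $errors = [];
    $name = $input['name'] ?? '';
    $age  = $input['age'] ?? '';
    // letters, digits or underscore, 1 to 32 characters
    if (!preg_match('/^\w{1,32}$/', $name)) {
        $errors[] = 'name';
    }
    // positive integer without a leading zero, at most three digits
    if (!preg_match('/^[1-9][0-9]{0,2}$/', $age)) {
        $errors[] = 'age';
    }
    return $errors;
}

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, name TEXT, body TEXT)');
    return $db;
}

// The body is stored exactly as typed: parameter binding keeps the SQL and the
// data separate, so no string escaping is needed for the query.
function store_message(PDO $db, string $name, string $body): int
{
    $stmt = $db->prepare('INSERT INTO messages (name, body) VALUES (:name, :body)');
    $stmt->execute([':name' => $name, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// Escaping happens once, here, where the stored text becomes HTML.
function render_messages(PDO $db): string
{
    $out = '';
    foreach ($db->query('SELECT name, body FROM messages ORDER BY id') as $row) {
        $out .= '<p><b>' . htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
              . '</b>: '  . htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8')
              . "</p>\n";
    }
    return $out;
}

// Constructed submissions standing in for successive $_POST arrays.
$submissions = [
    ['name' => 'alice', 'age' => '27', 'body' => "Nice level! 2 > 1, isn't it?"],
    ['name' => 'bob; DROP TABLE', 'age' => '0', 'body' => 'should never be stored'],
    ['name' => 'carol', 'age' => '31', 'body' => '<script>alert(1)</script> & more'],
];

$db = open_store();
foreach ($submissions as $s) {
    $errors = validate($s);
    if ($errors) {
        echo 'rejected (', implode(', ', $errors), '): ', json_encode($s['name']), "\n";
        continue;
    }
    $id = store_message($db, $s['name'], $s['body']);
    echo "stored #$id\n";
}

$html = render_messages($db);
// Sanity check: the stored script tag reaches the page only in encoded form.
assert(strpos($html, '<script') === false && strpos($html, '&lt;script') !== false);
echo $html;
```

The second submission fails both checks and is never stored; the third is stored with its angle brackets intact, and only the rendering step turns them into `&lt;` and `&gt;`. Keeping the raw text in the database is deliberate: the same message may later be sent by e-mail, into JSON, or into a log, and each of those outputs needs its own encoding rather than a pre-mangled string.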