Keeping users from breaking the code

Status
Not open for further replies.

southbeach (Programmer), US, Jan 22, 2008
I know, nearly impossible, but I know I have a huge hole and I want to close it (not patch it) before it is too late.

I am afraid that my code will start breaking apart once users start using characters like
Code:
' , ` # " % \ / {} [ ] & * @
within fields. It already happened when I tried to pass (via URL) a field that had # in it. Ironically, the user himself reported the problem and the cause.

I cannot ask them not to use these characters, so what is my solution to

1. Write to MySQL, read from MySQL and display on screen
2. Pass them via URL
3. When passing via URL, what must I use on the other end if not our normal $_GET/REQUEST

Thank you all in advance for your assistance.
 
You may want to run your field inputs through functions such as
htmlentities() or htmlspecialchars()

These will transform characters like the ones you posted into their HTML code equivalents.

If this does not help, perhaps you can tell us how your code breaks when one of those characters is used.

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.
 
You don't "just glue them" to the URL, do you? If you do, escape them first by using the urlencode function AND find a good book on web security.

+++ Despite being wrong in every important aspect, that is a very good analogy +++
Hex (in Darwin's Watch)
 
Browsers will encode these characters for the journey from the browser to the server. The method of encoding depends on what you have specified for the form. If you are constructing the query string manually, remember to use encodeURI or similar from JavaScript.

For the processing of the input in PHP: the No. 1 rule is never to trust user input. You should have a suite of cleansing code to protect your database from misuse and your code from breaking. vacunita's pointers are a great place for you to start that process.
 
Thank you guys!

I also found that using mysql_real_escape_string() is a good practice.

Regards
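The three contexts the thread covers (SQL, URL, HTML output) each need their own encoding, and the PHP below walks a single awkward field value through all of them. This is an added example, not code from any poster; it assumes a mysqli connection `$db` and a table `items` with a `label` column, uses a mysqli prepared statement in place of the mysql_real_escape_string() mentioned above (the old mysql_* extension has since been removed from PHP), and the sample value is constructed.

```php
<?php
// Constructed sample value containing every character the original poster listed.
$value = "Rack #7 / 'B' & \"C\" 100% {x} [y] \\ @ * `";

// 1. Writing to MySQL: keep the value out of the SQL text entirely by binding
//    it as a parameter; the driver handles quoting of ' " \ for you.
//    Reading back returns the raw characters unchanged, because escaping is
//    only for the transport into SQL, nothing is stored escaped.
//    (hypothetical table/column names: items.label)
function insertLabel(mysqli $db, string $value): bool {
    $stmt = $db->prepare("INSERT INTO items (label) VALUES (?)");
    $stmt->bind_param("s", $value);
    return $stmt->execute();
}

// 2. Passing via URL: encode the VALUE part of each query parameter.
//    '#' ends the URL proper (everything after it is a fragment and never
//    reaches the server), '&' separates parameters and '%' starts an escape
//    sequence, so all three must become %xx sequences before gluing.
function buildLink(string $value): string {
    // Same result as "edit.php?label=" . urlencode($value)
    return "edit.php?" . http_build_query(["label" => $value]);
}

// 3. On the receiving page $_GET already holds the DECODED value, so do not
//    call urldecode() on it again (a literal "%25" would wrongly become "%").
//    What you must do instead is encode for the output context, here HTML,
//    so that < > & " ' cannot break out of the markup.
function showLabel(string $fromGet): string {
    return "<td>" . htmlspecialchars($fromGet, ENT_QUOTES, "UTF-8") . "</td>";
}

// Round trip check: simulate what the receiving page's $_GET would contain.
// parse_str() performs the same percent-decoding PHP does when it fills $_GET.
$query = parse_url(buildLink($value), PHP_URL_QUERY);
parse_str($query, $params);
assert($params["label"] === $value);       // '#' and '%' survived intact

echo buildLink($value), "\n";              // label=Rack+%237+%2F+%27B%27+%26+...
echo showLabel($params["label"]), "\n";    // <td>Rack #7 / &#039;B&#039; &amp; &quot;C&quot; ...</td>
```

The escaping functions never need to be nested: each one is applied exactly once, at the point where the value enters the context it protects (SQL, URL, HTML), not when the value is read back out.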
 