Check data before insert database

edhan · #1 (**permalink**) 11-07-2007, 10:34 AM

Hi

I hope I am asking this question in the right forum.

I am having a text description input by user to insert into database but I want to avoid symbol like </>. So how do I check using php to reject when the user input these in the text description?

Appreciate any help or advice.

Thanks!

imvain2 · #2 (**permalink**) 11-07-2007, 04:26 PM

Depending on what you really want to do, you have a few options.

You could always use strip_tags to remove those tags.

You could simply do a string replace and replace < with the &ltX and the > with &gtX (I didn't know if the forum would show my character entities correctly or not so replace the X with a semi colon.

Or if you really want to reject, simply use the strpos to detect the exact symbols, if they are found, redirect the user with a message telling them they entered bad characters or if the text is clean then add to the database.

niggles · #3 (**permalink**) 11-07-2007, 04:57 PM

If you're doing it for security reasons then it gets a lot harder as there's numerous ways of encoding those characters which will bypass most filtering techniques - check out some XSS tutorials to see just how many there are *sigh*.

I agree with imvain2 that strip_tags is probably the easiest way of stripping the tags out.

To be really safe though you could do a regex which only allows Alpha and Numeric characters to remain.

Cheers,
Niggles

edhan · #4 (**permalink**) 11-07-2007, 09:54 PM

Quote:

Originally Posted by imvain2

Depending on what you really want to do, you have a few options.

You could always use strip_tags to remove those tags.

You could simply do a string replace and replace < with the &ltX and the > with &gtX (I didn't know if the forum would show my character entities correctly or not so replace the X with a semi colon.

Or if you really want to reject, simply use the strpos to detect the exact symbols, if they are found, redirect the user with a message telling them they entered bad characters or if the text is clean then add to the database.

Yes, I am interested in knowing how to use the strpos to detect the exact symbols and redirect user to a message that they have entered bad characters and to re-enter them again. As I am not very familiar of how to write this, appreciate if you can give me the sample code where I can use to implement this checking. Sorry if I am asking too much as I am totally blurred on this.

Thanks!

imvain2 · #5 (**permalink**) 11-07-2007, 10:07 PM

I agree with niggles, you may want remove the tags, or if you need to detect then I would do a mix of solutions due to the XSS.

Please note that I haven't tested this code out, I just changed around the info from PHP: strpos - Manual.

Code:

$haystack = $_POST["textinput"];
$haystack = str_replace("<", "&lt;", $haystack);
$haystack = str_replace(">", "&gt;", $haystack);

$needle   = '&lt;/&gt;';
$pos = strpos($haystack, $needle);

if ($pos === false) {
    //add to db
} else {
   echo "Please remove those tags and try again";
}

edhan · #6 (**permalink**) 11-07-2007, 10:18 PM

Hi imvain2

Thanks for the code, I will try it to see if it works and let you know.

edhan · #7 (**permalink**) 11-07-2007, 10:43 PM

Hi imvain2

The code works! I need to add a slash for for haystack to make it works.

Thanks a million!

Code:

$haystack = $_POST["textinput"];
$haystack = str_replace("</", "&lt;/", $haystack);
$haystack = str_replace(">", "&gt;", $haystack);

$needle   = '&lt;/&gt;';
$pos = strpos($haystack, $needle);

if ($pos === false) {
    //add to db
} else {
   echo "Please remove those tags and try again";
}