Cronwerks MCCode/MCCodes Forums



This forum is now closed and has moved to a new location! Click here to find out why.

Topic: FILTER_SANITIZE Questions? (Read 1394 times)

Drizzah

FILTER_SANITIZE Questions?
« on: May 15, 2010, 03:26:32 AM »
I am extremely new to this, so any help is appreciated.

1.) I want to polish off the player's username as much as I can. Basically, try my best to remove everything besides numbers and letters. I have heard of the other ways, but I want to use the sanitize options instead. My question is: using the code below, is one line that's removing the characters I want it to actually removing them, only to be replaced by one of the other lines?

I have tried over and over to notice anything strange and have not found it doing anything wrong. I would like some opinions on this question because, even though I think it's working, it may have some flaws.

```php
// Each filter_input() call reads the ORIGINAL request data, not the current value of
// $_POST['newname'], so every assignment below replaces the result of the line before it;
// only the last two lines end up in effect. (mysql_real_escape_string() also needs an
// open database connection, and the mysql_* functions were removed in PHP 7.)
$_POST['newname'] = strip_tags(mysql_real_escape_string($_POST['newname']));
$_POST['newname'] = filter_input(INPUT_POST, 'newname', FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_LOW);
$_POST['newname'] = filter_input(INPUT_POST, 'newname', FILTER_SANITIZE_SPECIAL_CHARS, FILTER_FLAG_STRIP_HIGH);
$_POST['newname'] = filter_input(INPUT_POST, 'newname', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
$_POST['newname'] = filter_input(INPUT_POST, 'newname', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
// Blacklist of characters and words, applied to whatever the previous line produced.
$_POST['newname'] = str_ireplace(array("&lt;", "&gt;", "&amp;", "&", "!", "@", "#", "$", "%", "^", "*", "(", ")", "-", "+", "=", "[", "]", ":", ";", ".", "?", "{", "}", "|", "~", "<", ">", "/", "&copy;", "&trade;", "staff", "administrator", "programmer", "moderator", "owner", "'", "`", "39"), '', $_POST['newname']);
```

2.) I would really like to be able to use these sanitize strings in the globals file to control all $_POST and $_GET vars, but only have to use it once instead of over and over for each field name in the forms.

Example:
```php
$_POST['text'] = filter_input(INPUT_POST, 'text', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
```
The above only works for the above $_POST var and field name.
I would like it to work for all $_POST vars and field names.

Something like the below, to give you an idea of what I mean. It does not work, but you get the idea.
```php
$_POST = filter_input(INPUT_POST, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
```


Thanks for your help, if any. ???
Good Info and Help with Securing
Strip HTML Tags - PHP Filtering

Cronus

Re: FILTER_SANITIZE Questions?
« Reply #1 on: May 15, 2010, 04:46:18 AM »
Code: [Select]
```php
$res = preg_replace("/[^a-zA-Z0-9]/", "", $string);
```
This is what I found online, should allow only letters and numbers.
If you choose this route, it automatically cuts out any special chars so you may want to print the name to the user and have them "confirm" their name. Otherwise it may strip things from their name, they won't know, and will be locked out of the game.

I just took a few moments to look this up but from what I've read it should work. Not tested.
My msn is preston__08@hotmail.com if anyone is interested, I am online frequently.
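The whitelist from the reply above, as an added example that is not code from the thread: the same preg_replace wrapped so the caller learns whether anything was stripped and can show the user the cleaned name to confirm, next to a validate-and-reject variant that never alters the name at all. The 3..20 length bounds and the function names are assumptions.

```php
<?php
// Added example, not from the thread. Length bounds 3..20 and the function names are assumed.

// Sanitize route from the reply above: strip everything but letters and digits, and
// report whether the result differs from what the user typed so the page can ask
// them to confirm the cleaned name instead of silently saving it.
function clean_username(string $raw, int $max = 20): array
{
    $clean = substr(preg_replace('/[^a-zA-Z0-9]/', '', $raw), 0, $max);
    return ['name' => $clean, 'changed' => $clean !== $raw];
}

// Validate route: accept only names that already match and reject the rest with a message.
// Nothing is altered behind the user's back, so no confirmation step is needed.
function is_valid_username(string $raw): bool
{
    return preg_match('/^[a-zA-Z0-9]{3,20}$/', $raw) === 1;
}

// Constructed inputs, not real user data.
foreach (['Drizzah', 'Dr.izzah!', '<b>Admin</b>', 'x'] as $in) {
    $r = clean_username($in);
    printf("%-14s sanitized=%-10s changed=%-3s valid=%s\n",
        $in, $r['name'], $r['changed'] ? 'yes' : 'no', is_valid_username($in) ? 'yes' : 'no');
}
```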

Danny696

Re: FILTER_SANITIZE Questions?
« Reply #2 on: May 15, 2010, 05:08:45 AM »
You're doing this the lazy way, I suggest securing every page.
Project Choosen - 10%
Daniel - Hanson . Com

Cronus

Re: FILTER_SANITIZE Questions?
« Reply #3 on: May 15, 2010, 05:14:30 AM »
Quote
You're doing this the lazy way, I suggest securing every page.
All he asked for help with was filtering the name?
Perhaps we should do something relevant to what he wanted?
My msn is preston__08@hotmail.com if anyone is interested, I am online frequently.

Danny696

Re: FILTER_SANITIZE Questions?
« Reply #4 on: May 15, 2010, 05:24:05 AM »
Quote
I would really like to be able to use these sanitize strings in the globals file to control all $_POST and $_GET vars, but only have to use it once instead of over and over for each field name in the forms.
Read it, then come back to me -.-
Project Choosen - 10%
Daniel - Hanson . Com

Cronus

Re: FILTER_SANITIZE Questions?
« Reply #5 on: May 15, 2010, 05:59:41 AM »
Hmm using the same function for both is a bad idea either way.

In regular mails/profilesigs/forumposts/etc you would not only want letters and numbers. You would need periods, commas, etc etc. You cannot have both in one function if you only want letters and numbers in the name. I'm simply giving a solution for the name filtering.
My msn is preston__08@hotmail.com if anyone is interested, I am online frequently.

Drizzah

Re: FILTER_SANITIZE Questions?
« Reply #6 on: May 16, 2010, 06:34:09 PM »
Thanks so far for the replies. I also should have made it clearer so I didn't receive replies that weren't needed as much, lol. I do want this for the global file, but I will still be trying to secure the queries as best I can with mysql_real_escape_string and strip_tags for the input stuff and abs(@intval for numbers (if that works best). Then, of course, using the other stuff to display the output correctly.

My main post is being used for the user's name only, but I still want to use it for all other posts, taking certain chars out of it like the periods and such. I want this line of code to be basically my back-up defense, using it just in the global file and not on every file.

It is just that I don't want to have all the extra code not needed if it could be pulled from one file. Or I would go with it on each file if I was able to use it for all the posts and then one line for all the gets. Right now, I can only get it to work by adding the code for every single form field over and over again.

I used it on my prefs file to secure the field names and, by the time they were secured, I had about 25 lines of code that I hope could be knocked down to about 2 or 3. I hope this made more sense, lol, thanks.
« Last Edit: May 16, 2010, 06:40:41 PM by Drizzah »
Good Info and Help with Securing
Strip HTML Tags - PHP Filtering
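For the "one place for all $_POST fields" question (the first post and Reply #6) and Cronus's point in Reply #5 that names and mails need different rules, an added example that is not code from the thread: per-field definitions applied in a single filter_var_array() call, which is exactly what filter_input_array(INPUT_POST, $defs) does against the live request, so globals.php needs one call rather than one line per form field. It also shows why the chained filter_input() lines in the first post replace rather than stack: each call re-reads the raw request, so flags belong OR'd together in one call. The field names and the default rule for undeclared fields are assumptions.

```php
<?php
// Added example, not code from the thread. Field names and the default rule are assumed.

// Usernames: letters and digits only (the whitelist from Reply #1).
function strict_name(string $raw): string
{
    return preg_replace('/[^a-zA-Z0-9]/', '', $raw);
}

// Per-field rules in the array format filter_input_array()/filter_var_array() accept.
// Free-text fields keep punctuation but get <, >, &, quotes encoded and control/high
// bytes stripped; note the two flags are OR'd in ONE call. Calling filter_input()
// several times (as in the first post) does not stack: each call re-reads the raw
// request, so every assignment discards the previous one.
const FIELD_FILTERS = [
    'newname' => ['filter' => FILTER_CALLBACK, 'options' => 'strict_name'],
    'bio'     => ['filter' => FILTER_SANITIZE_SPECIAL_CHARS,
                  'flags'  => FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH],
    'age'     => ['filter' => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 0, 'max_range' => 150]],
];

function filter_request(array $input): array
{
    // Fields without an explicit rule fall back to the free-text sanitizer, so nothing
    // reaches the page untouched. Validation failures come back as false: reject those.
    $default = ['filter' => FILTER_SANITIZE_SPECIAL_CHARS,
                'flags'  => FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH];
    $defs = FIELD_FILTERS;
    foreach (array_keys($input) as $field) {
        $defs[$field] = $defs[$field] ?? $default;
    }
    // Against the live request this is filter_input_array(INPUT_POST, $defs, false)
    // in the globals file; filter_var_array() runs the same definitions on a plain array.
    return filter_var_array($input, $defs, false);
}

// Constructed sample request, not real traffic.
$post = [
    'newname' => "Dr<b>izzah</b>'; DROP--",
    'bio'     => "Hi <script>x</script> & \"bye\"\x01",
    'age'     => '12abc',
    'extra'   => '<i>unlisted</i>',
];
var_dump(filter_request($post));
```

Sanitizing on input is only the fallback Drizzah describes; the query still needs a prepared statement and the output still needs htmlspecialchars() at display time.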
 

