Hi Dotan, Why not use mysql_escape_string()?
On 4/20/07, Dotan Cohen <[EMAIL PROTECTED]> wrote:
I've got a comments form that I'd like to harden against SQL Injection / XSS attacks. The data is stored in UTF-8 in a mysql database. I currently parse the data as such: $_POST["commentform"]=str_replace ("'", "''", $_POST["commentform"]); // q->qq $_POST["commentform"]=str_replace ("--", "", $_POST["commentform"]); // -- -> x $_POST["commentform"]=str_replace (";", "", $_POST["commentform"]); // ; -> x $_POST["commentform"]=str_replace ("=", "''", $_POST["commentform"]); // = -> x $_POST["commentform"]=preg_replace ("/java/i", "''", $_POST["commentform"]); $_POST["commentform"]=preg_replace ("/script/i", "''", $_POST["commentform"]); $_POST["commentform"]=preg_replace ("/src=/i", "''", $_POST["commentform"]); $_POST["commentform"]=preg_replace ("/src =/i", "''", $_POST["commentform"]); $_POST["commentform"]=preg_replace ("/iframe/i", "''", $_POST["commentform"]); $_POST["commentform"]=preg_replace ("/rel=/i", "''", $_POST["commentform"]); $_POST["commentform"]=preg_replace ("/rel =/i", "''", $_POST["commentform"]); $_POST["commentform"]=preg_replace ("/href=/i", "''", $_POST["commentform"]); $_POST["commentform"]=preg_replace ("/href =/i", "''", $_POST["commentform"]); $_POST["commentform"]=preg_replace ("//i", "''", $_POST["commentform"]); $_POST["commentform"]=htmlspecialchars( mysql_real_escape_string ($_POST["commentform"]) ); The first statement doubles up quotes, it's a bit difficult to see in the code. After seeing this: http://ha.ckers.org/xss.html and another similar one for SQL injection, I'm worried that my filters are not enough. What do the pro php programers out there use? Thanks in advance. Dotan Cohen http://lyricslist.com/ http://what-is-what.com/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
-- Leonard Burton, N9URK http://www.jiffyslides.com [EMAIL PROTECTED] [EMAIL PROTECTED] "The prolonged evacuation would have dramatically affected the survivability of the occupants." -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php