[RESOLVED] Filtering & sanitizing user comments
Hi guys :wave:
I'm creating a comment system, where users could post their comments about particular titles.
I'll collecting:
- Name
- Email
- Comment
- IP address (via $_SERVER['REMOTE_ADDR'])
I'll be storing this comments in the database and will be displaying later.
What I wanna do:
- remove any sql injection possibilies (presently, I'm not using PDO or mySQLi)
- remove any possible HTML code or any scripts being entered by the user
- display only plain-text
I have tried gathering some info from Google.
strip_tags()
PHP Filter Functions
htmlentities
But I'm a bit confused as some people used depreciated functions.
If you are supposed to create something like this, what all things will you use/include ?
Thanks :wave:
Re: Filtering & sanitizing user comments
you should read this: http://php.net/manual/en/security.da...-injection.php
i always use strip_tags(), and mysql_real_escape_string()
if you wanna use the tags to make BB codes later on, you should use this function instead of strip_tags: http://php.net/manual/en/function.htmlspecialchars.php
list of html special characters: http://www.utexas.edu/learn/html/spchar.html
also one function i use to check if the name is alphanumeric:
PHP Code:
function namecheck($str){
$str_length = strlen($str);
for($i=0;$i<$str_length;++$i){
$character = substr($str,$i,1);
if ((ord($character) < 65) & (!(ord($character) > 47) && (ord($character) < 58)) && (!(ord($character) == 32))) {
return false;
}
if ((ord($character) > 90) && (ord($character) < 97)) {
return false;
}
}
return true;
}
Re: Filtering & sanitizing user comments
Thanks :wave:
I found a couple of methods that could check whether the string is alpha or alphanumeric:
Seems like a bit faster than using regular expression (via, preg_match()).
:wave:
Re: Filtering & sanitizing user comments
Use PDO and htmlspecialchars.
Re: Filtering & sanitizing user comments
Quote:
Originally Posted by
penagate
Use PDO and htmlspecialchars.
Thanks :wave: