Spoofed Form Security

Question

davy_yg 2 Posting Whiz

12 Years Ago

I basically trying to capture the input information then print the on the screen. Noted, that I must implement filter input and escape output. Please checked whether this result is correct:

receive.php

<html>

<?php

$nama = isset($_POST['nama']) ? $_POST ['nama'] : '';
$color =  isset($_POST['color']) ? $_POST ['color'] : '';


$newnama = htmlspecialchars($nama, ENT_QUOTES);
$newcolor =  htmlspecialchars($color, ENT_QUOTES);


RemoveBad($newnama);
RemoveBad($newcolor);

// filter input

function RemoveBad($strTemp) { 
    $strTemp = $strTemp.replace("/<|>|||%|;|(|)|&|+|-/g","");
    return $strTemp;
} 

?>

<h1> Print Output </h1>
Nama  :  <?php echo $newnama ?>
Color   :  <?php echo $newcolor ?>

</html>




Fatal error: Call to undefined function replace() in C:xampphtdocsphp_exercisereceive.php on line 19
line 19:     $strTemp = $strTemp.replace("/<|>|||%|;|(|)|&|+|-/g","");

php

Edited 12 Years Ago by davy_yg because: add new information

4 Contributors
10 Replies
198 Views
2 Days Discussion Span
Latest Post 12 Years Ago Latest Post by pritaeas

diafol

12 Years Ago

use preg_replace. .replace is js. Also I think you need to do this:

$newnama = RemoveBad($newnama);
$newcolor = RemoveBad($newcolor);

Otherwise you're just returning the operation to nothing.

Philippe.Lahaie 42 Posting Whiz in Training

12 Years Ago

preg_replace

pritaeas 2,194 ¯\_(ツ)_/¯

12 Years Ago

( and ) are special characters, you need to escape them with a backslash.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

davy_yg 2 Posting Whiz · Answer 1 · 2012-05-08T06:49:55+00:00

Warning: preg_replace() expects at least 3 parameters, 2 given in C:\xampp\htdocs\php_exercise\receive.php on line 19

davy_yg 2 Posting Whiz · Answer 2 · 2012-05-08T14:42:53+00:00

davy_yg 2 Posting Whiz

12 Years Ago

why is it ?

davy_yg 2 Posting Whiz · Answer 3 · 2012-05-09T07:18:30+00:00

Hi, I have modified line 19 to:

$strTemp = $strTemp.preg_replace("/\<|>|\|\|\%|\;|(|)|\&|+|-/","", $strTemp);

I tested the program :

<html>
Spoofed Form Security
<form action="receive.php" method="POST">
Nama:
<input type="textbox" name="nama"></br>
Warna Favorit: <select name="color">
<option value="red">red</option>
<option value="green">green</option>
<option value="blue">blue</option>
</select>
<input type="submit">
</form>

Nama: fasfasd(
Warna: red

Output: Nama : sdfsdfsd(sdfsdfsdColor : redred

It suppose to delete the ( sign and all others strange sign. How ?

davy_yg 2 Posting Whiz · Answer 4 · 2012-05-10T14:13:17+00:00

where to place the backslash ? before which codes ?

pritaeas 2,194 ¯\_(ツ)_/¯ Moderator Featured Poster · Answer 5 · 2012-05-10T14:14:59+00:00

pritaeas 2,194 ¯\_(ツ)_/¯

12 Years Ago

Before the parenthesis.

davy_yg 2 Posting Whiz · Answer 6 · 2012-05-10T14:21:06+00:00

I still do not understand. can you copy my codes and show me where exactly to place the backslash? you mean like this:

$strTemp = $strTemp.replace
/ ("/<|>|||%|;|(|)|&|+|-/g","");

pritaeas 2,194 ¯\_(ツ)_/¯ Moderator Featured Poster · Answer 7 · 2012-05-10T14:44:05+00:00

$strTemp = preg_replace('/<|>|\||%|;|\(|\)|&|\+|-/i', '', $strTemp);