
Resolved: safe users commenting



auriaks
11-09-2009, 01:40 AM
Hi, I want to know how I need to change my forum script so that no one can enter PHP or other code to damage my site (for example: !error strings).
My script:


<?php
session_start(); // $_SESSION['nick'] is read below, so the session has to be started first

//connect to the database
$connect = mysql_connect("nnn","nnn","nnn") or die("Error connecting to db");
//select database
mysql_select_db("nnn") or die("Error selecting db");

//use query to get ALL data
$queryget = mysql_query("SELECT * FROM guestbook ORDER BY `date` DESC, `time` DESC") or die("Error with query");
while ($row = mysql_fetch_array($queryget))
{
// get row data and store in variables
$id = $row['id'];
$name = $row['name'];
$message = $row['message']; // stored exactly as the visitor typed it
$date = $row['date'];
$time = $row['time'];

// show data to user: $name and $message are echoed into the HTML unencoded,
// so any tag or script a visitor typed is rendered by the browser
echo "
<table>
<tr>
<td width='500px'>
<font size='2' face='Showcard Gothic'>
<hr>Autorius: <b>$name</b> <br> $date
</font>
</td>
</tr>
<tr>
<td width='500px' bgcolor='#5CB3FF'>
<font size='2' face='Showcard Gothic'><b>
$message<br><hr>
</b></font>
</td>
</tr>
</table>
";
}

echo "<hr>";

if (isset($_POST['submit']))
{

$name = $_SESSION['nick'];
$message = $_POST['message'];
$date = date("Y-m-d");
$time = date("H:i:s");

if ($message)
{

$tag = $_POST['message']; // this is the posted message field, from the form

$tag = str_replace(':|', '<img src="images/emoticons/blank.gif" alt="">', $tag);


echo $tag; // echo the output, with emoticons showing (still the raw visitor text)

// $name and $tag are spliced straight into the SQL string with nothing escaping
// them, so a quote in either one can end the value and the rest is read as SQL

mysql_query("INSERT INTO guestbook (Name, Message, time, date)
VALUES('$name', '$tag', '$time', '$date')") or die(mysql_error());
echo "Please wait...<meta http-equiv='refresh' content='2'>";

}
else
echo "Please fill out all fields!";


}
?>


I use $tag to convert pictures; I could also use it to solve this problem, but I need a better idea, because I can't write all the error variables, etc. There will always be new code to break my web page.

If you need more info, ask. Thanks :)

fg123
11-10-2009, 01:16 AM
Is there a strip-tag thing to remove tags?

thetestingsite
11-10-2009, 01:30 AM
You could use mysql_real_escape_string() (http://www.php.net/mysql_real_escape_string), strip_tags() (http://www.php.net/strip_tags), htmlspecialchars() (http://www.php.net/htmlspecialchars), and htmlentities() (http://www.php.net/htmlentities) to take care of this.

Hope this helps.

Nile
11-10-2009, 01:45 AM
Remember to use the functions before the data is inserted into any database, especially mysql_real_escape_string, or your database is vulnerable to sql injection.
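
The guestbook from the first post, rewritten as an added example (this is not the original poster's script and not code from any reply) to show where the two functions named above actually belong: the message is bound as a query parameter when it goes into MySQL, and encoded with htmlspecialchars() when it comes back out into HTML. It assumes a mysqli connection (the mysql_* functions in the original were removed in PHP 7), a guestbook table with the columns id, name, message, date and time, and that the login page has already set $_SESSION['nick'].

```php
<?php
// Added example, not the original poster's script: the same guestbook with the
// two untrusted strings ($name from the session, $message from the form) handled
// at the two places they leave PHP. Assumes a mysqli connection, a `guestbook`
// table with columns id, name, message, date, time, and $_SESSION['nick'] set
// by the login page (all assumptions, not taken from the thread).

session_start();

$db = new mysqli("nnn", "nnn", "nnn", "nnn");
if ($db->connect_error) {
    die("Error connecting to db");
}
// Escaping and encoding are only correct when PHP and MySQL agree on the charset.
$db->set_charset("utf8mb4");

// Boundary 1: text -> HTML. Encode first, then add the emoticon markup that we
// control, so "<script>" typed by a visitor comes out as "&lt;script&gt;" while
// ":|" still becomes our <img>. strip_tags() alone is not enough here: it leaves
// quotes and attribute text that can still break out of the tag you echo into.
function render_message(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return str_replace(':|', '<img src="images/emoticons/blank.gif" alt="">', $safe);
}

if (isset($_POST['submit'])) {
    $name    = $_SESSION['nick'] ?? '';
    $message = $_POST['message'] ?? '';
    $date    = date("Y-m-d");
    $time    = date("H:i:s");

    if ($name !== '' && $message !== '') {
        // Boundary 2: text -> SQL. The values are bound as parameters, so a quote
        // or comment marker in $message is data, not part of the query.
        // ($db->real_escape_string($message) inside quotes is the mysqli form of
        // the mysql_real_escape_string() mentioned above; binding removes the
        // bug class instead of escaping around it.)
        $stmt = $db->prepare(
            "INSERT INTO guestbook (name, message, time, date) VALUES (?, ?, ?, ?)"
        );
        if ($stmt === false) {
            die("Error with query");
        }
        $stmt->bind_param("ssss", $name, $message, $time, $date);
        // Do not echo $stmt->error to visitors; it describes your schema to them.
        if (!$stmt->execute()) {
            die("Error with insert");
        }
        $stmt->close();
        echo "Please wait...<meta http-equiv='refresh' content='2'>";
    } else {
        echo "Please fill out all fields!";
    }
}

// Read back and display. The raw text is stored, so encoding happens here, once,
// for the HTML context it is printed into.
$result = $db->query(
    "SELECT name, message, `date`, `time` FROM guestbook ORDER BY `date` DESC, `time` DESC"
);
if ($result === false) {
    die("Error with query");
}
while ($row = $result->fetch_assoc()) {
    $name    = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $date    = htmlspecialchars($row['date'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $message = render_message($row['message']);
    echo "<table><tr><td width='500px'><hr>Autorius: <b>$name</b> <br> $date</td></tr>"
       . "<tr><td width='500px' bgcolor='#5CB3FF'><b>$message<br><hr></b></td></tr></table>";
}
```

The ordering is the point: the database keeps what the visitor typed, the SQL side is protected by parameter binding at insert time, and HTML encoding is applied at output time for the place the text lands. Storing already-encoded text instead would break as soon as the same message is shown somewhere that is not HTML (an e-mail, a JSON feed), and encoding before the emoticon replacement is what keeps a visitor from smuggling in their own <img>.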

auriaks
11-10-2009, 06:01 PM
OK. Thank you guys :)

fg123
11-11-2009, 01:16 AM
You're welcome. ;)

auriaks
11-11-2009, 03:47 PM
Hey, when I want to check whether a variable is only a number I write:

if (!is_numeric($password)) { } else {
exit("only numbers!");
}

What do I have to write to check if there are characters like .,/\|#$%^&!@)(_+? ?

thetestingsite
11-12-2009, 01:57 AM
For that you would want to use preg_match (http://www.php.net/preg_match) and regular expressions.

Hope this helps.

Nile
11-12-2009, 02:04 AM
When learning regular expressions, keep in mind it can get frustrating, and they are hard to learn (at least for me).

auriaks
11-12-2009, 02:06 AM
What will happen then? "Frustrating": what does that mean?

auriaks
11-12-2009, 02:09 AM
:D This code is too hard for me :D ;D I understood is_numeric, but this is hard.

Nile
11-12-2009, 02:36 AM
Frustrating means annoying and hard.

auriaks
11-12-2009, 01:53 PM
Can you write me an example with the $msg variable?

fg123
11-13-2009, 01:53 AM
frustrating?
frus·trate (frŭs′trāt′)
tr.v. frus·trat·ed, frus·trat·ing, frus·trates
1.
a. To prevent from accomplishing a purpose or fulfilling a desire; thwart: A persistent wind frustrated my attempt to rake the lawn.
b. To cause feelings of discouragement or bafflement in.
2. To make ineffectual or invalid; nullify.
[Middle English frustraten, from Latin frustrārī, frustrāt-, from frustrā, in vain.]
frus·trat′er n.
frus·trat′ing·ly adv.

auriaks
11-13-2009, 04:58 PM
Please, people, help me with this....

I have two variables, $user and $pass.
What PHP script will not let users insert characters like .?/,|\][)(-+ into my login and password inputs? Thanks

james438
11-14-2009, 02:00 AM
The following will say that there are strange characters if there is anything other than a capital or lower case letter. Spaces are also counted as a strange character in this snippet of code.

<?php
$test='thisissometext';
if(preg_match('/[^a-zA-Z]/', $test)) {
echo "YES, odd characters were found";
}
else {echo "NO odd characters were found";}
?>

This is an example of PCRE (Perl Compatible Regular Expressions).

I have a tutorial on it here http://www.animeviews.com/article.php?ID=66&category=programming
and here http://www.animeviews.com/article.php?ID=86&category=programming
and have a page of examples here http://www.animeviews.com/article.php?ID=59&category=programming

auriaks
11-17-2009, 06:42 PM
if(preg_match('/\W/', $password, $nick, $name, $telephone)) {
$value = '1';
}

What is wrong with this command? I got: Warning: preg_match() expects parameter 4 to be long, string given in /home//domains/l//register.php
I want to check these 4 strings for symbols in them; how do I have to change it?

james438
11-17-2009, 09:11 PM
You are trying to preg_match an array. I am pretty sure you can't do that. At least I can't read anywhere in the documentation where you can and I have not been able to do so. You can use arrays with preg_replace, but that is a different function and as you can probably guess it is a regular expression function designed to find matches and replace the matches found, but doesn't tell you IF a match was found.

What you are asking for can best be done with a loop like


<?php
$num=0;
$all=array("th%is","that","& the next thing");
foreach($all as $t){
    $num++;
    if(preg_match('/\W/', $t)) {
        echo "value $num MATCHES<br>";
    }
    else echo "value $num DOES NOT MATCH<br>";
}
?>

Remember, though, \W will match letters numbers and the underscore _

auriaks
11-17-2009, 10:06 PM
What about this?


if(preg_match('/\W/', $password)) {
    echo "<center><font size='1' face='Verdana' color='blue'><b>!!! Symbols detected!!!</b></font></center>";
    $string = '1';
} else {
    if(preg_match('/\W/', $nick)) {
        echo "<center><font size='1' face='Verdana' color='blue'><b>!!! Symbols detected !!!</b></font></center>";
        $string = '1';
    } else {
        $string = '0';

...
if ($string == 1) {die} else {work}


it is working for me...

james438
11-17-2009, 10:36 PM
else should be the last else listed. Previous else statements should be elseif.


if (preg_match('/\W/', $password)) {
    echo "<center><font size='1' face='Verdana' color='blue'><b>!!! Symbols detected!!!</b></font></center>";
    $string = '1';
}
elseif (preg_match('/\W/', $nick)) {
    echo "<center><font size='1' face='Verdana' color='blue'><b>!!! Symbols detected !!!</b></font></center>";
    $string = '1';
}
else $string = '0';
if ($string == 1) die;
else work; // 'work' stands for whatever should run when no symbols were found

Curly brackets are not necessary if there is only one statement to execute. If there are two or more you will need to use the curly brackets, but you can use them if you want. I am just mentioning it in case you didn't know.

james438
11-18-2009, 12:02 AM
I am amending my previous statement. You cannot use multiple "else" in an "elseif" statement.

If someone else knows better, please correct me if I am wrong

auriaks
11-18-2009, 04:31 PM
How to do then?

james438
11-18-2009, 08:23 PM
Just read my post and you will see the answer as well as a sample script. You can also read more about it at http://php.net/manual/en/control-structures.elseif.php

auriaks
11-18-2009, 09:55 PM
what if I have more than 3 statements and if's?

james438
11-19-2009, 12:40 AM
<?php
if (preg_match('/\W/', $password)) {
    echo "<center><font size='1' face='Verdana' color='blue'><b>!!! Symbols detected!!!</b></font></center>";
    $string = '1';
}
elseif (preg_match('/\W/', $nick)) {
    echo "<center><font size='1' face='Verdana' color='blue'><b>!!! Symbols detected !!!</b></font></center>";
    $string = '1';
}
elseif (preg_match('/\W/', $occupation)) {
    echo "<center><font size='1' face='Verdana' color='blue'><b>!!! Symbols detected !!!</b></font></center>";
    $string = '1';
}
elseif (preg_match('/\W/', $name)) {
    echo "<center><font size='1' face='Verdana' color='blue'><b>!!! Symbols detected !!!</b></font></center>";
    $string = '1';
}
else $string = '0';
if ($string == 1) die;
else work; // 'work' stands for whatever should run when no symbols were found
?>

auriaks
11-19-2009, 01:23 PM
ok, i'll try... Thanks.

auriaks
11-20-2009, 01:07 PM
preg_match doesn't work for me... it isn't detecting symbols... I don't know why, but on another page it works

auriaks
11-20-2009, 06:00 PM
What do I have to write here:
(preg_match('/\W/', $password)
if I want to detect 'word characters', 'numbers', 'underscores', '@', '.' and ','?

james438
11-20-2009, 07:16 PM
I suspect that you are racing into this a bit too fast. Regular expressions are one of the most complex aspects of PHP and take a little time to understand.

\w is the opposite of \W.
\w will match word characters. Word characters is defined as all letters, numbers, and the underscore.

The following will detect whether any letters, numbers, underscores, periods, commas, or 'at' symbols are found in your string.


<?php
$test='.,@';
if(preg_match('/[\w,.@]/', $test)) {
    echo "YES, there was at least one word character ',', '.' or '@' symbol detected.";
}
else {
    echo "NO there was not one word character ',', '.' or '@' symbol detected.";
}
?>

The square brackets say that the things we want to find between them can be in any order.
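
An added example (not code from any post in this thread) that pulls the pieces discussed above together: the loop-over-fields approach from the earlier reply, the elseif chain over $password, $nick, $occupation and $name, and the [\w,.@] character class from this post, as one allow-list validator for a registration form. The field names, the allowed character sets and the length limits are assumptions chosen for illustration, not the poster's real schema.

```php
<?php
// Added example, not from any post in this thread: one allow-list check for all
// the registration fields, instead of one preg_match() per field. The field
// names, character sets and length limits are assumptions for illustration.

// One pattern per field. ^ and $ anchor the whole value (a bare /\W/ only says
// whether a symbol appears somewhere); the D modifier stops $ from accepting a
// trailing "\n", which browsers and copy-paste add more often than you expect.
const FIELD_RULES = [
    // letters, digits and underscore (\w), 3 to 20 characters
    'nick'      => '/^\w{3,20}$/D',
    // as above plus space, for real names
    'name'      => '/^[\w ]{1,40}$/D',
    // optional leading +, then 6 to 15 digits
    'telephone' => '/^\+?[0-9]{6,15}$/D',
    // the [\w,.@] class from the post above, anchored and length-limited
    'contact'   => '/^[\w,.@]{3,60}$/D',
];

/**
 * Returns an array of field => reason for every field that fails its rule.
 * An empty array means every field passed.
 */
function validate_fields(array $input, array $rules = FIELD_RULES): array
{
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = $input[$field] ?? '';
        // preg_match() returns 1, 0 or false (bad pattern); only 1 is a pass
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'invalid characters or length';
        }
    }
    // The password is deliberately NOT character-restricted: with a parameterised
    // INSERT and password_hash() it can contain any symbol, and forbidding symbols
    // only makes passwords weaker. Length is the one thing worth checking.
    $password = $input['password'] ?? '';
    if (!is_string($password) || strlen($password) < 8) {
        $errors['password'] = 'must be at least 8 characters';
    }
    return $errors;
}

// Constructed sample requests (not real data).
$good = [
    'nick'      => 'auriaks',
    'name'      => 'Auriaks A',
    'telephone' => '+37060000000',
    'contact'   => 'auriaks@example.com',
    'password'  => 'correct horse battery',
];
$bad = [
    'nick'      => "auriaks\n",          // trailing newline: caught only because of /D
    'name'      => "Auri'aks",           // quote
    'telephone' => '123; DROP TABLE',    // spaces, punctuation, letters
    'contact'   => '<b>x</b>@example.com',
    'password'  => 'short',
];

foreach (validate_fields($bad) as $field => $reason) {
    echo "$field: $reason\n";
}
if (validate_fields($good) === []) {
    echo "all fields accepted\n";
}
```

Two caveats worth knowing before copying the patterns. First, without the u modifier \w is ASCII-only, so a name containing ė or ū is rejected; if that is not what you want, add u and use \p{L} and \p{N} instead of \w. Second, the chain of elseif statements above stops at the first field that fails and prints the same message for each, while the loop here reports every failing field with its own reason, which is what a user filling in a form needs. Validation of this kind narrows what reaches the database, but it does not replace parameter binding and output encoding; the two belong together.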

auriaks
11-20-2009, 07:27 PM
Maybe because I used this a lot:
$tag = str_replace('*', '/*', $tag);

and I don't know how to change the ' symbol to /'
If I write it like this:
$tag = str_replace('' '/'', $tag); it will be bad :)

james438
11-20-2009, 08:30 PM
I suspect that at some point this thread should have been split.

I am not sure what problem you are referring to with this statement:

maybe, because i used this a lot:
$tag = str_replace('*', '/*', $tag);

but the following is valid.

$tag = str_replace('*', '/*', $tag);

There are two ways to go about what you are trying to do.

Notice in this example here I am using double quotes to encase a single quote. This works, but is not a good idea.

<?php
$tag=".,'*@";
$tag = str_replace("'", "/'", $tag);
echo"$tag";
?>

The following is better. Here I am "escaping" the quote. This means I am using a backslash "\" right before the quote so that it will be recognized as a quote as opposed to an end of a string.


<?php
$tag=".,'*@";
$tag = str_replace('\'', '/\'', $tag);
echo"$tag";
?>

Just for fun

<?php
echo "pp &quot; pp";
?>

For a list of some other characters and symbols you can create, try this link http://www.nouilles.info/keyboard_shortcuts.html These are just HTML character code shortcuts. There are a potential 65536 different characters that can be created, mostly by using numerical notation as opposed to HTML character codes, but maybe you get the idea. There is some small variation as to which ones are recognized and which are not, depending on the browser used.