PunkPuke
02-26-2005, 12:45 AM
I'm making a website that needs or preferably should give users the ability to add any character to their usernames or a number of things. For many parts of the site I want this. Except I have a few problems.
For starters, I'm not sure if there is any bad FOREIGN characters to look for when accepting user strings. I mean. Single quotes of course and SQL injection. But, with modern text on the internet changing, I want to list the only characters that the site will accept in something like the ereg() function. What I want to do the most is store the special characters as HTML characters to avoid problems. Like convert them to these for instance...
http://www.webenalysis.com/special-characters.asp
&szlig; or &#223; for ß
Basically, I want the user on their end to put, for example an "A Ring" into a text input field...
Å
Then I want the Å to be converted into &Aring; or &#197; where it will reside in the database.
Now I have looked up this function and a few others like htmlentities(), but do these just convert HTML characters like "<" and how can I know they will convert every special character?
Basically I want it to convert everything because I will have an eregi() statement like this...
eregi("^[0-9A-Z&#;]{1,}$",$input)
That can only take 0-9 A-Z a-z or &#; that way characters that were converted into something like &#242; can slide into the database. Also, how can I specify it not to convert a few things? Such as the Ampersand & and the semicolon or pound (if it tries, I'm not sure though).
If I do so, will something like ( ' ' Apostrophe ) still be able to SQL inject my site or other misc things like an %020 or utfencoded deal?
Currently I am planning on taking user input from where it came like this...
<?php
// Undo magic_quotes_gpc so the value is only escaped once, by us, below.
function SmartRemoveSlashes($value)
{
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    return $value;
}

// mysql_real_escape_string() needs a live connection and PHP >= 4.3.0;
// fall back to mysql_escape_string() on older versions.
function SmartMySQLEscapeString($value, $db_conn_link)
{
    // version_compare() returns an int; compare with the operator form, not with the string "-1".
    if (version_compare(PHP_VERSION, '4.3.0', '<'))
    {
        $value = mysql_escape_string($value);
    }
    else
    {
        if ($db_conn_link)
        {
            $value = mysql_real_escape_string($value, $db_conn_link);
        }
        else
        {
            die('Invalid SQL Connection Link');
        } // End If Database Connection
    } // End If > 4.3.0
    return $value;
}

$UserName = SmartRemoveSlashes(utf8_decode(trim($_REQUEST['Username'])));
// THEN DO A BUNCH OF STUFF WITH THE CONVERTING THE SPECIAL CHARACTERS TO HTML
if (eregi("^[0-9A-Z&#;]{1,}$", $UserName))
{
    // Escape once for the database; wrapping this in addslashes() as well would
    // escape twice and store stray backslashes.
    $UserName = SmartMySQLEscapeString($UserName, $db_conn_link);
    // Put UserName into Database down here
}
?>
So, after all these probably pointless paragraphs and my rambling.
How do I convert all special characters inputted by the user into their HTML form?
How do I convert back only the ones I choose such as < > " in the cases that I want to let the user use HTML?
Is that utfdecode() stuff safe? 'Cause I've heard you should use it because of hackers that encode their stuff. Along with URL "%" attacks such as these that were attempted on my PHPbb forum v2.0.10 (which I put a makeshift patch on).
?p=81&highlight=%2527%252Esystem(chr(112)%252Echr(101)%252Echr(114)%252Echr(108)%252Echr(32)%252Echr(45)%252Echr(101)%252Echr(32)%252Echr(34)%252Echr(112)%252Echr(114)%252Echr(105)%252Echr(110)%252Echr(116)%252Echr(32)%252Echr(113)%252Echr(40)%252Echr(106)%252Echr(83)%252Echr(86)%252Echr(111)%252Echr(119)%252Echr(77)%252Echr(115)%252Echr(100)%252Echr(41)%252Echr(34))%252E%2527
Finally is this all Generally Safe for my website?
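The post above asks three things at once: how to whitelist a username that may contain non-ASCII letters, how to get it into the database without SQL injection, and how to turn special characters into HTML entities (and back) without breaking anything. The following is an added example, not code from the original post or from phpBB: it keeps the name as UTF-8 in the database, validates it with a Unicode-aware whitelist instead of an entity-based one, binds it as a parameter rather than escaping it, and encodes for HTML only at output time, which is where the `<`, `>`, `"` question actually belongs. It assumes PHP 7 or later with the mbstring and pdo_sqlite extensions (an in-memory SQLite table stands in for the MySQL table); the function names, the pattern and the sample inputs are this example's own.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7 with mbstring
// and pdo_sqlite; an in-memory SQLite database stands in for MySQL.
declare(strict_types=1);

// Whitelist: letters and digits from any script plus . _ - , 1 to 32 code points.
// The /u flag makes PCRE read the subject as UTF-8 and fail on malformed bytes
// instead of matching them one byte at a time. Hypothetical policy for this example.
const USERNAME_PATTERN = '/^[\p{L}\p{N}._-]{1,32}$/u';

function validateUsername(string $raw): ?string
{
    // PHP has already URL-decoded $_GET/$_POST exactly once. Never urldecode()
    // again: a second decode is what turns a "%2527"-style value into a quote.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;                           // invalid UTF-8 is rejected, not repaired
    }
    $name = trim($raw);
    if (class_exists('Normalizer')) {          // intl extension, if present:
        $nfc = Normalizer::normalize($name, Normalizer::FORM_C); // fold "A + combining ring" into "Å"
        if ($nfc !== false) {
            $name = $nfc;
        }
    }
    return preg_match(USERNAME_PATTERN, $name) === 1 ? $name : null;
}

function storeUsername(PDO $db, string $name): void
{
    // The value travels as a bound parameter, so quotes in it can never become SQL.
    // No addslashes(), no magic_quotes handling, no version-dependent escaping.
    $stmt = $db->prepare('INSERT INTO users (username) VALUES (:u)');
    $stmt->execute([':u' => $name]);
}

function renderUsername(string $name): string
{
    // Encode at output for an HTML context: only & < > " ' are changed, "Å" stays "Å".
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderAsEntities(string $name): string
{
    // If every non-ASCII character really must become an entity, that is still an
    // output-time decision; with an explicit charset htmlentities() covers them all.
    return htmlentities($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)');

// Constructed sample inputs, as they would arrive in $_REQUEST['Username'].
$samples = [
    "Åsa_Jönsson",      // accepted and stored as UTF-8
    "  ß-user  ",       // trimmed, then accepted
    "bob' OR 1=1 --",   // quotes and spaces fail the whitelist
    "a<script>b",       // angle brackets fail the whitelist
    "\xC3\x28",         // invalid UTF-8, rejected before the regex runs
];

foreach ($samples as $raw) {
    $name = validateUsername($raw);
    if ($name === null) {
        printf("rejected: %s\n", bin2hex($raw));
        continue;
    }
    storeUsername($db, $name);
    printf("stored: %s | html: %s | entities: %s\n",
        $name, renderUsername($name), renderAsEntities($name));
}
```

With this split there is nothing to "convert back": the database holds the real characters, `renderUsername()` is used wherever the name is printed into HTML, and if some page is allowed to show the user's own markup, that page simply does not call it. The `%2527` string quoted in the post illustrates why `validateUsername()` refuses to decode a second time: the request layer has already decoded once, and any further decode step is a place where an attacker's encoding and the application's decoding can disagree.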