[thelist] Form Security

Jack Timmons codeacula at codeacula.com
Tue Jul 20 08:42:09 CDT 2010


On Tue, Jul 20, 2010 at 8:27 AM, DAVOUD TOHIDY <dtohidy at hotmail.com> wrote:
> I appreciate you and everybody who contributed to this. However I believe I would go with my original code that I posted. What I am interested in is receiving only the Alphabetical text without anything extra from the user.

The problem with that is the code you originally posted doesn't do that.

Take a look, for just a moment, and we'll find out why:

mysql_real_escape_string(strip_tags(stripslashes(htmlentities(trim($_POST['name'])))));

Ignoring the trim:

First, you're doing htmlentities, which turns < into &lt; and > into
&gt; (Or vice versa if I'm not on my game this morning).

Then, you're running stripslashes, which...well, if you read the
documentation on stripslashes in PHP, you'd understand what you need
to do to see if you should run stripslashes.

Second, you're doing strip_tags which...won't do anything, I'm
betting. If you're converting all the things that make a tag a tag
into HTML entities, how will strip_tags find them?

Finally, you're doing mysql_real_escape_string. Which is fine for most
people, although I'm willing to bet that for the sake of keystrokes
you could just as well do mysql_escape_string.

So, following your code, if I do:

<?php echo(mysql_real_escape_string(strip_tags(stripslashes(htmlentities(trim("LOL!
I'm gunna hax ur script! \\<script
type='text/javascript'\\>alert('Bunghole!')</script>"))))));?>

I get:

LOL! I\'m gunna hax ur script! &lt;script
type=\'text/javascript\'&gt;alert(\'Bunghole!\')&lt;/script&gt;

Which, as you can see, contains far more than just "Alphabetical text".

-- 
Jack Timmons
@_Codeacula
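An added example, not from the original post or its author, contrasting the transformation chain discussed in the thread with a whitelist check that accepts only alphabetic text. The function names (sanitizeChain, alphaOnly) and the sample inputs are constructed for this illustration; mysql_real_escape_string() is left out because it needs a live MySQL link and does not affect whether the text is alphabetic. Note that htmlentities() defaults to ENT_QUOTES since PHP 8.1, so its output for single quotes differs from the 2010 output shown above.

```php
<?php
// Added example, not code from the thread. Shows why sanitizing by
// transformation (the chain above) still lets non-alphabetic text through,
// and how validating against a whitelist rejects it instead.
// sanitizeChain(), alphaOnly() and the sample inputs are constructed here.

declare(strict_types=1);

// The thread's chain minus mysql_real_escape_string(): trim, entity-encode,
// strip slashes, then strip tags. By the time strip_tags() runs, "<" and ">"
// are already "&lt;" and "&gt;", so there is nothing left for it to remove.
function sanitizeChain(string $input): string
{
    return strip_tags(stripslashes(htmlentities(trim($input))));
}

// Validation instead of transformation: accept the value only when it is
// made entirely of letters (words separated by single spaces allowed).
// Anything else is rejected so the caller can show an error to the user
// rather than storing a "cleaned" version it never wanted.
function alphaOnly(string $input): ?string
{
    $value = trim($input);
    if ($value === '' || preg_match('/^[A-Za-z]+(?: [A-Za-z]+)*$/', $value) !== 1) {
        return null;
    }
    return $value;
}

// Constructed sample inputs, including the one from the thread.
$samples = [
    "Davoud",
    "  Jack Timmons ",
    "LOL! I'm gunna hax ur script! \\<script type='text/javascript'\\>alert('Bunghole!')</script>",
    "O'Brien",
];

foreach ($samples as $s) {
    printf("input:     %s\n", $s);
    printf("chain:     %s\n", sanitizeChain($s));
    $accepted = alphaOnly($s);
    printf("alphaOnly: %s\n\n", $accepted === null ? '(rejected)' : $accepted);
}
```

When an accepted value is later written to the database, bind it as a parameter of a prepared statement rather than concatenating it into the SQL string; the whitelist check decides what the field may contain, the parameter binding handles the SQL escaping.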

