0

How do I prevent symbols like /, \, ;, etc. being stored in the database? I am already using mysql_real_escape_string(), but if in an input field in my form I put \mymail@mydomain.com, I find the email stored in the database with the "\". How can I prevent this?

TRiG
  • 10,148
  • 7
  • 57
  • 107
Mohammad99
  • 47
  • 2
  • 2
  • 11
  • 2
    would you consider `@` a symbol? – Jonathan Kuhn Sep 30 '13 at 17:11
  • Use a regex to sanitize your fields before saving to the database. – EmmyS Sep 30 '13 at 17:15
  • 1
    When you use mysql_real_escape_string you database stored the orignal value, the word Escape mean somthing for you? if the value is was stored with the `\/` you are doing something wrong, also mysql_* functions are deprecated – Emilio Gort Sep 30 '13 at 17:15
  • Emilio Gort, now i get you but, is there any security issues with letting slashes be stored in the database? – Mohammad99 Sep 30 '13 at 17:17
  • 1
    @EmmyS I dont think that regex is the best way to sanitze, there is PDO using Prepare statement – Emilio Gort Sep 30 '13 at 17:18
  • In the right side in `Question Related` you can see the first link [How can I prevent SQL injection in PHP?](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) – Emilio Gort Sep 30 '13 at 17:19
  • I am watching it thank you – Mohammad99 Sep 30 '13 at 17:21
  • If you actually put `\m` in the query why wouldn't you want the backslash to be stored? – Explosion Pills Sep 30 '13 at 17:32
  • So is your question about how to validate that the input matches a certain criteria (i.e. valid email address) or how to properly escape inserts into MySQL? For me, if I was expecting a valid email address and somebody entered and invalid value, I would prompt the user that the value is invalid and not insert it at all rather than trying to clean up the value for him. If you are interested in data validation, I would suggest looking at PHP's `filter_var()` function, which gives you a convenient means of validating email addresses, URL's, etc. – Mike Brant Sep 30 '13 at 17:40
  • Is this question about preventing SQL injection or is this question about how to remove special chars? – Daniel W. Oct 01 '13 at 12:45
  • the question is how to prevent special characters like slashes from being stored in the database! can u help me ? – Mohammad99 Oct 01 '13 at 13:31
  • @Mohammad99. At what point does the problem exist? If someone enters some weird characters, and those weird characters are stored to the database exactly as entered, then *the problem is not with the database connection*. The database connection is working fine. You should be validating input *before* connecting to the database. – TRiG Oct 01 '13 at 14:16
  • It looks like [your real question](http://meta.stackexchange.com/q/66377/147191) is about how to validate e-mail addresses. Please think about this, and edit your question to clarify exactly what you're asking. (Tip: You don't want to simply strip weird characters: if you're given an invalid address, you should send it back to the user for correction.) – TRiG Oct 01 '13 at 14:18

2 Answers2

2

u need to use regular expression to avoid /, \, ;, etc in data base. use this regular expression. write this javascript.

regExpNum = /^[\w]+(\.[\w]+)*@([\w-]+\.)+[a-zA-Z]{2,7}$/
if(!regExpNum.test(EmailID))
{
alert("Invalid email address.");
return false;
}
Ankur Dhanuka
  • 1,217
  • 2
  • 11
  • 22
1

Maybe you need some kind of input validator like the filter_input (PHP >= 5.2.0)

filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);

If the result is null, then, you should send an error.

You could read the documentation at http://www.php.net/manual/en/book.filter.php

KikoV
  • 899
  • 6
  • 13