
I tried to add extra security by removing special characters. I want to allow letters, numbers and ? = & only.

I tried:

if (strpos($_SERVER['REQUEST_URI'],'\'')) {  echo 'true';   }

I cannot just simply put ' in between the '' as it breaks it so I tried adding the \ but it didn't work. Is there a way to detect all the symbols in the url string or input field?

EDIT:

I tried simply adding < to the list:

if (preg_match('#[@*,!$\'\-;:<>~`^|\(\\)\\{\\}\\[\\]]#i', $_SERVER['REQUEST_URI']) || strpos($_SERVER['REQUEST_URI'],'script')) { 
    echo 'Cannot do that';
}

I tried adding ([\<])([^\>]{1,})*([\>]) into there but it didn't work. I also tried adding a condition if strcmp($_SERVER['REQUEST_URI'], strip_tags($_SERVER['REQUEST_URI'])) != 0

and when I added it into the URL, it didn't do anything.

OGcode
  • Why not just handle strings properly? – Niet the Dark Absol Sep 12 '14 at 21:24
  • Extra security for what? What is your script supposed to be used for? – Mike 'Pomax' Kamermans Sep 12 '14 at 21:25
  • `str_replace()` if you _really_ need to use it – Class Sep 12 '14 at 21:25
  • @NiettheDarkAbsol I am using PDO prepared statements everywhere, but for one specific area I have a lot of dynamic values for a search filter, so it was hard to use PDO prepared statements, so I am trying to somehow do a workaround – OGcode Sep 12 '14 at 21:27
  • @Mike'Pomax'Kamermans I have a search filter that takes input from words, radio buttons, and checkboxes. The query length changes constantly, so I am not sure how to dynamically make prepared statements to satisfy both the query and the prepared statement – OGcode Sep 12 '14 at 21:34
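The comments above describe the real problem: a search filter with a variable number of conditions, which the asker found hard to express as a prepared statement. The following is an added example (not code from the question or any answer) showing how to build the SQL text and the bound parameters together, one placeholder per submitted value, so that user input never enters the query string. The table, column names and the `FILTERABLE_COLUMNS` allowlist are assumptions for the demo, and it assumes the `pdo_sqlite` extension for the in-memory run.

```php
<?php
// Added example: building a PDO prepared statement for a search filter whose
// number of conditions depends on the submitted form. Table and column names
// are assumptions for this demo.
declare(strict_types=1);

// Column names the form may filter on. Identifiers cannot be bound as
// placeholders, so they are checked against this fixed allowlist instead.
const FILTERABLE_COLUMNS = ['category', 'color', 'size'];

/**
 * Build a SELECT with one named placeholder per submitted filter value.
 * Returns [$sql, $params]; the values themselves never touch the SQL text.
 */
function buildSearchQuery(string $keyword, array $filters): array
{
    $where  = [];
    $params = [];

    if ($keyword !== '') {
        $where[]            = 'name LIKE :keyword';
        $params[':keyword'] = '%' . $keyword . '%';   // LIKE wildcards are data, not SQL
    }

    foreach ($filters as $column => $values) {
        if (!in_array($column, FILTERABLE_COLUMNS, true)) {
            continue;                                  // unknown column: ignore, never interpolate
        }
        $values = array_values((array) $values);       // checkbox groups arrive as arrays, radios as strings
        if ($values === []) {
            continue;
        }
        // One placeholder per value, e.g. :color_0, :color_1
        $names = [];
        foreach ($values as $i => $value) {
            $name          = ":{$column}_{$i}";
            $names[]       = $name;
            $params[$name] = (string) $value;
        }
        $where[] = sprintf('%s IN (%s)', $column, implode(', ', $names));
    }

    $sql = 'SELECT id, name, category, color, size FROM products';
    if ($where !== []) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql, $params];
}

// Demo against an in-memory SQLite database (assumes pdo_sqlite is available).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT, color TEXT, size TEXT)');
$insert = $pdo->prepare('INSERT INTO products (name, category, color, size) VALUES (?, ?, ?, ?)');
foreach ([['red shirt', 'shirt', 'red', 'M'], ['blue shirt', 'shirt', 'blue', 'L'], ['red hat', 'hat', 'red', 'M']] as $row) {
    $insert->execute($row);
}

// Constructed form input (not real traffic): a keyword plus checkbox/radio groups.
// The quote in the keyword is searched as a literal string because it is bound.
$request = [
    'q'       => "shirt' OR 1=1 --",
    'filters' => ['color' => ['red', 'blue'], 'size' => 'M', 'price' => ['1']],   // 'price' is not allowlisted
];

[$sql, $params] = buildSearchQuery($request['q'], $request['filters']);
echo $sql, PHP_EOL;                 // the generated statement contains only placeholders
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
print_r($stmt->fetchAll(PDO::FETCH_ASSOC));
```

The design point is that the only thing assembled from the request is the *shape* of the query (which allowlisted columns appear and how many placeholders each gets); every value, including the keyword with its quote, goes through `execute()` as a bound parameter, which is what makes character-stripping unnecessary for the SQL side.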

3 Answers


Use preg_match to test for anything but the characters you want:

if (preg_match('#[^a-z0-9?=&]#i', $str)) { echo 'true'; }

Use preg_replace to remove them:

$str = preg_replace('#[^a-z0-9?=&]#i', '', $str);

If you just want to prohibit certain characters, use a regular expression that just matches those characters:

if (preg_match('#[\'\-;:~`]#i', $str)) { echo 'true'; }
Barmar
  • That will replace; how can I check and return true/false? – OGcode Sep 12 '14 at 21:28
  • BTW, doesn't the URL also include `/` characters? – Barmar Sep 12 '14 at 21:28
  • Meant to use `i` flag, just forgot it. – Barmar Sep 12 '14 at 21:30
  • Yes, you are right; how can I add /, %, and _? It might be just easier to somehow disable ' - ; : ~ `, is that possible? – OGcode Sep 12 '14 at 21:31
  • Just add them to the character set in the regular expression. If you're not familiar with regular expressions, read the tutorial at regular-expression.info. – Barmar Sep 12 '14 at 21:33
  • Quick thing: how can I add the symbols < > to the list? I tried \< \<\ <, nothing works. – OGcode Sep 13 '14 at 18:30
  • There's nothing special about `<` and `>` in regular expressions; you should be able to just put them inside the square brackets. – Barmar Sep 13 '14 at 19:08
  • I did, but it didn't work. When I tried adding < to the URL nothing happened. – OGcode Sep 13 '14 at 19:11
  • You'll have to post what you tried. Add it to the end of your question. – Barmar Sep 13 '14 at 19:20
  • I don't know why it's not working for you. I just copied your regexp, and tested it against `foo – Barmar Sep 13 '14 at 19:30
  • Hmm, weird. Maybe it's because it's getting the URL string; not sure why – OGcode Sep 13 '14 at 19:39
  • Maybe it has to do with the way special characters are encoded in URLs, but I thought that these would have been decoded before filling in `$_SERVER`. – Barmar Sep 13 '14 at 19:44
  • I just tested, and that's it. Special characters in the URL are %-encoded in REQUEST_URI. Use `urldecode()` to decode it first. – Barmar Sep 13 '14 at 19:47
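The thread above ends with the actual cause: `<` arrives in `REQUEST_URI` as `%3C`, so a regex run on the raw string never sees it. The following is an added example (not Barmar's code) that decodes first and then applies one negated character class built from the allowlist discussed in the comments (letters, digits, `? = & / % _`). The function names and the sample URIs are constructed for the demo.

```php
<?php
// Added example: checking REQUEST_URI against a character allowlist after
// %-decoding, so that encoded characters such as %3C ('<') are not missed.
declare(strict_types=1);

/**
 * True when the decoded URI contains any character outside the allowlist.
 * preg_match() returns 1, 0 or false, so compare against 1 explicitly.
 */
function uriHasDisallowedChars(string $requestUri): bool
{
    // rawurldecode() turns %3C back into '<' and leaves '+' alone;
    // urldecode() would additionally turn '+' into a space.
    $decoded = rawurldecode($requestUri);
    return preg_match('#[^a-z0-9?=&/%_]#i', $decoded) === 1;
}

/**
 * Same allowlist, but returns the offending characters so a log line can say
 * what was rejected rather than only that something was.
 */
function disallowedCharsIn(string $requestUri): array
{
    $decoded = rawurldecode($requestUri);
    preg_match_all('#[^a-z0-9?=&/%_]#i', $decoded, $matches);
    return array_values(array_unique($matches[0]));
}

// Constructed sample URIs (not captured traffic).
$samples = [
    '/search?q=shirt&color=red',        // clean
    '/search?q=%3Cscript%3E',           // encoded <script>: '<' and '>' only appear after decoding
    '/search?q=a%27%20OR%201%3D1',      // encoded quote and spaces
    '/search?q=100%25',                 // %25 decodes to a literal '%', which the allowlist permits
];

foreach ($samples as $uri) {
    printf("%-32s %-6s %s\n",
        $uri,
        uriHasDisallowedChars($uri) ? 'REJECT' : 'ok',
        implode(' ', disallowedCharsIn($uri)));
}
```

Note that the same regex run on the undecoded string would pass the second and third samples, because `%`, digits and letters are all allowed; decoding is the step that makes the check meaningful. A character allowlist on the URL is still a coarse filter: anything that reaches a SQL statement should be bound as a parameter regardless of what this check says.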

You can fix that by using double quotes as the string delimiter; try this:

if (strpos($_SERVER['REQUEST_URI'],"'")) {  echo 'true';   }
math

One thing that none of the posts addressed is why strpos didn't work for you. strpos can return two types. It can return an integer that is greater than or equal to zero, 0 being the first character. It can also return the boolean false. To check whether strpos found a match, it would have to have been written like this:

if (strpos($_SERVER['REQUEST_URI'],'\'') !== false) {  echo 'true';   }

From the PHP documentation, the comparison operator $a !== $b works this way:

return TRUE if $a is not equal to $b, or they are not of the same type.

Information on strpos returning two types (boolean false or an integer) can be found in this PHP strpos Documentation. In particular:

Returns the position of where the needle exists relative to the beginning of the haystack string (independent of offset). Also note that string positions start at 0, and not 1.

Returns FALSE if the needle was not found.

So as you can see 0 and false are not the same thing which is why your test failed.

As for security and strings in PHP I recommend you look at this StackOverflow article for some opinions on the matter.

Michael Petch
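To make the answer's point concrete, here is an added example (not from the answer) that runs the truthy test, the `!== false` test and PHP 8's `str_contains()` side by side on a needle at offset 0, in the middle, and absent. The function names and inputs are constructed for the demo.

```php
<?php
// Added example: why a truthy test on strpos() misses a needle at offset 0,
// and the two correct ways to write the check.
declare(strict_types=1);

function containsTruthy(string $haystack, string $needle): bool
{
    return (bool) strpos($haystack, $needle);      // WRONG: offset 0 is falsy, same as false
}

function containsStrict(string $haystack, string $needle): bool
{
    return strpos($haystack, $needle) !== false;   // correct: false is the only "not found" value
}

function containsModern(string $haystack, string $needle): bool
{
    return str_contains($haystack, $needle);       // PHP 8.0+: returns bool, no offset to misread
}

// Constructed inputs: a quote at the start, in the middle, and absent.
foreach (["'abc", "ab'c", "abc"] as $s) {
    printf("%-8s truthy=%s  strict=%s  str_contains=%s\n",
        json_encode($s),
        containsTruthy($s, "'") ? 'true' : 'false',
        containsStrict($s, "'") ? 'true' : 'false',
        containsModern($s, "'") ? 'true' : 'false');
}
```

The first row is the case from the question: a quote as the very first character of the string is found at offset 0, which the truthy version reports as "not found" and the other two report correctly.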