
Ban Character From All Textareas On The Page

- 1 answer

I've got a problem. As soon as I enter this little f****r --> ' <-- in my textareas, which are sent to a database via AJAX, it stops working. So if I, for example, enter:

I am a little gnome and I'm glad to meet you. Hug me!

The database will only receive:

I am a little gnome and I

So... Can I limit all textareas on the page to like A-Z + ÅÄÖ + . , + other regularly used characters which don't ruin my stuff? I am using onchange for the AJAX request, and another event listener for keyup to make it work on Safari, if that's of any importance to anyone!

SQL-injection vulnerability, got it. I'm scared, and have stuff to do. Thanks for all answers thus far.


Answer

Note

I can see you're starting out, and it's great! You've always gotta find a bug to learn new stuff, and you're learning about SQL Injections now. If I could suggest something, you'd be best to start at PHP The Right Way, it'll help you a truckload.


Your PHP script (that inserts this data into a database) is not sanitized correctly.

We can't do much without seeing your associated code. But I take it you're using mysql_*/mysqli_* functions? Well, the former one is deprecated and removed as of PHP 7!

You should start learning either of the following two prepared statement types:

From what I assume, you want to escape the string:

$data = mysql_real_escape_string($_POST['data']);

Although, there are still ways around the above escape; your database can still be hacked via SQL Injection, which is not what you want.

As noted by Armadan, to back up my statement above, mysql_real_escape_string() is still bypassable in certain cases, read these:
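To make the answer's point concrete, here is an added example (not code from the original answer or from the asker) that inserts the apostrophe-containing textarea text from the question in three ways: the string-concatenation pattern that breaks on the apostrophe, then a mysqli prepared statement and a PDO prepared statement. The table name `notes`, its column `body`, and the connection credentials are assumed placeholders.

```php
<?php
declare(strict_types=1);

// Constructed sample input; in the real page this would come from $_POST['data']
// sent by the textarea's AJAX request.
$text = "I am a little gnome and I'm glad to meet you. Hug me!";

// VULNERABLE: the apostrophe in $text closes the SQL string literal, so the
// statement breaks at "I am a little gnome and I" and whatever follows is
// parsed as SQL rather than stored as data.
function insertUnsafe(mysqli $db, string $text): bool
{
    $sql = "INSERT INTO notes (body) VALUES ('" . $text . "')";
    return (bool) $db->query($sql);
}

// SAFE (mysqli): the value travels separately from the SQL text, so the
// server never parses it as SQL; the apostrophe is stored verbatim.
function insertMysqli(mysqli $db, string $text): bool
{
    $stmt = $db->prepare("INSERT INTO notes (body) VALUES (?)");
    $stmt->bind_param("s", $text);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// SAFE (PDO): same idea with a named placeholder.
function insertPdo(PDO $db, string $text): bool
{
    $stmt = $db->prepare("INSERT INTO notes (body) VALUES (:body)");
    return $stmt->execute([':body' => $text]);
}

// Usage with assumed host, database and credentials.
$mysqli = new mysqli("localhost", "user", "password", "app");
$mysqli->set_charset("utf8mb4");
insertMysqli($mysqli, $text);

$pdo = new PDO("mysql:host=localhost;dbname=app;charset=utf8mb4", "user", "password", [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
insertPdo($pdo, $text);
```

With either prepared form, the client-side character filtering the question asks about becomes unnecessary for correctness: the full text, apostrophe included, reaches the database.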

source: stackoverflow.com