Prevent Specific character from the URL
Results 1 to 8 of 8

Thread: Prevent Specific character from the URL

  1. #1
    Banned
    Join Date
    Nov 2003
    Posts
    68

    Prevent Specific character from the URL

    hello..
    i wanted to ask about if i can prevent some characters from being opend in my website like the SQL injections prefixs : ; , / and SQL and Html tags !
    can that be Done by htaccess or
    a php script
    thx in advance guyz

  2. #2
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I'm not a php expert but it can be done using php. Look over www.php.net or maybe someone will tell you the command here.
    -Simon \"SDK\"

  3. #3
    Banned
    Join Date
    Nov 2003
    Posts
    68
    ok thx anyway

  4. #4
    Banned
    Join Date
    Nov 2003
    Posts
    68
    any comments !

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I cannot help you with the website problem...................too advanced for me

    However, please be a little bit patient, a lot of us have had a public holiday (because January 1 was on a Saturday, which is a holiday anyway) I guess the corporate professional websie guys won't be back at work until tomorrow.

    cheers

  6. #6
    Senior Member
    Join Date
    Dec 2003
    Location
    LA, CA
    Posts
    292
    addslashes() in php is prob. what your looking for
    http://us4.php.net/manual/en/function.addcslashes.php

    A mind full of questions has no room for answers

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    In .htaccess, you could use mod_rewrite to rewrite URL's that contain combinations of bad characters. Or you could use it to simply redirect them to a static error page (.html) that doesn't accept input or do anything on the server. The problem is that you'd have to understand regular expressions, and AO only has one tutorial on it that you're likely to get lost on since it isn't directly applicable to .htaccess regular expressions. (I was working on one, but other things took my time away) Also, this does nothing except manage the URL being accessed, and doesn't really do anything about the data being passed around (which could attack unsafe code to display bad HTML, XSS (Cross Site Scripting), etc)

    If you're trying to filter out SQL injection/etc., that is about checking input and is done in the language you use (ie, PHP). Unless you have a website that takes input from users and processes it on the server (PHP, PERL, other CGI languages, etc.), this injection stuff doesn't directly apply to you. If you do take and use userinput though, learn to never trust user input and how to write secure code.

    Here are a couple of good looking tutorials on AO on secure PHP programming (might consider looking elsewhere also):
    http://www.antionline.com/showthread...hreadid=231315
    http://www.antionline.com/showthread...hreadid=245670 (Incomplete Series - er0k apparently wanted part 2 to show that part 1 had insecure, unchecked input - not really recommended since it is incomplete)

  8. #8
    Check my tuts, the owasp one.


    edit:

    http://www.antionline.com/showthread...hreadid=264685

    It requires that file from owasp, but it's very simple to make one yourself, similar to it for your own needs.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •