Thread: Prevent Specific character from the URL

  1. #1

    Prevent Specific character from the URL

    hello..
    I wanted to ask if I can prevent some characters from being opened in my website, like the SQL injection prefixes : ; , / and SQL and HTML tags!
    Can that be done by htaccess or
    a PHP script?
    Thx in advance guyz

  2. #2
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    I'm not a php expert but it can be done using php. Look over www.php.net or maybe someone will tell you the command here.
    -Simon "SDK"

  3. #3
    ok thx anyway

  4. #4
    any comments !

  5. #5
    Senior Member nihil
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    I cannot help you with the website problem...................too advanced for me

    However, please be a little bit patient, a lot of us have had a public holiday (because January 1 was on a Saturday, which is a holiday anyway). I guess the corporate professional website guys won't be back at work until tomorrow.

    cheers

  6. #6
    Senior Member
    Join Date
    Dec 2003
    Location
    LA, CA
    Posts
    292
    addslashes() in PHP is prob. what you're looking for
    http://us4.php.net/manual/en/function.addcslashes.php

    A mind full of questions has no room for answers

  7. #7
    Senior Member
    Join Date
    Oct 2001
    Posts
    786
    In .htaccess, you could use mod_rewrite to rewrite URLs that contain combinations of bad characters. Or you could use it to simply redirect them to a static error page (.html) that doesn't accept input or do anything on the server. The problem is that you'd have to understand regular expressions, and AO only has one tutorial on it that you're likely to get lost on since it isn't directly applicable to .htaccess regular expressions. (I was working on one, but other things took my time away.) Also, this does nothing except manage the URL being accessed, and doesn't really do anything about the data being passed around (which could attack unsafe code to display bad HTML, XSS (Cross Site Scripting), etc.)

    If you're trying to filter out SQL injection/etc., that is about checking input and is done in the language you use (i.e., PHP). Unless you have a website that takes input from users and processes it on the server (PHP, PERL, other CGI languages, etc.), this injection stuff doesn't directly apply to you. If you do take and use user input though, learn to never trust user input and how to write secure code.

    Here are a couple of good looking tutorials on AO on secure PHP programming (might consider looking elsewhere also):
    http://www.antionline.com/showthread...hreadid=231315
    http://www.antionline.com/showthread...hreadid=245670 (Incomplete Series - er0k apparently wanted part 2 to show that part 1 had insecure, unchecked input - not really recommended since it is incomplete)

  8. #8
    Check my tuts, the owasp one.


    edit:

    http://www.antionline.com/showthread...hreadid=264685

    It requires that file from owasp, but it's very simple to make one yourself, similar to it for your own needs.
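
The input checking in PHP that post #7 points to, as an added example that is not part of the original thread or any poster's code: validate the parameter, bind it in the query, and encode it on output. It assumes PHP 8 with the pdo_sqlite extension; the `articles` table, the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example: table, function names and sample inputs are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO articles (title) VALUES ('Hello'), ('O''Reilly <b>review</b>')");

// 1. Validate: accept only what the parameter is supposed to be (allow-list)
//    instead of trying to enumerate "bad" characters.
function parseArticleId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Query: bind the value as a parameter so it is never parsed as SQL.
function findTitle(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT title FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : $title;
}

// 3. Output: encode for the HTML context at the point of display.
function render(string $title): string
{
    return '<h1>' . htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</h1>';
}

// Constructed stand-ins for $_GET['id'].
$samples = ['2', '1 OR 1=1', '1; DROP TABLE articles', '<script>', '-5'];
foreach ($samples as $raw) {
    $id = parseArticleId($raw);
    if ($id === null) {
        echo 'rejected: ' . var_export($raw, true) . "\n"; // a real page would answer HTTP 400
        continue;
    }
    $title = findTitle($db, $id);
    echo $title === null ? "not found\n" : render($title) . "\n";
}
```

The stored title contains a quote and an HTML tag on purpose: the bound parameter and the output encoding handle both without any character being banned from the URL.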
