PHP Security - I need your opinion regarding 3 functions

Networking/Security Forums -> Programming and More

Author: hexadeximal PostPosted: Sun Jan 24, 2010 7:56 pm    Post subject: PHP Security - I need your opinion regarding 3 functions
    ----
Hello, I just signed in and I would appreciate your sophisticated help...

Lots of my custom dynamic websites were injected... and I tried to create three functions to call for input validation so as to avoid injections.

1. prot_txt() = protect string inputs such as username, first name etc... (usually POST values)
2. numer() = protect numerical data, usually IDs used in URLs
3. prot_email() = protect email inputs (contact forms) to avoid header injections...

Please tell me if any of this is vulnerable...

Thank you in advance...

function prot_txt($str)
{
    // Latin-1 <-> UTF-8 round trip: bytes that cannot be represented are
    // dropped, but this does not otherwise validate the input's encoding.
    $str = utf8_encode($str);
    $str = utf8_decode($str);

    // Blacklist pass: blank out characters and words associated with SQL
    // and HTML/JavaScript injection. Note that replacing "on" also hits
    // ordinary words such as "Jonathan", and "-" is removed before the
    // "--" replacement could ever match.
    $str = str_replace("\"", " ", $str);
    $str = str_replace("'", " ", $str);  // was "\'": in double quotes that is backslash + quote, not a quote
    $str = str_replace("alert", " ", $str);
    $str = str_replace("(", " ", $str);
    $str = str_replace(")", " ", $str);
    $str = str_replace("/", " ", $str);
    $str = str_replace("<", " ", $str);
    $str = str_replace(">", " ", $str);
    $str = str_replace(";", " ", $str);
    $str = str_replace("\\", " ", $str);
    $str = str_replace("-", " ", $str);
    $str = str_replace("--", " ", $str);
    $str = str_replace("+", " ", $str);
    $str = str_replace("=", " ", $str);
    $str = str_replace("on", " ", $str);
    $str = str_replace("script", " ", $str);
    $str = str_replace("java", " ", $str);

    // Escaping for two different output contexts, applied one after the
    // other: the result is escaped twice for HTML and twice for SQL, and
    // mysql_real_escape_string() needs an open mysql_* connection
    // (PHP 5 only; the mysql extension was removed in PHP 7).
    $str = htmlspecialchars($str);
    $str = addslashes($str);
    $str = mysql_real_escape_string($str);
    $str = htmlentities($str);

    // Final check: refuse the request if anything suspicious survived.
    if (substr_count($str, 'alert') > 0
        || substr_count($str, '</') > 0
        || substr_count($str, '<') > 0
        || substr_count($str, '>') > 0
        || substr_count($str, '\"') > 0   // in single quotes this is backslash + double quote
        || substr_count($str, '\'') > 0
        || substr_count($str, '\\') > 0
        || substr_count($str, 'mouseover') > 0
        || substr_count($str, '%') > 0
        || substr_count($str, '(') > 0
        || substr_count($str, ')') > 0) {
        die("No access");
    }

    return $str;
}


function numer($str)
{
    // Same Latin-1 <-> UTF-8 round trip and blacklist pass as prot_txt(),
    // with "." added to the list. The is_numeric() check at the end is
    // what actually decides whether the value is accepted.
    $str = utf8_encode($str);
    $str = utf8_decode($str);
    $str = str_replace("\"", " ", $str);
    $str = str_replace("'", " ", $str);  // was "\'": backslash + quote in double quotes, not a quote
    $str = str_replace("alert", " ", $str);
    $str = str_replace("(", " ", $str);
    $str = str_replace(")", " ", $str);
    $str = str_replace("/", " ", $str);
    $str = str_replace(".", " ", $str);
    $str = str_replace("<", " ", $str);
    $str = str_replace(">", " ", $str);
    $str = str_replace(";", " ", $str);
    $str = str_replace("\\", " ", $str);
    $str = str_replace("-", " ", $str);
    $str = str_replace("+", " ", $str);
    $str = str_replace("=", " ", $str);
    $str = str_replace("on", " ", $str);
    $str = str_replace("script", " ", $str);
    $str = str_replace("java", " ", $str);

    // Same double escaping as prot_txt(); mysql_real_escape_string() needs
    // an open mysql_* connection (PHP 5 only).
    $str = htmlspecialchars($str);
    $str = addslashes($str);
    $str = mysql_real_escape_string($str);
    $str = htmlentities($str);

    // is_numeric() also accepts exponent forms such as "1e3" and leading
    // whitespace, so the returned string is not guaranteed to be an
    // integer. An empty input falls through without a return (NULL).
    if ($str <> "") {
        if (is_numeric($str)) {
            return $str;
        }
        die("No access");
    }
}


function prot_email($str)
{
    // Latin-1 <-> UTF-8 round trip, as in the other two functions.
    $str = utf8_encode($str);
    $str = utf8_decode($str);
    //return iconv("ISO-8859-1", "utf-8", $str);

    // Reject angle brackets and quotes. Note that this does not look for
    // "\r" or "\n", which are the characters that make mail header
    // injection possible once the value is placed into a header.
    if (strpos($str, "<") === false
        && strpos($str, ">") === false
        && strpos($str, "'") === false
        && strpos($str, '"') === false) {
        // SQL escaping (needs an open mysql_* connection), then addslashes()
        // on top of it, then HTML escaping.
        $str = htmlspecialchars(addslashes(mysql_real_escape_string($str)));
        return $str;
    }

    die("No access");
}
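The three functions above combine a keyword blacklist with escaping for two different output contexts (HTML and SQL) applied back to back, so the same value is escaped twice for each and legitimate input such as "O'Neil" or "Jonathan" is mangled or refused. The usual alternative is to handle each context with the mechanism built for it. What follows is an added example written by the editor, not the poster's code, covering the same three inputs (free-text fields, numeric URL ids, contact-form email addresses). It assumes PHP 7.1 or later with the pdo_sqlite extension so that it runs without a MySQL server; against MySQL only the PDO DSN changes. The table, column names and sample inputs are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example (editor's code, not the original poster's). Each input is
// handled by the mechanism made for its context instead of a blacklist:
//   - strings bound for SQL: prepared statements with bound parameters
//   - numeric ids from URLs: validated as integers, never as cleaned strings
//   - email addresses: validated, with CR/LF refused (the characters that
//     enable mail-header injection)
//   - HTML: encoded at output time, not when the value is stored
// Assumes PHP >= 7.1 with pdo_sqlite so it runs without a MySQL server.

// 1. Strings used in SQL: bind them. The value never becomes part of the
//    SQL text, so quotes, comments and semicolons in it are plain data.
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Numeric ids: FILTER_VALIDATE_INT returns the integer itself and
//    rejects "42 OR 1=1", "1.5", "1e3" and (with min_range) anything below 1.
function id_from_request($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 3. Email for a contact form. A CR or LF in a value that ends up in a
//    mail header lets the sender append headers of their own (Bcc:, To: ...),
//    so it is refused explicitly before the syntax check.
function email_from_request(string $raw): ?string
{
    $email = trim($raw);
    if (preg_match('/[\r\n]/', $email) === 1) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// 4. HTML output: encode when rendering. ENT_QUOTES also encodes single
//    quotes (the PHP 5 default did not) and the charset is explicit.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- demo with constructed inputs (in-memory SQLite) -----------------------
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO users (username) VALUES (:u)');
foreach (['alice', "o'neil"] as $name) {
    $insert->execute([':u' => $name]);
}

// The classic tautology is compared as a literal username and matches no row;
// the apostrophe in o'neil is stored and matched as ordinary data.
var_dump(find_user($db, "' OR 1=1 --"));
var_dump(find_user($db, "o'neil"));

// Only the first of these is accepted as an id.
var_dump(id_from_request('42'));
var_dump(id_from_request('42 OR 1=1'));
var_dump(id_from_request('-1'));

// The second address carries an injected Bcc: header and is rejected.
var_dump(email_from_request('user@example.com'));
var_dump(email_from_request("user@example.com\r\nBcc: other@example.com"));

// Encoded for an HTML context at the point of output.
echo h("<script>alert('x')</script>"), PHP_EOL;
```

Run it with `php example.php`. The point of the split is that nothing is "cleaned" on the way in: the database receives the raw string through a bound parameter, the id is converted to an integer or rejected, the email is either a syntactically valid single address or rejected, and HTML encoding happens only where the value is written into a page. If the original sites still run on the mysql_* extension, the same pattern is available through mysqli prepared statements.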


