I am having an issue with special characters with a web script that I have that executes a command to send a username to my game server to reward them for voting.
<form action="index.php" method="GET">
<input type="submit" value="Submit" />
</form>
It submits to the database with the correct information special characters and all – but when executed to my gameserver it negates the special characters and they can abuse it by using the name Testusername/ or Testusername// and receive multiple rewards daily.
I have tried using hidden types but my system cannot work with POST.
Any ideas? I’m helpless.
EDIT:
Any 0-9, _, a-z characters are allowed; special characters being !@#$%^&*()_+[}{} etc. I am using escape strings and I am not worried about SQL injection. I tried multiple ways of sanitizing and they all failed. I am using MySQL, but not for the sending of the reward; it is there as a log and to verify users that haven’t voted in the last 24 hours and prevent them from doing it again. Basically, putting it plainly: they vote with the username Test and get their reward, then vote with the username Test/ and it says Test voted again ingame and they receive x2 the rewards.
A simple preg_replace should do it. This strips everything but:
If uppercase is OK, then add A-Z to the regex, or perhaps strtolower() the input beforehand. Do this before you save the input or send it to the other server.
I’m a little unsure of your exact dilemma with the game server, but ideally, you should get a response from the other server to see what username was actually entered before you save it, and you wouldn’t have to filter it at all because you would have the filtered value from the other server.
A-Zto the regex, or perhapsstrtolower()the input beforehand. Do this before you save the input or send it to the other server.I’m a little unsure of your exact dilemma with the game server, but ideally, you should get a response from the other server to see what username was actually entered before you save it, and you wouldn’t have to filter it at all because you would have the filtered value from the other server.