user3626726

Reputation: 1

How do I block a specific word from being entered in my HTML form

I am trying to set up a simple account creation form for a game. I'm going to post my HTML and PHP that is being used below.

What I want to do is block the following words from being entered into a character's name:

Mod, Owner, Mawd, M0d, 0wner

Also, I need to block special characters such as these:

!@#$%^&*()_+|\`~

Once those get blocked, my form will be 100% finished, unless I decide to change the template for it.

Here is the PHP code that checks the text entered into the form.

<?php //data.php
require_once 'login.php';

// Get values from form
$NAME        = $_POST['char_name'];
$PASS        = $_POST['char_pass']; 
$FORUM       = $_POST['forum_name'];
$TESTER      ="0";
$BANNED      ="0";
$RANK        ="1";

// Check if form is empty
if(trim($NAME) == '' || trim($PASS) == '' || trim($FORUM) == ''){
header('Location: http://www.runerecovery.us/ingame/notfilled.html');
exit; // header() alone does not stop the script
}

// Check for duplicates
$query = mysql_query("SELECT * FROM accounts WHERE username='$NAME'");
if(mysql_num_rows($query) > 0){
header('Location: http://www.runerecovery.us/ingame/characterexists.html');
}else{

// Insert data into mysql
$sql="INSERT INTO accounts (username,password,forumname,tester,banned,rank)
VALUES ('$NAME','$PASS','$FORUM','$TESTER','$BANNED','$RANK')";
$result = mysql_query($sql);

// if successfully insert data into database, displays message "Successful".
if($result){
header('Location: http://runerecovery.us/ingame/registered.html');
}
else {
echo "ERROR";
}
}

Upvotes: 0

Views: 2715

Answers (2)

Giacomo1968

Reputation: 26034

Easy. Just create an array containing a list of banned items—such as names—and then use in_array to compare the value of trim($NAME) against it. I would recommend placing it after the check to see if the form is empty, like this:

// Check if form is empty
if(trim($NAME) == '' || trim($PASS) == '' || trim($FORUM) == ''){
  header('Location: http://www.runerecovery.us/ingame/notfilled.html');
  exit; // stop here, otherwise the rest of the script still runs
}

// Set an array of banned names.
$banned_names = array('Mod', 'Owner', 'Mawd', 'M0d', '0wner');

// Check if the name is banned.
if(in_array(trim($NAME), $banned_names)) {
  header('Location: http://www.runerecovery.us/ingame/banned.html');
  exit; // without this the banned name would still be inserted
}

For these characters:

!@#$%^&*()_+|\`~

You can use preg_match to see if those characters are in the name as well and act on them as well. I will see if I can put something together.

EDIT: Okay, I have a nice preg_match that will work well for the characters above:

// Character class: matches any one of ! @ # $ % ^ & * ( ) _ + | \ ` ~
preg_match('/[!@#$%^&*()_+|\\\\`~]/', trim($NAME));

Now create a conditional that can use that like so:

// Check if the name has banned characters.
if(preg_match('/[!@#$%^&*()_+|\\\\`~]/', trim($NAME))) {
  header('Location: http://www.runerecovery.us/ingame/banned.html');
  exit; // stop here, otherwise the rest of the script still runs
}

And bring it all together like this:

// Check if form is empty
if(trim($NAME) == '' || trim($PASS) == '' || trim($FORUM) == ''){
  header('Location: http://www.runerecovery.us/ingame/notfilled.html');
  exit; // stop here, otherwise the rest of the script still runs
}

// Check if the name has banned characters.
if(preg_match('/[!@#$%^&*()_+|\\\\`~]/', trim($NAME))) {
  header('Location: http://www.runerecovery.us/ingame/banned.html');
  exit;
}

// Set an array of banned names.
$banned_names = array('Mod', 'Owner', 'Mawd', 'M0d', '0wner');

// Check if the name is banned.
if(in_array(trim($NAME), $banned_names)) {
  header('Location: http://www.runerecovery.us/ingame/banned.html');
  exit;
}

Also, instead of in_array you could also use preg_grep to do a case insensitive match like so:

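// Check if the name is banned.
// preg_quote() keeps the submitted name from being read as regex syntax;
// ^ and $ make it a whole-name match instead of a substring match.
if(preg_grep('/^' . preg_quote(trim($NAME), '/') . '$/i', $banned_names)) {
  header('Location: http://www.runerecovery.us/ingame/banned.html');
  exit;
}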

Upvotes: 1

dmullings

Reputation: 7200

You could use the following code below. I would add it after you check if any of the fields are empty. The code below will work for all upper and lower cases.

$invalidCharacterNames = array('Mod', 'Owner', 'Mawd', 'M0d', '0wner');

foreach($invalidCharacterNames as $invalidCharacterName){
    if(strtolower($invalidCharacterName) == trim(strtolower($NAME))){
        //redirect to error page
        header('Location: http://www.runerecovery.us/ingame/invalid_character_name.html');
        exit; // stop here so the insert further down never runs
    }
}

Most importantly, your form is vulnerable to SQL injection - read about it here: http://php.net/manual/en/security.database.sql-injection.php

Also, I suggest you use mysqli and prepared statements http://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php

Update: use preg_match or strpos to check for the specific characters in the string.

Upvotes: 2
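
The name checks from both answers combined with the prepared statements recommended above, as an added example that is not code from either answer. It assumes PDO with an in-memory SQLite database standing in for the MySQL `accounts` table so it runs without a server; the function names and the two-column table are hypothetical.

```php
<?php
// Added example. Assumptions: PDO with in-memory SQLite stands in for the
// MySQL `accounts` table; function names and the two-column table are hypothetical.
const BANNED_NAMES = ['mod', 'owner', 'mawd', 'm0d', '0wner'];
const BANNED_CHARS = '/[!@#$%^&*()_+|\\\\`~]/'; // character class, not alternation

// Returns null when the name is acceptable, otherwise the rejection reason.
function name_rejection_reason(string $raw): ?string
{
    $name = trim($raw);
    if ($name === '') {
        return 'empty';
    }
    if (preg_match(BANNED_CHARS, $name) === 1) {
        return 'banned character';
    }
    // Lower-case before comparing so "MOD" and "mOd" are caught too.
    if (in_array(strtolower($name), BANNED_NAMES, true)) {
        return 'banned name';
    }
    return null;
}

// Validates, then runs the duplicate check and insert with bound parameters,
// so the name is always treated as data and never as part of the SQL text.
function register(PDO $db, string $rawName, string $forum): string
{
    $reason = name_rejection_reason($rawName);
    if ($reason !== null) {
        return "rejected: $reason";
    }
    $name = trim($rawName);
    $dup = $db->prepare('SELECT COUNT(*) FROM accounts WHERE username = ?');
    $dup->execute([$name]);
    if ((int) $dup->fetchColumn() > 0) {
        return 'rejected: character exists';
    }
    $ins = $db->prepare('INSERT INTO accounts (username, forumname) VALUES (?, ?)');
    $ins->execute([$name, $forum]);
    return 'registered';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE accounts (username TEXT, forumname TEXT)');
// Constructed sample inputs: valid, banned name, banned character, apostrophe, duplicate.
foreach (['Alice', ' MOD ', 'Bob!', "O'Brien", 'Alice'] as $input) {
    printf("%-10s => %s\n", var_export($input, true), register($db, $input, 'forum'));
}
```

In data.php, each rejection would map to its `header('Location: ...')` redirect followed immediately by `exit`, since `header()` alone does not stop the script.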
