Question

I am having an issue with special characters in a web script I have that executes a command to send a username to my game server, to reward them for voting.

<form action="index.php" method="GET"> <input type="submit" value="Submit" /> </form>

It submits to the database with the correct information, special characters and all, but when it is executed on my game server it negates the special characters, and they can abuse this by using the name Testusername/ or Testusername// and receive multiple rewards daily.

I have tried using hidden types but my system cannot work with POST.

Any ideas? I'm helpless.

EDIT:

Any 0-9, _, a-z characters are allowed; special characters are !@#$%^&*()_+[}{} etc. I am using escape strings and I am not worried about SQL injection. I tried multiple ways of sanitizing and they all failed. I am using MySQL, but not for sending the reward; it is there as a log, and to verify users that haven't voted in the last 24 hours and prevent them from doing it again. Putting it plainly: they vote with the username Test and get their reward, then vote with the username Test/ and it says Test voted again in-game, and they receive x2 the rewards.


Solution

A simple preg_replace should do it:

$username = preg_replace('#[^a-z0-9_]#', '', $username);

This strips everything but:

  • Lowercase alpha characters
  • Digits 0 through 9
  • underscore

If uppercase is OK, then add A-Z to the regex, or perhaps strtolower() the input beforehand. Do this before you save the input or send it to the other server.

I'm a little unsure of your exact dilemma with the game server, but ideally you should get a response from the other server to see what username was actually entered before you save it; then you wouldn't have to filter it at all, because you would have the filtered value from the other server.
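The point of the answer above is that the 24-hour check must be keyed on the same name the game server ends up using, not on the raw form input. The following is an added example (not code from the original answer or from the asker's script) that applies the whitelist before anything is logged or sent, rejects names that are empty after filtering, and keys the vote log on the canonical name, so Test, Test/ and TEST// are all one voter. The $log array and the VOTE_WINDOW constant are assumptions standing in for the asker's MySQL vote log and its 24-hour rule.

```php
<?php
// Added example: canonicalize the username the way the game server
// will see it, and deduplicate votes on that canonical form.

// Assumption: the game server keeps only a-z, 0-9 and underscore.
function canonicalUsername(string $raw): ?string
{
    // Lowercase first so that A-Z are kept as a-z instead of being
    // stripped, then drop everything outside the whitelist. A whitelist
    // is used rather than a list of "bad" characters, because a blacklist
    // has to enumerate every character the game server discards.
    $name = preg_replace('#[^a-z0-9_]#', '', strtolower($raw));

    // A name made entirely of stripped characters is not a valid voter.
    return $name === '' ? null : $name;
}

// Assumption: one reward per canonical name per 24 hours.
const VOTE_WINDOW = 24 * 60 * 60;

/**
 * Records the vote and returns true if $raw maps to a canonical name that
 * has not been rewarded within VOTE_WINDOW seconds; returns false otherwise.
 *
 * $log is a constructed stand-in for the MySQL log: canonical name =>
 * Unix timestamp of the last rewarded vote.
 */
function tryRecordVote(string $raw, int $now, array &$log): bool
{
    $name = canonicalUsername($raw);
    if ($name === null) {
        return false; // nothing usable left after filtering
    }

    // The lookup uses the canonical name, so "Test/" cannot slip past a
    // record written for "Test".
    if (isset($log[$name]) && ($now - $log[$name]) < VOTE_WINDOW) {
        return false; // already rewarded inside the window
    }

    $log[$name] = $now;
    // Only $name, never $raw, would be passed on to the game server here.
    return true;
}

// Constructed demonstration input (not real vote data).
$log = [];
$t0 = 1700000000;

$attempts = [
    ['Test',   $t0],                 // first vote
    ['Test/',  $t0 + 60],            // same player, slash appended
    ['TEST//', $t0 + 120],           // same player, case and slashes changed
    ['!!!',    $t0 + 180],           // nothing left after filtering
    ['Test',   $t0 + VOTE_WINDOW],   // window has elapsed
];

foreach ($attempts as [$raw, $when]) {
    $ok = tryRecordVote($raw, $when, $log);
    printf("%-8s at +%6ds -> %s\n", $raw, $when - $t0, $ok ? 'rewarded' : 'refused');
}
```

The same canonicalUsername() call should be applied when the name is written to the MySQL log and when the 24-hour query is run, otherwise the log and the check will disagree about who has already voted.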

Other tips

Something like this should work. Just populate the bad_chars array with all the bad chars...

$bad_chars = array('@', '!', '#'); // set up your chars to filter out
$filtered = $_GET['string_to_be_filtered'];

for ($i = 0; $i < count($bad_chars); $i++) // iterate through them all
{
     $filtered = str_replace($bad_chars[$i], '', $filtered); // replace all, keeping the result
}

As you only want to replace the slash, you could use this.

<?php 
$user = $_GET["user"];
$user = str_replace("/", "", $user);
?>

This is a more efficient version of another post before mine:

<?php 
$user = $_GET["user"];
$special = array('@', '!', '#'); 
$user = str_replace($special, "", $user);
?>

You can use the following to convert special characters:

$formdesc = htmlentities($_POST['formdesc'], ENT_QUOTES, 'UTF-8');

Hope this will be helpful to you.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow