
I have tried everything. I use my own PHP function sanitizeString() to get rid of characters and sanitize input strings to our liking. It has mysqli_real_escape_string, preg_replace, str_replace and htmlspecialchars. I call this function around the $_POST variable

$string = sanitizeString( $_POST["user input that could include legit url's"] );

function sanitizeString ($dirtystring)
{
    // cleaning code: mysqli_real_escape_string, preg_replace, str_replace, htmlspecialchars
    $cleanstring = $dirtystring; // placeholder for the actual cleaning steps
    return $cleanstring;
}

The problem is that I seem to get an inconsistent mod_security on submit when I try to save multiple URLs that are in various variables.

$website_url1 = sanitizeString ( $_POST["website1"] );
$website_url2 = sanitizeString ( $_POST["website2"] );
$website_url3 = sanitizeString ( $_POST["website3"] );

Or when there are too many ' , [ ] > etc. I am using enctype="application/x-www-form-urlencoded" charset=UTF-8

When I put some real dirty info, laced with apostrophes, dashes, greater-than signs, colons, exclamation points, commas, and other things people normally type, I get mixed results. Sometimes the form evaluates and removes characters; sometimes I get a mod_security before evaluation.

Here is sample data that throws modsecurity:

=== beginning data example === Yes! That's even better. I would definitely like to work with you. Let me know when you're ready, and we can talk about next steps.

Thank you, t.

On 22/22/22, 2:22AM, customer x wrote:

Hi - thank you for being great. I am working with several former Company employees, so I know that it is very uncertain there right now. I am really sorry to hear that. I am glad to recommend some good blah blah coaches/resume writers to you. Also, I am just getting ready to launch my own service if you might want to work with me directly. Just let me know your preference and I can point you in the right direction. Take good care! customer

On 22/22/22, 2:22 AM,:

Hi client, There's quite a bit of change going on at my job right now and I want to be prepared for new opportunities that might arise. I'm looking for both a really good resume writer and a career coach to help me get clarity on my next career move. Do you have anyone that you've used and/or highly recommend? http://website1.com ... http://website3.com

=== end of data example ===

I want to parse the information and convert the URLs. It SOMETIMES works, but this simple sample data throws a modsecurity on submit before I can sanitize it.

HonorMan
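A point worth making explicit for anyone hitting the same symptom: ModSecurity inspects the raw request body in the web server before the PHP script ever runs, so nothing inside sanitizeString() can influence whether a rule fires; the "inconsistency" is simply which submitted bodies match the rule set (or, if the rule set scores anomalies, which ones cross the threshold). The defender's fix is to identify the rule ID from the ModSecurity audit log and add a rule exclusion scoped to this form's URI and parameters, not to strip characters in the application. Separately, the application side gets simpler and safer when each value is validated for its own purpose and escaped only for the context it is rendered in. The handler below is an added example, not the asker's code: it assumes a mysqli connection, a hypothetical `contacts` table with the columns shown, and form fields named `message`, `website1`, `website2`, `website3`; the database credentials are placeholders.

```php
<?php
// Added example (not the original poster's code). Assumes a mysqli
// connection and a hypothetical table:
//   contacts(message TEXT, website1 TEXT, website2 TEXT, website3 TEXT)

// Validate one URL field: must parse as an absolute URL, use http or https,
// and stay within a sane length. Returns null when the value is rejected.
function validateUrl(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 2048) {
        return null;
    }
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Free text is stored as the user typed it (apostrophes, dashes, '>' and
// all). A prepared statement carries it safely, so no character stripping is
// needed for the database; only control characters other than tab/LF/CR go.
function normaliseMessage(string $raw): string
{
    $clean = preg_replace('/[^\P{C}\t\r\n]+/u', '', $raw);
    return $clean ?? '';
}

// Validate the form, then insert with bound parameters. Returns
// ['ok' => bool, 'errors' => string[]] so the caller can report problems.
function saveContact(mysqli $db, array $post): array
{
    $message = normaliseMessage($post['message'] ?? '');
    $urls    = [];
    $errors  = [];

    foreach (['website1', 'website2', 'website3'] as $field) {
        $value = (string) ($post[$field] ?? '');
        if ($value === '') {          // optional field left blank
            $urls[$field] = null;
            continue;
        }
        $url = validateUrl($value);
        if ($url === null) {
            $errors[] = "$field is not an absolute http(s) URL";
        }
        $urls[$field] = $url;
    }
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }

    $stmt = $db->prepare(
        'INSERT INTO contacts (message, website1, website2, website3) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $message, $urls['website1'], $urls['website2'], $urls['website3']);
    $ok = $stmt->execute();
    $stmt->close();
    return ['ok' => $ok, 'errors' => []];
}

// Escape for HTML at output time only, in the context the value lands in.
// Storing already-escaped text would corrupt it for every other consumer.
function renderLink(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $safe . '" rel="noopener noreferrer">' . $safe . '</a>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new mysqli('localhost', 'app_user', 'app_password', 'appdb'); // placeholder credentials
    $db->set_charset('utf8mb4');
    $result = saveContact($db, $_POST);
    header('Content-Type: text/plain; charset=UTF-8');
    echo $result['ok'] ? "saved\n" : implode("\n", $result['errors']) . "\n";
}
```

With this split, a WAF alert on this endpoint is a question for the ModSecurity configuration (which rule, which parameter, whether an exclusion for `message` on this URI is justified), while the PHP side no longer needs to guess which characters are "dirty": URLs are accepted or rejected as URLs, text is stored verbatim through a bound parameter, and HTML escaping happens once, where the value is rendered.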
  • What's the problem you are trying to fix? Do you have details of the ModSecurity rule that is firing? – Barry Pollard Sep 27 '15 at 12:42
  • I fixed through escaping multiple strings using the .replace in Javascript. My problem was I was trying to escape in php which runs on the server. I needed to escape the string in JS then pass it to php. – HonorMan Dec 12 '15 at 03:05

0 Answers