[eluser]skunkbad[/eluser]
I'm new to CI, so I'm certainly no expert, but on my website I use both javascript and php to search for the presence of > or < characters in all form fields, and either disable the submit button (javascript) or send the user back to the form with an error message (php). Other sub-strings are searched for to determine whether someone is trying to insert a link. The javascript is quite simple, and you might go to my site and view the javascript for an example. I use a callback function during regular CI form validation to look for the special symbols or words I want to ban.
Code:
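public function _validateEmail($email) {
    # Form-validation callback: accept $email only when it is syntactically
    # plausible AND its domain has an MX record (or, failing that, an A record).
    # Returns the unchanged address on success; on rejection sets the
    # validation message and returns FALSE. Every failure path (bad syntax,
    # no DNS data, lookup not possible) is treated as a rejection, i.e. the
    # check fails closed.
    $emailClean = false;

    # The D modifier pins "$" to the very end of the string. Without it PCRE
    # also matches before a trailing newline, so "user@example.com\n" would
    # pass and be returned to the caller with the newline still attached.
    $syntax = '/^([a-zA-Z0-9\._\+-]+)\@((\[?)[a-zA-Z0-9\-\.]+\.([a-zA-Z]{2,7}|[0-9]{1,3})(\]?))$/D';

    # preg_match() returns FALSE on a PCRE error; only an explicit 1 is a match.
    if (is_string($email) && preg_match($syntax, $email, $matches) === 1) {
        $domain = $matches[2];

        # Without getmxrr() there is no way to verify the domain; the original
        # note says this branch only shows up on a localhost (wampserver) build,
        # and the address is rejected rather than accepted unchecked.
        if (function_exists('getmxrr')) {
            $mailers = array();
            $mxhosts = array();
            $mxweight = array();

            if (getmxrr($domain, $mxhosts, $mxweight)) {
                # Pair each MX host with its preference value and order by it,
                # lowest (most preferred) first. Only the count is used below.
                $mxs = array();
                foreach ($mxhosts as $i => $host) {
                    $mxs[$host] = $mxweight[$i];
                }
                asort($mxs);
                $mailers = array_keys($mxs);
            } elseif (checkdnsrr($domain, 'A')) {
                # No MX record: fall back to the domain's own A record.
                # checkdnsrr() guards this, since gethostbyname() would otherwise
                # hand back the unresolved name instead of an address.
                $mailers = array(gethostbyname($domain));
            }

            $emailClean = count($mailers) > 0;
        }
    }

    if (!$emailClean) {
        $this->form_validation->set_message('_validateEmail', 'Supplied %s was rejected, and has been deleted.');
        return FALSE;
    }

    return $email;
}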
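public function _cleanField($string) {
    # Form-validation callback: reject a field that contains a banned word or
    # link fragment, or any character outside the plain-ASCII set the site
    # expects. Returns the unchanged value on success; on rejection sets the
    # validation message and returns FALSE.
    #
    # This is a spam/link filter, not output sanitisation: quotes and most
    # ASCII punctuation are still accepted, so values that pass must still be
    # escaped for the context they are rendered in.
    $badWord = array(
        'cytoreticulum',
        'viagra',
        'ringtones',
        'http:',
        'href=',
        '[url]'
    );

    $stringClean = true;

    foreach ($badWord as $unwanted) {
        # Case-insensitive: the character check below already ignores case,
        # so "HTTP:" or "Viagra" must not slip past where "http:" is caught.
        if (stripos($string, $unwanted) !== false) {
            $stringClean = false;
            break;
        }
    }

    if ($stringClean) {
        # Reject anything outside: whitespace, A-Z/a-z, 0-9 and the listed ASCII
        # punctuation. The pattern has no "u" modifier on purpose: it works on
        # bytes, so every byte of a multi-byte (non-ASCII) character falls
        # outside the allowed set and rejects the field.
        #
        # preg_match() returns 0 for "nothing disallowed found" and FALSE on a
        # PCRE error. Only an explicit 0 counts as clean, so an engine failure
        # rejects the value instead of letting it through (fail closed).
        $hit = preg_match('/[^-\s A-Z0-9~!@#$%^&*()_+=;:\'",.?|}{[\]\/\\\\]/i', $string);
        $stringClean = ($hit === 0);
    }

    if (!$stringClean) {
        $this->form_validation->set_message('_cleanField', 'The %s field contains links, words, foreign characters, or other data that was rejected, and has been deleted.');
        return FALSE;
    }

    return $string;
}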