View Full Version : Securing php forum

11-07-2006, 12:24 AM
I'm setting up a comments system on a site, with the comments stored in a mysql database. To prevent sql-injection, I run mysql_real_escape_string() on ingoing data. This should be enough to protect the database (tell me if otherwise), but I'd like to prevent people from posting Javascript and other malicious html. Basically, I'd like the comments to be bbcode and text only, using this bbcode parser:

How can I strip the remaining html, javascript, and whatnot from the posts? If somebody has already invented this wheel, then I'd rather not risk a security breach by trying to reinvent it myself.

Dotan Cohen

11-07-2006, 02:05 AM
To strip the languages you can use code similar to this:

$string = str_replace("<","&lt;",$string);
$string = str_replace(">","&gt;",$string);

This will replace "<", and ">" so they dont get interpreted as code.

That won't stop everything though, they can encode it and do a number of other things. I would google "xss", you'll find good info there.

11-08-2006, 02:21 AM
Thanks. I was worried specifically about this.

11-08-2006, 02:29 AM
htmlentities() (www.php.net/htmlentities) would also do this for you.

11-08-2006, 09:36 AM
strip_tags() works as well..though it will swallow all the tags