
Securing php forum



dotancohen
11-07-2006, 12:24 AM
I'm setting up a comments system on a site, with the comments stored in a mysql database. To prevent sql-injection, I run mysql_real_escape_string() on ingoing data. This should be enough to protect the database (tell me if otherwise), but I'd like to prevent people from posting Javascript and other malicious html. Basically, I'd like the comments to be bbcode and text only, using this bbcode parser:
http://il.php.net/manual/en/function.preg-replace.php#69398

How can I strip the remaining html, javascript, and whatnot from the posts? If somebody has already invented this wheel, then I'd rather not risk a security breach by trying to reinvent it myself.

Dotan Cohen
http://what-is-what.com

bubbles19518
11-07-2006, 02:05 AM
To strip the languages you can use code similar to this:



<?php
// $string holds the submitted comment text.
// Replace the angle brackets with entities so the browser shows them as
// text instead of interpreting them as tags.
$string = str_replace("<", "&lt;", $string);
$string = str_replace(">", "&gt;", $string);
?>

This will replace "<" and ">" so they don't get interpreted as code.

That won't stop everything though, they can encode it and do a number of other things. I would google "xss", you'll find good info there.

dotancohen
11-08-2006, 02:21 AM
Thanks. I was worried specifically about this.

firepages
11-08-2006, 02:29 AM
htmlentities() (www.php.net/htmlentities) would also do this for you.

kehers
11-08-2006, 09:36 AM
strip_tags() works as well, though it will swallow all the tags.
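Putting the thread's advice together (escape first, then re-enable only a bbcode whitelist), here is an added example that is not code from any poster or from the linked bbcode parser; the function name render_comment and the tag set are my own choices, and the arrow function assumes PHP 7.4 or later.

```php
<?php
// Escape everything, then re-introduce only the markup we choose from bbcode.
// Because the text is entity-escaped before any bbcode rule runs, nothing a
// user typed can become an HTML tag; only our replacements produce HTML.
function render_comment(string $raw): string {
    // 1. Neutralise all HTML. ENT_QUOTES also escapes ' and " so the
    //    result is safe inside attribute values as well as element text.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Simple bbcode tags that carry no attributes.
    $rules = [
        '#\[b\](.*?)\[/b\]#is'       => '<strong>$1</strong>',
        '#\[i\](.*?)\[/i\]#is'       => '<em>$1</em>',
        '#\[code\](.*?)\[/code\]#is' => '<code>$1</code>',
    ];
    $safe = preg_replace(array_keys($rules), array_values($rules), $safe);

    // 3. [url] needs care: only http(s) targets are accepted, so a
    //    javascript: link is left as plain text. The captured URL is
    //    already entity-escaped, so quotes cannot close the href attribute.
    $safe = preg_replace_callback(
        '#\[url=(https?://[^\s\]]+)\](.*?)\[/url\]#is',
        fn(array $m) => '<a href="' . $m[1] . '" rel="nofollow noopener">'
                        . $m[2] . '</a>',
        $safe
    );

    // 4. Preserve the poster's line breaks without allowing <br> in input.
    return nl2br($safe);
}

// Constructed sample: a hostile comment mixing bbcode, a script tag and a
// javascript: link. The script tag and the bad link come out as inert text;
// only the [b] and the https [url] become markup.
$sample = "[b]Hi[/b] <script>alert(1)</script> "
        . "[url=javascript:alert(1)]click[/url]\n"
        . "[url=https://example.com/?a=1&b=2]ok[/url]";
echo render_comment($sample), PHP_EOL;
```

Note that the [url] rule is the part worth reviewing most closely in any bbcode parser you adopt, since that is where an attribute value reaches the page.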



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum