  • #1
    New Coder
    Join Date
    Aug 2005
    Posts
    16
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Securing php forum

    I'm setting up a comments system on a site, with the comments stored in a mysql database. To prevent sql-injection, I run mysql_real_escape_string() on ingoing data. This should be enough to protect the database (tell me if otherwise), but I'd like to prevent people from posting Javascript and other malicious html. Basically, I'd like the comments to be bbcode and text only, using this bbcode parser:
    http://il.php.net/manual/en/function...lace.php#69398

    How can I strip the remaining html, javascript, and whatnot from the posts? If somebody has already invented this wheel, then I'd rather not risk a security breach by trying to reinvent it myself.

    Dotan Cohen
    http://what-is-what.com

  • #2
    Regular Coder
    Join Date
    Sep 2006
    Location
    Colorado
    Posts
    132
    Thanks
    7
    Thanked 1 Time in 1 Post
    To strip the languages you can use code similar to this:

    PHP Code:
    <?php
    // Escape the two characters that open and close an HTML tag so the
    // browser shows them literally instead of parsing them as markup.
    $string = str_replace("<", "&lt;", $string);
    $string = str_replace(">", "&gt;", $string);
    ?>
    This will replace "<" and ">" so they don't get interpreted as code.

    That won't stop everything though, they can encode it and do a number of other things. I would google "xss", you'll find good info there.
    -bubbles

  • #3
    New Coder
    Join Date
    Aug 2005
    Posts
    16
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Thanks. I was worried specifically about this.

  • #4
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,051
    Thanks
    10
    Thanked 94 Times in 92 Posts
    htmlentities() would also do this for you.
    Last edited by firepages; 11-08-2006 at 01:33 AM.
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #5
    Regular Coder
    Join Date
    Mar 2006
    Location
    Nigeria
    Posts
    192
    Thanks
    0
    Thanked 0 Times in 0 Posts
    strip_tags() works as well, though it will swallow all the tags.
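    The three approaches from posts #2, #4 and #5 side by side, followed by the bbcode-only rendering the original question asked for. This is an added example, not code from anyone in the thread; the function names, the `comments` table, and the sample comment string are assumptions made for the demo. The bbcode whitelist here is a small hand-written one rather than the php.net parser linked in post #1.

```php
<?php
// Added example (not from the thread): neutralise HTML in a comment, then let
// only a whitelist of BBCode tags ([b], [i], [url]) turn into markup.
declare(strict_types=1);

// 1. The str_replace approach from post #2: only "<" and ">" are touched.
//    Quotes and "&" pass through unchanged, which is why it is not enough on
//    its own once a comment is ever echoed inside an attribute value.
function escape_angle_brackets(string $s): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $s);
}

// 2. htmlentities()/htmlspecialchars() as suggested in post #4: also escapes
//    quotes and ampersands, so the result is safe in text and attribute context.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 3. strip_tags() as in post #5: removes the tags entirely instead of
//    displaying them, so "<b>x</b>" becomes just "x".
function remove_tags(string $s): string
{
    return strip_tags($s);
}

// Render a comment: escape everything first, then convert a small whitelist of
// BBCode patterns. Because escaping happens before this step, nothing the user
// typed can become a tag; only the patterns below produce HTML.
function render_bbcode(string $comment): string
{
    $safe = escape_html($comment);

    // Bold / italic: no attributes, so a direct swap is fine.
    $safe = preg_replace('~\[b\](.*?)\[/b\]~s', '<b>$1</b>', $safe);
    $safe = preg_replace('~\[i\](.*?)\[/i\]~s', '<i>$1</i>', $safe);

    // Links: only http(s) URLs are accepted; anything else stays plain text.
    // $m[1] is already HTML-escaped (quotes are &quot;, "&" is &amp;), so it
    // cannot close the href attribute it is placed in.
    $safe = preg_replace_callback(
        '~\[url\](https?://[^\s\[\]]+)\[/url\]~i',
        fn(array $m): string => '<a href="' . $m[1] . '" rel="nofollow">' . $m[1] . '</a>',
        $safe
    );

    return $safe;
}

// Storage: keep the raw comment and use a prepared statement instead of
// mysql_real_escape_string() (the mysql_* functions were removed in PHP 7).
// HTML escaping belongs at output time, as in render_bbcode() above.
// The "comments" table and its columns are assumed for this example.
function store_comment(mysqli $db, int $postId, string $comment): bool
{
    $stmt = $db->prepare('INSERT INTO comments (post_id, body) VALUES (?, ?)');
    $stmt->bind_param('is', $postId, $comment);
    return $stmt->execute();
}

// Constructed sample input for the demo: mixes bbcode, a raw HTML tag,
// quotes and a URL containing "&".
$sample = 'Hello [b]world[/b] <b>not bold</b> "quoted" '
        . '[url]http://example.com/?a=1&b=2[/url]';

echo "angle brackets only: ", escape_angle_brackets($sample), PHP_EOL;
echo "htmlspecialchars:    ", escape_html($sample), PHP_EOL;
echo "strip_tags:          ", remove_tags($sample), PHP_EOL;
echo "bbcode rendered:     ", render_bbcode($sample), PHP_EOL;
```

    Running this shows the practical difference between the three replies: the first line still contains the raw double quotes, the second shows every HTML character literally, and the third has silently dropped the `<b>` tag the user typed. The last line is the only one that produces markup, and only from the whitelisted bbcode.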

