  1. #1
    New Coder
    Join Date
    Oct 2006
    Posts
    23
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Network site, safely block bad code.

    without blocking everything, i need a better find and replace system than this, what would be the best, and what all do i need to block out.. what all does myspace block? and how do they do it?


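    PHP Code:
    //about
    // Only run the word filter when the text has no [code] marker
    if (!strstr($about, "[code]")) {
        // file.php defines $word: pattern => replacement pairs
        include($phpbb_root_path . 'includes/file.' . $phpEx);
        foreach ($word as $key => $file) {
            $about = eregi_replace((sql_regcase("$key")), "$file", $about);
        }
    }
    // Strip the [code] marker itself
    $about = str_replace("[code]", "", $about);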



    that is what i do right now, and it pulls from "file.php" and replaces things.

    but is there a better way?
    and again, what all should be blocked. <javascript> has sooo many ways to get around. but myspace has it down pat for the most part, so what all do they block?

  • #2
    Senior Coder rafiki's Avatar
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,042
    Thanks
    19
    Thanked 42 Times in 42 Posts
    you tried

    PHP Code:
    $code = $_POST['code'];
    $str = "<";
    $str1 = ">";
    // str_replace() returns the new string, so assign the result back
    $code = str_replace($str, "&lt;", $code);
    $code = str_replace($str1, "&gt;", $code);
    i think this is right, although not that familiar with using str_replace

  • #3
    New Coder
    Join Date
    Oct 2006
    Posts
    23
    Thanks
    0
    Thanked 0 Times in 0 Posts

    lol

    yea that would block all html out of my site
    and that would piss users off, and they would just go back to myspace.

    but all i want to do is block malicious code. and i got most of it down.

    but how would i go about blocking invalid img tags, see myspace does it somehow.

    <img src="image.jpg"> <img src="image.png"> <img src="image.bmp"> etc. etc. all work, but if you attempt to enter one without a valid file extension it turns into ..

    <img turns into ..

    <img src turns into ..

    and so on, no matter how you type it, if it is not valid it won't allow it.
    so how do they do that?

  • #4
    Senior Coder rafiki's Avatar
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,042
    Thanks
    19
    Thanked 42 Times in 42 Posts
    what code you trying to change/block?
    PHP Code:

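    // $str holds the submitted text; str_replace() has no wildcards, so the "*" is written as a regex
    $pattern = '/<img src="[^"]*\.PNG">/i';
    $str = preg_replace($pattern, 'WARNING PNG Files Not Allowed', $str);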
    something like this?

  • #5
    New Coder
    Join Date
    Oct 2006
    Posts
    23
    Thanks
    0
    Thanked 0 Times in 0 Posts

    hmmm

    no, i think that would block the image png right?
    i don't want to block images, here is an overview of what myspace does when you try to use the image tag.

    Code:
    <img src="blah.jpg"> Image would work
    
    <img src="blah.png"> Image would work
    
    <img src="blah.bmp"> Image would work
    
    <img src="blah.gif"> Image would work
    
    <img src="blah.tif"> Image would work
    
    <img would be filtered
    
    <img src would be filtered
    
    <img src="blah.fake"> would be filtered
    
    <img src="blah"> would be filtered
    
    <IMG SRC="javascript:alert('XSS');"> would be filtered

    i wanna do the same thing, it only allows img tags to bypass the filter if they have a valid file extension

  • #6
    Senior Coder rafiki's Avatar
    Join Date
    Aug 2006
    Location
    Floating around somewhere...
    Posts
    2,042
    Thanks
    19
    Thanked 42 Times in 42 Posts
    so you would want to create a script like

    PHP Code:
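    // get the filetype of the image; $src is assumed to hold the img tag's src value
    $filetype = pathinfo($src, PATHINFO_EXTENSION);
    $array = array('PNG', 'png', 'JPG', 'jpg', 'BMP', 'bmp'); // add other extensions here
    if (!in_array($filetype, $array, true))
    {
        echo "file type not supported!";
    }
    else
    {
        // your code here if image allowed
    }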
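
An added example, not part of any post in this thread: one way to get the behaviour listed in post #5 in PHP, keeping an `<img>` tag only when it is exactly `<img src="...">` with an allow-listed src and turning every other `<img` fragment into `..`. The names `is_allowed_img_src` and `filter_img_tags` are hypothetical, and it covers `<img>` only; other tags need their own allow-list.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Image extensions accepted in src (the list from post #5 plus jpeg; adjust as needed).
const IMG_EXT = 'jpe?g|png|gif|bmp|tif';

// Strict src allow-list: optional http(s)://host[:port]/, then a path made only of
// letters, digits, "_", "-", "." and "/", ending in an allowed extension.
// Anything else (other schemes, whitespace, quotes, query strings) does not match.
function is_allowed_img_src(string $src): bool
{
    $re = '~\A(?:https?://[a-z0-9.-]+(?::\d+)?/)?[a-z0-9_./-]+\.(?:' . IMG_EXT . ')\z~i';
    return preg_match($re, $src) === 1;
}

// Keeps an <img> tag only if it is exactly <img src="..."> with an allowed src;
// every other "<img" fragment (unterminated, extra attributes, bad src) becomes "..".
function filter_img_tags(string $html): string
{
    $out = preg_replace_callback(
        '~<img\b[^>]*>?~i',
        function (array $m): string {
            if (preg_match('~\A<img\s+src="([^"]*)"\s*/?>\z~i', $m[0], $tag)
                && is_allowed_img_src($tag[1])) {
                // Rebuild the tag from the validated value instead of echoing user input.
                return '<img src="' . htmlspecialchars($tag[1], ENT_QUOTES, 'UTF-8') . '">';
            }
            return '..';
        },
        $html
    );
    return $out ?? ''; // fail closed if the regex engine reports an error
}

// Constructed sample input, taken from the cases listed in post #5.
$samples = [
    '<img src="blah.jpg">',
    '<img src="blah.fake">',
    '<img src="blah">',
    '<img src',
    '<IMG SRC="javascript:alert(\'XSS\');">',
];
foreach ($samples as $s) {
    printf("%-40s => %s\n", $s, filter_img_tags($s));
}
```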


