#1 (New to the CF scene)

    Online community

    Hello,

    I'm making an online community and I'm right now securing it.
    I'm using PHP and MySQL.
    When inserting data in the database I use mysql_real_escape_string for security reasons.
    My question is the following.

    I would like to give the members the possibility to embed a media player in their profile. But by giving them this option, how do I secure it?

    When I use mysql_real_escape_string the player won't play when their profile is visited because it gets the slashes in front of the ".
    I could use stripslashes when their profile is visited, but will this be safe?

    Thanks a million for your help

#2 (New Coder)
    Hello there!

    I recently had slashes issues with MySQL and solved it with stripslashes, but you could be more specific by using str_replace to replace \" with " using a regular expression. I see no reason why this should not be safe, since it basically does what mysql_real_escape_string does, which is removing a special character!

    My two cents

    GCharb

#3 (New to the CF scene)
    So it's dangerous to have code injected in the database...
    But when this piece of input is displayed on the webpage, isn't it dangerous if I strip the slashes?

#4 (GSimpson, Regular Coder, New Zealand)
    Sorry, I can't answer your question; however, you could use YouTube... there's a code on every page with the video, so maybe that's a solution.

#5 (cheat, New Coder, England, Britain)
    OK, here's a tip. I won't post the code, but here's what I do on one of my games' profiles.

    The members are able to create their very own profiles using the PHPBB.
    Now that's very simple to set up, and many will tell you it is not secure, but here's what you can do.

    Bear in mind that this is just an example.

    So if I tried to enter [ img ] Hello! [ /img ] as an image, it would show the following errors one by one until I changed it to be compatible:

    "Invalid characters in the image with url: hello! "

    *I remove the ! and the

    "http:// is needed in the image with url: hello"

    *I add the http://

    "Please include a format in the image with url: http://hello "

    *I include an image format (.jpg|.jpeg|.gif|.tiff|.tif are allowed)

    Then I'd end up with http://hello.jpg with everything correct!

    Get it? Good.

#6 (Senior Coder)

    > When inserting data in the database i use mysql_real_escape_string for security reasons..
    Or you could use prepared statements.

    The reason the HTML comes up with slashes in them is because mysql_real_escape_string() is making it safer by ensuring the quotes are not considered real.

    If you used addslashes() and prepared statements you wouldn't have to worry about the problem as the slashes are lost when the query is used. So your database contains the actual HTML. And when you echo it, it would work.

    Securing this is a lot harder however, unless you literally "read" the HTML and check that it only contains certain tags.

    The YouTube idea might be a better solution. Although I don't know how it works.
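    The following is an added example and not code posted by anyone in this thread. It puts together what posts #5 and #6 describe: a PDO prepared statement so the database stores the member's text verbatim (no escaping, no stripslashes on the way out), a step-by-step image URL check modelled on post #5's error messages, and an output step that only ever renders a fixed template for an allowed YouTube video id or a validated image URL, never the member's raw HTML. The table name profile_media, the in-memory SQLite database (pdo_sqlite) and the 11-character YouTube id format are assumptions made for the demo.

```php
<?php
// Added example, not code from the thread. Assumes a table
// profile_media(member_id, embed) and the pdo_sqlite extension for the demo.
declare(strict_types=1);

// A prepared statement sends the value separately from the SQL text, so the
// driver keeps quotes from being read as SQL and the row holds exactly what
// the member typed; nothing needs addslashes() or stripslashes().
function saveEmbed(PDO $db, int $memberId, string $embed): void
{
    $stmt = $db->prepare(
        'REPLACE INTO profile_media (member_id, embed) VALUES (:id, :embed)'
    );
    $stmt->execute([':id' => $memberId, ':embed' => $embed]);
}

function loadEmbed(PDO $db, int $memberId): ?string
{
    $stmt = $db->prepare('SELECT embed FROM profile_media WHERE member_id = :id');
    $stmt->execute([':id' => $memberId]);
    $value = $stmt->fetchColumn();
    return $value === false ? null : (string) $value;
}

// Checks in the order post #5 reports them: stray characters, missing
// http://, missing image format. Returns the first problem, or null if OK.
function validateImageUrl(string $url): ?string
{
    if (preg_match('/[^A-Za-z0-9:\/._\-]/', $url)) {
        return 'Invalid characters in the image url';
    }
    if (!preg_match('#^https?://#i', $url)) {
        return 'http:// is needed in the image url';
    }
    if (!preg_match('/\.(jpe?g|gif|tiff?)$/i', $url)) {
        return 'Please include a format in the image url (.jpg .jpeg .gif .tiff .tif)';
    }
    return null;
}

// Output side: never echo the stored string as HTML. Accept only a YouTube
// video id (assumed: 11 chars of [A-Za-z0-9_-]) or a validated image URL,
// build the markup from a fixed template, and encode the attribute value.
function renderEmbed(string $stored): string
{
    if (preg_match('/^[A-Za-z0-9_-]{11}$/', $stored)) {
        $src = 'https://www.youtube.com/embed/' . $stored;
        return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
            . '" width="560" height="315" allowfullscreen></iframe>';
    }
    if (validateImageUrl($stored) === null) {
        return '<img src="' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '" alt="">';
    }
    return ''; // anything else is dropped rather than rendered
}

// Demo with constructed input.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE profile_media (member_id INTEGER PRIMARY KEY, embed TEXT)');

$hostile = '"><script>alert(1)</script>';   // constructed sample input
saveEmbed($db, 1, $hostile);
var_dump(loadEmbed($db, 1) === $hostile);    // true: stored verbatim, no slashes added
var_dump(renderEmbed($hostile));             // string(0) "": rejected at output time

saveEmbed($db, 2, 'abcDEF12345');            // constructed sample video id
echo renderEmbed(loadEmbed($db, 2)), "\n";   // fixed iframe template only

echo validateImageUrl('hello!'), "\n";                 // invalid characters
echo validateImageUrl('hello'), "\n";                  // http:// is needed
echo validateImageUrl('http://hello'), "\n";           // format missing
echo validateImageUrl('http://hello.jpg') ?? 'ok', "\n"; // ok
```

    The point of separating the two halves is that the SQL layer and the HTML layer have different rules: the prepared statement handles quotes for the query, and the allowlist plus htmlspecialchars() handles what reaches the browser, so the slashes the original poster saw never come into it.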
