#1 Regular Coder

    The safest way to block harmful code in strings.

Hi all. I'm making a profile code. My code is very much vulnerable for someone to enter harmful code into the textarea, which is then inserted in a MySQL database. Most of the code I want to block is all PHP and most JavaScript, and anything else harmful. There's still a lot of coding languages out there and I don't know all the hacks that can be done with those. Can someone come up with the best code to block most harmful code using htmlspecialchars(), strip_tags(), and htmlentities()?

#2 kbluhm (Senior Coder), Philadelphia, PA, USA
    That depends. What will the input be? A zip code? A name? Phone number? Email address? Telephone number? Date? Time? Letter? Number? Paragraph?

    Read this full topic, not just the first two or three quick and dirty solutions... it may help:
    mysql_real_escape_string quick question
    Last edited by kbluhm; 01-16-2008 at 03:33 AM.

#3 Regular Coder
    ????

    A profile code. Just simple coding and stuff about the user.

#4 Fou-Lu (God Emperor), Saskatoon, Saskatchewan
    He means each field. You need to ensure error checking is present on ANY input given by the user (I didn't read the link at all, but I can guess).
    Safest way?
    1. Control your own addslashes / escaping. Disable magic_quotes_gpc runtime
    2. Datatype checks. Want a number? Typecast the given input into an (int) and check to see if the new value is == the original (not === as that will check datatypes as well).
    3. Regexp. Hands down an excellent error checking tool. Downside: slow. Still worth the time, and nowadays it's completely negligible.
    4. Remove ability for ANY code. JavaScript, PHP, ASP, HTML, anything that is parsable. If you're lazy (like me) just change the values into their HTML entities to remove the parsing capabilities.
    If you want to use markup, code your own markup that you will allow.

    And I cannot stress this enough: database insertion escaping. Never, NEVER put unclean values into a database. You will love it when a user injects your data and dumps your entire site.
    Hope that helps!
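The four steps above, worked through for a small profile form as an added example (this is not code from the thread or from any poster): per-field type checks, a regex whitelist, entity encoding at output time, and a prepared statement for the insert. The field names, the `profiles` table and the in-memory SQLite connection are assumptions for illustration.

```php
<?php
// Added example: validate each profile field by its type, store it with a
// prepared statement, and neutralise markup only when rendering.
declare(strict_types=1);

// Step 2 from the post (stricter form): cast to int, then compare the cast
// value back against the trimmed original so "12abc" or "1e3" are rejected.
function validAge(string $raw): ?int {
    $n = (int) $raw;
    return ((string) $n === trim($raw) && $n >= 0 && $n <= 150) ? $n : null;
}

// Step 3: a regex whitelist for identifiers such as a username.
function validUsername(string $raw): ?string {
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $raw) === 1 ? $raw : null;
}

// Step 4: free text is stored as typed and entity-encoded on output, so
// <, >, &, quotes can never be parsed as HTML or script in the page.
function renderBio(string $bio): string {
    return htmlspecialchars($bio, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Database insertion: bound parameters replace hand-rolled escaping, so the
// value can never change the meaning of the SQL statement.
function saveProfile(PDO $db, string $user, int $age, string $bio): void {
    $stmt = $db->prepare(
        'INSERT INTO profiles (username, age, bio) VALUES (:user, :age, :bio)'
    );
    $stmt->bindValue(':user', $user, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->bindValue(':bio', $bio, PDO::PARAM_STR);
    $stmt->execute();
}

// Constructed sample input standing in for $_POST.
$input = ['username' => 'bob_42', 'age' => '27', 'bio' => '<b>Hi</b> & "friends"'];

$user = validUsername($input['username']);
$age  = validAge($input['age']);
if ($user === null || $age === null) {
    http_response_code(400);
    exit('Invalid profile data');
}

$db = new PDO('sqlite::memory:'); // assumption: any PDO driver behaves the same here
$db->exec('CREATE TABLE profiles (username TEXT, age INTEGER, bio TEXT)');
saveProfile($db, $user, $age, $input['bio']);
echo renderBio($input['bio']), PHP_EOL;
```

The bio is kept verbatim in the database and encoded at render time, so the same stored value can later be shown safely in HTML, JSON or plain text without double-encoding.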