Hey everyone, well I want my users to be able to embed something on their profile. But I heard that someone can do a MySQL injection if they embed the right thing. How would I prevent that? I want my users to be able to embed this music player, in sort of a form. Then, after they submit it, that form displays the player. But, apparently, users can put PHP code in it and ruin the site. Any ideas on how to prevent it?
No, I want the user to be able to embed their own music player, with their own music. There is a website that I am going to iframe, then they fill all the things out, with their favorite music, they take the embed code, paste it into there, and there it is. Only thing is, I think people can hack my website from that, by putting in their own code.
No, I provide the music player, they fill out a form with their favorite music, their music player skin, etc. Then it spits out an embed code, and they embed that.
They embed that code that it spits out into this other form on the edit profile options. They put the embed code into the form, and boom, it's on their profile. The only problem is, I don't want them to put stuff like PHP code or MySQL strings that can hack my website into this embed form.
OK, so picture this. There is an edit profile page, with an iframe to a custom music player website, and above that is this form. They use the iframe, like they are on the website, fill out all the information, like the songs they wanna put on their playlist, etc. Well, after they fill out that form, it gives them an embed code that they can paste into the form they have above the iframe.
I apologize that I just don't understand your project.
Maybe someone else might be able to figure this out.
I really hate to give you any wrong answers or misleading information.
I would never let anyone upload a script, or Flash Player into my website.
If that's what is going to happen, then I guess I would say "don't do it".
OK, let me explain this simpler. Like, would you allow someone to embed a video onto your users' profile? That's basically what I'm doing, but it's not a video, it's a widget. Basically a profile widget.
You need to provide the widget they are inserting into their profile page.
You can't let them upload scripts to your site. Not even a Flash script.
You create a widget that plays MP3 music files (a playlist).
That widget might be a Flash player, or whatever you use.
They insert THAT widget ... from your site.
When they edit their profile, they should not see any scripting for that widget.
You can't let them edit any PHP scripting, or have any visible scripting.
They then can upload MP3 files to a directory ... which becomes the playlist.
Why can't they use YOUR music player?
It's your website.
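An added example, not part of the thread and not either poster's code: one way to follow the "they insert your widget" advice is to store only validated player settings and have the site write the embed markup itself, so pasted code is never echoed, executed or concatenated into SQL. The skin names, player URL, `profile_player` table and the in-memory SQLite database standing in for MySQL are all assumptions made for illustration.

```php
<?php
// Hypothetical values: skin names, player URL and table layout are assumptions.
const ALLOWED_SKINS = ['classic', 'dark', 'mini'];
const PLAYER_URL = 'https://player.example.com/widget';
const MAX_TRACKS = 20;

// Accept only a known skin name and a bounded list of numeric track IDs.
function validate_player_settings(array $input): ?array
{
    $skin = $input['skin'] ?? '';
    $tracks = $input['tracks'] ?? [];
    if (!in_array($skin, ALLOWED_SKINS, true)
        || !is_array($tracks) || $tracks === [] || count($tracks) > MAX_TRACKS) {
        return null;
    }
    $ids = [];
    foreach ($tracks as $t) {
        if (!is_string($t) || !ctype_digit($t) || strlen($t) > 9) {
            return null;
        }
        $ids[] = (int) $t;
    }
    return ['skin' => $skin, 'tracks' => $ids];
}

// Bound parameters keep submitted values out of the SQL text.
function save_player_settings(PDO $pdo, int $userId, array $s): void
{
    $stmt = $pdo->prepare('REPLACE INTO profile_player (user_id, skin, tracks) VALUES (?, ?, ?)');
    $stmt->execute([$userId, $s['skin'], implode(',', $s['tracks'])]);
}

// The site writes the markup; stored values only fill URL parameters.
function render_player(array $s): string
{
    $src = PLAYER_URL . '?' . http_build_query(['skin' => $s['skin'], 'tracks' => implode(',', $s['tracks'])]);
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '" width="300" height="80"></iframe>';
}

// Constructed sample submissions: one valid, two carrying pasted code instead of settings.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE profile_player (user_id INTEGER PRIMARY KEY, skin TEXT, tracks TEXT)');
$samples = [
    ['skin' => 'dark', 'tracks' => ['101', '102']],
    ['skin' => '<embed src="evil.swf">', 'tracks' => ['1']],
    ['skin' => 'mini', 'tracks' => ['7 OR 1=1']],
];
foreach ($samples as $input) {
    $s = validate_player_settings($input);
    if ($s === null) { echo "rejected\n"; continue; }
    save_player_settings($pdo, 42, $s);
    echo render_player($s), "\n";
}
```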