Online community

05-28-2007, 08:48 PM

I'm making an online community and I'm right now securing it.
I'm using PHP and MySQL.
When inserting data in the database I use mysql_real_escape_string for security reasons.
My question is the following:

I would like to give the members the possibility to embed a media player in their profile. But by giving them this option, how do I secure it?

When I use mysql_real_escape_string the player won't play when their profile is visited, because it gets the slashes in front of the ".
I could use stripslashes when their profile is visited, but will this be safe?

Thanks a million for your help:thumbsup: :)

05-28-2007, 10:41 PM
Hello there!

I recently had slash issues with MySQL and solved them with stripslashes, but you could be more specific by using str_replace to replace \" with " using a regular expression. I see no reason why this should not be safe, since it basically does what mysql_real_escape_string does, which is removing a special character!

My two cents


05-29-2007, 02:18 AM
So it's dangerous to have code injected in the database...
But when this piece of input is displayed on the webpage, isn't it dangerous if I strip the slashes?

05-31-2007, 12:11 AM
Sorry, I can't answer your question, however you could use YouTube... there's a code on every page with the video, so maybe that's a solution.

05-31-2007, 01:22 AM
OK, here's a tip. I won't post the code, but here's what I do on one of my games' profiles.

The members are able to create their very own profiles using phpBB.
Now that's very simple to set up and many will tell you it is not secure, but here's what you can do.

Bear in mind that this is just an example.

So if I tried to enter [ img ] Hello! [ /img ] as an image, it would show the following errors one by one until I changed it to be compatible:

"Invalid characters in the image with url: hello! :D "

*I remove the ! and the

"http:// is needed in the image with url: hello"

*I add the http://

"Please include a format in the image with url: http://hello :D"

*I include an image format (.jpg|.jpeg|.gif|.tiff|.tif are allowed)

Then I'd end up with http://hello.jpg with everything correct!

Get it? Good.

05-31-2007, 06:44 PM
When inserting data in the database I use mysql_real_escape_string for security reasons.

Or you could use prepared statements.

The reason the HTML comes up with slashes in them is because mysql_real_escape_string() is making it safer by ensuring the quotes are not considered real.

If you used addslashes() and prepared statements, you wouldn't have to worry about the problem, as the slashes are lost when the query is used. So your database contains the actual HTML, and when you echo it, it would work.

Securing this is a lot harder however, unless you literally "read" the HTML and check that it only contains certain tags.

The YouTube idea might be a better solution. Although I don't know how it works.
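One way to combine the last two suggestions (prepared statements, plus accepting only a video reference instead of member-written HTML), as an added example that is not code from anyone in this thread. It assumes a PDO connection `$pdo`, a hypothetical `profiles(user_id, video_id)` table, and YouTube's `/embed/` URL with its 11-character video ids.

```php
<?php
// Added example, not from the thread. Assumed schema: profiles(user_id INT, video_id VARCHAR(16)).

// 1. Store only the data you actually need (a video id), never the member's raw HTML.
//    A prepared statement keeps the value out of the SQL grammar, so no escaping
//    is needed on the way in and no stripslashes() on the way out.
function saveProfileVideo(PDO $pdo, int $userId, string $input): bool
{
    $videoId = extractYouTubeId($input);
    if ($videoId === null) {
        return false; // reject anything that is not a plain video reference
    }
    $stmt = $pdo->prepare('UPDATE profiles SET video_id = :vid WHERE user_id = :uid');
    return $stmt->execute([':vid' => $videoId, ':uid' => $userId]);
}

// Accept a bare id or a youtube.com / youtu.be watch URL; return the id or null.
// The 11-character id alphabet is an assumption about YouTube's format.
function extractYouTubeId(string $input): ?string
{
    $input = trim($input);
    if (preg_match('/^[A-Za-z0-9_-]{11}$/', $input)) {
        return $input;
    }
    $patterns = [
        '~^https?://(?:www\.)?youtube\.com/watch\?(?:.*&)?v=([A-Za-z0-9_-]{11})~',
        '~^https?://youtu\.be/([A-Za-z0-9_-]{11})~',
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $input, $m)) {
            return $m[1];
        }
    }
    return null;
}

// 2. On the profile page, build the embed markup yourself from the validated id.
//    The member never supplies tags, so there is no HTML to "read" or filter.
function renderProfileVideo(?string $videoId): string
{
    if ($videoId === null || !preg_match('/^[A-Za-z0-9_-]{11}$/', $videoId)) {
        return ''; // nothing stored, or a value that did not pass validation
    }
    $src = 'https://www.youtube.com/embed/' . rawurlencode($videoId);
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8')
         . '" allowfullscreen></iframe>';
}
```

Because the database only ever holds a validated id, the slash problem from the first post disappears and the output page cannot contain script that a member typed.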