comp.lang.php » BB type posting - is this secure?
Re: BB type posting - is this secure? [message #176385 is a reply to message #176383] Thu, 29 December 2011 23:29
Curtis Dyer
Michael Joel <no(at)please(dot)com> wrote:

> I am allowing posts to the page and wanted to see if this is
> secure.
>
> data from sql is placed in an array (say $MyArray):
>
> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));
>
> $MyArray["Post"] = strip_tags($MyArray["Post"], "<BR>");

Alternatively, you might call nl2br() last.

> I notice with this text like <script>alert("hi");</script> is
> rendered as literal so no script is actually recognised.
>
> So is this good enough or is there something else I need to do?
>
> Mike

After calling strip_tags(), you'll want to call htmlspecialchars()
to ensure remaining HTML characters are escaped.

--
Curtis Dyer
<?$x='<?$x=%c%s%c;printf($x,39,$x,39);?>';printf($x,39,$x,39);?>
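A worked comparison of the two pipelines, added here as an illustration and not code from the thread: the poster's order (nl2br, then strip_tags with <br> allowed) beside the order suggested in the reply (strip_tags, then htmlspecialchars, then nl2br last). The sample posts are constructed for the example, and the function names are assumptions of mine. The `<br onmouseover=...>` case relies on the documented behaviour of strip_tags(), which does not touch attributes on tags you allow.

```php
<?php
// Added example, not code from the original post. Shows why allowing <br>
// through strip_tags() is risky, and the safer order: strip, escape, then nl2br.
declare(strict_types=1);

// The poster's pipeline as written: nl2br() first, then strip_tags() allowing <br>.
function render_post_original(string $post): string
{
    $post = nl2br(stripslashes($post));
    return strip_tags($post, "<br>");
}

// Hardened pipeline: strip every tag, escape what remains, then convert newlines.
// Because nl2br() runs last, the only <br /> in the output are the ones we add.
// stripslashes() is kept only to mirror the original; with prepared statements
// (and magic_quotes gone) it should not be needed at all.
function render_post_hardened(string $post): string
{
    $post = stripslashes($post);
    $post = strip_tags($post); // no allow-list: nothing survives as markup
    // ENT_QUOTES also escapes single quotes, which matters if the text ever
    // lands inside a single-quoted attribute. ENT_SUBSTITUTE avoids returning
    // an empty string on invalid UTF-8 (a silent data-loss failure mode).
    $post = htmlspecialchars($post, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($post);
}

// Constructed sample posts (assumed inputs, not taken from the thread).
$samples = [
    'plain'   => "Hello,\nworld",
    'script'  => '<script>alert("hi");</script>',
    // strip_tags() keeps attributes on allowed tags (PHP manual warning), so
    // this survives the original pipeline intact and is live HTML in the page.
    'br_attr' => '<br onmouseover="alert(1)">hover me',
    // No tags at all, but quotes and ampersands still need escaping if the
    // text is ever placed inside an attribute or next to other markup.
    'quotes'  => 'Tom & "Jerry" said it\'s fine',
];

foreach ($samples as $name => $post) {
    printf("%-8s original: %s\n", $name, render_post_original($post));
    printf("%-8s hardened: %s\n\n", $name, render_post_hardened($post));
}
```

Run it with `php example.php` and compare the `br_attr` rows: the original pipeline emits the `<br onmouseover=...>` tag unchanged, while the hardened one reduces it to the text `hover me`. The trade-off is that the hardened version cannot pass any user-supplied tag through; line breaks come only from the nl2br() call applied after escaping, which is exactly why the reply suggests calling it last. If posts are stored raw in the database, do this escaping at output time rather than before the INSERT, so the stored text stays usable for other contexts.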