FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » BB type posting - is this secure?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: BB type posting - is this secure? [message #176387 is a reply to message #176385] Fri, 30 December 2011 04:27 Go to previous messageGo to previous message
Michael Joel is currently offline  Michael Joel
Messages: 42
Registered: October 2011
Karma:
Member
On Thu, 29 Dec 2011 23:29:23 +0000 (UTC), Curtis Dyer
<dyer85(at)gmail(dot)com> wrote:

> Michael Joel <no(at)please(dot)com> wrote:
>
>> I am allowing posts to the page and wanted to see if this is
>> secure.
>>
>> data from sql is placed in an array (say $MyArray):
>>
>> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));
>>
>> $MyArray["Post"] = strip_tags($MyArray["Post"], "<BR>");
>
> Alternatively, you might call nl2br() last.
>
>> I notice with this text like <script>alert("hi");</script> is
>> rendered as literal so no script is actually recognised.
>>
>> So is this gooed enough or is there something else I need to do?
>>
>> Mike
>
> After calling strip_tags(), you'll want to call htmlspecialchars()
> to ensure ensure remaining HTML characters are escaped.


strip_tages(STRING, TAGS TO LEAVE) - second parameter is a string
containing tags to be left alone.

I used the htmlspecialchars and it replaced with html but the html was
rendered literally (" became &quot; - but was render &quot; not ") and
such.

Mike
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Help with script that retrieve remote files
Next Topic: Give me the names of some CRM php projects
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 23 01:57:42 GMT 2024

Total time taken to generate the page: 0.04744 seconds