FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » BB type posting - is this secure?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: BB type posting - is this secure? [message #176392 is a reply to message #176389] Fri, 30 December 2011 10:59 Go to previous messageGo to previous message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma:
Senior Member
On 12/30/2011 12:29 AM, Michael Joel wrote:
> On Thu, 29 Dec 2011 23:27:30 -0500, Michael Joel<no(at)please(dot)com>
> wrote:
>
>> On Thu, 29 Dec 2011 23:29:23 +0000 (UTC), Curtis Dyer
>> <dyer85(at)gmail(dot)com> wrote:
>>
>>> Michael Joel<no(at)please(dot)com> wrote:
>>>
>>>> I am allowing posts to the page and wanted to see if this is
>>>> secure.
>>>>
>>>> data from sql is placed in an array (say $MyArray):
>>>>
>>>> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));
>>>>
>>>> $MyArray["Post"] = strip_tags($MyArray["Post"], "<BR>");
>>>
>>> Alternatively, you might call nl2br() last.
>>>
>>>> I notice with this text like<script>alert("hi");</script> is
>>>> rendered as literal so no script is actually recognised.
>>>>
>>>> So is this gooed enough or is there something else I need to do?
>>>>
>>>> Mike
>>>
>>> After calling strip_tags(), you'll want to call htmlspecialchars()
>>> to ensure ensure remaining HTML characters are escaped.
>>
>>
>> strip_tages(STRING, TAGS TO LEAVE) - second parameter is a string
>> containing tags to be left alone.
>>
>> I used the htmlspecialchars and it replaced with html but the html was
>> rendered literally (" became&quot; - but was render&quot; not ") and
>> such.
>>
>> Mike
>
> Strike that last part about htmlspecialchars. I forgot I had put that
> in on the display side of the script. I put it on the database insert
> area and removed it from the display area and it now renders
> everything fine. All scripts/html/php ect. is rendered "plain text".
>
> Mike

htmlspecialchars() is a display-related function and should be used on
the display side, not before inserting into the database. Otherwise
your database will be harder to search and won't be usable for non-html
uses like sending plain text email.

Also, where are you using addslashes()/stripslashes()? Before/after
database inserts, maybe? Bad idea - use mysql_real_escape_string() instead.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Help with script that retrieve remote files
Next Topic: Give me the names of some CRM php projects
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Sat Nov 23 01:52:33 GMT 2024

Total time taken to generate the page: 0.05077 seconds