Re: BB type posting - is this secure? [message #176385 is a reply to message #176383]
Thu, 29 December 2011 23:29
Curtis Dyer
Michael Joel <no(at)please(dot)com> wrote:
> I am allowing posts to the page and wanted to see if this is
> secure.
>
> data from sql is placed in an array (say $MyArray):
>
> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));
>
> $MyArray["Post"] = strip_tags($MyArray["Post"], "<BR>");
Alternatively, you might call nl2br() last.
> I notice with this text like <script>alert("hi");</script> is
> rendered as literal so no script is actually recognised.
>
> So is this good enough or is there something else I need to do?
>
> Mike
After calling strip_tags(), you'll want to call htmlspecialchars()
to ensure remaining HTML characters are escaped.
--
Curtis Dyer
<?$x='<?$x=%c%s%c;printf($x,39,$x,39);?>';printf($x,39,$x,39);?>
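The following script is an added example and is not code from either poster. It puts Mike's pipeline (stripslashes, nl2br, then strip_tags with <br> allowed) next to the order Curtis recommends (escape with htmlspecialchars first, then nl2br as the only step that produces markup) and runs both over a few constructed sample posts. The function names render_original() and render_hardened() and the sample strings are mine; the sample that abuses the allowed <br> tag shows the caveat the PHP manual documents for strip_tags(): attributes on allowed tags are left untouched, so an allow-list alone does not stop an event-handler attribute from reaching the page.

```php
<?php
// Added example (not from the original thread). Compares the poster's
// order of operations with the one suggested in the reply, and shows why
// strip_tags() with an allow-list is not sufficient on its own.

declare(strict_types=1);

// Pipeline as written in the original post: nl2br() first, then
// strip_tags() with <br> on the allow-list.
function render_original(string $post): string
{
    $post = nl2br(stripslashes($post));
    return strip_tags($post, '<br>');
}

// Hardened pipeline: escape every HTML metacharacter first, so nothing the
// user typed can ever form a tag or attribute, then let nl2br() be the only
// thing that introduces markup.
function render_hardened(string $post): string
{
    // stripslashes() is only correct if the stored text was escaped with
    // addslashes()/magic_quotes; it is kept here purely to mirror the post.
    $post = stripslashes($post);
    $post = htmlspecialchars($post, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($post);
}

// True when the rendered string contains no '<' except the ones nl2br()
// itself emitted, i.e. no user-supplied markup survived.
function only_generated_breaks(string $html): bool
{
    return strpos(str_replace('<br />', '', $html), '<') === false;
}

// Constructed sample posts (not real forum data).
$samples = [
    'script tag'        => "hi<script>alert(\"hi\");</script>\nline two",
    // Allowed tag with an event-handler attribute: strip_tags() keeps it.
    'allowed tag abuse' => "<br onmouseover=\"alert(1)\" style=\"display:block;height:100%\">",
    'quotes in text'    => "He said \"a < b\" and it's fine",
];

foreach ($samples as $label => $text) {
    $orig = render_original($text);
    $hard = render_hardened($text);
    echo "== $label ==\n";
    echo "original : $orig\n";
    echo "           user markup stripped? ", only_generated_breaks($orig) ? 'yes' : 'NO', "\n";
    echo "hardened : $hard\n";
    echo "           user markup stripped? ", only_generated_breaks($hard) ? 'yes' : 'NO', "\n\n";
}
```

Run it with `php example.php`. The "allowed tag abuse" sample passes through render_original() unchanged, attributes included, while render_hardened() turns it into `&lt;br onmouseover=&quot;alert(1)&quot; ...&gt;` and the browser shows it as text. Note also that the hardened version keeps a post like `<script>alert("hi");</script>` visible as literal text rather than silently deleting the tags, which is usually what a discussion board wants.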