Re: BB type posting - is this secure? [message #176387 is a reply to message #176385]
Fri, 30 December 2011 04:27
Michael Joel
Messages: 42 Registered: October 2011
On Thu, 29 Dec 2011 23:29:23 +0000 (UTC), Curtis Dyer
<dyer85(at)gmail(dot)com> wrote:
> Michael Joel <no(at)please(dot)com> wrote:
>
>> I am allowing posts to the page and wanted to see if this is
>> secure.
>>
>> data from sql is placed in an array (say $MyArray):
>>
>> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));
>>
>> $MyArray["Post"] = strip_tags($MyArray["Post"], "<BR>");
>
> Alternatively, you might call nl2br() last.
>
>> I notice with this text like <script>alert("hi");</script> is
>> rendered as literal so no script is actually recognised.
>>
>> So is this good enough or is there something else I need to do?
>>
>> Mike
>
> After calling strip_tags(), you'll want to call htmlspecialchars()
> to ensure remaining HTML characters are escaped.
strip_tags(STRING, TAGS TO LEAVE) - second parameter is a string
containing tags to be left alone.
I used htmlspecialchars and it replaced with HTML but the HTML was
rendered literally (" became &quot; - but was rendered &quot; not ") and
such.
Mike
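The ordering Curtis describes (escape with htmlspecialchars(), then call nl2br() last) and the symptom Mike reports (`&quot;` showing up on the page instead of `"`), as an added PHP example that is not code from either poster. It assumes the raw post text is stored in the database unescaped and is escaped exactly once, at output time; the function names and the sample post are constructed for the example.

```php
<?php
// Added example, not the thread's own code. Assumed flow: the post is
// stored as typed (after stripslashes(), if the storage layer added them)
// and all escaping happens here, once, when the page is rendered.

/**
 * Escape the characters that would otherwise be parsed as markup.
 * ENT_QUOTES also escapes single quotes, so the result is safe inside
 * attribute values as well as in element content.
 */
function escape_post(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Render a post for the page body: escape first, then turn newlines into
 * <br />. Because nl2br() runs last, the <br /> tags it emits are the only
 * tags in the output; every tag the user typed is shown literally.
 * With this order strip_tags() is not needed at all.
 */
function render_post(string $raw): string
{
    return nl2br(escape_post($raw));
}

/**
 * The symptom from the thread: escaping text that has already been escaped
 * turns &quot; into &amp;quot;, which the browser then displays as the
 * literal characters "&quot;". Passing double_encode = false tells
 * htmlspecialchars() to leave existing entities alone, so running this
 * over already-escaped text is a no-op instead of a second encoding.
 */
function escape_post_once(string $maybe_escaped): string
{
    return htmlspecialchars($maybe_escaped, ENT_QUOTES | ENT_HTML5, 'UTF-8', false);
}

// Constructed sample input, as a poster might type it.
$post = "He said \"hi\"\n<script>alert(\"hi\");</script>";

echo render_post($post), "\n";
// He said &quot;hi&quot;<br />
// &lt;script&gt;alert(&quot;hi&quot;);&lt;/script&gt;
// The browser shows: He said "hi" / <script>alert("hi");</script> as text.

// Escaping the rendered output a second time reproduces the reported bug:
echo htmlspecialchars(render_post($post), ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
// He said &amp;quot;hi&amp;quot;&lt;br /&gt;
// &amp;lt;script&amp;gt;alert(&amp;quot;hi&amp;quot;);&amp;lt;/script&amp;gt;
// The browser now shows &quot; and <br /> literally, which is what Mike saw.

// The double_encode = false variant leaves already-escaped text unchanged:
var_dump(escape_post_once(escape_post($post)) === escape_post($post)); // bool(true)
```

The practical rule this illustrates: keep one escaping step, placed at output, and make every other transformation (stripslashes(), nl2br()) either happen before it on raw text or, as with nl2br(), only add markup you generated yourself after it. If the same string can reach htmlspecialchars() more than once, the fourth argument (double_encode = false) prevents entities from being encoded again, but it is a safety net rather than a substitute for a single, well-placed escape.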