Re: BB type posting - is this secure? [message #176389 is a reply to message #176387]
Fri, 30 December 2011 05:29
Michael Joel
Messages: 42 Registered: October 2011
On Thu, 29 Dec 2011 23:27:30 -0500, Michael Joel <no(at)please(dot)com>
wrote:
> On Thu, 29 Dec 2011 23:29:23 +0000 (UTC), Curtis Dyer
> <dyer85(at)gmail(dot)com> wrote:
>
>> Michael Joel <no(at)please(dot)com> wrote:
>>
>>> I am allowing posts to the page and wanted to see if this is
>>> secure.
>>>
>>> data from sql is placed in an array (say $MyArray):
>>>
>>> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));
>>>
>>> $MyArray["Post"] = strip_tags($MyArray["Post"], "<BR>");
>>
>> Alternatively, you might call nl2br() last.
>>
>>> I notice with this text like <script>alert("hi");</script> is
>>> rendered as literal so no script is actually recognised.
>>>
>>> So is this good enough or is there something else I need to do?
>>>
>>> Mike
>>
>> After calling strip_tags(), you'll want to call htmlspecialchars()
>> to ensure remaining HTML characters are escaped.
>
>
> strip_tags(STRING, TAGS TO LEAVE) - second parameter is a string
> containing tags to be left alone.
>
> I used the htmlspecialchars and it replaced with html but the html was
> rendered literally (" became &quot; - but was rendered &quot; not ") and
> such.
>
> Mike
Strike that last part about htmlspecialchars. I forgot I had put that
in on the display side of the script. I put it on the database insert
area and removed it from the display area and it now renders
everything fine. All scripts/html/php etc. are rendered "plain text".
Mike
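As an added illustration (not code from this thread), the two display-side orderings discussed above side by side, plus a small self-check a maintainer can run on the rendered output; the function names and the sample post are my own assumptions.

```php
<?php
// Thread's original display pipeline: stripslashes -> nl2br -> strip_tags
// with <br> allow-listed. Note (PHP manual): strip_tags keeps any
// attributes on the tags you allow, and leaves bare ", ', & untouched.
function render_post_strip_only(string $post): string
{
    $text = stripslashes($post);            // undo legacy addslashes()
    $text = nl2br($text);                   // "\n" -> "<br />\n"
    return strip_tags($text, '<br>');       // drop every other tag
}

// Ordering suggested in the thread: escape everything first, and call
// nl2br last so the <br /> it emits is the only markup in the output.
function render_post_escaped(string $post): string
{
    $text = stripslashes($post);
    $text = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return nl2br($text);
}

// Self-check: after removing the <br /> that nl2br itself produced,
// re-escaping the output (without double-encoding existing entities)
// must change nothing. If it does, something raw reached the browser.
function has_unescaped_markup(string $html): bool
{
    $rest = str_replace(['<br />', '<br>'], '', $html);
    $again = htmlspecialchars($rest, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8', false);
    return $rest !== $again;
}

// Constructed sample of what the "Post" column might hold after an
// addslashes()-style insert: quotes, an ampersand, a newline, a script tag.
$post = "He said \\\"hi\\\" & left\n<script>alert(\"hi\");</script>";

foreach (['strip_only' => render_post_strip_only($post),
          'escaped'    => render_post_escaped($post)] as $name => $html) {
    printf("%-10s unescaped=%s  %s\n", $name,
           has_unescaped_markup($html) ? 'yes' : 'no', $html);
}
```

Run it under the PHP CLI; the check reports the strip_tags-only output as still carrying raw characters, while the escaped output passes.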