Home » Imported messages » comp.lang.php » BB type posting - is this secure?
Re: BB type posting - is this secure? [message #176392 is a reply to message #176389] Fri, 30 December 2011 10:59
Jerry Stuckle
Messages: 2598
Registered: September 2010
Senior Member
On 12/30/2011 12:29 AM, Michael Joel wrote:
> On Thu, 29 Dec 2011 23:27:30 -0500, Michael Joel <no(at)please(dot)com>
> wrote:
>
>> On Thu, 29 Dec 2011 23:29:23 +0000 (UTC), Curtis Dyer
>> <dyer85(at)gmail(dot)com> wrote:
>>
>>> Michael Joel <no(at)please(dot)com> wrote:
>>>
>>>> I am allowing posts to the page and wanted to see if this is
>>>> secure.
>>>>
>>>> data from sql is placed in an array (say $MyArray):
>>>>
>>>> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));
>>>>
>>>> $MyArray["Post"] = strip_tags($MyArray["Post"], "<BR>");
>>>
>>> Alternatively, you might call nl2br() last.
>>>
>>>> I notice with this text like <script>alert("hi");</script> is
>>>> rendered as literal so no script is actually recognised.
>>>>
>>>> So is this good enough or is there something else I need to do?
>>>>
>>>> Mike
>>>
>>> After calling strip_tags(), you'll want to call htmlspecialchars()
>>> to ensure remaining HTML characters are escaped.
>>
>>
>> strip_tags(STRING, TAGS TO LEAVE) - second parameter is a string
>> containing tags to be left alone.
>>
>> I used the htmlspecialchars and it replaced with html but the html was
>> rendered literally (" became &quot; - but was rendered &quot; not ") and
>> such.
>>
>> Mike
>
> Strike that last part about htmlspecialchars. I forgot I had put that
> in on the display side of the script. I put it on the database insert
> area and removed it from the display area and it now renders
> everything fine. All scripts/html/php etc. are rendered "plain text".
>
> Mike

htmlspecialchars() is a display-related function and should be used on
the display side, not before inserting into the database. Otherwise
your database will be harder to search and won't be usable for non-html
uses like sending plain text email.

Also, where are you using addslashes()/stripslashes()? Before/after
database inserts, maybe? Bad idea - use mysql_real_escape_string() instead.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
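An added example (not code from this thread or from any poster) that puts the two points of the discussion into one place: escaping belongs on the display side and, because strip_tags() and htmlspecialchars() would otherwise mangle the <br> tags, nl2br() runs last; the raw post is stored with a PDO prepared statement, which is my substitute for the mysql_real_escape_string() Jerry mentions and for the addslashes()/stripslashes() pair. The PDO connection, the `posts` table and its columns are assumptions for the illustration.

```php
<?php
// Added example, not code from the comp.lang.php thread. It shows the
// display-side escaping order the thread converges on and a parameterised
// insert in place of addslashes()/mysql_real_escape_string().

declare(strict_types=1);

/**
 * Render a stored post body for HTML output.
 *
 * Order matters: strip_tags() removes markup first, htmlspecialchars()
 * then neutralises every remaining special character (including quotes,
 * so attribute contexts are covered too), and nl2br() runs last so the
 * <br /> tags it inserts are not themselves escaped.
 */
function render_post(string $raw): string
{
    $text = strip_tags($raw);
    $text = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return nl2br($text);
}

/**
 * Store the post exactly as typed. The database keeps plain text, so it
 * stays searchable and usable for non-HTML output such as e-mail; quoting
 * is handled by the driver through placeholders, so no addslashes() on the
 * way in and no stripslashes() on the way out.
 *
 * $pdo is assumed to be a connected PDO instance; the table and column
 * names are hypothetical.
 */
function store_post(PDO $pdo, string $author, string $raw): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO posts (author, body) VALUES (:author, :body)'
    );
    $stmt->execute([':author' => $author, ':body' => $raw]);
}

// Constructed sample input, including the probe used in the original question.
$sample = "Hello \"world\"\n<script>alert(\"hi\");</script>\n1 < 2 & 3 > 2";

echo render_post($sample), "\n";
```

With this ordering the script tags are removed, the quotes, ampersand and angle brackets that remain are emitted as entities, and each newline still becomes a `<br />`; the same raw string in the database can be sent as plain-text e-mail without any un-escaping step.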