Showing results for tags 'sanitize'.
-
I have a Google Adsense code that I am saving to the wp_options table. I can successfully save and retrieve the variable containing the Google Adsense code, but it doesn't do anything except display it as plain text on screen. How can I make the HTML/JavaScript in the variable actually load in the page as HTML/JS instead of as plain text? This is an example of the code that I'm saving to the database and retrieving:

<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>
<!-- EggSquat main banner ad -->
<ins class="adsbygoogle" style="display:inline-block;width:728px;height:90px" data-ad-client="ca-pub-XXXXXXXXXXXXXXXX" data-ad-slot="XXXXXXXX"></ins>
<script>
(adsbygoogle = window.adsbygoogle || []).push({});
</script>

Maybe I should make a custom post type and just display a post, and use that instead of a single field saved to the database.
-
I am writing a script that will parse my PHP classes and check for things like coupling, visualize my objects and connections, dependencies, check for convention usage, etc. So, I have a simple file upload. I'm never saving the files, just get contents and dump the file and work with the string version. I'm writing it for me, but I figure I might want to open it for others to use in the future, so I may as well write it that way to begin with -- so I need to validate user input. Problem is, the user input is supposed to be valid PHP code. I'm thinking that, as long as I'm careful, I shouldn't be executing any code contained in strings, but I'm no security expert and I want a warm fuzzy that my thought on this is correct. What kinds of things do I need to look out for? Is it possible to inject when working with strings? My initial thought is to regex the entire file and replace key portions with known replacements. So ( and ) would become !* and !^ or $ would become @~ (combinations that -- I think -- don't make sense to php?) But that may be completely unnecessary processing time if I'm not in any danger, here. Thanks ahead of time for any help. PS - as a side question -- what's the best way to verify a file is a php file? I know of getimagesize for images, but should I just check for <? to verify it's php? That seems like it would be too easy to fool -- then again, it might not matter much. -Adam
-
Hello Guys/Gals, can someone please tell me how safe this sanitization is?

$username = filter_var($_POST['user_name'], FILTER_SANITIZE_STRING);

Thanks, Halben
-
I have a form where external input by users will be fed into a MySQL database, and I obviously need to sanitize this input. I don't quite understand the differences between the htmlspecialchars and FILTER_SANITIZE_SPECIAL_CHARS functions. Which is better to use in this scenario? For FILTER_SANITIZE_SPECIAL_CHARS, I have also used FILTER_FLAG_STRIP_HIGH. Thanks.
-
I'm attempting to sanitise a form input. At the moment I can type in <h1> and it affects my webpage. Can you tell me where I am going wrong? At the moment I'm trying to sanitize the location, but I plan to use the function on all of the fields.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
<style type="text/css">
input[type=text] {width: 40px;}
p {font-family: sans-serif; font-size:14px;}
#Score {color:#CCCCCC;}
#ParScore {color:#CCCCCC;}
</style>
<script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(
  ["phpf._setAccount", "UA-33447233-1"],
  ["phpf._setDomainName", "phpfreaks.com"],
  ["phpf._trackPageview"]
);
_gaq.push(
  ["orig._setAccount", "UA-1625146-1"],
  ["orig._setDomainName", "phpfreaks.com"],
  ["orig._trackPageview"]
);
(function() {
  var ga = document.createElement("script");
  ga.type = "text/javascript";
  ga.async = true;
  ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";
  var s = document.getElementsByTagName("script")[0];
  s.parentNode.insertBefore(ga, s);
})();
</script>
</head>
<body>
<?php
// Sanitize input
function sanitize($in) {
    return addslashes(htmlspecialchars(strip_tags(trim($in))));
}

if(isset($_POST['processForm'])) {
    $location = sanitize($_POST['location']);
    $par1 = $_POST['par1']; $par1 = trim($par1);
    $par2 = $_POST['par2']; $par2 = trim($par2);
    $par3 = $_POST['par3']; $par3 = trim($par3);
    $par4 = $_POST['par4']; $par4 = trim($par4);
    $par5 = $_POST['par5']; $par5 = trim($par5);
    $par6 = $_POST['par6']; $par6 = trim($par6);
    $par7 = $_POST['par7']; $par7 = trim($par7);
    $par8 = $_POST['par8']; $par8 = trim($par8);
    $par9 = $_POST['par9']; $par9 = trim($par9);

    if (empty($location)) {echo "You haven't entered a location"; exit();}
    else if (empty($par1)) {echo "You haven't entered a score for Hole 1"; exit();}
    else if (empty($par2)) {echo "You haven't entered a score for Hole 2"; exit();}
    else if (empty($par3)) {echo "You haven't entered a score for Hole 3"; exit();}
    else if (empty($par4)) {echo "You haven't entered a score for Hole 4"; exit();}
    else if (empty($par5)) {echo "You haven't entered a score for Hole 5"; exit();}
    else if (empty($par6)) {echo "You haven't entered a score for Hole 6"; exit();}
    else if (empty($par7)) {echo "You haven't entered a score for Hole 7"; exit();}
    else if (empty($par8)) {echo "You haven't entered a score for Hole 8"; exit();}
    else if (empty($par9)) {echo "You haven't entered a score for Hole 9"; exit();}

    $user_id = 7;

    PASSWORDS HERE

    $connect_solning = mysql_connect($hostname_connect, $username_connect, $password_connect) or trigger_error(mysql_error(),E_USER_ERROR);
    @mysql_select_db($database_connect) or die (mysql_error());

    $sql = "INSERT INTO snag_score_cards (user_id, location, par1, par2, par3, par4, par5, par6, par7, par8, par9)
            VALUES ('$user_id', '$_POST[location]', '$_POST[par1]', '$_POST[par2]', '$_POST[par3]', '$_POST[par4]', '$_POST[par5]', '$_POST[par6]', '$_POST[par7]', '$_POST[par8]', '$_POST[par9]')";
    mysql_query($sql);

    echo "<br/> A scorecard for $location, has now been added <br/> You can use the form again to enter a new card.";
};
?>
<p>Enter your location</p>
<form name="form" method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<input type="hidden" name="processForm" value="1" />
<input autocomplete="off" name="location" id="location" size="18" value=""/><br /><br />
<input type="text" autocomplete="off" name="Scores" id="Score" value="Score" readonly style="border:0px" />
<input type="text" autocomplete="off" name="Par1" id="Par" value=" Par" readonly style="border:0px" />
<input name="Par Score" id="ParScore" value=" Par Score" readonly style="border:0px" /><br>
<input type="text" autocomplete="off" name="sum1" id="hole1A" readonly value="" />
<input type="text" autocomplete="off" name="par1" value="" id="hole1B" />
<input type="text" name="sum" value="" id="hole1result" readonly style=""> <br>
<input type="text" autocomplete="off" name="sum1" id="hole2A" readonly value="" />
<input type="text" autocomplete="off" name="par2" value="" id="hole2B" />
<input type="text" name="sum2T" value="" id="hole2result" readonly style=""> <br>
<input type="text" autocomplete="off" name="sum1" id="hole3A" readonly value="" />
<input type="text" autocomplete="off" name="par3" value="" id="hole3B" />
<input type="text" name="sum3" value="" id="hole3result" readonly style=""> <br>
<input type="text" autocomplete="off" name="sum1" id="hole4A" readonly value="" />
<input type="text" autocomplete="off" name="par4" value="" id="hole4B" />
<input type="text" name="sum4" value="" id="hole4result" readonly style=""> <br>
<input type="text" autocomplete="off" name="sum1" id="hole5A" readonly value="" />
<input type="text" autocomplete="off" name="par5" value="" id="hole5B" />
<input type="text" name="sum5" value="" id="hole5result" readonly style=""> <br>
<input type="text" autocomplete="off" name="sum1" id="hole6A" readonly value="" />
<input type="text" autocomplete="off" name="par6" value="" id="hole6B" />
<input type="text" name="sum6" value="" id="hole6result" readonly style=""> <br>
<input type="text" autocomplete="off" name="sum1" id="hole7A" readonly value="" />
<input type="text" autocomplete="off" name="par7" value="" id="hole7B" />
<input type="text" name="sum7" value="" id="hole7result" readonly style=""> <br>
<input type="text" autocomplete="off" name="sum1" id="hole8A" readonly value="" />
<input type="text" autocomplete="off" name="par8" value="" id="hole8B" />
<input type="text" name="sum8" value="" id="hole8result" readonly style=""> <br>
<input type="text" autocomplete="off" name="sum1" id="hole9A" readonly value="" />
<input type="text" autocomplete="off" name="par9" value="" id="hole9B" />
<input type="text" name="sum9" value="" id="hole9result" readonly style=""> <br>
<input type="text" name="" id="" value="" readonly style="border:0px" />
<input type="text" name="" id="" value="" readonly style="border:0px" />
<input type="submit" name="submit" value="Create"/>
</form>
</body>
</html>
-
What would be the best way to sanitize the simple form below?

FILTER_SANITIZE_EMAIL
FILTER_VALIDATE_EMAIL
(isset($_REQUEST['email']))

I've seen the above, but to be quite honest I'm not sure where or how they would go. I've had a play around but I'm not getting very far! Any help would be really great!

<div id="box">
<?php
$con = mysql_connect("userdb,pw");
if (!$con) {
    die('Could not connect: ' . mysql_error());
}
mysql_select_db("database", $con);

$sql="INSERT INTO tablename (name, email) VALUES ('$_POST[name]','$_POST[email]')";
if (!mysql_query($sql,$con)) {
    die('Error: ' . mysql_error());
}

echo "Thankyou! We will be in touch soon.";
mysql_close($con);
?>
</div>
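The pattern both of the last two posts are reaching for, as an added example that is not code from either poster: validate each field according to its type, bind the values into the SQL with PDO prepared statements instead of interpolating $_POST (the scorecard post sanitizes $location but then inserts the raw $_POST values anyway), and HTML-escape only when a value is echoed. It assumes a PDO connection $pdo and reuses the table and column names from the posts; the length limits and the 1 to 20 par range are assumptions.

```php
<?php
// Added example, not from either post. Assumes $pdo is a PDO connection to the posters' database; the length limits and par range are assumptions.
function validate_scorecard(array $post): array
{
    $errors = [];
    $clean  = [];
    // Location is free text: trim it, bound its length, reject control bytes. No strip_tags/addslashes here.
    $location = trim((string) ($post['location'] ?? ''));
    if ($location === '' || mb_strlen($location) > 100 || preg_match('/[\x00-\x1F\x7F]/', $location)) {
        $errors[] = 'Location is missing or invalid';
    } else {
        $clean['location'] = $location;
    }
    // A par is an integer in a known range, so validate it as one instead of "sanitizing" text.
    for ($i = 1; $i <= 9; $i++) {
        $par = filter_var($post["par$i"] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 20]]);
        if ($par === false) {
            $errors[] = "Hole $i needs a whole-number par between 1 and 20";
        } else {
            $clean["par$i"] = $par;
        }
    }
    return [$clean, $errors]; // insert only when $errors is empty
}
function insert_scorecard(PDO $pdo, int $userId, array $clean): void
{
    // Placeholders keep the values out of the SQL grammar; no quoting or addslashes() is needed.
    $stmt = $pdo->prepare(
        'INSERT INTO snag_score_cards (user_id, location, par1, par2, par3, par4, par5, par6, par7, par8, par9)
         VALUES (:user_id, :location, :par1, :par2, :par3, :par4, :par5, :par6, :par7, :par8, :par9)'
    );
    $params = [':user_id' => $userId];
    foreach ($clean as $column => $value) {
        $params[":$column"] = $value;
    }
    $stmt->execute($params);
}
// HTML escaping belongs at the HTML boundary, when the value is echoed, not before storage.
function render_confirmation(string $location): string
{
    return 'A scorecard for ' . htmlspecialchars($location, ENT_QUOTES | ENT_HTML5, 'UTF-8') . ' has now been added';
}
// For the name/email form: FILTER_VALIDATE_EMAIL rejects a bad address, whereas FILTER_SANITIZE_EMAIL silently rewrites it.
function validate_contact(array $post): ?array
{
    $email = filter_var(trim((string) ($post['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    $name  = trim((string) ($post['name'] ?? ''));
    return ($email === false || $name === '' || mb_strlen($name) > 100) ? null : ['name' => $name, 'email' => $email];
}
```

With a validated contact array, the same prepared-statement shape as insert_scorecard() replaces the interpolated INSERT in the second post; FILTER_SANITIZE_EMAIL then has no role, because a rejected address is reported to the user rather than quietly altered.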