building a forum as a hobby project,

[blueman378]

hi guys, well im building a small forum jsut because i can, and i was wondering how on phpfreaks can you have it so that people can use html tags, and yet still have the forum secure?

 

how do you stop sql injections, people including frame breakout pages through iframes ect

[Daniel0]

We didn't create the forum, so this is just guesses. There is probably a whitelist of HTML tags which are allowed while the remaining are being converted to HTML entities. SQL injections are probably taken care of with a function like mysql_real_escape_string(). The iframes thing would be the same solution as the HTML tags.

[blueman378]

ok thanks for that

[dptr1988]

On the forum source codes that I've seen, they will have a white list of tags, and then strip out all of the attributes out of the tag, especially the JavaScript events attributes ( like onmouseover, onmouseout, etc ) and then rebuild the tag with only the allowed attributes and data.

 

PunBB is a lightweight forum program that fast, clean, correct and easy to read/modify the source. If you have questions on how things are usally done in forum software, I would highly reccommend studying the PunBB source code.

 

http://punbb.org/

 

[blueman378]

time for another question

 

are you able to tell me what the forum uses for its syntax highlighting?

[neylitalo]

highlight_string, most likely.

[blueman378]

i was looking that up but correct me if im wrong but doesnt that only highlight php?

 

 

oh right i jsut realized that this forum only highlights php

my bad thanks

[steelmanronald06]

You can get it to highlight html as well. I forgot how, atm, but it is possible. Google it

[trq]

I've had some success using Geshi in the past.