turkman Posted June 30, 2008 Share Posted June 30, 2008 I've used trim and stripslashes but it dosent stop the javascript attacks, i.e putting an alert box into the subject field. How do i stop this Quote Link to comment Share on other sites More sharing options...
kenrbnsn Posted June 30, 2008 Share Posted June 30, 2008 The trim() and stripslashes() functions have nothing to do with preventing anything. You will have to show us how you are using the information that comes in to your script. Ken Quote Link to comment Share on other sites More sharing options...
Jabop Posted June 30, 2008 Share Posted June 30, 2008 a simple way could be... <?php $string="<script type='text/javascript'>alert('blah');</script>"; $string=str_replace("script", "", $string); ?> Quote Link to comment Share on other sites More sharing options...
br0ken Posted June 30, 2008 Share Posted June 30, 2008 a simple way could be... <?php $string="<script type='text/javascript'>alert('blah');</script>"; $string=str_replace("script", "", $string); ?> Simple yes, but also easy to circumvent, I think. Try using strip_tags(), addslashes(), and a few str_replace() to remove key words usually associated with script code. I think you should probably use the function (I forget it's name) that converts all ascii character representations into their actual characters before doing the above steps. Quote Link to comment Share on other sites More sharing options...
.josh Posted June 30, 2008 Share Posted June 30, 2008 use htmlentities() Quote Link to comment Share on other sites More sharing options...
turkman Posted July 1, 2008 Author Share Posted July 1, 2008 Its basically a basic forum and i was just doing some debuging and if i enter that javascript script into the text area and submit it, when i open the thread it opens an alert box. I figured php would have a function, is there anything that parses html in php or do i need to write one myself? basically just get it to ignore everything between the <> before i add it to a database. Quote Link to comment Share on other sites More sharing options...
TheBigRedStapler Posted July 1, 2008 Share Posted July 1, 2008 As has been said here, strip_tags() to remove the tags completely and htmlentities to replace dangerous characters with special html entities (E.g. &, etc)... HTH Quote Link to comment Share on other sites More sharing options...
dannyb785 Posted July 1, 2008 Share Posted July 1, 2008 Its basically a basic forum and i was just doing some debuging and if i enter that javascript script into the text area and submit it, when i open the thread it opens an alert box. I figured php would have a function, is there anything that parses html in php or do i need to write one myself? basically just get it to ignore everything between the <> before i add it to a database. strip_tags("< b>< i >< hr>..etc", $string); will do that for ya(without the spaces within the tags). But I read somewhere that there are ways around it... not sure what those ways are though Quote Link to comment Share on other sites More sharing options...
br0ken Posted July 1, 2008 Share Posted July 1, 2008 Yeah, if you include the tags in strip_tags() I believe it will remove the tags, however if a user add a parameter to the tag, this will not be recognised and therefore not removed. If you want actual security I would recommend not adding that extra parameter. Anyway, you're probably better off using htmlentities() or htmlspecialchars() as this was you will be able to see what HTML people are trying to enter without just removing it totally and never knowing if people are trying to inject you. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.