
[SOLVED] Someone running php on my site...


blufish


Okay, so a couple of weeks ago someone ran a php script on my site, which messed up the homepage. They ran the script through the page creator (allows people to make webpages); I wasn't stripping tags because I wanted to allow html and javascript to be able to get through without any trouble. So the question I wish to ask is: if I told my code to delete everything between the "<?php" and "?>" tags, what if they just wrote code like:

echo "Hello World";

Would that code be executed by my program, or when someone tried to view the page would it still have the "echo"? Essentially what I'm asking is: if I display whatever someone writes on my site except for anything they write between the "<?php" and "?>" tags, would they still be able to write php code and get it executed?

 

Thanks, Blufish


Just tested it,

 

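<?php
// Escape the submitted text so any markup in it, PHP tags included, is shown as literal text.
$var = htmlspecialchars(isset($_POST['var']) ? $_POST['var'] : '');

// Only echo the text once the form has been submitted.
if (isset($_POST['submit'])) {
    echo ''.$var.'';
}
?>
<html>
<head>
</head>
<body>
<form method="post">
<textarea name="var" rows="5" cols="30"></textarea><br />
<input type="submit" name="submit" />
</form>
</body>
</html>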

 

That works fine for me.
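
Added example (not code from either poster): one way to keep page-creator submissions as data in PHP, using PHP's own tokenizer to detect opening PHP tags instead of deleting text between "<?php" and "?>", and readfile() to send the stored page. The function names, the ".html" suffix and the sample submissions are assumptions made for illustration.

```php
<?php
// Added example, not from the thread. Names and sample inputs are constructed.

/**
 * True if PHP's tokenizer finds an opening PHP tag anywhere in $content.
 * Text outside PHP tags comes back as T_INLINE_HTML and is never executed.
 * Whether a bare "<?" counts as a tag follows the short_open_tag ini setting.
 */
function contains_php_code(string $content): bool
{
    foreach (token_get_all($content) as $token) {
        if (is_array($token) && in_array($token[0], [T_OPEN_TAG, T_OPEN_TAG_WITH_ECHO], true)) {
            return true;
        }
    }
    return false;
}

/**
 * Store a user page as plain data. The ".html" suffix is an assumption:
 * the web server must not be configured to run that extension through PHP.
 */
function save_user_page(string $dir, string $name, string $content): bool
{
    if (!preg_match('/^[a-z0-9_-]{1,64}$/i', $name) || contains_php_code($content)) {
        return false; // reject bad names and anything the parser would treat as PHP
    }
    return file_put_contents("$dir/$name.html", $content, LOCK_EX) !== false;
}

/** Send a stored page as bytes. readfile() never interprets PHP; include would. */
function show_user_page(string $dir, string $name): void
{
    if (preg_match('/^[a-z0-9_-]{1,64}$/i', $name) && is_file("$dir/$name.html")) {
        readfile("$dir/$name.html");
    }
}

// Constructed sample submissions.
$samples = [
    'bare statement'  => 'echo "Hello World";',
    'html and script' => '<b>hi</b><script>document.title = "hi";</script>',
    'full php block'  => '<?php echo "Hello World"; ?>',
    'no closing tag'  => '<?php echo "Hello World";',
    'short echo tag'  => '<?= "Hello World" ?>',
];
foreach ($samples as $label => $text) {
    printf("%-16s %s\n", $label, contains_php_code($text) ? 'rejected' : 'stored as data');
}
```

HTML and JavaScript still pass through unchanged here, which is what the page creator wants; only content that the PHP parser itself would treat as code is refused.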
