cordoprod Posted February 7, 2009
Hi.. I have a WYSIWYG editor (TinyMCE) and use a MySQL database. What I want to do is: when the user submits the form I want to kind of clean the $_POST. I do not want the following: - JavaScript (of any kind) - Flash (but allowed from certain pages) I am trying but can't really figure out what to do.
gaza165 Posted February 7, 2009
You need to use htmlentities or mysql_real_escape_string to filter out JavaScript and HTML and SQL injection etc.
printf Posted February 7, 2009
Set up a pre-parser that defines your rules (CAST BY TYPE), clean by the (TYPE) the variable is (CAST) to! You can use the PHP filter_ extension or design your own.
cordoprod (Author) Posted February 7, 2009
Can you guys please be a bit more specific? Maybe show some code? Anyway, I found out how to remove JavaScript: $profil = preg_replace('#<script[^>]*>.*?</script>#is', '', $profil); But for the Flash part.. any ideas?
gaza165 Posted February 7, 2009
For my blog I created my own filter... I allowed links, videos and images to be included in the database and was able to filter. I would look into a BBCode parser to allow users to enter their own content.
cordoprod (Author) Posted February 7, 2009
Hmm... But I want to be able to allow the most but JS and Flash (with exceptions, e.g. YouTube).
gaza165 Posted February 7, 2009
So do you want to allow YouTube videos or not allow YouTube videos??
cordoprod (Author) Posted February 7, 2009
I want to allow YouTube videos, but anything else, take away.
gaza165 Posted February 7, 2009
So what if I provided you with a preg_replace to filter .swf files, e.g. www.domain.com/flash.swf?
cordoprod (Author) Posted February 7, 2009
Yes, that is what I am looking for.
printf Posted February 7, 2009
Let's say you have these form inputs... $_POST['input_one']; $_POST['input_two']; $_POST['input_three']; We all know the SUPER GLOBALS are saturated with all incoming variables that are set by the METHOD they are coming in as ("GET", "POST"). So we create a filter to handle those variables. We do not handle all the "GET", "POST" variables, only the ones we are expecting, because we do not want to open the door for XSS actions that can occur if we process all incoming variables. So the logical approach is to perform a cleaning action on only the variables that are expected, which keeps your application safe, and the SUPER GLOBALS will only be filled with variables that are expected, and they will be CAST & CLEANED by their TYPE. Now I understand you only want to get something done, but why not spend a little time and write something that does this for all your scripts, because it should always be done at script initialization! If you want a basic example, tell me and I'll give you one.
cordoprod (Author) Posted February 7, 2009
Yes, I can see that, but I have figured out the JavaScript part and I am struggling with the Flash part. If you could show me some code I would be happy.
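An added example for the "strip script and Flash, keep YouTube" requirement discussed above; it is not code from any poster in this thread. Instead of blacklisting <script> tags with a regex (which misses <iframe>, <embed>, <object>, on* handlers and javascript: URLs), it parses the submitted HTML with DOMDocument and applies an allowlist: embeds survive only when their src/data host is in $ALLOWED_EMBED_HOSTS; the host list, the function names and the $_POST['profil'] field are assumptions.

```php
<?php
// Added example (not from the thread). Allowlist sanitizer for TinyMCE output:
// drops <script>, strips on* attributes and javascript: URLs on every element,
// and keeps <iframe>/<embed>/<object> only for hosts in the (assumed) allowlist.
$ALLOWED_EMBED_HOSTS = ['www.youtube.com', 'youtube.com', 'youtu.be'];

function embedHostAllowed(string $url, array $allowedHosts): bool {
    $p = parse_url($url);                            // relative/malformed URL: reject
    return $p !== false && !empty($p['host'])
        && in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)
        && in_array(strtolower($p['host']), $allowedHosts, true);
}

function sanitizeHtml(string $html, array $allowedHosts): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                // tolerate sloppy editor markup
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $xpath  = new DOMXPath($doc);
    $remove = [];                                    // collect first, delete after the walk
    foreach ($xpath->query('//*') as $el) {
        $tag = strtolower($el->tagName);
        if ($tag === 'script') {
            $remove[] = $el;
            continue;
        }
        if (in_array($tag, ['iframe', 'embed', 'object'], true)) {
            $src = $el->getAttribute('src') ?: $el->getAttribute('data');
            if (!embedHostAllowed($src, $allowedHosts)) {
                $remove[] = $el;                     // Flash/other embed from a foreign host
                continue;
            }
        }
        foreach (iterator_to_array($el->attributes, false) as $attr) {
            $name = strtolower($attr->name);
            $val  = strtolower(preg_replace('/[\s\x00-\x1f]+/', '', $attr->value));
            if (strpos($name, 'on') === 0 || strpos($val, 'javascript:') === 0) {
                $el->removeAttribute($attr->name);   // inline handler or JS URL
            }
        }
    }
    foreach ($remove as $el) {
        $el->parentNode->removeChild($el);
    }
    return $doc->saveHTML($doc->documentElement);    // wrapper <div> is kept
}

$profil = sanitizeHtml($_POST['profil'] ?? '', $ALLOWED_EMBED_HOSTS);
```

Run the cleaned value through mysql_real_escape_string (or a prepared statement) before storing it; the sanitizer addresses the HTML/XSS side only, and a maintained library such as HTML Purifier covers more cases (data: URLs, CSS, malformed markup) than this compact version.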