phpmo Posted November 18, 2009

Here is what I'm doing. They enter link.com, which gets placed into $message. So I do this before it is added to the DB:

$_POST[message] = htmlspecialchars($_POST[message]);

Then when showing the DB field I run it through this to get my link and html:

$message = preg_replace ('/\[url\](.*?)\[\/url\]/is','<a href="$1">$1</a>', $message);

Any problems with this method?

https://forums.phpfreaks.com/topic/182028-url-bbcode-safe/
cags Posted November 18, 2009

Seems about right to me. On a side note most bbcode systems also accept the following format. You may wish to add that ability.

[url=http://somelink.com]link text[/url]
phpmo Posted November 18, 2009 (Author)

Are there any exploits to be concerned with as long as I'm running htmlspecialchars on the data before it's saved to the DB?
cags Posted November 18, 2009

Personally I tend to use htmlentities as opposed to htmlspecialchars. I also sometimes call strip_tags first, but that's just to get rid of it rather than having the XSS strings appear in posts as sanitised code. To my knowledge that should be good enough to prevent any XSS. Preventing SQL injection is a separate issue which should also be addressed.

While I'm at it I'll point out your code isn't really correct: you are using constants rather than strings for key values. This will actually be throwing notices; it's just that PHP is clever enough to work out what you meant. You should access associative arrays using string values for the key, like so:

$_POST['message'] = htmlspecialchars($_POST['message']);
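As an added example, not code from the thread or from either poster: the [url]target[/url] form from phpmo's first post and the [url=target]text[/url] form cags mentions, rendered on top of text that was stored through htmlspecialchars() as phpmo describes, plus the one check a reviewer would want on this pattern. htmlspecialchars() encodes the quotes and angle brackets, so a stored value cannot close the href attribute, but it leaves a javascript: target untouched and that would still land inside href; the scheme is therefore validated separately and anything that is not http(s) is left as literal BBCode. The function names and the sample inputs are my own.

```php
<?php
// Added example, not the thread's code. Assumes the message was stored after
// htmlspecialchars(), exactly as the thread describes, and is rendered later.

// Return an attribute-safe href for an http(s) target, or null to reject it.
// htmlspecialchars() on its own does not stop "javascript:" URLs.
function bbcode_safe_href(string $target): ?string
{
    // Undo the storage-time escaping so the real URL is validated, not "&amp;"
    $raw = trim(html_entity_decode($target, ENT_QUOTES, 'UTF-8'));

    // Reject embedded whitespace/control characters (browsers tolerate them
    // inside a scheme, which is a classic way to smuggle "java\tscript:")
    if (preg_match('/[\x00-\x20]/', $raw)) {
        return null;
    }
    // Scheme allowlist: only http and https may become a link
    if (!preg_match('#^https?://#i', $raw)) {
        return null;
    }
    // Re-escape for the attribute; ENT_QUOTES also encodes single quotes
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Convert both BBCode link forms into anchors; unsafe targets stay as text.
function render_bbcode_urls(string $message): string
{
    // [url=target]link text[/url]
    $message = preg_replace_callback(
        '/\[url=(.+?)\](.*?)\[\/url\]/is',
        function (array $m): string {
            $href = bbcode_safe_href($m[1]);
            // $m[2] is already escaped because the whole message was stored escaped
            return $href === null ? $m[0] : '<a href="' . $href . '">' . $m[2] . '</a>';
        },
        $message
    );
    // [url]target[/url]  (the form from the first post)
    $message = preg_replace_callback(
        '/\[url\](.+?)\[\/url\]/is',
        function (array $m): string {
            $href = bbcode_safe_href($m[1]);
            return $href === null ? $m[0] : '<a href="' . $href . '">' . $m[1] . '</a>';
        },
        $message
    );
    return $message;
}

// Constructed sample inputs; the last two should NOT become links
$samples = [
    '[url]http://somelink.com/?a=1&b=2[/url]',
    '[url=http://somelink.com]link text[/url]',
    '[url]javascript:alert(1)[/url]',
    '[url=http://x.com" onmouseover="alert(1)]hover[/url]',
];

foreach ($samples as $s) {
    $stored = htmlspecialchars($s);   // what the thread does before the INSERT
    echo render_bbcode_urls($stored), PHP_EOL;
}
```

Because the decode-validate-re-encode step runs on the stored value, the "&amp;" produced at storage time is turned back into "&" before the scheme check and then encoded again for the attribute, so a query string survives intact while the javascript: and attribute-breakout samples are printed back as plain BBCode text. Note that this only covers the [url] tag; a single-quoted href, or any other tag that accepts a URL, needs the same scheme check.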