Jump to content

PRotect my POST DATA... FROM HTML ATTACKS

Gayner

By Gayner
in PHP Coding Help

 Share

Recommended Posts

Gayner Advanced Member

Gayner

Posted
  • Author
Posted

htmlentities() doesn't convert commas..

 

Ok but i want to ban the user if he trys to post html character so this is how i would right?

 

if $_POST['prayer'] = htmlentities($_POST['prayer'])

mysql_query(BAN USER BLA BLA);

 

 

that's how i would do it tho right ?

 

Alex Advanced Member

Alex

Posted
Posted

Well, no that's not how you would do it. It doesn't matter though, it would extremely unfair to ban a user for posting something that would be converted to an htmlentity by htmlentities().. If someone posts &, <, >, ', ", (or anything else from this list) you would ban them? Doesn't seem very fair to me.

Gayner Advanced Member

Gayner

Posted
  • Author
Posted

Well, no that's not how you would do it. It doesn't matter though, it would extremely unfair to ban a user for posting something that would be converted to an htmlentity by htmlentities().. If someone posts &, <, >, ', ", (or anything else from this list) you would ban them? Doesn't seem very fair to me.

 

Well were I come from, it means there going to spam my site. with kitty porn or whatnot

Gayner Advanced Member

Gayner

Posted
  • Author
Posted

If someone tries to post "Hope you feel better & get well soon" you'd take that as an attack on your website?

 

 

 

It's a Prayer Request form, yes good idea, how do I get & To be unconverted? Can i add a Paremiter to the function htmlentities to not convert the & cause ur right :P

 

so far i got

 

 '". mysql_real_escape_string(htmlentities($text, ENT_NOQUOTES)) ."',

 

bcz i want people to use " and ' but i want people to use & too good idea

Alex Advanced Member

Alex

Posted
Posted

The point of escaping data isn't really to find out who's trying to hack your website and ban them. It's to protect just in case, someone might typo a < or something, that's no reason to ban them. You could create a black-list of things to ban people based on (like <meta..) that would give a better indication that they were trying to post something malicious, but I don't even think that's necessary. As long as you're correctly escaping user input someone trying to post a meta refresh is no more harmful than someone spamming, which some moderation will solve.

Gayner Advanced Member

Gayner

Posted
  • Author
Posted

The point of escaping data isn't really to find out who's trying to hack your website and ban them. It's to protect just in case, someone might typo a < or something, that's no reason to ban them. You could create a black-list of things to ban people based on (like <meta..) that would give a better indication that they were trying to post something malicious, but I don't even think that's necessary. As long as you're correctly escaping user input someone trying to post a meta refresh is no more harmful than someone spamming, which some moderation will solve.

 

Yea ur right, I think I just want to replace malicious coding.. but i have no idea how, that's why i am here!

 

 

I wonder fi there a free script on internet just has all those in a function i can just pop in my coding so i don't have to go thru each malicious coding

I <meta and some javascript i don't want to be posted... but iuno how to check if people are posting those

 

KevinM1 Advanced Member

KevinM1

Posted
Posted

That's what regular expressions are for.  Test the input for whatever you're afraid of first with the proper expression.  If the input contains a bad thing, deny/ban as necessary.  Otherwise display it, being sure to pass the text through htmlentities just in case.

Gayner Advanced Member

Gayner

Posted
  • Author
Posted

That's what regular expressions are for.  Test the input for whatever you're afraid of first with the proper expression.  If the input contains a bad thing, deny/ban as necessary.  Otherwise display it, being sure to pass the text through htmlentities just in case.

 

huh?

Gayner Advanced Member

Gayner

Posted
  • Author
Posted

 

 

I am using

 

function removeUnsafeAttributesAndGivenTags($input, $validTags = '')
{
    $regex = '#\s*<(/?\w+)\s+(?:on\w+\s*=\s*(["\'\s])?.+?
\(\1?.+?\1?\);?\1?|style=["\'].+?["\'])\s*>#is';
    return preg_replace($regex, '<${1}>',strip_tags($input, $validTags));
}

 

Works fine :D

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.