arbitter Posted February 27, 2010
So I'm making a guestbook for my site. It's the first time I'm doing this, so I don't know what precautions to take. Does the whole page get messed up if someone types a quote? Or other things? I've read about htmlentities(), but is that all I must do, or should I do more? And what about strip_tags() and trim()? Probably it's a simple solution, but I want to make sure nothing goes wrong...
jskywalker Posted February 27, 2010
I would start here: http://tinyurl.com/yjcq2vz
arbitter Posted February 28, 2010
Then all I get is these free scripts made out of dozens of files. That's not what I want. I already have mine, I just don't know what to do with the text that's given. So I asked someone else if htmlentities itself is good, and he said that'd be fine for me. But when for example I type '<font color='green'>blabla</font>', my script doesn't do anything. And no, I don't want to make the text green, I want it to save and display '<font color='green'>blabla</font>'. Any help?
wildteen88 Posted February 28, 2010
At the moment it sounds like you're not sanitizing your users' input. Failing to do this will make your script prone to SQL injection attacks. To help prevent this you should use mysql_real_escape_string at minimum. Allowing users to post HTML in your guestbook doesn't sound like a good idea either. If you're going to allow HTML to be posted you should limit them to certain HTML tags such as <b>, <i>, <u> etc. You can implement this using strip_tags. The alternative is to use BBCode tags such as [b], [i], [u] etc. There are many tutorials on the net on making your own BBCode parser.
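The two controls named in the reply above, worked through as an added example (this is editor-supplied code, not something posted in the thread). It stores posts with a prepared statement, which is the stronger form of the escaping wildteen88 recommends (the mysql_* extension itself was removed in PHP 7, but mysqli and PDO offer the same prepared-statement API against MySQL), escapes at output time, and shows the strip_tags() caveat a practitioner needs to know: an allow-listed tag keeps its attributes, so `<b onmouseover="...">` passes through. Assumptions: PHP 7.1+ with the pdo_sqlite driver so it runs offline; the table and column names (guestbook, naam, datum, post) are taken from the code posted later in this thread; the sample posts are constructed.

```php
<?php
// Added example: minimal guestbook store/render functions.
// Assumes PDO with the sqlite driver; table and column names follow the thread.

// 1. Database side. Values are bound separately from the SQL text, so a quote
//    in the message cannot terminate the string literal in the INSERT.
function open_guestbook(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE guestbook (
        id    INTEGER PRIMARY KEY AUTOINCREMENT,
        naam  TEXT NOT NULL,
        datum TEXT NOT NULL,
        post  TEXT NOT NULL)');
    return $db;
}

function store_post(PDO $db, string $naam, string $post): void {
    $stmt = $db->prepare(
        'INSERT INTO guestbook (naam, datum, post) VALUES (:naam, :datum, :post)');
    $stmt->execute([
        ':naam'  => $naam,
        ':datum' => gmdate('Y-m-d H:i:s'),   // ISO-style text sorts chronologically
        ':post'  => $post,
    ]);
}

// Newest first, ordered by the stored timestamp with id as a tiebreaker,
// so gaps left by deleted rows do not matter.
function fetch_posts(PDO $db): array {
    return $db->query(
        'SELECT naam, datum, post FROM guestbook ORDER BY datum DESC, id DESC')
        ->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Browser side. Escape when rendering, not before storing, so the database
//    keeps exactly what the user typed and the escaping policy can change later.
function render_plain(string $text): string {
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

// 3. The strip_tags() allow-list keeps the listed tags but does not touch their
//    attributes, so an event handler on an allowed <b> survives this filter.
function render_with_tags(string $text): string {
    return strip_tags($text, '<b><i><u>');
}

// Constructed inputs: the quote from the first question, the <font> tag from
// the third post, and an allowed tag carrying an event handler.
$db = open_guestbook();
store_post($db, "O'Brien", "It's \"fine\" -- or is it?");
store_post($db, 'arbitter', "<font color='green'>blabla</font>");
store_post($db, 'mallory', '<b onmouseover="alert(1)">hover me</b>');

foreach (fetch_posts($db) as $row) {
    // The name is user input too, so it gets the same treatment as the post.
    echo render_plain($row['naam']), ' (', $row['datum'], "):\n";
    echo '  escaped:    ', render_plain($row['post']), "\n";
    echo '  strip_tags: ', render_with_tags($row['post']), "\n";
}
```

Running it shows the difference between the two rendering paths on mallory's post: render_plain() turns the whole tag into literal text, while render_with_tags() keeps `<b onmouseover="alert(1)">` intact because strip_tags() only decides which tag names survive. If some HTML must be allowed, the attributes need a separate allow-list (or a BBCode layer, as the reply suggests), not strip_tags() alone.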
arbitter Posted February 28, 2010
It was not my intention to let users use HTML, since they won't know it and it'll open up attacks. I was just trying some things to see if htmlentities worked fully. BBCode sounds really interesting too, thanks a lot! Didn't know what that was called.
arbitter Posted March 1, 2010
So for the BBCode parser; I took this function from a website:
[code]function bbcode_format($postje){
    // Convert all special HTML characters into entities to display literally
    $postje = htmlentities($postje);

    // The array of regex patterns to look for
    $format_search = array(
        '#\[b\](.*?)\[/b\]#is',                                   // Bold ([b]text[/b])
        '#\[i\](.*?)\[/i\]#is',                                   // Italics ([i]text[/i])
        '#\[u\](.*?)\[/u\]#is',                                   // Underline ([u]text[/u])
        '#\[s\](.*?)\[/s\]#is',                                   // Strikethrough ([s]text[/s])
        '#\[quote\](.*?)\[/quote\]#is',                           // Quote ([quote]text[/quote])
        '#\[code\](.*?)\[/code\]#is',                             // Monospaced code ([code]text[/code])
        '#\[size=([1-9]|1[0-9]|20)\](.*?)\[/size\]#is',           // Font size 1-20px ([size=12]text[/size])
        '#\[color=([A-F0-9]{3}|[A-F0-9]{6})\](.*?)\[/color\]#is', // Font color ([color=FF0000]text[/color])
        '#\[url=((?:ftp|https?)://.*?)\](.*?)\[/url\]#i',         // Hyperlink with descriptive text ([url=http://...]text[/url])
        '#\[url\]((?:ftp|https?)://.*?)\[/url\]#i',               // Hyperlink ([url]http://...[/url])
        '#\[img\]((?:ftp|https?)://.*?)\[/img\]#i'                // Image ([img]http://...[/img])
    );

    // The matching array of strings to replace matches with
    $format_replace = array(
        '<strong>$1</strong>',
        '<em>$1</em>',
        '<span style="text-decoration: underline;">$1</span>',
        '<span style="text-decoration: line-through;">$1</span>',
        '<blockquote>$1</blockquote>',
        '<pre>$1</'.'pre>',
        '<span style="font-size: $1px;">$2</span>',
        '<span style="color: #$1;">$2</span>',
        '<a href="$1">$2</a>',
        '<a href="$1">$1</a>',
        '<img src="$1" alt="" />'
    );

    // Perform the actual conversion
    $postje = preg_replace($format_search, $format_replace, $postje);

    // Convert line breaks into the <br /> tag
    $postje = nl2br($postje);

    return $postje;
}[/code]
It doesn't work for some reason. When I have a mysql database with "example" I do:
[code]while($rows=mysql_fetch_array($result)){
    $postje = $rows['post'];
    bbcode_format($postje);
    $gbpost = "
<table width='400' border='0' align='center' cellpadding='0' cellspacing='1' bgcolor='#d7d7d7'>
  <tr>
    <td>
      <table width='400' border='0' cellpadding='3' cellspacing='1' bgcolor='#ffffff'>
        <tr><td width='*' bgcolor='#e2e2e2' align='left'><b>" . $rows['naam'] . "</b></td><td bgcolor='#e2e2e2' align='right' width='80'>" . $rows['datum'] . "</td></tr>
        <tr>
          <td> " . $postje . "</td>
        </tr>
      </table>
    </td>
  </tr>
</table>
<BR>";
    echo $gbpost;
}[/code]
but for the post itself, the BBCode still gets shown between brackets, so it doesn't show in bold...

Also another mysql question; how can I order my guestbook by date? Because if I move away a guestbook post, say I have guestbook IDs from 1 to 10 and I erase the 5th, the guestbook post with ID 11 will come in place 5, instead of just being added to the list. (And actually, it'd be best if all came to the top of the list, so that the latest gets shown first.)
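The posted function gets the order of operations right: every HTML character is entity-encoded first, and only an allow-list of BBCode tags is turned back into markup, with the URL-taking tags restricted to ftp/http/https. The following is an added example, not the thread's parser, that keeps that structure for [b], [url=...] and [img] but validates URLs with parse_url() in a preg_replace_callback() instead of inside the regex, and runs a set of constructed adversarial inputs through it so each property can be seen rather than assumed. All function names, the scheme list and the test inputs are this example's own.

```php
<?php
// Added example: callback-based BBCode converter with URL validation.
// Same encode-first, allow-list-second structure as the function posted above.

// Only these schemes may become href/src values. javascript:, data: and
// anything else stays as the literal text the user typed.
const SAFE_SCHEMES = ['http', 'https', 'ftp'];

function is_safe_url(string $url): bool {
    // The text has already been entity-encoded, so decode a copy for
    // validation only; the encoded form is what goes into the attribute.
    $raw   = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    $parts = parse_url($raw);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;
    }
    return in_array(strtolower($parts['scheme']), SAFE_SCHEMES, true);
}

function bbcode_to_html(string $text): string {
    // Step 1: neutralise all HTML the user typed. Because this runs first,
    // the only markup in the output is what the allow-list below emits.
    $out = htmlentities($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Step 2: [b]...[/b]
    $out = preg_replace('#\[b\](.*?)\[/b\]#is', '<strong>$1</strong>', $out);

    // Step 3: [url=...]text[/url], emitted only when the URL passes validation;
    // otherwise the whole tag is left as typed.
    $out = preg_replace_callback('#\[url=([^\]]+)\](.*?)\[/url\]#is', function ($m) {
        return is_safe_url($m[1])
            ? '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>'
            : $m[0];
    }, $out);

    // Step 4: [img]...[/img], same rule.
    $out = preg_replace_callback('#\[img\]([^\[]+)\[/img\]#is', function ($m) {
        return is_safe_url($m[1])
            ? '<img src="' . $m[1] . '" alt="" />'
            : $m[0];
    }, $out);

    return nl2br($out);
}

// Constructed adversarial inputs, each named after the property it checks.
function bbcode_checks(): array {
    return [
        'script tag is encoded'    => bbcode_to_html('<script>alert(1)</script>'),
        'bold still works'         => bbcode_to_html('[b]hi[/b]'),
        'javascript: url rejected' => bbcode_to_html('[url=javascript:alert(1)]x[/url]'),
        'http url accepted'        => bbcode_to_html('[url=http://example.com/?a=1&b=2]site[/url]'),
        'quote cannot break href'  => bbcode_to_html('[url=http://example.com/" onclick="alert(1)]x[/url]'),
        'data: image rejected'     => bbcode_to_html('[img]data:text/html,x[/img]'),
    ];
}

foreach (bbcode_checks() as $name => $html) {
    echo str_pad($name, 26), ' => ', $html, "\n";
}
```

The "quote cannot break href" case is the one worth studying: the `"` in the URL was turned into `&quot;` in step 1, so whether or not parse_url() accepts the odd path, the attribute value can never contain a raw quote and the `onclick` text stays inside the href. That is why the encoding has to happen before the tag replacement, not after.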
wildteen88 Posted March 1, 2010
You're not calling the function correctly:
[code]$postje = $rows['post'];
bbcode_format($postje);[/code]
It needs to be
[code]$postje = bbcode_format($rows['post']);[/code]
Please read the documentation on the use of functions here: http://php.net/manual/en/language.functions.php
arbitter Posted March 1, 2010
Oh indeed, my sincere apologies. Thanks for the help!
jskywalker Posted March 4, 2010
arbitter wrote:
Also another mysql question; how can I order my guestbook by date? Because if I move away a guestbook post, say I have guestbook IDs from 1 to 10 and I erase the 5th, the guestbook post with ID 11 will come in place 5, instead of just being added to the list. (And actually, it'd be best if all came to the top of the list, so that the latest gets shown first.)

You can order your guestbook using the MySQL 'ORDER BY' clause, see: http://dev.mysql.com/doc/refman/5.1/en/select.html

And... I think you should try to keep one subject to one thread... (I hope it's in the forum rules somewhere...)
arbitter Posted March 6, 2010
Thank you, jskywalker.