YOUTUBE - security

[mforan]

I want people to be able to paste the embedded youtube code into a form on mysite. Obviously this is a secuirty threat do to mysql injections. how would the best way to proceed be?

 

"<object width="480" height="385"><param name="movie" value="

name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="

type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object>"

[aeroswat]

Why not just make a code for it since I doubt that its different except for the link.

 

and it will create the string on your end and fill in the necessary info

[Mchl]

1. It's same SQL injection risk, as with any other data that comes from user, so act in a same way.

2. It is an XSS risk however. Ask them to just paste a url (which you can validate using regex), and let your script generate all the embedding code.

[mforan]

but the video url is differnt from the embedded url

- url

&hl=en_GB&fs=1& - embedded url

[ignace]

<object width="480" height="385">
  <param name="movie" value="http://www.youtube.com/v/xFYQQPAOz7Y"></param>
  <param name="allowFullScreen" value="true"></param>
  <param name="allowScriptAccess" value="always"></param>
  <embed src="http://www.youtube.com/v/xFYQQPAOz7Y"
    type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true"
    width="480" height="385">
  </embed>
</object>

 

All you need to ask from the user is xFYQQPAOz7Y through the YouTube API you can ask if it's a valid YouTube Video.

 

http://code.google.com/intl/nl/apis/youtube/overview.html

[mforan]

ok im confused lol  :-\

[aeroswat]

ok im confused lol  :-\

 

ignace's way is the best way to go. Read up on the link he provided. In other words you only need to store the information that that the youtube video requires.

 

We would be able to assist you further if we understood what you were trying to do with this? What are they submitting the video into? What are you doing with the video once its submitted? etc etc

[ignace]

You ask the user to input the Video ID (xFYQQPAOz7Y) afterwards when you want to display the video you do:

 

<object width="480" height="385">
  <param name="movie" value="http://www.youtube.com/v/<?php echo $vid; ?>"></param>
  <param name="allowFullScreen" value="true"></param>
  <param name="allowScriptAccess" value="always"></param>
  <embed src="http://www.youtube.com/v/<?php echo $vid; ?>"
    type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true"
    width="480" height="385">
  </embed>
</object>

 

Personally I would extend this further so I could control which video had fullScreen and scriptAccess, the width and height of the video.

[mforan]

Ahh this works. i just wanted to uncomplicate things for the user. entering "

into a form box makes more practical sense for the user.

[aeroswat]

Ahh this works. i just wanted to uncomplicate things for the user. entering "

into a form box makes more practical sense for the user.

 

well if you want to do that all you have to do is remove the http://www.youtube.com/watch?v= with some string manipulation functions. I'm sure you can figure that part out