Filtering question...

#1 yungbloodreborn

  • Members
  • Advanced Member
  • 45 posts
  • Location: California

Posted 12 September 2006 - 08:38 PM

First, I'd like to thank the ones that have helped me on my other 2 questions. I am very impressed with this site.

My basic problem is this: I need a way of filtering out HTML and scripting languages. It's for a message board script, and I don't want anyone to be able to cause problems with the site. I don't want people to be able to insert JavaScript, or the like. So how do I filter that out?

(More detail below)

OK, with the project I'm working on, I have it technically working, it just has a security flaw I need help eliminating. I'm working on writing a simple message board. It doesn't sort by thread, or anything fancy like that. I have the messages stored as PHP files with 3 vars: $username, $subject and $message. They are named like "1.php" - "1000.php", or however many there are. So the files look like this:

<?php
$username = "yungbloodreborn";
$subject = "Test";
$message = "Hi,
this is a test message...
I hope it works...";
?>

then I have one file "count.php" that has the number of the last message entered in it.

<?php $count = 5; ?>

That way my message index page simply starts at $count and counts down, and includes each message file to get its $username & $subject. I have another page that just includes the one message file that you want to read, and displays all 3 vars.

I already wrote the script that writes the message files & updates the count file. It's all working as it should. The piece that needs to be secured is the part that takes the info from the forms, and writes it to the file. If I try to put in a quote mark, it thinks it's closing the string. Also, I need to make sure that users can't enter any PHP (or other script) code. I don't care if users can enter actual HTML for links/images or other formatting. I just don't want them to be able to hack my site with malicious code in a message. I've skimmed over the bbPHP code, and saw how to turn custom tags into HTML, I can make that work. But I haven't found anything that will strip out any scripting, or deal with quotes.

#2 yungbloodreborn

  • Members
  • Advanced Member
  • 45 posts
  • Location: California

Posted 12 September 2006 - 09:23 PM

Don't worry about the quote issue I was having. I fixed that with a combination of addslashes & stripslashes: addslashes in the file that writes the message file, and stripslashes in the files that read the messages.

-YB
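Added example, not code from the thread: what the addslashes() approach in the post above writes into a message file, next to a version built with var_export(). File and function names are illustrative assumptions. addslashes() escapes quotes and backslashes, but the value still sits inside a double-quoted PHP literal, and PHP interpolates $variables there and evaluates {${...}} expressions (a function call placed inside those braces runs when the file is included). var_export() emits a single-quoted literal, which PHP never interpolates, so the stored text comes back exactly as typed.

```php
<?php
// Added example (not from the original thread). Two ways of writing a
// message file that the index page later include()s, as post #1 describes.
// Function names and file paths here are illustrative assumptions.

// What the thread describes: addslashes() into a double-quoted literal.
// addslashes() escapes ' " \ and NUL, but a double-quoted PHP string still
// interpolates $variables and evaluates {$...} / {${...}} expressions, so
// the message is parsed as PHP code, not merely stored as text.
function write_message_unsafe(string $path, string $username, string $subject, string $message): void
{
    $src = "<?php\n"
         . '$username = "' . addslashes($username) . "\";\n"
         . '$subject = "'  . addslashes($subject)  . "\";\n"
         . '$message = "'  . addslashes($message)  . "\";\n";
    file_put_contents($path, $src, LOCK_EX);
}

// Safer: var_export() emits a single-quoted literal with only \ and '
// escaped; single-quoted strings never interpolate or evaluate anything.
function write_message_safe(string $path, string $username, string $subject, string $message): void
{
    $src = "<?php\n"
         . '$username = ' . var_export($username, true) . ";\n"
         . '$subject = '  . var_export($subject, true)  . ";\n"
         . '$message = '  . var_export($message, true)  . ";\n";
    file_put_contents($path, $src, LOCK_EX);
}

// Constructed sample input: a message body that happens to mention variable names.
$username = 'yungbloodreborn';
$subject  = 'Test';
$message  = 'Contact me at $username or see {$subject}';

$tmp = sys_get_temp_dir() . '/msg_demo_';
write_message_unsafe($tmp . 'unsafe.php', $username, $subject, $message);
write_message_safe($tmp . 'safe.php',   $username, $subject, $message);

// Read back the way the index page does: include the file, then use the vars.
// No stripslashes() step is needed for the var_export() version.
include $tmp . 'unsafe.php';
echo "unsafe: $message\n";   // $username and {$subject} were interpolated on include
include $tmp . 'safe.php';
echo "safe:   $message\n";   // text comes back exactly as typed

@unlink($tmp . 'unsafe.php');
@unlink($tmp . 'safe.php');
```

Storing the posts as data (for example serialize() or json_encode() into a non-PHP file, or a database) rather than as PHP source avoids the question entirely; var_export() is the smallest change that keeps the existing include()-based layout.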

#3 yungbloodreborn

  • Members
  • Advanced Member
  • 45 posts
  • Location: California

Posted 13 September 2006 - 08:17 PM

*bump* *nudge* *tap*

#4 redarrow

  • Members
  • Advanced Member
  • 7,308 posts
  • Location: London

Posted 13 September 2006 - 08:21 PM

Use sessions so the user can go back and alter the information, and also use eregi to give an error on the things you don't want entered.
Wish I knew all about PHP. Damn, I will have to learn.

#5 yungbloodreborn

  • Members
  • Advanced Member
  • 45 posts
  • Location: California

Posted 13 September 2006 - 08:45 PM

I'm already using sessions. This is in a members-only section. I understand how to add stuff like editing. I simply don't want to allow raw HTML code being entered in from the user. I don't want the possibility of users adding malicious code, i.e. scripts and the like.

#6 roopurt18

  • Staff Alumni
  • Advanced Member
  • 3,749 posts
  • Location: California, southern

Posted 13 September 2006 - 09:34 PM

You can use a combination of regular expressions or built-in PHP functions to achieve this.

htmlentities and strip_tags are the built in functions that could get you started.

I find using htmlentities but allowing common bulletin board codes to be a simple way of giving formatting options and still preventing the insertion of unwanted scripts.
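Added example, not code from the thread or from bbPHP: the approach in the post above made concrete. Every character the user typed goes through htmlspecialchars() first, so no raw HTML survives; a small whitelist of bulletin-board tags is then turned into HTML whose attributes are built by the code, not copied from the input, and URLs in [url] and [img] are accepted only with an http or https scheme. Function and constant names are illustrative assumptions.

```php
<?php
// Added example (not from the original thread or bbPHP). Escape everything,
// then translate a whitelist of BB codes into HTML. Names are illustrative.

// Only these URL schemes are allowed in [url] and [img]; this is what keeps
// "javascript:" or "data:" URLs from becoming live links or image sources.
const ALLOWED_SCHEMES = ['http', 'https'];

function safe_url(string $url): ?string
{
    // The input has already been through htmlspecialchars(); undo that so
    // parse_url() sees the real URL, then re-escape before emitting it.
    $raw    = html_entity_decode($url, ENT_QUOTES, 'UTF-8');
    $scheme = parse_url($raw, PHP_URL_SCHEME);
    if ($scheme === null || $scheme === false
        || !in_array(strtolower($scheme), ALLOWED_SCHEMES, true)) {
        return null;
    }
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

function render_message(string $text): string
{
    // Step 1: neutralise every < > & " ' so the text itself contains no markup.
    $out = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Step 2: simple wrapping tags. The captured content is already escaped,
    // so the inner text cannot inject markup.
    $simple = ['b' => 'strong', 'i' => 'em', 'u' => 'u'];
    foreach ($simple as $bb => $html) {
        $out = preg_replace('/\[' . $bb . '\](.*?)\[\/' . $bb . '\]/is',
                            '<' . $html . '>$1</' . $html . '>', $out);
    }

    // Step 3: [url=...]text[/url]. A rejected URL leaves the tag as plain
    // escaped text instead of emitting a link.
    $out = preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/is',
        function (array $m): string {
            $href = safe_url($m[1]);
            return $href === null
                ? $m[0]
                : '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $out
    );

    // Step 4: [img]...[/img], same rule.
    $out = preg_replace_callback(
        '/\[img\]([^\[]+)\[\/img\]/is',
        function (array $m): string {
            $src = safe_url($m[1]);
            return $src === null ? $m[0] : '<img src="' . $src . '" alt="">';
        },
        $out
    );

    return nl2br($out);
}

// Constructed sample inputs: one hostile, one legitimate.
$hostile = '<script>alert(1)</script> [url=javascript:alert(1)]click[/url] <img src=x onerror=alert(1)>';
$benign  = 'See [b]this[/b]: [url=https://example.com/?a=1&b=2]example[/url]';

echo render_message($hostile), "\n";
// The <script> and the onerror image come out as inert &lt;script&gt;... text,
// and the javascript: URL stays as escaped text rather than becoming a link.
echo render_message($benign), "\n";
// See <strong>this</strong>: <a href="https://example.com/?a=1&amp;b=2" rel="nofollow">example</a>
```

The example deliberately does not use strip_tags() with an allowed-tags list for the formatting: strip_tags() keeps the attributes of the tags it allows, so an onclick attribute or a javascript: href on a permitted <a> would pass through untouched. Escaping everything and re-creating a few tags from a whitelist avoids that.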
