Filtering question...


yungbloodreborn

First, I'd like to thank the ones that have helped me on my other 2 questions. I am very impressed with this site.

My basic problem is this, I need a way of filtering out html and scripting languages. It's for a message board script, and I don't want anyone to be able to cause problems with the site. I don't want people to be able to insert javascript, or the like. So how do I filter that out?

(More detail below)

Ok, with the project I'm working on, I have it technically working, it just has a security flaw I need help eliminating. I'm working on writing a simple message board. It doesn't sort by thread, or anything fancy like that. I have the messages stored as php files with 3 vars: $username $subject and $message. They are named like "1.php" - "1000.php", or however many there are. So the files look like this:

[code]
<?php
$username = "yungbloodreborn";
$subject = "Test";
$message = "Hi,
this is a test message...
I hope it works...";
?>
[/code]

then I have one file "count.php" that has the number of the last message entered in it.

[code]
<?php $count = 5; ?>
[/code]

That way my message index page simply starts at $count and counts down, and includes each message file to get its $username & $subject. I have another page that just includes the one message file that you want to read, and displays all 3 vars.

I already wrote the script that writes the message files & updates the count file. It's all working as it should. The piece that needs to be secured is the part that takes the info from the forms, and writes it to the file. If I try to put in a quote mark, it thinks it's closing the string. Also, I need to make sure that users can't enter any php (or other script) code. I don't care if users can enter actual html for links/images or other formatting. I just don't want them to be able to hack my site with malicious code in a message. I've skimmed over the bbPHP code, and saw how to turn custom tags into html, I can make that work. But I haven't found anything that will strip out any scripting, or deal with quotes.

You can use a combination of regular expressions or built-in PHP functions to achieve this.

htmlentities and strip_tags are the built-in functions that could get you started.

I find using htmlentities but allowing common bulletin board codes to be a simple way of giving formatting options and still preventing the insertion of unwanted scripts.
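
The reply above sketches the approach; the following is an added example (not code from the thread or from either participant) that applies it to the poster's file layout. It fixes both problems raised: var_export() writes the message file so a quote in the input can never close the PHP string, and htmlspecialchars() (which escapes the same dangerous characters as htmlentities) runs at display time before a short whitelist of BBCode tags is turned into HTML, with link and image URLs restricted to http(s). The function names, the tag list and the sample input are this example's own assumptions.

```php
<?php
// Added example (not code from the original thread). It keeps the poster's
// file layout ($username / $subject / $message in 1.php, 2.php, ...) but
// fixes the two problems raised: quotes breaking the PHP string, and
// HTML/script in a message running on the site. Function names and the
// BBCode tag list are this example's own choices.

// Build the message file with var_export(), which emits a correctly quoted
// PHP string literal for ANY input, so a user cannot close the string and
// append PHP code. Written to a temp file first so a partially written file
// is never include()d.
function write_message_file(string $path, string $username, string $subject, string $message): void
{
    $php = "<?php\n"
         . '$username = ' . var_export($username, true) . ";\n"
         . '$subject = '  . var_export($subject, true)  . ";\n"
         . '$message = '  . var_export($message, true)  . ";\n";
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $php, LOCK_EX);
    rename($tmp, $path);
}

// Escape a message for HTML output, then translate a short whitelist of
// BBCode tags into markup. Everything else the user typed stays inert text.
function render_message(string $text): string
{
    // Step 1: every < > & " ' becomes an entity, so raw HTML or <script> in
    // the post is displayed literally instead of executed.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: simple formatting tags. The captured text was already escaped
    // in step 1, so it cannot smuggle markup back in.
    $safe = preg_replace('~\[b\](.*?)\[/b\]~is', '<strong>$1</strong>', $safe);
    $safe = preg_replace('~\[i\](.*?)\[/i\]~is', '<em>$1</em>', $safe);

    // Step 3: links and images, but only with http(s) URLs, so
    // javascript: and data: URLs are rejected rather than rendered.
    $safeUrl = function (string $escaped): ?string {
        $url = html_entity_decode($escaped, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if (!preg_match('~^https?://[^\s<>"\'\\\\]+$~i', $url)) {
            return null;
        }
        return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    };
    $safe = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~is',
        function (array $m) use ($safeUrl): string {
            $href = $safeUrl($m[1]);
            // Bad scheme: keep the visible text, drop the link.
            return $href === null ? $m[2]
                : '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );
    $safe = preg_replace_callback(
        '~\[img\]([^\]]+)\[/img\]~is',
        function (array $m) use ($safeUrl): string {
            $src = $safeUrl($m[1]);
            return $src === null ? '' : '<img src="' . $src . '" alt="">';
        },
        $safe
    );

    return nl2br($safe);
}

// Constructed demo input: tries to close the PHP string, run code, inject
// a <script> tag and a javascript: link. None of it survives.
$evil = "Hi\"; system('id'); echo \"<script>alert(1)</script>\n"
      . "[url=javascript:alert(1)]click me[/url] [b]bold[/b] "
      . "[url=https://example.com/?a=1&b=2]ok[/url]";

$file = sys_get_temp_dir() . '/1.php';
write_message_file($file, 'yungbloodreborn', 'Test', $evil);
include $file;                       // defines $username, $subject, $message
echo render_message($message);
```

The order matters: escape first, then convert the whitelisted tags, so the regex captures can only ever contain already-escaped text. Storing user input inside executable PHP files is still a fragile design even with var_export(); keeping the posts in a data format (serialize() or json_encode()) and reading them back would remove that risk entirely, but the version above stays compatible with the index page the poster already has.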
