yungbloodreborn Posted September 12, 2006

First, I'd like to thank the ones that have helped me on my other 2 questions. I am very impressed with this site.

My basic problem is this: I need a way of filtering out HTML and scripting languages. It's for a message board script, and I don't want anyone to be able to cause problems with the site. I don't want people to be able to insert JavaScript, or the like. So how do I filter that out? (More detail below)

Ok, with the project I'm working on, I have it technically working, it just has a security flaw I need help eliminating. I'm working on writing a simple message board. It doesn't sort by thread, or anything fancy like that. I have the messages stored as PHP files with 3 vars: $username, $subject and $message. They are named like "1.php" - "1000.php", or however many there are. So the files look like this:

[code]
<?php
$username = "yungbloodreborn";
$subject = "Test";
$message = "Hi, this is a test message... I hope it works...";
?>
[/code]

Then I have one file "count.php" that has the number of the last message entered in it.

[code]
<?php $count = 5; ?>
[/code]

That way my message index page simply starts at $count and counts down, and includes each message file to get its $username & $subject. I have another page that just includes the one message file that you want to read, and displays all 3 vars.

I already wrote the script that writes the message files & updates the count file. It's all working as it should. The piece that needs to be secured is the part that takes the info from the forms, and writes it to the file. If I try to put in a quote mark, it thinks it's closing the string. Also, I need to make sure that users can't enter any PHP (or other script) code. I don't care if users can enter actual HTML for links/images or other formatting. I just don't want them to be able to hack my site with malicious code in a message.

I've skimmed over the bbPHP code, and saw how to turn custom tags into HTML; I can make that work. But I haven't found anything that will strip out any scripting, or deal with quotes.
yungbloodreborn (Author) Posted September 12, 2006

Don't worry about the quote issue I was having. I fixed that with a combination of addslashes & stripslashes: addslashes in the file that writes the message file, and stripslashes in the files that read the messages.

-YB
yungbloodreborn (Author) Posted September 13, 2006

*bump* *nudge* *tap*
redarrow Posted September 13, 2006

Use sessions so the user can go back and alter the information, and also use eregi to give an error on the things you don't want entered.
yungbloodreborn (Author) Posted September 13, 2006

I'm already using sessions. This is in a members-only section. I understand how to add stuff like editing. I simply don't want to allow raw HTML code being entered in from the user. I don't want the possibility of users adding malicious code, i.e. scripts and the like.
roopurt18 Posted September 13, 2006

You can use a combination of regular expressions or built-in PHP functions to achieve this. htmlentities and strip_tags are the built-in functions that could get you started.

I find using htmlentities but allowing common bulletin board codes to be a simple way of giving formatting options and still preventing the insertion of unwanted scripts.
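A worked version of roopurt18's suggestion (escape everything first, then re-enable a small whitelist of board tags), together with writing the per-message PHP file via var_export() so a quote mark in the text cannot close the string literal, which was the problem in the first post. This is added example code, not from the thread or the bbPHP project; the tag set, the function names and the message-file layout are assumptions.

```php
<?php
// Step 1: htmlspecialchars() turns <, >, ", ' and & into entities, so no
// HTML or <script> the user typed can ever be rendered as markup.
// Step 2: only then re-enable a fixed set of bulletin-board tags.
function sanitize_message(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    // Bold / italic: the inner text is already escaped, so these patterns
    // are the only way real tags can appear in the output.
    $safe = preg_replace('/\[b\](.*?)\[\/b\]/s', '<b>$1</b>', $safe);
    $safe = preg_replace('/\[i\](.*?)\[\/i\]/s', '<i>$1</i>', $safe);

    // Links: accept only http(s) URLs. Because quotes were escaped in step 1
    // the href cannot be broken out of, and a javascript: URL never matches.
    $safe = preg_replace_callback(
        '/\[url=(https?:\/\/[^\]\s]+)\](.*?)\[\/url\]/s',
        function (array $m) {
            return '<a href="' . $m[1] . '">' . $m[2] . '</a>';
        },
        $safe
    );
    return nl2br($safe);
}

// The stored file is still "a PHP file with 3 vars", but each value is
// emitted with var_export(): quotes, backslashes and "?>" inside the text
// stay inside the string literal instead of terminating it.
function message_file_source(string $username, string $subject, string $message): string
{
    return "<?php\n"
        . '$username = ' . var_export($username, true) . ";\n"
        . '$subject = ' . var_export($subject, true) . ";\n"
        . '$message = ' . var_export($message, true) . ";\n";
}

// Constructed sample post mixing legitimate tags with a script attempt.
$raw = "Hi [b]all[/b], see [url=http://example.com/page]this[/url]\n"
     . "<script>alert(1)</script> [url=javascript:alert(1)]nope[/url]";
echo sanitize_message($raw), "\n\n";
echo message_file_source('yungbloodreborn', 'Test', "Don't \"break\" this ?>");
```

Run the sanitized string through a browser and the `<script>` element and the `javascript:` link show up as plain text, while the `[b]` and http `[url]` tags become real markup.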