arbitter, posted May 16, 2011
https://forums.phpfreaks.com/topic/236573-safety-and-correctness-questions/

Hi there, I've got this BBCode parser and I need to make sure NOTHING can go wrong by injection or anything, as it will affect a part of the main page of a site. I'm a little confused with what happens with code when it gets cleaned, so I'm not sure if it'll work like this.

So there's a textarea, and the contents of that textarea should be put in a MySQL database. So I guess this will do: mysql_real_escape_string(htmlentities($string))

But how do 'enters' get put in a database? Because the parser code is:

```php
<?php
function bbcode_format($str)
{
    // Escape raw HTML first so only the tags generated below reach the page.
    $str = htmlentities($str);

    $format_search = array(
        '#\[b\](.*?)\[/b\]#is',                                        // Bold ([b]text[/b])
        '#\[i\](.*?)\[/i\]#is',                                        // Italics ([i]text[/i])
        '#\[u\](.*?)\[/u\]#is',                                        // Underline ([u]text[/u])
        '#\[color=\#?([A-F0-9]{3}|[A-F0-9]{6})\](.*?)\[/color\]#is',   // Font color ([color=#00F]text[/color])
        '#\[url=((?:ftp|https?)://.*?)\](.*?)\[/url\]#i',              // Hyperlink with descriptive text ([url=http://url]text[/url])
        '#\[img\](https?://.*?\.(?:jpg|jpeg|gif|png|bmp))\[/img\]#i',  // Image ([img]http://url_to_image[/img])
        '#\[titel\](.*?)\[/titel\]#is',                                // titel
        '#\[inhoud\](.*?)\[/inhoud\]#is',                              // inhoud
    );
    $format_replace = array(
        '<strong>$1</strong>',
        '<em>$1</em>',
        '<span style="text-decoration: underline;">$1</span>',
        '<span style="color: #$1;">$2</span>',
        '<a href="$1">$2</a>',
        '<img src="$1" alt="" />',
        '<span class="mainheader">$1</span>',
        '<span class="inhoud">$1</span>',
    );

    $str = preg_replace($format_search, $format_replace, $str);
    // Turn newlines from the textarea into line breaks after the tags are in place.
    $str = nl2br($str);
    return $str;
}
?>
```

Also, is it safe to send all this information through ajax? How should it be 'cleaned' to pass through ajax and php without any trouble?

Thanks in advance, arbitter
requinix, posted May 16, 2011

The order of functions:
1. htmlentities() on the original input
2. bbcode_format() (if needed) on the escaped string
3. mysql_real_escape_string() on that to put it into a query

There are three ways you're inserting user input:
1. As HTML directly ($1). htmlentities() addresses this.
2. In an attribute for an HTML tag (href="$1"). htmlentities() will escape double-quotes, so by using double-quotes for your attribute you are safe.
3. In a CSS value (color: #$1;). Your regex enforces a strict pattern so there's no risk of injection.

All that combined means you're 99% safe.

For AJAX, as long as you use json_encode you're fine - nothing else to do.
arbitter, posted May 17, 2011 (author)

So the data that'll be in the database will already be html-ish? They will already be eg "<b>text</b>" instead of "text"? And I guess I'll have to do with that 99%, unless there's something I can do about it?

I'll give the json_encode a try tomorrow, thanks a lot!
DavidAM, posted May 18, 2011

If you store it in the database that way, you cannot let the user edit their post. The BBcode will be gone.

If you want to allow the user to edit the post, you should store it in the database (using mysql_real_escape_string()). Then use your BBcode Formatter and htmlentities() when you want to display it.
requinix, posted May 18, 2011

> Then use your BBcode Formatter and htmlentities() when you want to display it.

Depending on circumstances (eg, traffic) you might want to store the BBCode and HTML versions. That way the processing only happens when the post is submitted/edited and the code to display the post only has to echo some string.
arbitter, posted May 22, 2011 (author)

> If you store it in the database that way, you can not let the user edit their post. The BBcode will be gone.
> If you want to allow the user to edit the post, you should store it in the database (using mysql_real_escape_string()). Then use your BBcode Formatter and htmlentities() when you want to display it.

Great remark, I indeed want them to be able to edit it. So:

Storage: mysql_real_escape_string();
Show when editable: htmlentities();
Show when not-editable: bbcode_format(htmlentities());

Like that? Or is there a chance that the htmlentities() can mess up the bbcodes and should it be done in the other order?
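An added example, not code from the thread. It puts together the ordering requinix laid out (htmlentities() on the input first, then the BBCode regexes, then nl2br()) with the storage layout DavidAM and arbitter settle on (store the raw BBCode; escape only when filling the edit textarea; escape and then format when displaying). It assumes PHP with pdo_sqlite and uses an in-memory SQLite table in place of the thread's MySQL table, and prepared statements where the thread uses mysql_real_escape_string(); the bbcode_format() below is the posted parser with its own htmlentities() call taken out so that escaping happens exactly once, in the caller. The inputs are constructed, including an attribute breakout attempt and a CSS injection attempt, to show what the regex constraints do with them.

```php
<?php
// Added example (not from the thread). Pipeline: store raw BBCode; on display
// escape HTML first, then turn BBCode into HTML, nl2br() last.
// Assumptions: PHP with pdo_sqlite; an in-memory SQLite table stands in for
// the MySQL table; prepared statements stand in for mysql_real_escape_string().

// Turn already HTML-escaped BBCode into HTML. Escaping is left to the caller so
// that it happens exactly once.
function bbcode_format(string $escaped): string
{
    $search = [
        '#\[b\](.*?)\[/b\]#is',
        '#\[i\](.*?)\[/i\]#is',
        '#\[u\](.*?)\[/u\]#is',
        // Only 3 or 6 hex digits reach the style attribute.
        '#\[color=\#?([A-F0-9]{3}|[A-F0-9]{6})\](.*?)\[/color\]#is',
        // Scheme fixed to ftp/http/https, so javascript: and data: never match.
        '#\[url=((?:ftp|https?)://.*?)\](.*?)\[/url\]#i',
        '#\[img\](https?://.*?\.(?:jpg|jpeg|gif|png|bmp))\[/img\]#i',
        '#\[titel\](.*?)\[/titel\]#is',
        '#\[inhoud\](.*?)\[/inhoud\]#is',
    ];
    $replace = [
        '<strong>$1</strong>',
        '<em>$1</em>',
        '<span style="text-decoration: underline;">$1</span>',
        '<span style="color: #$1;">$2</span>',
        '<a href="$1">$2</a>',
        '<img src="$1" alt="" />',
        '<span class="mainheader">$1</span>',
        '<span class="inhoud">$1</span>',
    ];
    return nl2br(preg_replace($search, $replace, $escaped));
}

// Escape for HTML text and for double-quoted attributes. ENT_QUOTES also
// encodes single quotes, which the default flags leave alone.
function esc(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Non-editable view: escape, then format. Brackets, '=' and '#' are not
// touched by htmlentities(), so the BBCode tags survive the escaping step.
function render_post(string $raw): string
{
    return bbcode_format(esc($raw));
}

// Editable view: raw BBCode goes back into the textarea, escaped only.
function render_edit_form(string $raw): string
{
    return '<textarea name="body">' . esc($raw) . '</textarea>';
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Store the raw BBCode unchanged; the placeholder keeps quotes in the body
// out of the SQL text.
function store_post(PDO $db, string $raw): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $raw]);
    return (int) $db->lastInsertId();
}

function load_post(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed inputs: a normal post followed by injection attempts against
// each of the three contexts (HTML text, href attribute, CSS value) and SQL.
$samples = [
    "[b]Hello[/b]\n[url=http://example.com]site[/url]",
    '<script>alert(1)</script>[b]x[/b]',
    '[url=http://example.com" onmouseover="alert(1)]click[/url]',
    "[color=red;background:url('http://evil.example/')]text[/color]",
    "it's \"quoted\"; DROP TABLE posts; --",
];
$db = open_db();
foreach ($samples as $raw) {
    $id = store_post($db, $raw);
    $stored = load_post($db, $id);
    if ($stored !== $raw) {
        throw new RuntimeException('stored body differs from input');
    }
    echo "DISPLAY: ", render_post($stored), "\n";
    echo "EDIT:    ", render_edit_form($stored), "\n\n";
}
```

Run it with the PHP CLI and read the DISPLAY lines: the script sample comes out as escaped text followed by a real <strong> tag, the attribute breakout stays inside the href because its quotes are already &quot; when the regex runs, and the CSS sample is left as literal text because `red;background:...` is not three or six hex digits. The EDIT lines show the untouched BBCode going back into the textarea, which is what storing the raw text buys you.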