Stop parsing

jaymc · October 16, 2006

I have a profile system on my website which allows members to fill in fields with data

For example

[b]First name = Jamie[/b]

But, what happens when you get a scripty who comes along and does this

[b]First name = <? echo "HI"; ?>[/b]

It screws up the page... I need a way to stop it from parsing

I have found a tag called [b]<xmp> [/b] which does actually work for both HTML and PHP suprisingly

Im just wondering if this is the proper way to go about protecting my site from code injection.

If it is, do I have to wrap <xmp></xmp> around any dynamic data a member can submit

Thanks

trq · October 16, 2006

First name = <? echo "HI"; ?> should not effect your page unless you are using [url=http://php.net/eval]eval[/url] in some evil way.

In any case, just strip unwanted chars from the string.

jaymc · October 17, 2006

Im not using eval, but it is still causing problems

So, the professional way to go about this is to basically to

str_replace() any occurances of
[b]<?
<?php
?>[/b]

printf · October 17, 2006

Instead of removing stuff, just make it safe!

[code]htmlentities();
// or
htmlspecialchars();[/code]

me!

jaymc · October 17, 2006

So basically put that when ever echoing out any piece of data that is coming from the users fields?

Sign In

Stop parsing

Recommended Posts

jaymc

Link to comment

Share on other sites

trq

Link to comment

Share on other sites

jaymc

Link to comment

Share on other sites

printf

Link to comment

Share on other sites

jaymc

Link to comment

Share on other sites

Archived

Browse

Activity

Important Information