Jump to content

Archived

This topic is now archived and is closed to further replies.

jaymc

Stop parsing

Recommended Posts

I have a profile system on my website which allows members to fill in fields with data

For example

[b]First name = Jamie[/b]

But, what happens when you get a scripty who comes along and does this

[b]First name = <? echo "HI"; ?>[/b]

It screws up the page... I need a way to stop it from parsing

I have found a tag called [b]<xmp> [/b] which does actually work for both HTML and PHP suprisingly

Im just wondering if this is the proper way to go about protecting my site from code injection.

If it is, do I have to wrap <xmp></xmp> around any dynamic data a member can submit

Thanks

Share this post


Link to post
Share on other sites
First name = <? echo "HI"; ?> should not effect your page unless you are using [url=http://php.net/eval]eval[/url] in some evil way.

In any case, just strip unwanted chars from the string.

Share this post


Link to post
Share on other sites
Im not using eval, but it is still causing problems

So, the professional way to go about this is to basically to

str_replace() any occurances of
[b]<?
<?php
?>[/b]

Share this post


Link to post
Share on other sites
Instead of removing stuff, just make it safe!

[code]htmlentities();
// or
htmlspecialchars();[/code]

me!

Share this post


Link to post
Share on other sites
So basically put that when ever echoing out any piece of data that is coming from the users fields?

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.