Jump to content


Photo

Stop parsing


  • Please log in to reply
4 replies to this topic

#1 jaymc

jaymc
  • Members
  • PipPipPip
  • Advanced Member
  • 1,521 posts
  • LocationLiverpool

Posted 16 October 2006 - 11:46 PM

I have a profile system on my website which allows members to fill in fields with data

For example

First name = Jamie

But, what happens when you get a scripty who comes along and does this

First name = <? echo "HI"; ?>

It screws up the page... I need a way to stop it from parsing

I have found a tag called <xmp> which does actually work for both HTML and PHP suprisingly

Im just wondering if this is the proper way to go about protecting my site from code injection.

If it is, do I have to wrap <xmp></xmp> around any dynamic data a member can submit

Thanks
I would love to change the world, but they won't give me the source code

SEO Agency

#2 trq

trq
  • Staff Alumni
  • Advanced Member
  • 31,041 posts

Posted 16 October 2006 - 11:48 PM

First name = <? echo "HI"; ?> should not effect your page unless you are using eval in some evil way.

In any case, just strip unwanted chars from the string.

#3 jaymc

jaymc
  • Members
  • PipPipPip
  • Advanced Member
  • 1,521 posts
  • LocationLiverpool

Posted 17 October 2006 - 12:06 AM

Im not using eval, but it is still causing problems

So, the professional way to go about this is to basically to

str_replace() any occurances of
<?
<?php
?>

I would love to change the world, but they won't give me the source code

SEO Agency

#4 printf

printf
  • Staff Alumni
  • Advanced Member
  • 889 posts

Posted 17 October 2006 - 12:13 AM

Instead of removing stuff, just make it safe!

htmlentities();
// or
htmlspecialchars();

me!

#5 jaymc

jaymc
  • Members
  • PipPipPip
  • Advanced Member
  • 1,521 posts
  • LocationLiverpool

Posted 17 October 2006 - 12:25 AM

So basically put that when ever echoing out any piece of data that is coming from the users fields?
I would love to change the world, but they won't give me the source code

SEO Agency




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users