
I have set up the final part of a site that I have been working on for a while now.

 

I just finished "almost" the forum for it and was hoping you could test it and let me know of any kind of holes or flaws.

 

I have not installed the cussing filter, but I do have one already operational on another part of the site, so please, if you would, keep it free of swearing and stuff like that.

 

This is my first project of this nature, so any constructive criticism and teaching is very appreciated.

 

Thanks

That is designed to do that: if certain items are input into the URL, the script dies at the top before anything else happens. I am trying to stop XSS, and that is the best way I have found to filter out embedded code.


designed to do that? it DOES look like the page has been ungracefully killed, so you can argue that in designing it to stop it looking bad on one hand, it looks bad on the other.

 

surely though - if you have the script in place to recognise "bad" input and handle it by just killing the script, surely you could just not kill the script and handle it more gracefully? even if just a message saying "Sorry, there was a problem" and/or a redirect back to the forum main page?


Hmm... you really should come up with something more friendly. Simply killing the script when a "<" or ">" appears really isn't very nice to look at. There are valid reasons that those characters may appear (among others). Running your variables through something like htmlentities() would be a better protection.

 

Also, when your registration form errors, you need to take them back to the form with the errors displayed instead of requiring them to fill out the entire form again.

A couple more things:

 

1. I would highly recommend you concentrate on allowing for a level of formatting within your text box for posting. I just posted a multiline test, and everything is run together on one line. Run it through nl2br() and/or other functions when you display it for a much better response.

 

2. You're not allowing for any special characters like "<" or ">" in the posts, either. Also, there's no BBCode support, so there's very limited ability for a user to post much. When you error out on the characters that are being entered, you need to error gracefully with an informative message telling the user what is wrong rather than simply the "That type of communication is not allowed" message you currently have.

 

These are good things to start with, although there are some other little things in display that would be extremely helpful as well.

Ok, I changed the error for input strings and turned off the spam checking which kept someone from posting HTML. I suppose that since I log everything and can suspend users and delete posts, it should be ok to let users input HTML. I will work on a good filter to let them only insert images, links and text formatting; that will take me a little while, so any suggestions on how to approach that would be greatly appreciated.

 

I also changed it so now any line returns in the input field while posting will remain when the post is viewed.

 

Thank you for all your help and keep the good advice coming.

I just turned the HTML ban back on, but installed BBCode support. I also changed the way that the HTML ban works: it does not kill the script but does something totally different. I think that should handle that aspect of it.

Keep in mind that putting in a "<" or a ">" is completely different than putting in HTML. I suggest you look into my suggestion above for using strip_tags() or htmlentities() instead of trying to match individual characters. It's one thing to keep HTML from being inserted, but it's something else entirely to keep your users from being able to use legitimate characters. Otherwise, it's definitely coming along.

I suppose that the things I am trying to filter are simply inserted JavaScript or embedded DHTML. I would really like users to be able to format what they say any way they would like, including posting links and the like.

 

I am not trying to limit expression, merely make my site more secure. If I use strip_tags, then the post would not be formatted.

 

I am getting ready to create a function that will automatically change HTML to BBCode while posting. Then I will compare a preg_match to the types of XSS that I am trying to filter out.

 

I really do appreciate the advice; it is pushing me to develop my skills, which is a good thing.


I completely understand your wanting to not limit users but to protect yourself. That's why I recommend the use of strip_tags(). You can predetermine what tags you do want to allow and it will leave all of those and strip the rest.
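The escape-then-format approach suggested in the replies above (htmlentities() so raw markup is inert, nl2br() to keep line breaks, and a small BBCode whitelist for formatting and links) as one added PHP example; this is not code from the thread's author or from the forum software. It assumes a hypothetical render_post() function and a constructed sample post, and it escapes everything rather than using strip_tags() with an allow-list, because strip_tags() leaves the attributes of allowed tags (such as href or onclick) untouched.

```php
<?php
// Added example, not the original poster's code.
// Escape first, then re-introduce a whitelisted subset of BBCode.

function render_post(string $raw): string
{
    // 1. Neutralise all markup: "<" and ">" stay visible as text, nothing executes.
    $safe = htmlentities($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Whitelisted BBCode -> HTML. Only [b], [i] and [url=...] are recognised;
    //    anything else the poster typed remains as escaped text.
    $safe = preg_replace('~\[b\](.*?)\[/b\]~s', '<strong>$1</strong>', $safe);
    $safe = preg_replace('~\[i\](.*?)\[/i\]~s', '<em>$1</em>', $safe);

    // [url=target]text[/url]: accept only http(s) targets so no other
    // URL scheme can become an href attribute.
    $safe = preg_replace_callback(
        '~\[url=(.+?)\](.*?)\[/url\]~s',
        function (array $m): string {
            // $m[1] is already entity-encoded; decode to validate the scheme,
            // then re-encode before placing it inside the attribute.
            $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('~^https?://~i', $href)) {
                return $m[2]; // drop the link, keep the visible text
            }
            $attr = htmlentities($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $attr . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    // 3. Preserve the poster's line breaks (nl2br keeps the "\n" too, which is fine in HTML).
    return nl2br($safe);
}

// Constructed sample post for demonstration: mixes legitimate formatting,
// a raw <script> element, a non-http link and a plain https link.
$post = "Hello [b]world[/b]\n"
      . "<script>bad()</script>\n"
      . "[url=javascript:bad()]click[/url]\n"
      . "[url=https://example.com/page?a=1&b=2]example[/url]";

echo render_post($post);
// The <script> element is rendered as visible text, the javascript: link is
// reduced to the word "click", and only the https link becomes an <a> element.
```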

Here is the punchlist I have made for this project and where I am thanks to suggestions from you all:

 

Things that are complete:

1: Create a normalized DB to make querying easier

2: Secure site by filtering out bad and malicious input

    a: changed the way pages error out when certain things are detected

    b: still need to create a function to allow most HTML input

3: Secure site by changing default settings of sessions and cookies

4: Allow more expression of thought by implementing limited BBCode

5: Create a secure method of allowing passwords to be reset after a certain number of bad login attempts

 

Things to do:

1: Finish WYSIWYG-style editor, much like we have here at phpfreaks, for user input

2: Create function to allow most direct HTML input into forum

3: Install my custom cussing filter that is already in use on another site (get done by Easter)

4: About a million other things that are going to be asked for when this site goes live

 

Thanks for the suggestions; unlike some of the people here, I am actually using them to make my sites the best they can be.

Thank you for the compliment. I did a lot of homework on what makes a site like that work. I have also gotten lots of ideas/info from all you folks and really do appreciate it.


That's what we're here for, ain't it? 8) Yeah, I know... the people on this site are really nice and patient when it comes to helping... I think everyone owes everyone a thanks and a you're welcome ;D

 

Well, I for one believe that the community would be nothing if not for members like you all who are willing to not only take the criticism and compliments, but also to use them to adjust and improve your sites. When you're willing to learn from criticism and comments alike, you're well on your way!
