madcrazy Posted May 31, 2007

Hello everyone!

Client API version 5.0.24
php 4.4.7

I am trying to make code that will let users upload images and embedded object tags via a simple web form. I have it working correctly, it does what I want it to: the user uploads, say, <img src="http://blabla"> from a web form, and it gets dumped into the SQL table.

This is the "behind the scenes" code that works on the form submission:

case "Images": {
    ## VALIDATE FORM ENTRY:
    if (get_magic_quotes_gpc()==0) {
        $V1 = filter_str(strip_tags($_POST['V1']),$connector);
        $V2 = filter_str(strip_tags($_POST['V2']),$connector);
    }
    ## ADD ENTRY INTO DATABASE:
    $query_add="INSERT INTO `tbl_mytable` (`uid` , `name` , `bigimage` ) VALUES ('".$_SESSION['uid']."', '$V1', '$V2')";
    $result=mysql_query($query_add);
    $_REQUEST['page'] = "Images";
    $ErrorMessage = "Image updated successfully";
} break;

Then it is retrieved via a webpage with this query:

<?
## GET INFORMATION
$RunThisQuery = "SELECT id, bigimage FROM files WHERE uid=".$_REQUEST['id'];
$results = $connector->query($RunThisQuery);
while ($row = $connector->fetchArray($results)){
?>
<a href="<? print $row['bigimage']; ?>"></a>
<?
}
?>

I had to set get_magic_quotes_gpc()==0 in order to upload the tags, otherwise setting it to 1 strips them away.

The problems I have with this are:

1.) Any code can be submitted. I am not aware of the kind of code that could be submitted that could potentially breach security/privacy or damage my whole website, but just to be sure I would like to be able to have users upload using this form, but only strip away potentially dangerous code from getting into the database.

Can someone please help. Thanks
fenway Posted May 31, 2007

There must be some PHP function that cleans up HTML -- otherwise, just replace script and iframe blocks and you should be OK.
madcrazy Posted May 31, 2007 (Author)

Hi, sorry, I'm lost. You say: "just replace script and iframe blocks and you should be ok." I don't know how to do it, and I am not sure what this will do. Please explain. Thank you ~
fenway Posted May 31, 2007

Only script/iframe blocks can be used to access remote sites/scripts -- if you simply replace these tags (e.g. <script with <s2cript) then the browser will ignore it. Or you can actually clean it up in your code.
madcrazy Posted May 31, 2007 (Author)

Greetings. I'm assuming you're saying that if someone sends a <script tag, this is really the only thing that could harm my website (besides appearance-wise). Please correct me if I am wrong.

Also, could this solution be implemented by just adding the script tags like so?

<?
## GET INFORMATION
$RunThisQuery = "SELECT id, bigimage FROM files WHERE uid=".$_REQUEST['id'];
$results = $connector->query($RunThisQuery);
while ($row = $connector->fetchArray($results)){
?>
<a href="<sc2ript <? print $row['bigimage']; ?>scrip2t>"></a>
<?
}
?>

Is this what you mean? I had already nested the output in an href, and was not sure this would work either. Thank you~
madcrazy Posted May 31, 2007 (Author)

If the above is not a solution, I have found this bit of code:

function html2txt($document){
    $search = array('@<script[^>]*?>.*?</script>@si',  // Strip out javascript
                    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
                    '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments including CDATA
    );
    $text = preg_replace($search, '', $document);
    return $text;
}

but I don't know how to integrate this code with:

if (get_magic_quotes_gpc()==1) {
    $V1 = filter_str(strip_tags($_POST['V1']),$connector);
    $V2 = filter_str(strip_tags($_POST['V2']),$connector);
}

At one point I actually took out this whole thing:

if (get_magic_quotes_gpc()==1) {
    $V1 = filter_str(strip_tags($_POST['V1']),$connector);
    $V2 = filter_str(strip_tags($_POST['V2']),$connector);
}

to make the code work, but this just caused everything not to work, so I just changed it to get_magic_quotes_gpc()==0. It worked but doesn't strip anything.
fenway Posted May 31, 2007

I was referring to the replace solution you showed...
madcrazy Posted May 31, 2007 (Author)

Can you help me with implementing this please:

function html2txt($document){
    $search = array('@<script[^>]*?>.*?</script>@si',  // Strip out javascript
                    '@<style[^>]*?>.*?</style>@siU',    // Strip style tags properly
                    '@<![\s\S]*?--[ \t\n\r]*>@'         // Strip multi-line comments including CDATA
    );
    $text = preg_replace($search, '', $document);
    return $text;
}
fenway Posted May 31, 2007

It's just an array of regexes...
madcrazy Posted June 1, 2007 (Author)

OK, but how can I get it to work with my setup? ???
fenway Posted June 1, 2007

I don't see you using that function, I see you using other functions that I have no idea what they do.
madcrazy Posted June 1, 2007 (Author)

1.) All the program does is take a web form entry from a user.
2.) It puts that information in an SQL table.
3.) It displays that information when print row is called.

That's it! I want the form entry data to be monitored and stripped if it is potentially harmful.
fenway Posted June 1, 2007

Great... I'll say again, I don't see you using this function -- call it on whatever string content you want converted.
madcrazy Posted June 1, 2007 (Author)

Can you give me an example of how to call a row that can take out a <script tag? Thank you
fenway Posted June 2, 2007

"Can you give me an example of how to call a row that can take out a <script tag? Thank you"

Wherever you have your input variable, wrap it in the function call -- I can't be more specific.
madcrazy Posted June 2, 2007 (Author)

Wrap it in the function call? How do I wrap it? OK, example please. When you say "function call" it is very confusing, because when you say "function call" it sounds like getting data from the table row.
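As an added example (not code from anyone in this thread), this is one way to do the wrapping fenway describes, in the thread's own PHP 4 / mysql_* setup: the raw $_POST value is passed through html2txt() (the function madcrazy posted, assumed to be defined in the same file) and some further cleaning before it is escaped and inserted. filter_str() and $connector are not shown in the thread, so mysql_real_escape_string() is used in their place (an assumption), and the uid lookup is cast to an integer because the original concatenates $_REQUEST['id'] straight into the query.

```php
<?php
// Added example for this thread, not code from any poster. Assumes html2txt()
// from the thread is defined in this file and the MySQL link is already open.

function sanitize_image_html($raw) {
    // Magic quotes (on in this PHP 4 setup) add backslashes to $_POST; undo
    // them so the regexes below see the real markup. This is why the
    // ==0 / ==1 branch in the thread behaved differently.
    if (get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);
    }
    // 1. Remove <script>, <style> and comment blocks (the thread's html2txt()).
    $clean = html2txt($raw);
    // 2. Keep only the markup the form is meant to carry; everything else,
    //    including <iframe>, is stripped. <object>/<embed> can still load
    //    remote content, so drop them from this list if they are not needed.
    $clean = strip_tags($clean, '<img><object><param><embed><a>');
    // 3. Remove inline event handlers (onload=, onerror=, ...) on kept tags,
    //    whether preceded by whitespace, a slash or a quote.
    $clean = preg_replace('/(?<=[\s\/"\'])on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $clean);
    // 4. Defuse javascript:/vbscript:/data: URLs in href, src and data attributes.
    $clean = preg_replace('/\b(href|src|data)\s*=\s*(["\']?)\s*(javascript|vbscript|data)\s*:/i', '$1=$2#', $clean);
    return $clean;
}

// Submission side: this is the "wrap" -- the form field goes through the
// sanitizer first, then through SQL escaping, then into the INSERT.
$V1 = mysql_real_escape_string(sanitize_image_html($_POST['V1']));
$V2 = mysql_real_escape_string(sanitize_image_html($_POST['V2']));
$query_add = "INSERT INTO `tbl_mytable` (`uid`, `name`, `bigimage`) "
           . "VALUES ('" . intval($_SESSION['uid']) . "', '$V1', '$V2')";

// Retrieval side: uid=".$_REQUEST['id'] concatenates raw request input into
// SQL; casting to an integer closes that hole for a numeric id.
$id = intval($_REQUEST['id']);
$RunThisQuery = "SELECT id, bigimage FROM files WHERE uid=" . $id;
?>
```

Regex-based HTML filtering like this is best-effort, since browsers parse malformed markup in many ways; for a form whose real purpose is "one image per entry", the more robust design is to accept only the image URL, check with parse_url() that its scheme is http or https, and build the <img> tag yourself on output with htmlspecialchars().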