
BBCode rant


Nameless12


I always thought people who wrote the majority of PHP tutorials were noobs for a lot of reasons, but I really had no idea how stupid they could be.

I was writing my own BBCode parser, and while looking for lists of BBCode params etc. for my parser I came across some code:

http://elouai.com/bb2html.php.txt

This code reminded me of many tutorials I saw a long, long time ago before I learned anything about security. People who are writing tutorials etc. should know better than to release code like this; millions of webpages will have copied the above technique... BBCode was invented as a security measure; code like the above is not secure, and if you are going to code like that it is as insecure as HTML.

I find it very odd that the phrase BBCode Injection is rarely heard of; I imagine this is probably one of the most common security flaws on the web.

https://forums.phpfreaks.com/topic/53717-bbcode-rant/

As long as you used it in conjunction with another function that stripped the HTML tags out of it, I don't see a problem.

Sometimes when writing a tutorial the author wants to cover everything in depth, but certain subjects would shoot off into a huge tangent of information irrelevant to the focus of the tutorial.

Slap on the wrist for the author's not mentioning that it's up to the reader to research security on their own, though.


:D

https://forums.phpfreaks.com/topic/53717-bbcode-rant/#findComment-265675

Archived

This topic is now archived and is closed to further replies.
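
For readers writing their own parser, as the first poster was, one way to structure a BBCode-to-HTML converter so that user text cannot become markup: escape the whole input first, emit only fixed tags, and allow-list URL schemes for tags that take a parameter. This is an added example, not code from the thread or the linked tutorial; the function names `bbcode_to_html()` and `safe_url()` and the sample posts are constructed for illustration.

```php
<?php
// Added example: names and sample input are constructed, not from the thread.

// Return an attribute-safe URL, or null if the scheme is not allow-listed.
function safe_url(string $escaped): ?string
{
    // The value was HTML-escaped upstream; undo that to inspect the real URL.
    $raw = htmlspecialchars_decode($escaped, ENT_QUOTES);
    // Whitespace and control characters have no place in a link target.
    if ($raw === '' || preg_match('/[\x00-\x20\x7f]/', $raw)) {
        return null;
    }
    $scheme = parse_url($raw, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return null;
    }
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function bbcode_to_html(string $text): string
{
    // 1. Escape first, so nothing the user typed can be read as HTML.
    $html = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // 2. Tags without parameters map to fixed markup.
    $html = preg_replace('#\[b\](.*?)\[/b\]#is', '<strong>$1</strong>', $html);
    $html = preg_replace('#\[i\](.*?)\[/i\]#is', '<em>$1</em>', $html);
    // 3. Tags with a parameter are validated before reaching an attribute.
    $html = preg_replace_callback(
        '#\[url=([^\]\s]+)\](.*?)\[/url\]#is',
        function (array $m): string {
            $href = safe_url($m[1]);
            // A rejected URL leaves the (escaped) BBCode visible as text.
            return $href === null
                ? $m[0]
                : '<a href="' . $href . '" rel="nofollow noopener">' . $m[2] . '</a>';
        },
        $html
    );
    return nl2br($html);
}

// Constructed sample posts.
$samples = [
    '[b]bold[/b] and <i>raw HTML</i>',
    '[url=https://example.com/?a=1&b=2]a link[/url]',
    '[url=javascript:void(0)]scheme outside the allow-list[/url]',
];
foreach ($samples as $post) {
    echo bbcode_to_html($post), PHP_EOL;
}
```

The order matters: escaping happens before any tag substitution, and the URL parameter is decoded, checked and re-escaped on its own because it ends up inside an attribute rather than in element text.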
