graham23s, posted September 24, 2007:

Hi guys,

I'm thinking of doing a cut-down version of a MySpace/community type site. I'm planning it on paper just now, but one thing I can't figure out is how the users add HTML to the dynamic pages. I take it the HTML is stored in MySQL (in the user's membership details) just to echo out like any other piece of information you grab from MySQL, but would that not disrupt the entire layout of the site for the user if they put in non-proper code? Is there a better way I could do this?

Any info or advice would be appreciated.

Graham

Wuhtzu, posted September 24, 2007:

It is the way to do it. You just need to have some validation in place which will strip improper tags...

graham23s, posted September 24, 2007:

Ah, I see. Then maybe some preg_match code to make sure the proper tags are implemented?

Cheers

Graham

Wuhtzu, posted September 24, 2007:

Yes. You'll have to use some regular expression to test for improper tags, tags which aren't closed, etc. For example, you wouldn't want any <body>, <head> or <title> tags. So strip those...

Furthermore, you would want your user's "site" to be contained within a single div or something like that so it can't mess up the entire site.
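
An added example, not code from any poster in this thread: one way to strip unwanted tags and keep a user's markup inside a single container div. It swaps the regular expressions suggested above for PHP's DOMDocument parser plus an allowlist, since the parser also repairs unclosed tags; the allowlists, the `user-profile` class and the function names are assumptions.

```php
<?php
// Added example. The allowlists, class name and function names are assumptions.
const ALLOWED = ['p' => [], 'br' => [], 'b' => [], 'i' => [], 'ul' => [], 'li' => [],
                 'a' => ['href'], 'img' => ['src', 'alt']];
const DROP_WITH_CONTENT = ['script', 'style', 'head', 'title', 'iframe', 'object'];

function render_node(DOMNode $node): string
{
    if ($node instanceof DOMText) {            // text is always re-escaped
        return htmlspecialchars($node->nodeValue, ENT_QUOTES, 'UTF-8');
    }
    if (!($node instanceof DOMElement)) {      // comments, processing instructions
        return '';
    }
    $tag = strtolower($node->nodeName);
    if (in_array($tag, DROP_WITH_CONTENT, true)) {
        return '';
    }
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= render_node($child);
    }
    if (!array_key_exists($tag, ALLOWED)) {    // e.g. <html>, <body>, <div>: keep text only
        return $inner;
    }
    $attrs = '';
    foreach (ALLOWED[$tag] as $name) {         // on* handlers and style are never copied
        $value = $node->getAttribute($name);
        $isUrl = in_array($name, ['href', 'src'], true);
        if ($value === '' || ($isUrl && !preg_match('#^https?://#i', $value))) {
            continue;
        }
        $attrs .= sprintf(' %s="%s"', $name, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
    }
    return in_array($tag, ['br', 'img'], true) ? "<$tag$attrs>" : "<$tag$attrs>$inner</$tag>";
}
function sanitize_profile_html(string $html): string
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // malformed markup is expected
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    $clean = $doc->documentElement ? render_node($doc->documentElement) : '';
    return '<div class="user-profile">' . $clean . '</div>';   // single container
}
// Constructed sample input: unclosed tags, stray </div>, <title>, handler attribute.
$submitted = '<title>x</title><b>Hi<p>About me <a href="https://example.com" onclick="x()">link</a></div>';
echo sanitize_profile_html($submitted), "\n";
```

Running it when the page is rendered, rather than only when the profile is saved, means stored markup is re-checked against the current allowlist.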

rarebit, posted September 24, 2007:

Just to confuse... You could allow them to put in php and evaluate it with 'eval()' (http://uk3.php.net/manual/en/function.eval.php)...

Wuhtzu, posted September 24, 2007:

He could, but that would pose a greater risk than a messed-up layout. If he evaluates user-submitted PHP without disallowing certain functions, the user would be able to delete files, etc.

But cool idea... it's certainly doable.

rarebit, posted September 24, 2007:

Mine does, but only admin priv for php...

Wuhtzu, posted September 24, 2007:

Can your admins use unlink()?

rarebit, posted September 24, 2007:

At the moment, they can use anything they want; a whole section of the site just mimics a directory set full of php pages which are wrapped up into a cms template...

But I know what you mean, and it is possible to parse out offending words; however, I want it so that script structure is not damaged and errors out (e.g. thinking about splitting on ';' and then checking each line, but not sure, future devs!).

graham23s, posted September 24, 2007:

Hey guys,

"You could allow them to put in php"

So as well as the user being able to put in HTML, they could also put in PHP? That sounds pretty nifty :)

Graham

rarebit, posted September 24, 2007:

I use eval() to evaluate code saved in my mods' settings. They can have a hook which returns a variable structure, for which can be used to store setting in for a block, then when called it is evaluated and used. A one size fits all idea...

graham23s, posted September 24, 2007:

Ah, thanks for the tips guys, will add them to my list :)

Graham