
editing script to disallow HTML/URLs


3 replies to this topic

#1 satan165

  • Members
  • Newbie
  • 4 posts

Posted 15 April 2006 - 12:54 AM

A while back I had to import some SQL data from one host to another.
The old host 'gave' me a PHP guestbook, but the actual script was not accessible,
so I figured it out, and with some help from this forum I was able to write my own new PHP guestbook and also use my existing SQL data (from the old guestbook).

All was well, but now I'm getting crushed by spammers.
I'm well aware I could use any of a million other guestbooks from elsewhere that would more easily keep the spammers out,

but I want to keep my own since I worked so hard on it in the first place.

I want to make it so HTML is definitely not allowed to be input in any field,
as well as URLs (maybe some 'keywords' to be disallowed could be: 'www', '.com', 'net', etc.).

Maybe they will just spam anyway and find ways around it, but maybe it will slow things down.

At any rate, I'd appreciate some help with a patch to this script that would take care of these things.
Thank you all very much!!

<?php
if (isset($_POST['submit'])) {

  $error = null;

  if (empty($_POST['name'])) {
    $name = FALSE;
    $error .= '<B>Please enter your name</b><br>';
  } else {
    $name = $_POST['name'];
  }

  if (empty($_POST['comment'])) {
    $comment = FALSE;
    $error .= '<B>Please enter comments</b>';
  } else {
    $comment = $_POST['comment'];
  }

  // the original relied on register_globals for these two; read them explicitly
  $email = isset($_POST['email']) ? $_POST['email'] : '';
  $added = isset($_POST['added']) ? $_POST['added'] : '';

  // if they are both filled out
  if ($name && $comment) {

    $db = mysql_connect("localhost", "XXX", "XXX");
    mysql_select_db("XXX", $db);

    // the submitted values go into the query text unescaped here
    // (this is the part the replies below address)
    $sql = "INSERT INTO guestbook (name,email,comment,added) VALUES ('$name','$email','$comment','$added')";

    $result = mysql_query($sql);
    if ($result) {
      echo "<h1>Thank you for signing the guestbook!</h1><p><a href='/guestbook.html'>return to guestbook...</a><BR>\n";
    }
  }

  if (isset($error)) {
    echo $error;
  }

} //submit
else {
  // $PHP_SELF also came from register_globals; use the superglobal instead
  ?>

<center>
<h1>WWW.LOWPRO708.COM GUESTBOOK</h1><BR>

  <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

  <input type=hidden name="added" value="<?php echo date('Y-m-d h:i:s'); ?>">

  <strong>Your Name: </strong><input type="Text" name="name"><p>

  <strong>E-Mail Address: </strong><input type="Text" name="email"><br><I>Your address will not be subject to any unsolicited mail and<BR>will not be displayed in our guestbook publicly!</i><P>

  <strong>Comment: </strong><input type="Text" size=55 name="comment"><p>

  <input type="Submit" name="submit" value="Sign Guestbook">

  </form>
</center>

<?php
}
?>


#2 satan165

  • Members
  • Newbie
  • 4 posts

Posted 18 April 2006 - 03:44 AM

Any possible help on this?

#3 kenrbnsn

  • Staff Alumni
  • Advanced Member
  • 8,235 posts
  • Location: Hillsborough, NJ, USA

Posted 18 April 2006 - 04:27 AM

First, never trust user inputs, especially when adding them to a database. If you don't want any HTML tags to be present, use the function strip_tags() (http://www.php.net/striptags). When displaying the comments back to the screen, use the function htmlentities() (http://www.php.net/htmlentities), which should render any tags that may have been missed useless.

When entering information into the database, use the function mysql_real_escape_string() (http://www.php.net/mysql_real_escape_string) to eliminate the possibility of a MySQL injection.
<?php
  $sql = "INSERT INTO guestbook (name,email,comment,added) VALUES ('" . mysql_real_escape_string($name) . "','" . mysql_real_escape_string($email) . "','" . mysql_real_escape_string($comment) . "','$added')";
?>

Ken


#4 satan165

  • Members
  • Newbie
  • 4 posts

Posted 18 April 2006 - 09:44 PM

OK, I updated my script with the code you provided above. I noticed when viewing my SQL DB that there were entries with bogus dates/times. I took it that this meant the spammers were making their entries directly to my DB, and foregoing the actual guestbook script. And you are saying the use of mysql_real_escape_string() will make this impossible in the future, correct?

Second, how can I integrate strip_tags() into the same statements to prevent HTML?



How can I integrate htmlentities() into this script (the 'view' portion of my guestbook)?

Thank you very much for this much needed security lesson!
<?php
$db = mysql_connect("localhost", "xxx", "xxx");
mysql_select_db("xxx", $db);

// newest entries first; the_date is a formatted copy of the added column
$result = mysql_query("SELECT *,DATE_FORMAT(added, '%M %D %Y') AS the_date FROM guestbook ORDER BY id DESC", $db);

while ($myrow = mysql_fetch_array($result)) {
  // columns 1 and 3 are the stored name and comment; both are printed unescaped here
  printf("<b>%s</b><BR><h1>%s</h1><i>%s</i><hr>\n",
         $myrow[1], $myrow[3], $myrow['the_date']);
}
?>
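One way to wire the three functions from Ken's reply into the script, as an added example that is not the thread's own code: it blocks the keywords the original poster listed, strips tags on the way in, and escapes on the way out. It assumes a `mysqli` connection with placeholder credentials (the `mysql_*` functions used in the thread were removed in PHP 7, so bound parameters stand in for mysql_real_escape_string), the same `guestbook` table, and rows fetched with the column names from the SELECT above (`name`, `comment`, `the_date`).

```php
<?php
// Added example, not the thread's own code. Credentials are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');

// Keywords the original poster wanted blocked. 'net' is matched only as a
// domain suffix so that ordinary words such as "internet" still pass.
$blocked_patterns = array('/www\./i', '/\.(com|net|org)\b/i', '~https?://~i');
// Strip tags first, then refuse anything that still looks like a link.
// Returns the cleaned text, or FALSE if the field must be rejected.
function clean_field($value, array $patterns) {
    $value = trim(strip_tags($value));
    if ($value === '') {
        return FALSE;
    }
    foreach ($patterns as $p) {
        if (preg_match($p, $value)) {
            return FALSE;
        }
    }
    return $value;
}

// Bound parameters keep user data out of the SQL text entirely; the
// timestamp comes from the server instead of the hidden form field.
function insert_entry(mysqli $db, $name, $email, $comment) {
    $stmt = $db->prepare(
        'INSERT INTO guestbook (name, email, comment, added) VALUES (?, ?, ?, NOW())');
    $stmt->bind_param('sss', $name, $email, $comment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Escape at display time, so a tag stored before the fix is shown as text.
function render_entry(array $row) {
    $esc = function ($s) { return htmlentities($s, ENT_QUOTES, 'UTF-8'); };
    return sprintf("<b>%s</b><br><h1>%s</h1><i>%s</i><hr>\n",
        $esc($row['name']), $esc($row['comment']), $esc($row['the_date']));
}
if (isset($_POST['submit'])) {
    $name    = clean_field($_POST['name'], $blocked_patterns);
    $comment = clean_field($_POST['comment'], $blocked_patterns);
    // The e-mail field legitimately contains ".com", so validate it as an
    // address instead of running it through the keyword list.
    $email   = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
    if ($name === FALSE || $comment === FALSE || $email === FALSE) {
        echo '<b>Name, e-mail and comment are required and may not contain HTML or links.</b>';
    } elseif (insert_entry($db, $name, $email, $comment)) {
        echo '<h1>Thank you for signing the guestbook!</h1>';
    }
}
```

Escaping at display time also covers rows that were inserted before the filter existed, which is why both the input and the view side are changed.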




