Jump to content

Archived

This topic is now archived and is closed to further replies.

satan165

editing script to disallow HTML/URLs

Recommended Posts

a while back i had to import some SQL data from one host to another.
the old host 'gave' me a php guestbook, but the actual script was not accessible
so i figured it out (and with some help from this forum) i was able to write my own new php guestbook and also use my existing sql data (from the old guestbook)

all was well but now im getting crushed by spammers
im well aware i could use any of 1 million other guestbooks from elsewhere that would more easily keep the spammers out

but i want to keep my own since i worked so hard on it in the 1st place

i want to make it so html is definately not allowed to be input in any field
as well as URLs (maybe some 'keywords' to be disallowed could be: 'www', '.com', 'net', etc...)

maybe they will just spam anyways and find ways around it but maybe it will slow things down

at any rate, id apprecaite some help with a patch to this script that woudl take care of these things
thank you all very much!!

[code]
<?php






if (isset($_POST['submit'])) {

$error = null;

if(empty($_POST['name'])) {
   $name = FALSE;
   $error .= '<B>Please enter your name</b><br>';
} else {
  $name = $_POST['name'];
}

if (empty($_POST['comment'])) {
   $comment = FALSE;
  $error .= '<B>Please enter comments</b>';
} else {
  $comment = $_POST['comment'];
}

// if they are both filled out
if ($name && $comment) {

$db = mysql_connect("localhost", "XXX", "XXX");

  mysql_select_db("XXX",$db);

  $sql = "INSERT INTO guestbook (name,email,comment,added) VALUES ('$name','$email','$comment','$added')";

  $result = mysql_query($sql);
  if ($result) {
      echo "<h1>Thank you for signing the guestbook!</h1><p><a href='/guestbook.html'>return to guestbook...</a><BR>\n";
}

}

if (isset($error)) {
echo $error;
}

} //submit




else {

  ?>

<center>
<h1>WWW.LOWPRO708.COM GUESTBOOK</h1><BR>







  <form method="post" action="<?php echo $PHP_SELF?>">

  <input type=hidden name="added" value="<?php echo date('Y-m-d h:i:s')  ?>">


  <strong>Your Name: </strong><input type="Text" name="name"><p>

  <strong>E-Mail Address: </strong><input type="Text" name="email"><br><I>Your address will not be subject to any unsolicited mail and<BR>will not be displayed in our guestbook publicly!</i><P>

  <strong>Comment: </strong><input type="Text" size=55 name="comment"><p>


  <input type="Submit" name="submit" value="Sign Guestbook">

  </form>


<?php


}
?>
[/code]

Share this post


Link to post
Share on other sites
First, never trust user inputs, especially when adding them to a database. If you don't want any HTML tags to be present use the function [a href=\"http://www.php.net/striptags\" target=\"_blank\"]striptags[/a](). When displaying the comments back to the screen, use the function [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities[/a](), which should render any tags that may have been missed useless.

When entering information into the database use the function [a href=\"http://www.php.net/mysql_real_escape_string\" target=\"_blank\"]mysql_real_escape_string[/a]() to eliminate the possiblility of a mysql injection.
[code]<?php
  $sql = "INSERT INTO guestbook (name,email,comment,added) VALUES ('" . mysql_real_escape_string($name) . "','" . mysql_real_escape_string($email) . "','" . mysql_real_escape_string($comment) . "','$added')";
?>[/code]

Ken

Share this post


Link to post
Share on other sites
ok, i updated my script with teh code you provided above. i noticed when viewing my SQL db that there were entries with bogus dates/times. i took it that this meant the spammers were making their entries directly to my db, and foregoing the actual guestbook script. and you are saying the use of the mysql_real_escape_string() will make this impossible in the future, correct?

second, how can i integrate striptags() into the same statements to prevent HTML?



how can i integrate htmlentities() into this script (the 'view' portion of my guestbook)?

thank you very much for this much needed security lesson!
[code]
<?php



$db = mysql_connect("localhost", "xxx", "xxx");



mysql_select_db("xxx",$db);



$result = mysql_query("SELECT *,DATE_FORMAT(added, '%M %D %Y') AS the_date FROM guestbook ORDER BY id DESC",$db);






while ($myrow = mysql_fetch_array($result)) {



        printf("<b>%s</b><BR><h1>%s</h1><i>%s</i><hr>\n",
        $myrow[1], $myrow[3], $myrow['the_date']);







}
?>
[/code]

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.