Jump to content

editing script to disallow HTML/URLs


satan165

Recommended Posts

a while back i had to import some SQL data from one host to another.
the old host 'gave' me a php guestbook, but the actual script was not accessible
so i figured it out (and with some help from this forum) i was able to write my own new php guestbook and also use my existing sql data (from the old guestbook)

all was well but now im getting crushed by spammers
im well aware i could use any of 1 million other guestbooks from elsewhere that would more easily keep the spammers out

but i want to keep my own since i worked so hard on it in the 1st place

i want to make it so html is definately not allowed to be input in any field
as well as URLs (maybe some 'keywords' to be disallowed could be: 'www', '.com', 'net', etc...)

maybe they will just spam anyways and find ways around it but maybe it will slow things down

at any rate, id apprecaite some help with a patch to this script that woudl take care of these things
thank you all very much!!

[code]
<?php






if (isset($_POST['submit'])) {

$error = null;

if(empty($_POST['name'])) {
   $name = FALSE;
   $error .= '<B>Please enter your name</b><br>';
} else {
  $name = $_POST['name'];
}

if (empty($_POST['comment'])) {
   $comment = FALSE;
  $error .= '<B>Please enter comments</b>';
} else {
  $comment = $_POST['comment'];
}

// if they are both filled out
if ($name && $comment) {

$db = mysql_connect("localhost", "XXX", "XXX");

  mysql_select_db("XXX",$db);

  $sql = "INSERT INTO guestbook (name,email,comment,added) VALUES ('$name','$email','$comment','$added')";

  $result = mysql_query($sql);
  if ($result) {
      echo "<h1>Thank you for signing the guestbook!</h1><p><a href='/guestbook.html'>return to guestbook...</a><BR>\n";
}

}

if (isset($error)) {
echo $error;
}

} //submit




else {

  ?>

<center>
<h1>WWW.LOWPRO708.COM GUESTBOOK</h1><BR>







  <form method="post" action="<?php echo $PHP_SELF?>">

  <input type=hidden name="added" value="<?php echo date('Y-m-d h:i:s')  ?>">


  <strong>Your Name: </strong><input type="Text" name="name"><p>

  <strong>E-Mail Address: </strong><input type="Text" name="email"><br><I>Your address will not be subject to any unsolicited mail and<BR>will not be displayed in our guestbook publicly!</i><P>

  <strong>Comment: </strong><input type="Text" size=55 name="comment"><p>


  <input type="Submit" name="submit" value="Sign Guestbook">

  </form>


<?php


}
?>
[/code]
Link to comment
Share on other sites

First, never trust user inputs, especially when adding them to a database. If you don't want any HTML tags to be present use the function [a href=\"http://www.php.net/striptags\" target=\"_blank\"]striptags[/a](). When displaying the comments back to the screen, use the function [a href=\"http://www.php.net/htmlentities\" target=\"_blank\"]htmlentities[/a](), which should render any tags that may have been missed useless.

When entering information into the database use the function [a href=\"http://www.php.net/mysql_real_escape_string\" target=\"_blank\"]mysql_real_escape_string[/a]() to eliminate the possiblility of a mysql injection.
[code]<?php
  $sql = "INSERT INTO guestbook (name,email,comment,added) VALUES ('" . mysql_real_escape_string($name) . "','" . mysql_real_escape_string($email) . "','" . mysql_real_escape_string($comment) . "','$added')";
?>[/code]

Ken
Link to comment
Share on other sites

ok, i updated my script with teh code you provided above. i noticed when viewing my SQL db that there were entries with bogus dates/times. i took it that this meant the spammers were making their entries directly to my db, and foregoing the actual guestbook script. and you are saying the use of the mysql_real_escape_string() will make this impossible in the future, correct?

second, how can i integrate striptags() into the same statements to prevent HTML?



how can i integrate htmlentities() into this script (the 'view' portion of my guestbook)?

thank you very much for this much needed security lesson!
[code]
<?php



$db = mysql_connect("localhost", "xxx", "xxx");



mysql_select_db("xxx",$db);



$result = mysql_query("SELECT *,DATE_FORMAT(added, '%M %D %Y') AS the_date FROM guestbook ORDER BY id DESC",$db);






while ($myrow = mysql_fetch_array($result)) {



        printf("<b>%s</b><BR><h1>%s</h1><i>%s</i><hr>\n",
        $myrow[1], $myrow[3], $myrow['the_date']);







}
?>
[/code]
Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.