FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » BB type posting - is this secure?
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: BB type posting - is this secure? [message #176384 is a reply to message #176383] Thu, 29 December 2011 23:14 Go to previous messageGo to previous message
A is currently offline  A
Messages: 17
Registered: June 2011
Karma:
Junior Member
"Michael Joel" <no(at)please(dot)com> wrote in message
news:ptqpf75jh2fra5qfu8jhum3bn4ug6r17ot(at)4ax(dot)com...
> I am allowing posts to the page and wanted to see if this is secure.

> data from sql is placed in an array (say $MyArray):
> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));
> $MyArray["Post"] = strip_tags($MyArray["Post"], "<BR>");
> I notice with this text like <script>alert("hi");</script> is rendered
> as literal so no script is actually recognised.

strip_tags($MyArray["Post"], "<BR>");
doesn't really help because it removes only <BR> tags and not other HTML
tags.

Use htmlspecialchars - it renders all HTML special characters to safe
variants for displaying.

And before inserting them into database use parametrized query to stop all
sql injection.
http://stackoverflow.com/questions/1299182/prepared-parameterized-query-wit h-pdo
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: Help with script that retrieve remote files
Next Topic: Give me the names of some CRM php projects
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Tue Nov 26 19:46:31 GMT 2024

Total time taken to generate the page: 0.03883 seconds