
php security


birbal


I am making a simple message board. I have escaped all data before inserting it into the database. In the message board, HTML code or PHP code tags are not allowed, so I am using strip_tags. Other than that, all characters are allowed.

1) Do I need to do anything further, or is it enough to secure it? Is it OK?

2) As I am escaping all data before inserting it into the database, all tags will be escaped, and when it is displayed it will show the proper code. If I don't use strip_tags and want to show the code, will it be all right?

I need some correction and confirmation regarding this. I want to be sure. Thank you.


If you don't use strip_tags then someone could insert malicious code into your page; for example, someone could add a script tag and import an external JavaScript file that might gather cookie information from the user.

Sometimes you want to allow basic formatting, and let your users feel more advanced if they wish to, so you can allow certain tags. For example, the following code would strip all tags except the strong and em tags.

$txt = strip_tags($input, '<strong><em>'); // remove every tag except <strong> and <em>

If by the following quote you meant that you want to allow users to type code and for that code to be displayed rather than become part of the actual HTML, then you should look at PHP's htmlspecialchars function:

"If I don't use strip_tags and want to show the code, will it be all right?"

You may want to escape the characters instead by turning them into entities, so people can still post HTML. PHP has the htmlspecialchars() function for this.

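A worked PHP example, added here and not code from the thread, that shows both approaches the replies describe: escaping everything at output time, or allowing a small set of bare formatting tags. The function names, the posts table and the $pdo connection are assumptions.

```php
<?php
// Added example (not from the thread). Function names, the "posts" table and
// the $pdo connection are assumptions made for illustration.

// Storing: a prepared statement keeps the raw text intact (tags included) and
// leaves quoting to the database driver; HTML escaping is done at display time,
// so the same stored post can be rendered either way below.
function savePost(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Display as plain text: < > & " ' become entities, so a posted <script> tag
// is shown literally and is never parsed by the browser.
function renderAsText(string $body): string
{
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Display with basic formatting. Note that strip_tags($body, '<strong><em>')
// keeps the attributes of the allowed tags, so an event-handler attribute on
// <strong> would survive. Escaping everything first and then re-enabling only
// the bare <strong>, </strong>, <em>, </em> tags avoids that problem.
function renderWithBasicFormatting(string $body): string
{
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return preg_replace('#&lt;(/?)(strong|em)&gt;#i', '<$1$2>', $safe);
}

// Constructed sample post mixing wanted formatting with unwanted markup.
$post = 'Hello <strong>world</strong>, '
      . '<strong onmouseover="x()">hi</strong> '
      . '<script>alert(1)</script>';

echo renderAsText($post), "\n";
echo renderWithBasicFormatting($post), "\n";
```

In the second rendering the tag carrying an attribute stays escaped while its closing tag is re-enabled, so a post can end up with an unbalanced tag; that is cosmetic, not a security problem, but a stricter parser-based sanitizer is the usual fix if it matters.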

Archived

This topic is now archived and is closed to further replies.
