birbal

php security


I am making a simple message board. I have escaped all data before inserting it into the database. In the message board, HTML code or PHP code tags are not allowed, so I am using strip_tags, and other than that all characters are allowed.

1) Do I need to do anything further, or is it enough to secure it, or is it OK?

2) As I am escaping all data before inserting it into the database, all tags will be escaped, and when it is displayed it will show the proper code. If I don't use strip_tags and want to show the code, will it be all right?

I need some correction and confirmation regarding this. I want to be sure. Thank you.


If you don't use strip_tags then someone could insert malicious code into your page. For example, someone could add a script tag and import an external JavaScript file that might gather cookie information from the user.

Sometimes you want to allow basic formatting, and let your user feel more advanced if he/she wishes to, so you can allow certain tags. For example, the following code would strip all tags except the strong and em tags.

$txt =  strip_tags($input, '<strong><em>');

If by the following quote you meant you want to allow users to type code and for that code to be displayed and not become part of the actual HTML, then you should look at PHP's htmlspecialchars function:

"If I don't use strip_tags and want to show the code, will it be all right?"
Edited by djp


You may want to escape the characters instead by turning them into entities, so people can still post HTML. PHP has the htmlspecialchars() function for this.
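The following is an added example, not code posted in this thread, that puts both replies side by side: djp's strip_tags allowlist (the `strip_tags($input, '<strong><em>')` call above) and the htmlspecialchars approach both replies mention. The function names and the sample messages are my own. One caveat the thread does not state: strip_tags leaves attributes on the tags it allows, so an allowed <strong> can still carry an event-handler attribute, and the allowlist version below strips those attributes as a second step.

```php
<?php
// Added example, not code from the thread. Two output policies for a message
// board, applied when a message is DISPLAYED. Escaping done before the INSERT
// protects the SQL query, not the HTML page; these functions assume the raw
// message text as typed, with no database escaping still inside it.

// Policy A (djp's allowlist approach): keep <strong> and <em>, drop every other
// tag. strip_tags does not touch attributes on the tags it keeps, so the
// second step removes all attributes from the surviving tags.
function render_formatted(string $message): string
{
    $kept = strip_tags($message, '<strong><em>');
    return preg_replace('/<(\/?)(strong|em)\b[^>]*>/i', '<$1$2>', $kept);
}

// Policy B (the htmlspecialchars approach): show the text exactly as typed,
// tags included, by turning < > & " ' into entities so the browser renders
// them as characters rather than markup.
function render_verbatim(string $message): string
{
    return htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample messages, not real posts.
$samples = [
    'This is <strong>important</strong> and <em>urgent</em>.',
    'Here is my snippet: <?php echo "hi"; ?>',
    'Try this: <script>alert(1)</script><strong onmouseover="alert(2)">hover</strong>',
];

foreach ($samples as $m) {
    echo "input     : $m\n";
    echo "formatted : " . render_formatted($m) . "\n";
    echo "verbatim  : " . render_verbatim($m) . "\n\n";
}
```

Run it with `php example.php`. The third sample shows the difference in policy: render_formatted removes the script tag and the onmouseover attribute but keeps the bold text, while render_verbatim shows the whole message, script tag and all, as literal characters. For the database side, prepared statements (PDO or mysqli) are the usual replacement for manual escaping, and for anything richer than a two-tag allowlist a dedicated HTML sanitizer is safer than hand-written strip_tags rules.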
