birbal Posted October 20, 2010

I am making a simple message board. I have escaped all data before inserting it into the database. In the message board, HTML code or PHP code tags are not allowed, so I am using strip_tags; other than that, all characters are allowed.

1) Do I need to do anything further, or is it enough to secure it? Is it OK?

2) As I am escaping all data before inserting it into the database, all tags will be escaped, and when it is displayed it will show the proper code. If I don't use strip_tags and want to show the code, will it be all right?

I need some correction and confirmation regarding this. I want to be sure. Thank you.
djp1988 Posted October 20, 2010

If you don't use strip_tags, then someone could insert malicious code into your page. For example, someone could add a script tag and import an external JavaScript file that might gather cookie information from the user.

Sometimes you want to allow basic formatting and let your users feel more advanced if they wish to, so you can allow certain tags. For example, the following code would strip all tags except the strong and em tags:

$txt = strip_tags($input, '<strong><em>');

> If I don't use strip_tags and want to show the code, will it be all right?

If by the quote above you meant that you want to allow users to type code and for that code to be displayed and not become part of the actual HTML, then you should look at PHP's htmlspecialchars function.
Synook Posted October 20, 2010

You may want to escape the characters instead by turning them into entities, so people can still post HTML. PHP has the htmlspecialchars() function for this.
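The two replies above describe two different ways of handling posted text: whitelisting a few tags with strip_tags(), or escaping everything with htmlspecialchars() so that posted HTML is shown as text. The following is an added example, written for this page and not code from any of the posters; it shows both approaches side by side and makes one point the thread leaves implicit: escaping before the database insert is SQL escaping, which does nothing for HTML, so HTML escaping belongs at output time. It also handles a caveat of strip_tags(): the function keeps attributes on the tags it allows, so `<strong onmouseover="...">` survives a whitelist of `<strong><em>` and has to be cleaned separately. The function names (storePost, loadPost, renderAsText, renderWithBasicFormatting) are hypothetical, the sample input is constructed, and the script assumes PHP 7.4+ with the pdo_sqlite extension so it runs offline against an in-memory database.

```php
<?php
// Added example, not from the thread. Two escaping contexts:
//   1. SQL: bind parameters instead of concatenating user input into queries.
//   2. HTML: escape at output time with htmlspecialchars(), or whitelist
//      tags with strip_tags() and then strip attributes from what is kept.
declare(strict_types=1);

// In-memory SQLite so the example runs offline (assumes pdo_sqlite is loaded).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Store the raw text. The bound parameter takes care of quotes; no HTML
// escaping happens here, so the database holds exactly what the user typed.
function storePost(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function loadPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Mode 1: show posted code literally. Every < > & " ' becomes an entity, so a
// posted <script> tag is displayed as text rather than executed.
function renderAsText(string $body): string
{
    return '<p>' . nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8')) . '</p>';
}

// Mode 2: allow <strong> and <em> only. strip_tags() keeps attributes on the
// allowed tags, so the event-handler payload below would survive it alone.
// Reduce each kept tag to its bare, lowercased form, escape everything, then
// re-enable only those bare tags.
function renderWithBasicFormatting(string $body): string
{
    $kept = strip_tags($body, '<strong><em>');
    $kept = preg_replace_callback(
        '#<(/?)(strong|em)\b[^>]*>#i',
        static fn(array $m): string => '<' . $m[1] . strtolower($m[2]) . '>',
        $kept
    );
    $escaped = htmlspecialchars($kept, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>' . nl2br(str_replace(
        ['&lt;strong&gt;', '&lt;/strong&gt;', '&lt;em&gt;', '&lt;/em&gt;'],
        ['<strong>', '</strong>', '<em>', '</em>'],
        $escaped
    )) . '</p>';
}

// Constructed sample input: a code snippet the user wants shown, an external
// script include, and an attribute-based payload on an allowed tag.
$userInput = "Here's my code: <b>bold</b>\n"
    . "<script src=\"http://evil.example/steal.js\"></script>\n"
    . "<strong onmouseover=\"alert(document.cookie)\">hover me</strong> <em>ok</em>";

$id   = storePost($db, $userInput);
$body = loadPost($db, $id);

echo "As text:\n", renderAsText($body), "\n\n";
echo "Basic formatting:\n", renderWithBasicFormatting($body), "\n";
```

Run it with `php example.php`. In the first output the script tag and the onmouseover attribute appear on screen as literal text; in the second the script tag is gone, `<strong>hover me</strong>` is rendered without its attribute, and the `<b>` tag (not whitelisted) is dropped while its text remains. If you only ever want the first behaviour, skip strip_tags() entirely and keep the raw text in the database, as the reply above suggests; the board still shows exactly what was typed, and nothing in it executes.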
Fmdpa Posted October 20, 2010

I came across a very good article on PHP security just a couple of days ago: Common Security Mistakes in Web Applications