stopping dangerous code


I have a game website with a lot of user textareas and textboxes. Quite recently I have had to ban a person from the site because he was getting data from the server via a textbox, supposedly. What I want to do is make sure nothing other than plain text can get through. Here is a typical input form:

if(isset($_POST['save'])){
    if(!$_POST['text']){
        $message .= "You must enter some text.";
    }else{
        // $_POST['text'] and $USER are placed directly into the SQL string
        mysql_query("UPDATE `users` SET `text` = '$_POST[text]' WHERE `usersid` = '$USER'");
        $message .= "Text saved!";
    }
}

Is there a PHP function I can use to check the text for stuff that should not be there? Thanks again.

That's up to you what to use. None are more or less secure, as I know, but I'm always using POST, because GET just makes a mess in the address bar.

This is why GET could be perceived to be less secure than POST, since the only variables GET can pass are through the query string, whereas POST can use the request body for data. It's less secure for the user if there is any important data in the query string. OP, yes, you should definitely be escaping your SQL values; it's a different escape function depending on which DB system you're using. You can use htmlspecialchars() on the string to escape all the potential markup; however, if you actually want to remove all markup completely, a regex would be better:
$text = preg_replace('/<[^>]+>|&[^\s]+;/', '', $text);

That will remove all markup and entities. You should also do an htmlspecialchars() on the string afterwards for good measure.

Edited by Dilated
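To make the difference between the two steps in the reply above concrete, here is an added example (not code from the thread) that runs the suggested regex and then htmlspecialchars() over a few constructed strings. The point a practitioner should take from it: the regex is a lossy filter (ordinary text containing angle brackets also disappears), while htmlspecialchars() preserves the text and is what actually stops it from being treated as markup when it is printed into a page. The function names and the sample strings are mine.

```php
<?php
// Added example, not the original reply's code. Applies the regex from the
// reply above, then htmlspecialchars() on output. Sample strings are constructed.

declare(strict_types=1);

/**
 * Strip tags and entities with the regex from the reply above.
 * Lossy by design: any "<...>" sequence is dropped, markup or not.
 */
function strip_markup(string $text): string
{
    // preg_replace() returns null on an internal error; fall back to the input
    return preg_replace('/<[^>]+>|&[^\s]+;/', '', $text) ?? $text;
}

/**
 * Encode for safe inclusion in HTML text or attribute values.
 * ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of making htmlspecialchars() return an empty string.
 */
function html_escape(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs: plain text, text with markup, and legitimate angle brackets.
$samples = [
    'plain sentence, nothing to do',
    'bold <b>text</b> &amp; an entity',
    'score: a < b && c > d',
];

foreach ($samples as $s) {
    $stripped = strip_markup($s);
    printf("input:        %s\n", $s);
    printf("regex only:   %s\n", $stripped);
    printf("escaped only: %s\n", html_escape($s));
    printf("both:         %s\n\n", html_escape($stripped));
}
```

Run it with `php` from the command line. On the third sample the regex removes everything between the `<` and the `>`, so the stored text no longer says what the user typed; the escaped-only line keeps the whole sentence and still cannot be rendered as a tag. Whichever you choose for storage, the htmlspecialchars() call belongs at the point where the value is echoed into HTML, because that is where markup does damage.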
mysql_query("UPDATE `users` SET `text` = '$_POST[text]' WHERE `usersid` = '$USER'");

NEVER, NEVER, NEVER directly interpolate user-defined data into the query string. $_POST is not much more secure than $_GET, except for the fact that the data is not visibly passed through the URL. However, any $_POST data can be manipulated just like $_GET. You must escape any user-defined variables that will be interpolated into the query. Also, make sure $USER is based off of a $_SESSION variable, or something like that. NOT a hidden input or cookie. Remember, even hidden inputs can be modified. There are websites that I've come across that get important data from hidden inputs. It is a serious breach in security.

Edited by Fmdpa
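Here is the OP's save handler rewritten the way the reply above recommends, as an added example rather than anything posted in the thread: the value goes into the query through a prepared-statement placeholder instead of string interpolation, and the user id is read from the server-side session. It uses PDO (the mysql_* functions in the original were removed in PHP 7) and, so that it runs offline, an in-memory SQLite database standing in for MySQL; the `users` table with `usersid` and `text` columns is the one from the thread, while the function name, the sample row and the sample input are mine.

```php
<?php
// Added example, not the original poster's code. Assumes a `users` table with
// `usersid` and `text` columns (from the thread), PDO with the SQLite driver
// for the offline demo, and constructed sample data.

declare(strict_types=1);

/**
 * Save the submitted text for the logged-in user.
 * $post and $session stand in for $_POST and $_SESSION so the function can
 * be exercised without a web server.
 */
function save_text(PDO $pdo, array $post, array $session): string
{
    if (!isset($post['save'])) {
        return '';
    }
    // Same empty-text check as the original, on a trimmed string
    $text = trim((string)($post['text'] ?? ''));
    if ($text === '') {
        return 'You must enter some text.';
    }
    // The user id comes from the session the server created at login,
    // never from a hidden input or a cookie the client can edit.
    if (!isset($session['usersid'])) {
        return 'Not logged in.';
    }
    // Placeholders: the text is sent as data, not as part of the SQL, so quotes
    // and semicolons inside it are stored literally instead of being parsed.
    $stmt = $pdo->prepare('UPDATE `users` SET `text` = :text WHERE `usersid` = :id');
    $stmt->execute([':text' => $text, ':id' => (int)$session['usersid']]);
    return 'Text saved!';
}

// --- offline demo with an in-memory SQLite database (constructed data) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE `users` (`usersid` INTEGER PRIMARY KEY, `text` TEXT)');
$pdo->exec("INSERT INTO `users` (`usersid`, `text`) VALUES (7, ''), (8, 'untouched')");

$session = ['usersid' => 7];
// The apostrophe alone would have broken the original interpolated query.
$post = ['save' => '1', 'text' => "Tonight's match: we won 3-1; rematch Friday"];

echo save_text($pdo, $post, $session), "\n";
echo save_text($pdo, ['save' => '1', 'text' => '   '], $session), "\n";

foreach ($pdo->query('SELECT `usersid`, `text` FROM `users` ORDER BY `usersid`') as $row) {
    printf("%d => %s\n", $row['usersid'], $row['text']);
}
```

For the real site, replace the DSN with the MySQL one (`mysql:host=...;dbname=...`) and pass `$_POST` and `$_SESSION` in; nothing in `save_text()` changes. Escaping for HTML is a separate concern from this query and belongs where the text is printed back out, as discussed in the earlier reply.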
