nielcleo Posted August 7, 2011
Hi there, can anyone here help me filter my input field to avoid a PHP hack?
birbal Posted August 7, 2011
I am not sure what type of PHP hack you are mentioning. I think you are looking for some sort of XSS prevention. If it is so, you can use http://php.net/function.htmlspecialchars to prevent inputting malicious code.
nielcleo Posted August 7, 2011
> I am not sure what type of PHP hack you are mentioning. I think you are looking for some sort of XSS prevention. If it is so, you can use http://php.net/function.htmlspecialchars to prevent inputting malicious code.
Yup, XSS and SQL injections, and the question is: is it safe to use HTML tags or a WYSIWYG text editor?
birbal Posted August 8, 2011
HTML alone may not create any problems, but JavaScript can (e.g. with a <script> tag). Other than that, you may want to customise the use of HTML tags for visual formatting, which is where BBCode comes in. You can avoid SQL injection by using mysql_real_escape_string(), and if you are using mysqli you can use prepared statements also.
Synook Posted August 8, 2011
Most WYSIWYG editors generate HTML in the end anyway — it's best not to allow people to use HTML at all, and if formatting is necessary use another markup language like BBCode instead (as birbal says).
nielcleo Posted August 8, 2011
> Most WYSIWYG editors generate HTML in the end anyway — it's best not to allow people to use HTML at all, and if formatting is necessary use another markup language like BBCode instead (as birbal says).
How can I work it out for disabling the <script> tag and the BBCodes? I'm using WYSIWYG on the admin page only, but just in case, I don't want to allow attacks on my page, so I need to ask some help from you guys about securing the forms.
justsomeguy Posted August 8, 2011
Here's a function to strip all HTML tags except the ones you allow: http://www.php.net/manual/en/function.strip-tags.php
In the comments on that page there are additional functions to only strip specific tags or strip BBCode.
Synook Posted August 9, 2011
Note that stripping tags isn't always the best idea, because people may want to enter HTML code for display purposes, such as is common on this forum. You can use other functions, such as htmlspecialchars(), to escape input instead, but then no formatting would be possible. That's why there are other systems, like BBCode.
nielcleo Posted August 9, 2011
> Note that stripping tags isn't always the best idea, because people may want to enter HTML code for display purposes, such as is common on this forum. You can use other functions, such as htmlspecialchars(), to escape input instead, but then no formatting would be possible. That's why there are other systems, like BBCode.
How can I use BBCode rather than using HTML tags?
thescientist Posted August 9, 2011
Look it up: http://www.google.com/#sclient=psy&hl=...433&bih=779
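A worked version of what birbal, justsomeguy and Synook describe above, added here as an example that is not code from the thread: the input is escaped with htmlspecialchars() first, then a small BBCode subset is turned into HTML, and the post is stored through a mysqli prepared statement. The renderBbcode() and savePost() names, the BBCode subset and the posts table are assumptions.

```php
<?php
// Added example, not from the thread. renderBbcode(), savePost() and the
// posts table are assumptions chosen for illustration.
declare(strict_types=1);

/**
 * Render a limited BBCode subset to HTML.
 * Escaping happens FIRST, so any raw HTML the user typed (including a
 * <script> tag) becomes inert text; only the tags this function emits
 * can ever reach the page.
 */
function renderBbcode(string $input): string
{
    // Step 1: neutralise every HTML-special character in the raw input.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: translate a fixed allowlist of BBCode tags into fixed HTML.
    $rules = [
        '/\[b\](.*?)\[\/b\]/s'       => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/s'       => '<em>$1</em>',
        '/\[code\](.*?)\[\/code\]/s' => '<pre>$1</pre>',
    ];
    $safe = preg_replace(array_keys($rules), array_values($rules), $safe);

    // [url] is the risky tag: accept only http(s) targets, and because the
    // text is already entity-escaped a quote cannot break out of the attribute.
    $safe = preg_replace(
        '/\[url\](https?:\/\/[^\s\[\]"\'<>]+)\[\/url\]/',
        '<a href="$1" rel="nofollow">$1</a>',
        $safe
    );

    return nl2br($safe);
}

function savePost(mysqli $db, int $userId, string $body): void
{
    // Prepared statement: the body travels as a bound parameter, never as SQL text.
    $stmt = $db->prepare('INSERT INTO posts (user_id, body) VALUES (?, ?)');
    $stmt->bind_param('is', $userId, $body);
    $stmt->execute();
    $stmt->close();
}

// Constructed input: BBCode formatting plus a raw <script> tag, which must
// come out as visible text rather than as markup.
$example = "[b]Hello[/b] <script>alert(1)</script> [url]https://example.com[/url]";
echo renderBbcode($example), PHP_EOL;
```

Store the raw BBCode with savePost() and call renderBbcode() at display time, so the stored text can be re-rendered if the allowlist changes later.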