Akula_dude Posted September 10, 2006
I'm writing myself a clansite and I (will) have a guestbook, forums, and screenshot uploading. All of these (will) work, but I'm worried about security. How do I strip off code from inputs? Because right now if someone posted in the guestbook or forum with </body> or something it would screw the whole thing up. Any help is much appreciated. And I'm sure this has been asked before, but I couldn't find it in a search...
eguru Posted September 10, 2006
Well, you must not allow HTML tags in the forum to execute, if you even allow them.
Akula_dude Posted September 10, 2006 (Author)
Yeah, that's what I meant :) I'm not sure how to do that though... I still want to have HTML code display in the forums, just not particular tags (like </body> etc). Is it possible to replace particular tags? For example, someone types </body> into their post and it shows as </body>, without executing any code?
skym Posted September 10, 2006
addslashes, htmlentities, or mysql_real_escape_string if the output is for databases. Search for them at php.net
Akula_dude Posted September 10, 2006 (Author)
Cool, I think I've got it. Thanks!
eguru Posted September 10, 2006
What did you get?
reportingsjr Posted September 10, 2006
Take the easy way before putting into the database with eregi_replace.
// Replace every "<" with its HTML entity so the tag is shown, not parsed.
// Note: eregi_replace was removed in PHP 7.0; preg_replace or str_replace is the equivalent on current PHP.
$posted = $_POST['post'];
$post = eregi_replace("<", "&lt;", $posted);
justsomeguy Posted September 11, 2006
That code didn't come through, it printed the character. But there's no reason to use regular expressions for things like this; the regular expression engine is fairly slow and requires more overhead than str_replace. Regular expressions get their power because they can find a pattern instead of a specific string. But when finding or replacing a specific string or character, it's always better to not use regexp.
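The approach the replies above are circling (escape on output so a posted </body> is displayed rather than parsed, and keep database escaping separate from HTML escaping) put together in one piece of PHP. This is an added example, not code from anyone in the thread; it assumes PHP 7.1 or later, the mysqli extension, and a hypothetical guestbook table with columns author and body. The single-character str_replace is shown beside htmlspecialchars only to make visible what the shorter version leaves unescaped (quotes and ampersands), which matters once the value ends up inside an attribute.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.1+, the mysqli
// extension, and a hypothetical table `guestbook` (author, body).

/**
 * Escape a user-supplied string so that it is displayed literally in HTML.
 * A post containing "</body>" is rendered as the text </body>; the browser
 * never treats it as markup.
 */
function escape_for_html(string $text): string
{
    // ENT_QUOTES also escapes ' and " so the value is safe inside an
    // attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string for the whole post.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Store a guestbook entry. HTML escaping is an output concern, so the raw
 * text goes into the database; the prepared statement keeps the text from
 * being interpreted as SQL, which is the job mysql_real_escape_string was
 * doing by hand. addslashes is not a substitute for either.
 */
function store_entry(mysqli $db, string $author, string $body): void
{
    $stmt = $db->prepare('INSERT INTO guestbook (author, body) VALUES (?, ?)');
    $stmt->bind_param('ss', $author, $body);
    $stmt->execute();
    $stmt->close();
}

/**
 * Render one stored entry. Escaping happens here, at output time, for
 * every field that came from a user.
 */
function render_entry(string $author, string $body): string
{
    return '<p><b>' . escape_for_html($author) . '</b>: '
         . escape_for_html($body) . '</p>';
}

// Constructed sample input standing in for $_POST['post'].
$posted = 'Nice "site" & thanks! </body>';

// Replacing only "<" (the idea in the thread) leaves quotes and & alone.
$onlyLessThan = str_replace('<', '&lt;', $posted);

// htmlspecialchars handles &, <, >, " and ' in a single call.
$safe = escape_for_html($posted);

echo $onlyLessThan, "\n";
echo $safe, "\n";
echo render_entry('Akula_dude', $posted), "\n";
```

The first echo shows the tag neutralised but the quotes and ampersand untouched; the second shows all five characters converted. Whether to run store_entry depends on having a real mysqli connection, so it is defined but not called in the stand-alone run.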
Akula_dude Posted September 11, 2006 (Author)
Well, I kind of gave up. I've been writing my clansite and forums for a while now, and I decided that it was a bit above me since I've only been learning PHP six weeks. So... PHP-Fusion it is. Rest assured, I will complete my clansite sometime and swap it over from the CMS, but not yet.