Would this be hacker safe?

Posted by lexington, 07-06-2008, 10:53 AM
Hello, you do not have to post alternate code or anything, I just need to know if this is OK. I believe it is but wanted to confirm. I use the database to let users enter text or HTML. All entries use htmlspecialchars(), so if someone enters: into the database it is stored as: I looked at the page source and it appears as the actual PHP code on the page, which is expected: Even though the code seems to be in PHP format it doesn't work; it displays nothing, since I assume that the browser sees it as PHP in an HTML file. However, I want to make sure that it will not work to a hacker's advantage. Thanks.

Posted by Tyler, 07-06-2008, 11:43 AM
If that is all you're doing, then no, that is not "hacker safe". Also keep in mind that anything can be exploited. Since you didn't want me to post alternate code, I won't. But you will want to research the topic of SQL injection.

Posted by lexington, 07-06-2008, 11:55 AM
No, that is not all that I am using; I also use trim and mysql_real_escape_string. I learned about SQL injection many years ago. I was more concerned with the output result on the page, not the SQL entry.

Posted by horizon, 07-06-2008, 12:55 PM
Here's a good way to inject without outputting from the database. When you're about to inject, use this: Only the word test will remain between the tags.

Posted by lexington, 07-06-2008, 01:34 PM
Hello horizon, how are you? Yeah, a bit earlier I figured it would be better to just create an error check on the form page to prevent the user from using those tags. Could you integrate your code into this function so that it would locate the and possibly ASP/Perl tags? Thanks

Posted by horizon, 07-06-2008, 03:43 PM
Try this:

Posted by lexington, 07-06-2008, 04:40 PM
Ah yes, that would be the easy way, haha. I wanted it to error so the user knows that it is not allowed, but that will do. Thanks

Posted by horizon, 07-06-2008, 04:57 PM
Here: Once the function has failed, you may return the error message you'd like so users would be notified.

Posted by acidhoss, 07-08-2008, 03:18 PM
There are so many other things to worry about with SQL injection and XSS. Check out this site that has some tips to avoid PHP XSS: http://devzone.zend.com/node/view/id/1752

Posted by horizon, 07-22-2008, 03:37 PM
I have just discovered an alternative way to check if are inside a tag name: The function will return true if it's the case. The alternative way, if you do not wish to return an error message, would be to directly remove these two variances like this: How the function works (1st one): How the function works (2nd one): Last edited by horizon; 07-22-2008 at 03:41 PM.
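The thread discusses two separate things: escaping stored text on output with htmlspecialchars(), and a form-side check that rejects `<?php`-style tags. The following is an added example written for this page, not code posted by horizon or lexington; the function names (escapeForHtml, containsServerTags, demo) and the sample inputs are this example's own. It shows both pieces side by side, so the distinction is visible: the stored `<?php ... ?>` text is never executed, because PHP does not parse its own output, and once escaped it is literal text in the page; the risk worth defending against is HTML/JavaScript injection on any output path that skips the escaping step.

```php
<?php
// Added example for this thread (not code from the original posts).
// Function names and sample inputs are constructed for illustration.

declare(strict_types=1);

/**
 * Escape user-supplied text for insertion into HTML body text or into a
 * double- or single-quoted attribute value. ENT_QUOTES also encodes the
 * single quote (the pre-8.1 default, ENT_COMPAT, left it alone, which
 * made single-quoted attributes injectable); ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string.
 */
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Return true when the submitted text contains a PHP open tag
 * (<?php, <?=, <?) or an ASP-style open tag (<%). This is a form
 * validation check so the user can be shown an error; it is not a
 * substitute for escaping on output.
 */
function containsServerTags(string $text): bool
{
    return preg_match('/<[?%]/', $text) === 1;
}

/**
 * Run both functions over constructed sample inputs and return the
 * results keyed by label, so the behaviour can be inspected.
 */
function demo(): array
{
    $samples = [
        'plain'  => 'hello world',
        'phptag' => '<?php echo "x"; ?>',
        'asptag' => '<% Response.Write("x") %>',
        'script' => '<script>alert(1)</script>',
        'attr'   => "' onmouseover='alert(1)",
    ];

    $out = [];
    foreach ($samples as $label => $value) {
        $out[$label] = [
            'rejected' => containsServerTags($value),
            'escaped'  => escapeForHtml($value),
        ];
    }
    return $out;
}

foreach (demo() as $label => $result) {
    printf(
        "%-7s rejected=%-5s escaped=%s\n",
        $label,
        $result['rejected'] ? 'true' : 'false',
        $result['escaped']
    );
}
```

Running it shows the two checks doing different jobs: containsServerTags() flags only the `<?php` and `<%` samples, while escapeForHtml() neutralises every sample, including the `<script>` tag and the quote-breaking attribute payload that the tag check does not catch. That is the reason acidhoss's later point about XSS matters more than the tag filter: the filter gives the user a friendly error, but the escaping on every output path is what keeps the page safe.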

Posted by lexington, 07-22-2008, 03:38 PM
Hey thanks
