Posted by John Nichel on 02/25/05 21:03
Dave wrote:
> PHP General,
>
> 1. The Situation:
> I have a forum in which users can enter text which is then displayed
> on my web site. I want to be able to allow them to insert their own <a
> href> tags to provide links. The text is stored in a MySQL database.
>
> 2. The Problem:
> My understanding is that if the input of HTML tags or other coding
> elements is left unrestricted, then the potential is there for users to
> cause damage either maliciously or by accident by inserting scripts or
> MySQL commands. Although the users who have access to the text input
> forms have to pass a username and password check first, I would still
> rather be safe than sorry. Mostly I am concerned about people unfamiliar
> with HTML inserting incorrect code which may break the page design.
>
> 3. The Question:
> Can I set up a PHP script which will strictly only allow instances of
> <a href="???"> and </a> and absolutely nothing else? I would like the
> default behavior to be that if any other tag element, or use of "<" or
> ">" be simply deleted from the text before inserting it into the
> database. I could reject text with incorrect tags altogether, but then
> I'll be spending a lot of time explaining how to correct code to people
> who are anxious to get their text on the site. Far better that they at
> least be able to get basic text up even when they mess up the code they
> want to insert.
> Can this be done?
http://us4.php.net/striptags
> Will it be sufficient to protect the system against bad code?
No. This will only strip out the HTML tags. You still need to sanitize
user input. Look at things like mysql_real_escape_string() and
addslashes().
--
John C. Nichel
ÜberGeek
KegWorks.com
716.856.9675
john@kegworks.com
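As an added example (not code from the thread or from either poster), the following PHP shows one way to implement what Dave asked for: only `<a href="http...">...</a>` survives as markup, every other use of `<`, `>` and `"` is rendered literally rather than deleted, and the result is written to MySQL with a prepared statement. Note that strip_tags($text, '<a>') alone is not enough for this purpose: the PHP manual warns that it keeps every attribute on an allowed tag, so `onclick="..."` and `href="javascript:..."` would pass through. The approach here is the opposite: escape everything first, then re-enable one exact pattern. The table name `posts`, its columns, the `mysqli` connection and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not from the original thread.
// Policy: users may insert <a href="http(s)://..."> ... </a> and nothing else.
// Any other markup (or a link that does not match the pattern exactly) is
// shown as literal text, so a typo cannot break the page layout or run script.

/**
 * Reduce user text to HTML-escaped plain text plus a whitelisted <a href> form.
 */
function allow_only_links(string $input): string
{
    // Step 1: neutralise ALL markup. After this, '<', '>', '"', '&' are entities,
    // so nothing the user typed can reach the browser as a tag or attribute.
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: re-enable one exact pattern, matched against the escaped text.
    // Only an href attribute is permitted, and only http:// or https:// URLs.
    // Extra attributes (onclick=...) or other schemes (javascript:) do not
    // match and therefore stay inert, visible text.
    $pattern = '~&lt;a\s+href=&quot;(https?://(?:(?!&quot;)\S)+)&quot;\s*&gt;(.*?)&lt;/a&gt;~i';

    return preg_replace_callback(
        $pattern,
        function (array $m): string {
            // $m[1] is the URL, still entity-encoded (e.g. & is &amp;), which is
            // exactly what an attribute value needs; $m[2] is the link text,
            // already escaped, so any tags nested inside it appear literally.
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $escaped
    );
}

/**
 * Store the sanitised text. Escaping for HTML and escaping for SQL are
 * separate problems; a prepared statement sends the text as a bound parameter,
 * so it is never spliced into the query string at all.
 * Assumed schema: posts(user_id INT, body TEXT).
 */
function store_post(mysqli $db, int $user_id, string $html): bool
{
    $stmt = $db->prepare('INSERT INTO posts (user_id, body) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('is', $user_id, $html);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed sample inputs covering the cases the thread is worried about.
$samples = [
    'Plain text with 1 < 2 and a & b',                                      // bare < and & must be harmless
    'See <a href="http://example.com/?a=1&b=2">the docs</a> for details.',  // the one allowed form
    'Bad: <a href="javascript:alert(1)">click</a>',                         // wrong scheme
    'Bad: <a href="http://example.com" onclick="steal()">click</a>',        // extra attribute
    'Bad: <script>alert(1)</script> and <b>bold</b>',                       // other tags
    "Broken: <a href='http://example.com'>single quotes</a>",               // malformed link
];

if (PHP_SAPI === 'cli') {
    foreach ($samples as $s) {
        echo allow_only_links($s), PHP_EOL;
    }
    // To persist (connection details assumed):
    // $db = new mysqli('localhost', 'forum', 'secret', 'forumdb');
    // store_post($db, 42, allow_only_links($samples[1]));
}
```

Because the text is stored already sanitised, the page that displays it must echo the `body` column as-is rather than escaping it a second time; alternatively store the raw input and call allow_only_links() on output, which keeps the original text recoverable if the policy changes later.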