having troubles with strpos

Posted: Tue Jan 12, 2010 5:53 pm
by psychotomus
Whether I enter the PHP tags or not, it always says we found some PHP in your CSS file.

Also, while we're on this topic, what other exploits should I try to stop when allowing people to edit CSS files?

    //vars
    $css = strip_tags($_POST['textCSS']);
    $phpcheck1 = strpos($css, "<?");
    $phpcheck2 = strpos(strtolower($css), "<?php");
    
 
    if(($phpcheck1 === true) || ($phpcheck2 === true))
    {
        $msg = "Belive we found some php in your css file. if this is a mistake. Contact an Admin...";
    }
    else
    {
        $fp = fopen("../templates/default/styles/$game_name.css", 'w');
        fwrite($fp, $css);
        fclose($fp);
        
        $msg = "CSS Successfully edited...";
    }

Re: having troubles with strpos

Posted: Tue Jan 12, 2010 8:18 pm
by requinix
1. strip_tags always removes PHP tags.
2. strpos never returns true.
There is no way you got that message.

3. There are no "exploits" for pure CSS. There's nothing to protect against besides poor design.
(Unless you do something silly like try to run the CSS through a PHP parser...)
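
The strpos and strip_tags behaviour from points 1 and 2 above, as an added example that is not part of any post in this thread. The function names and the sample strings are hypothetical and constructed for illustration.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.

// strpos() returns the integer offset of the first match, or false when
// there is no match. It never returns true, and a match at offset 0 is
// falsy under loose comparison, so the only reliable test is !== false.
function has_php_open_tag(string $text): bool
{
    // "<?" is a prefix of "<?php" and "<?=", so a single check covers all three.
    return strpos($text, '<?') !== false;
}

// Decide on the raw input first, then sanitise. Calling strip_tags() before
// the check removes the tags, so the check could never fire afterwards.
function check_css_submission(string $raw): array
{
    if (has_php_open_tag($raw)) {
        return ['accepted' => false, 'css' => null];
    }
    return ['accepted' => true, 'css' => strip_tags($raw)];
}

// Constructed sample input.
$samples = [
    'plain css'       => "body { color: #333; }",
    'tag at offset 0' => "<?php echo 1; ?> body { margin: 0; }",
    'tag later'       => "a { color: red; } <?= 1 ?>",
];

foreach ($samples as $label => $raw) {
    $pos = strpos($raw, '<?');
    printf(
        "%-16s strpos=%-6s (=== true): %-6s (bool): %-6s (!== false): %-6s\n",
        $label,
        var_export($pos, true),
        var_export($pos === true, true),   // the comparison used in the question
        var_export((bool) $pos, true),     // loose truthiness misses offset 0
        var_export($pos !== false, true)   // strict comparison against false
    );
    printf(
        "%-16s check after strip_tags: %-6s check on raw input: %s\n",
        '',
        var_export(has_php_open_tag(strip_tags($raw)), true),
        var_export(!check_css_submission($raw)['accepted'], true)
    );
}
```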

Re: having troubles with strpos

Posted: Tue Jan 12, 2010 9:54 pm
by psychotomus
I'm creating a PHP game maker where I am allowing people to fully edit the CSS of the site for their game only. So I don't want any malicious stuff inserted.