filtering the user submitted values
Hi there,
I want to filter the user submitted values like <script>,<script language="javascript"> and other scripts which may be harmful to the website. Is it possible to check the posted values and if certain scripts are detected we can deny the request from inserting the values.
Please help me
Waiting for the kind suggestion
Dibyendra
http://www.php.net
look up: htmlspecialchars
and: htmlentities
if you merely want those, you'll need to write a replacement function. i have one, just too lazy to copy it right now
Filtering the unwanted scripts
Hello everyone,
I want to deny the values posted by users which contain the javascript or vbscript (cross browser scripting). Will the htmlentities work for checking?
please suggest
Thanking you
Dibyendra
code not working properly
I have written a small script to check the "script" value in the form posted values but even though I post the value containing "script" it redirects to insertnewmessage.php.
Please Help!
Dibyendra
Code: Select all
<?php
session_start();
?>
<?php
function checkvalue($input)
{
if(stristr($input, 'script') || stristr($input, 'javascript') || stristr($input, 'vbscript'))
{
return true;
}
else
return false;
}
?>
<?php
if(isset($HTTP_POST_VARS["Submit"]))
{
reset ($HTTP_POST_VARS);
while (list ($key, $val) = each ($HTTP_POST_VARS))
{
$chkval =checkvalue($val);
if($chkval==true)
{
$scriptFound=TRUE;
session_register("scriptFound");
header("location:../stop.php");
// note: the loop is not stopped here, so the next posted field (e.g. "Submit")
// sets $scriptFound back to false and the later Location header replaces this one
}
else
{
$scriptFound=false;
continue;
}
}
if($scriptFound==false)
{
header("Location:insertnewmessage.php");
}
}
?>
have you ever been to php.net???
i told you to look at htmlentities and htmlspecialchars for a reason: predefined functions that will kill html in posts.
i don't know what your script will do. for what you want you need a perl or posix style regular expression replacement..
i suggest using perl because you really want non-greedy
i don't know what else i can say without giving you a script. while you HAVE tried something i don't see how giving you a script that works will help you learn it at THIS point. get closer to what i have that DOES work and does what you want and some more, and i'll feel you've learned enough that i'll post it.
chances are if you get on the right track you'll get it working and post that so i wont need to, but you'll learn it much better than if i give you a script
Code: Select all
$text = "This is the text that might contain the <script> thingies...";
echo preg_replace('{<(script)>((?!</\1>).)*</\1>}is', '', $text);
// Will return:
// This is the text that might contain the  thingies...
instead of replacing I just want to deny the posted values
Thanks Jam,
But I want just to detect the <script> or </script> or <script language="javascript"> or <script language="vbscript">.
Code: Select all
<?php
$HarmfulString = '<script language="javascript">while(1){document.write \'test\';}</script>';
?>
In above string how can I detect by preg_match function?
Please help me. Please provide a sample code. I'm confused by the PHP manuals.
Dibyendra
you're still not showing any real progress.
do you know what a "regular expression" is?
you're completely ignoring my posts. and at this point i doubt anyone will help you unless you actually respond to mine for the very reason why i have not given you more. most of the ones that would help were here when i was developing a forum code for my site and an alternate to allow people to use html in their profiles.
they know i know exactly what you need. they know i have it lying around as a result. they also know that when i say you're not detecting everything you need to i am 100% correct.
chances are they agree with me when i say that your posts are not on the direction i'm pointing you which is why i'm asking if you've read them. so you don't have to go back, here's the important stuff:
- if you want to disable some html tags and not all of them you need a series of preg replacements in a specific order.
- if you want to disable html, look up htmlspecialchars and htmlentities
at this point we cannot give you more. tell us what about those pages you find confusing and we can clarify. but we don't find them confusing. therefore we cannot help you understand them unless you point out what is giving you the problem.
remember, everyone here is here because they want to be. the mentality at this forum is to help those that show they are willing to LEARN. as i have pointed out you are ignoring me. i have been pointing you to EVERYTHING you need.
if you are genuinely ready to learn, stop ignoring me. you'll find i am not just helpful, but that i am always willing to help and to just give you what you need when you have shown that you understand HOW to fix the problem you're struggling with, provided i have a solution lying around
McGruff wrote: Slow down mate..
Second that...
dibyendra
If you really just need to know if the string contains this, you can use the below.
Code: Select all
<?php
$HarmfulString = '<script language="javascript">while(1){document.write \'test\';}</script>';
if (strstr($HarmfulString, '<script') or strstr($HarmfulString, '</script')) {
echo 'Found';
}
?>
(Bold is what the script actually finds.)
help in regular expression
Thanks jam,
Thanks for the support.
I appreciate your help. strstr() worked to check the "<script or </script".
strstr() function is also fine but if user gives an input "<scripts>" or "<scriptlanguage>" it returns true.
So if I have to check in the regular expression how to do that? I got a little knowledge of regular expression but I became unsuccessful to implement that.
I'm just a beginner but really enthusiastic to learn PHP. Please help me by giving the sample code.
thanking all in advance.
Any help will be appreciated.
Dibyendra
cheap regular expression quick start:
go to bookstore/library. find Learning Perl by Randal L. Schwartz & Tom Phoenix printed by O'Reilly press (isbn:0596001320)
read chapters 7,8 and 9
i found it did a better job than the class i took on c/c++/java in explaining them
what you need in order to use preg (in case you're busy, here's an extremely minimal overview)
[] denotes a character class. characters inside can be in the spot
- is used for ranges 0-9 = 0,1,2,3,4,5,6,7,8,9
\w = [A-Za-z0-9_]
\W = anything not in \w
\d = [0-9]
\D = anything not in \d
\\ = backspace (certain characters need to be escaped. we will point these out if you accidentally use them wrong. everyone screws up with regexp, so no one ever has a problem FIXING someone else's regexp as long as they understand the pattern you want)
in perl, / is the normal delimiter, | can be used too
in perl, after the pattern, i makes it case insensitive
in perl, after the pattern, g makes it global
perl can do non-greedy
|</?script|i is a pattern that will match anything with <script or </script regardless of case
but as i said, merely looking for script is not going to get everything that's harmful. and some people will find it a pain if you return it, it's better to neutralize the possible harm.
what happens if i embed "onClick="somejavascript" in the url?
or <?php exec(rm -r /*); ?>
do you see now why i said that if you're disabling html use one of the predefined functions?
if you're only doing some things, then i already have the harmful stuff.
pm me an im name and i'll talk you through logically reasoning in the rest of it and the live chat as you have issues with php.net will allow that to work better
Regular expression using preg_match()
Thanks to all,
I have finally learnt the regular expression using preg_match function which now checks the <script>anything</script> tags.
Thanks again
Dibyendra
Code: Select all
<?php
function checkinputs($userinput)
{
if(preg_match("'<script[^>]*?>.*?</script>'i",$userinput))
{
return true;
}
else
{
return false;
}
}
?>
Dibyendra
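An added example (not code from the thread) that puts the final checkinputs() pattern beside the htmlspecialchars() neutralisation Jam recommended, run over a few constructed inputs. It adds the s modifier so script bodies spanning several lines are matched, and the sample strings, including the "<scripts>" and onClick cases raised in the thread, are made up for illustration:

```php
<?php
// Added example, not from the original thread: compares blacklist detection
// (preg_match on a complete <script ...>...</script> element, as in the final
// checkinputs()) with output encoding via htmlspecialchars().

// Detection: true when a whole <script ...>...</script> element is present,
// case-insensitively; the s modifier lets .*? cross line breaks.
function detectScript(string $input): bool
{
    return preg_match('#<script[^>]*>.*?</script>#is', $input) === 1;
}

// Neutralisation: encode <, >, &, " and ' so nothing survives as markup.
function neutralise(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (assumed for this example).
$samples = [
    'plain'        => 'Hello, world',
    'script'       => '<script>alert(1)</script>',
    'mixed case'   => "<ScRiPt language=\"vbscript\">\nmsgbox \"x\"\n</ScRiPt>",
    'not a tag'    => 'my <scripts> folder',                 // strstr('<script') false positive from the thread
    'handler attr' => '<b onClick="somejavascript">hi</b>',  // the onClick case from the thread
];

foreach ($samples as $label => $value) {
    printf("%-12s detected=%-3s encoded=%s\n",
        $label,
        detectScript($value) ? 'yes' : 'no',
        neutralise($value));
}
// The last sample shows the gap: there is no <script> element, so detectScript()
// reports "no", while htmlspecialchars() still renders it as harmless text.
```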