
Preventing page stretching by long strings

Posted: Sun Aug 31, 2008 5:01 pm
by Cut
I've scraped something together to make sure none of the strings in my users' input are longer than 66 characters. However, I want to make exceptions for BBcode: thiscanstillbe62charactersevenwithoutspaceafterthetag. Right now, I check if the string begins with [url=, and if it does, explode it at ] and count the characters after that:


 
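 // Split the submitted text on spaces and check each word's length.
 $nostretch = explode(" ", $_POST['stuff']);
 foreach($nostretch as $word) {
  if(strlen($word) > 66) {
   // A word that starts with a [url= tag is measured after its first ].
   if(strpos($word, '[url=') === 0) {
    $word2 = explode(']', $word);
    // Measure the exploded part ($word2[1]), not one character of $word.
    // isset() avoids an undefined-index warning when no ] is present.
    if (isset($word2[1]) && strlen($word2[1]) > 70) {
    // error() is the poster's own helper (not shown).
    error("Your post contained a string that exceeded the maximum allowed number of characters. Please avoid stretching the page.");
    }
   }
   else {
    error("Your post contained a string that exceeded the maximum allowed number of characters. Please avoid stretching the page.");
   }
  }
 }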
 
Clearly, this can be exploited. (e.g., [url=reallylongstringwithnoclose). Edit: Actually, that wouldn't work, cuz now I make sure strpos(]) is true, but there's other vulnerabilities I'm sure.

Any suggestions for a better method?

Re: Preventing page stretching by long strings

Posted: Sun Aug 31, 2008 6:08 pm
by marcth
Use the wordwrap and str_word_count functions.

Re: Preventing page stretching by long strings

Posted: Sun Aug 31, 2008 6:13 pm
by Cut
marcth wrote: Use the wordwrap and str_word_count functions.
Thanks, but I don't want to wrap the text at a certain number of characters. That's a lot like using absolute widths. I also wouldn't want to randomly break someone's string in half with a linebreak without warning them first.

Re: Preventing page stretching by long strings

Posted: Sun Aug 31, 2008 6:52 pm
by marcth
I thought you didn't want your strings to be more than 66 characters? That's pretty absolute isn't it? If you're looking for a more fluid approach, I don't reckon PHP can help you. Best do it via CSS.

Re: Preventing page stretching by long strings

Posted: Sun Aug 31, 2008 6:59 pm
by Cut
marcth wrote: I thought you didn't want your strings to be more than 66 characters? That's pretty absolute isn't it? If you're looking for a more fluid approach, I don't reckon PHP can help you. Best do it via CSS.
I don't want strings that do not contain spaces to be longer than 66 characters. That's as far as I'm willing to go with absolutes.

Also, I just discovered another problem with my code: it explodes by spaces, so if words are separated by a newline, they're treated as a single string in the array. Solution?

(I'm hiding overflow with css, too, but that's ugly.)
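
An added example, not part of any post in this thread: one way to apply the 66-character limit to the text that actually renders, splitting on newlines as well as spaces and counting an unclosed [url= opener as visible text. The function name find_long_runs, the BBCODE_TAG pattern and the sample inputs are assumptions made for illustration; it requires the mbstring extension and treats a URL written between tags (such as [img]...[/img]) as visible text.

```php
<?php
const MAX_RUN = 66; // limit taken from the first post

// Assumed tag shape: [b], [/url], [url=http://example.com/x]
const BBCODE_TAG = '/\[\/?[a-z]+(?:=[^\]\s]*)?\]/i';

/**
 * Return every whitespace-delimited run whose visible text is longer than $max.
 */
function find_long_runs(string $input, int $max = MAX_RUN): array
{
    // Drop complete tags so only rendered text is measured. An opener with no
    // closing "]" does not match the pattern and is counted as visible text.
    $visible = preg_replace(BBCODE_TAG, '', $input);

    // Split on spaces, tabs and both newline styles, not just " ".
    $runs = preg_split('/[ \t\r\n]+/', $visible, -1, PREG_SPLIT_NO_EMPTY);

    $tooLong = [];
    foreach ($runs as $run) {
        // mb_strlen counts characters rather than bytes (assumes UTF-8 input).
        if (mb_strlen($run, 'UTF-8') > $max) {
            $tooLong[] = $run;
        }
    }
    return $tooLong;
}

// Constructed sample inputs
$long = str_repeat('x', 80);
$samples = [
    'short label, long url' => '[url=http://example.com/' . $long . ']click[/url]',
    'long label inside tag' => '[url=http://example.com/]' . $long . '[/url]',
    'unclosed opener'       => '[url=' . $long,
    'newline separated'     => str_repeat('a', 40) . "\n" . str_repeat('b', 40),
    'tags gluing two words' => str_repeat('a', 40) . '[b][/b]' . str_repeat('b', 40),
];

foreach ($samples as $name => $text) {
    $bad = find_long_runs($text);
    printf("%-24s %s\n", $name, $bad ? 'REJECT' : 'ok');
}
```

Stripping tags before splitting is what catches the last sample: two 40-character words joined by an empty tag pair render as one 80-character run even though neither word is over the limit on its own.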

Re: Preventing page stretching by long strings

Posted: Mon Sep 01, 2008 6:33 pm
by marcth
I post this string without spaces:
"TestingAVeryLongWord ThatProbablyDo esNotExistsJustFor <span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span> ndGigglesToSeeIf DevNetwo rkNetAddressesTheIssue." and DevNetwork Posts:

<span style='color:blue' title='I&#39;m naughty, are you naughty?'>smurf</span>.

Re: Preventing page stretching by long strings

Posted: Tue Sep 02, 2008 6:35 am
by Sindarin
I have some minor problems with my CMS as well. Because I use TinyMCE, the summary function also counts the HTML inside the output, sometimes making little text appear as a preview. The problem is that when the user overflows the textbox horizontally with text, it would stretch the table. Now I use a div and have overflow-x hidden. This will make the user re-enter the text properly. I'm even thinking of setting a vertical line as the textarea background so the user knows how far he can write (like in Borland Delphi).