Preventing page stretching by long strings
Posted: Sun Aug 31, 2008 5:01 pm
by Cut
I've scraped something together to make sure none of the strings in my users' input are longer than 66 characters. However, I want to make exceptions for BBcode:
thiscanstillbe62charactersevenwithoutspaceafterthetag. Right now, I check if the string begins with [url=, and if it does, explode it at ] and count the characters after that:
Code:
$nostretch = explode(" ", $_POST['stuff']);
foreach ($nostretch as $word) {
    if (strlen($word) > 66) {
        if (strpos($word, '[url=') === 0) {
            // Split at "]" and measure the text that follows the opening tag.
            $word2 = explode(']', $word);
            if (strlen($word2[1]) > 70) {
                // error() is the poster's own helper, defined elsewhere.
                error("Your post contained a string that exceeded the maximum allowed number of characters. Please avoid stretching the page.");
            }
        } else {
            error("Your post contained a string that exceeded the maximum allowed number of characters. Please avoid stretching the page.");
        }
    }
}
Clearly, this can be exploited. (e.g., [url=reallylongstringwithnoclose). Edit: Actually, that wouldn't work, cuz now I make sure strpos(]) is true, but there's other vulnerabilities I'm sure.
Any suggestions for a better method?
Re: Preventing page stretching by long strings
Posted: Sun Aug 31, 2008 6:08 pm
by marcth
Use the wordwrap and str_word_count functions.
Re: Preventing page stretching by long strings
Posted: Sun Aug 31, 2008 6:13 pm
by Cut
marcth wrote: Use the wordwrap and str_word_count functions.
Thanks, but I don't want to wrap the text at a certain number of characters. That's a lot like using absolute widths. I also wouldn't want to randomly break someone's string in half with a linebreak without warning them first.
Re: Preventing page stretching by long strings
Posted: Sun Aug 31, 2008 6:52 pm
by marcth
I thought you didn't want your strings to be more than 66 characters? That's pretty absolute isn't it? If you're looking for a more fluid approach, I don't reckon PHP can help you. Best do it via CSS.
Re: Preventing page stretching by long strings
Posted: Sun Aug 31, 2008 6:59 pm
by Cut
marcth wrote: I thought you didn't want your strings to be more than 66 characters? That's pretty absolute isn't it? If you're looking for a more fluid approach, I don't reckon PHP can help you. Best do it via CSS.
I don't want strings that do not contain spaces to be longer than 66 characters. That's as far as I'm willing to go with absolutes.
Also, I just discovered another problem with my code: it explodes by spaces, so if words are separated by a newline, they're treated as a single string in the array. Solution?
(I'm hiding overflow with css, too, but that's ugly.)
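The check discussed in this thread, as an added example that is not part of any post: it measures only the text a reader would see, splits on any whitespace (newlines included), and treats an unclosed `[url=` as ordinary text. The function name `find_long_runs`, the BBcode tag pattern and the sample inputs are assumptions; the 66-character limit is the one from the thread, and the mbstring extension is assumed to be available.

```php
<?php
// Added example, not code from the thread.
const MAX_RUN = 66; // limit taken from the thread

/**
 * Return every unbroken run of visible text longer than $max characters.
 * An empty array means the input cannot stretch the page.
 */
function find_long_runs(string $input, int $max = MAX_RUN): array
{
    // Drop well-formed BBcode tags ([b], [/url], [url=http://...]) so only
    // rendered text is measured. The pattern is an assumption about the
    // board's tag syntax. A tag without a closing "]" does not match and is
    // therefore counted like any other text.
    $visible = preg_replace('~\[/?[a-z]+(?:=[^\]\s]*)?\]~iu', '', $input);
    if ($visible === null) {
        // Invalid UTF-8 or a regex failure: fail closed and flag the input.
        return [$input];
    }

    // Split on any whitespace run, not only on single spaces.
    $tokens = preg_split('/\s+/u', $visible, -1, PREG_SPLIT_NO_EMPTY) ?: [];

    // Count characters, not bytes, so multi-byte text is measured fairly.
    return array_values(array_filter(
        $tokens,
        fn (string $t): bool => mb_strlen($t, 'UTF-8') > $max
    ));
}

// Constructed sample inputs.
$samples = [
    'long URL, short label' => '[url=http://example.com/' . str_repeat('a', 80) . ']short link text[/url]',
    'unclosed url tag'      => '[url=' . str_repeat('x', 80),
    'newline separated'     => "first line\n" . str_repeat('y', 70),
    'run split by tags'     => str_repeat('z', 40) . '[b]' . str_repeat('z', 40) . '[/b]',
];

foreach ($samples as $label => $text) {
    $bad = find_long_runs($text);
    printf("%-22s %s\n", $label, $bad ? 'rejected' : 'accepted');
}
```

This only decides whether to reject a post; output escaping and a CSS rule such as `overflow-wrap` on the post container are still needed on the rendering side.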
Re: Preventing page stretching by long strings
Posted: Mon Sep 01, 2008 6:33 pm
by marcth
I post this string without spaces:
"TestingAVeryLongWord ThatProbablyDo esNotExistsJustFor <span style='color:blue' title='I'm naughty, are you naughty?'>smurf</span> ndGigglesToSeeIf DevNetwo rkNetAddressesTheIssue." and DevNetwork Posts:
<span style='color:blue' title='I'm naughty, are you naughty?'>smurf</span>.
Re: Preventing page stretching by long strings
Posted: Tue Sep 02, 2008 6:35 am
by Sindarin
I have some minor problems with my CMS as well. Because I use TinyMCE, the summary function also counts the HTML inside the output, sometimes making little text appear as a preview. The problem is that when the user overflows the textbox horizontally with text, it would stretch the table. Now I use a div and have overflow-x hidden. This will make the user re-enter the text properly. I'm even thinking of setting a vertical line as the textarea background so the user knows how far he can write (like in Borland Delphi).