Is this secure?
Posted: Tue Jan 25, 2011 11:13 am
Heya, I'm basically making a simple forum script integrated with a website. I want to protect myself from sql injection and xss, so I figured I'd use PDO prepared statements and simple strip_tags. I'm still fairly new to php so I don't have the knowledge of all possible ways to protect myself.
The script looks like this:
Code:
$postbody = $_POST['postbody']; // I get the message body and do NOT process it while writing to the database, except checking that it doesn't exceed the allowed size.
// the writing part
$prep = $sql->prepare("INSERT INTO `a_forum_posts` (`created`, `account_id`, `forum_id`, `character`, `parent`, `title`, `body`, `class`)
    VALUES (:created, :acc_id, :fid, :character, :parent, :title, :postbody, :class)", array(PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY));
$prep->execute(array(
    ':created'   => time(),
    ':acc_id'    => $account_logged->getId(),
    ':fid'       => $fid,
    ':character' => $poster_info['pname'],
    ':parent'    => $parent, // $parent and $title are assumed to be set earlier; the posted code omitted :parent and :title, so the column list and the bound values did not match and execute() would fail
    ':title'     => $title,
    ':postbody'  => $postbody,
    ':class'     => $poster_info['level'] . ' ' . myGetVoc($poster_info['voc'], $poster_info['promo']),
));
Now before I output the result I filter it with a function similar to this:
Code:
function decodePost($str) {
    $search  = array('[b]', '[/b]'); // a lot more of bb code conversion...
    $replace = array('<b>', '</b>');
    return str_ireplace($search, $replace, nl2br(strip_tags($str)));
}
The question is: is this XSS and SQL injection safe?
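The PDO side binds every user value as a parameter to a static statement, so the remaining question is the output filter; the following is an added example (not the poster's code) of the order I would use there: escape everything with htmlspecialchars() first, then re-introduce only a fixed set of tags from the BBCode. The [url] handler is an assumption about what the poster's longer BBCode list may contain, included because an attribute context is where a plain str_ireplace() approach goes wrong.

```php
<?php
// Added example, not the poster's code. Escape-first output filter for
// BBCode posts; the [url] tag is an assumed addition to the poster's list.

function decodePostSafe(string $str): string
{
    // 1. Escape everything. Any HTML the poster typed becomes inert text, and
    //    unlike strip_tags() this keeps legitimate input such as "a < b".
    $out = htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');

    // 2. Convert simple BBCode pairs. The markers consist of [ ] / and letters,
    //    which htmlspecialchars() leaves untouched, so they still match here.
    $out = str_ireplace(
        ['[b]', '[/b]', '[i]', '[/i]'],
        ['<b>', '</b>', '<i>', '</i>'],
        $out
    );

    // 3. [url=...]text[/url] places user data inside an attribute, so the
    //    target is validated rather than copied. Only http(s) URLs are
    //    linked; anything else stays as escaped plain text.
    $out = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~is',
        function (array $m): string {
            // The captured target is still entity-encoded from step 1; decode
            // it to validate the real URL, then re-escape it when emitting.
            $target = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $scheme = strtolower((string) parse_url($target, PHP_URL_SCHEME));
            if (!in_array($scheme, ['http', 'https'], true)
                || filter_var($target, FILTER_VALIDATE_URL) === false) {
                return $m[0]; // leave the (already escaped) BBCode visible
            }
            $href = htmlspecialchars($target, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $out
    );

    // 4. Line breaks last, so the <br /> tags added here are never escaped.
    return nl2br($out);
}

// Usage at output time (assumes $postbody was read back from the database):
// echo decodePostSafe($postbody);
```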