Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
Moderator: General Moderators
zephid
Forum Newbie
Posts: 2 Joined: Mon Jul 09, 2007 12:27 am
by zephid » Mon Jul 09, 2007 12:30 am
I am considering using TinyMCE as an editor for a forum and comment system. My question, then, is: would it be a security risk to use that kind of WYSIWYG editing?
superdezign
DevNet Master
Posts: 4135 Joined: Sat Jan 20, 2007 11:06 pm
by superdezign » Mon Jul 09, 2007 6:15 am
Security? No. In fact, it may increase security (don't depend on it, though).
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Mon Jul 09, 2007 6:52 am
It's only a security risk if you accept its submissions as authoritative.
zephid
Forum Newbie
Posts: 2 Joined: Mon Jul 09, 2007 12:27 am
by zephid » Mon Jul 09, 2007 11:18 am
feyd wrote: It's only a security risk if you accept its submissions as authoritative.
I am using mysql_real_escape_string on all queries to the database, would that be good?
feyd
Neighborhood Spidermoddy
Posts: 31559 Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA
by feyd » Mon Jul 09, 2007 11:33 am
zephid wrote: I am using mysql_real_escape_string on all queries to the database, would that be good?
I was actually referring to XSS as well as malformed tags and such, but yes, you should always escape the input too.
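The two points feyd makes, that the editor's output is not authoritative and that query escaping is a separate concern from XSS, fit together in one server-side flow. TinyMCE runs in the browser, so whatever it "enforces" can be bypassed by POSTing raw HTML; the server has to re-validate the markup against an allowlist and then store it without string-splicing it into SQL. Escaping with mysql_real_escape_string protects the query only: a perfectly escaped `<script>` is stored intact and fires when the post is rendered (and the mysql extension it belongs to was removed in PHP 7, so prepared statements via PDO or mysqli are the current route). The following is an added example written for this thread, not code from the posters or from TinyMCE; the allowlist, the table layout, the SQLite in-memory database (chosen so it runs offline, the DSN is the only MySQL-specific change) and the attacker input are all assumptions.

```php
<?php
// Added example, not from the thread or from TinyMCE. Treats editor HTML as
// untrusted: allowlist-sanitize it, then store it with a prepared statement.

// Assumed policy: allowed elements and, per element, the attributes kept.
// Everything else (onclick=, style=, <script>, <iframe>, <img onerror=>) goes.
const ALLOWED_HTML = [
    'p' => [], 'br' => [], 'b' => [], 'strong' => [], 'i' => [], 'em' => [],
    'ul' => [], 'ol' => [], 'li' => [], 'blockquote' => [],
    'a' => ['href'],
];

function safeUrl(string $url): bool
{
    // Strip control characters and whitespace first, so "java\tscript:" is
    // judged by what a browser would actually execute after normalisation.
    $stripped = preg_replace('/[\x00-\x20]+/', '', $url);
    // http(s), mailto, same-site relative paths and fragments only; this also
    // rejects protocol-relative "//evil.example" links.
    return preg_match('~^(https?://|mailto:|/(?!/)|#)~i', $stripped) === 1;
}

function snapshot(Traversable $nodes): array
{
    // Copy before mutating: removing or moving nodes changes the live list.
    $copy = [];
    foreach ($nodes as $n) { $copy[] = $n; }
    return $copy;
}

function cleanNode(DOMNode $parent): void
{
    foreach (snapshot($parent->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if ($tag === 'script' || $tag === 'style') {
                $parent->removeChild($child);            // drop with its text
            } elseif (!isset(ALLOWED_HTML[$tag])) {
                cleanNode($child);                       // clean, then unwrap
                while ($child->firstChild !== null) {
                    $parent->insertBefore($child->firstChild, $child);
                }
                $parent->removeChild($child);
            } else {
                foreach (snapshot($child->attributes) as $attr) {
                    $name = strtolower($attr->name);
                    $keep = in_array($name, ALLOWED_HTML[$tag], true)
                        && ($name !== 'href' || safeUrl($attr->value));
                    if (!$keep) {
                        $child->removeAttribute($attr->name);
                    }
                }
                cleanNode($child);
            }
        } elseif (!($child instanceof DOMText)) {
            $parent->removeChild($child);                // comments, PIs, CDATA
        }
    }
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);  // malformed tags are repaired by libxml, not echoed
    $doc->loadHTML(
        '<?xml encoding="utf-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
    );
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    // The wrapper div is the first div in document order. A stray </div> in
    // the input closes it early; anything parsed outside it is dropped.
    $root = $doc->getElementsByTagName('div')->item(0);
    cleanNode($root);

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Prepared statement: the body travels as a bound parameter, so no quoting
// function is involved and an apostrophe in the text cannot alter the query.
function storePost(PDO $db, int $authorId, string $editorHtml): string
{
    $clean = sanitizeHtml($editorHtml);
    $stmt = $db->prepare('INSERT INTO posts (author_id, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $authorId, ':body' => $clean]);
    return $clean;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author_id INTEGER, body TEXT)');

// Constructed attacker submission: the editor UI never produces this, but a
// hand-built POST request can carry anything.
$submitted = '<p onclick="alert(1)">Hi <script>alert(document.cookie)</script>'
    . '<a href="javascript:alert(1)">click</a> <b>bold</b><img src=x onerror=alert(1)>'
    . '<span style="color:red">O\'Reilly</span></p>';

echo storePost($db, 42, $submitted), "\n";
// Expected: <p>Hi <a>click</a> <b>bold</b>O'Reilly</p>

// Rendering: the sanitized body is meant to be HTML, so it is echoed as-is.
// Plain-text fields (usernames, titles) still go through htmlspecialchars().
$row = $db->query('SELECT body FROM posts WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo $row['body'] === sanitizeHtml($submitted) ? "round-trip ok\n" : "mismatch\n";
```

Sanitizing on the way in and using bound parameters on the way in are two different defences against two different injections: the first decides what markup may reach other users' browsers, the second keeps user text from becoming part of a query. Neither replaces the other, and an allowlist that is re-applied on output (or a blocklist of "bad" tags) is where most home-grown editors' filters go wrong.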