Hi all, I am new to PHP.
I was thinking about validating text inputs. For things such as email addresses, passwords, usernames etc. I can just use validation to check the chars and the pattern of the string. This I understand.
However, what if we allowed users to write into a blog, and this in turn got passed into a database to get stored and retrieved? What are the techniques to reduce the possibility of users entering commands? - I can not really use any pattern, and more characters are likely to be used in a blog than something I can set limits on, such as a username or email (only letters and numbers, 6-12 chars long for example)
Also, let's say a user wanted to type in some JavaScript in this blog textarea input, so they would start it with <SCRIPT language="JavaScript"> CODE HERE </SCRIPT> - I know I can use str_replace() to replace these tags with '' (i.e. nothing - delete them) - but what about the code in between - is there a function I can use to replace code in between two strings? Or is there a better way of doing this too?
I haven't started to write any code - just thinking about it.
Basically I want a way so that if a user tries to enter JavaScript into a blog space, it will automatically delete it (from opening tags to closing tags), and escapes/gets rid of any code that could be harmful or executed...
Deleting javascript in textarea?
- newbie2php
- Forum Commoner
- Posts: 35
- Joined: Wed Nov 07, 2007 4:44 pm
You could use strip_tags(), but that is impractical because you would have to insert all the allowed HTML tags.
The second option is a regex with the preg_replace() function.
Sample regex, not tested:
Code:
/<script(.*?)>(.*?)<\/script>/si
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Always apply htmlspecialchars() on user input to avoid XSS injection.
- newbie2php
- Forum Commoner
- Posts: 35
- Joined: Wed Nov 07, 2007 4:44 pm
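To put the three approaches mentioned in the replies above side by side, here is an added example (my own code, not posted by anyone in this thread) that runs strip_tags() with an allow-list, the untested regex via preg_replace(), and htmlspecialchars() over the same constructed blog post. The sample post and the allow-list of tags are assumptions chosen for illustration; run it with `php demo.php`.

```php
<?php
// Added example, not code from the thread. Three ways of handling user-written
// blog text before it lands in an HTML page, applied to one constructed input.
declare(strict_types=1);

// Approach 1: strip_tags() keeps only the tags you list (assumed allow-list here).
function clean_with_strip_tags(string $html): string
{
    return strip_tags($html, '<b><i><p>');
}

// Approach 2: the (untested) regex from the reply above, removing a script
// element from its opening tag up to and including its closing tag.
function clean_with_regex(string $html): string
{
    return preg_replace('/<script(.*?)>(.*?)<\/script>/si', '', $html) ?? '';
}

// Approach 3: store the text exactly as typed and escape it at the moment it is
// echoed into HTML. ENT_QUOTES also converts quotes, so the result is safe inside
// attribute values as well as element content.
function escape_on_output(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample post: the tag the original poster worried about, followed by
// an ordinary sentence in which the writer merely mentions a tag name, something a
// blog about HTML would legitimately do.
$post = "I <b>love</b> bikes. <SCRIPT language=\"JavaScript\"> alert('x') </SCRIPT>\n"
      . "By the way, a <script> element must always be closed.";

$results = [
    'strip_tags' => clean_with_strip_tags($post),
    'regex'      => clean_with_regex($post),
    'escape'     => escape_on_output($post),
];

foreach ($results as $name => $out) {
    printf("--- %s ---\n%s\n\n", $name, $out);
}
```

Reading the three outputs shows the trade-off: strip_tags() and the regex both delete the script element, but strip_tags() also deletes the writer's harmless "<script>" mention and leaves the inner `alert('x')` text behind, while the regex leaves the second, unclosed `<script>` in the page untouched because there is no closing tag for it to match. The escaping function needs no list of tags and no pattern: whatever was typed is displayed as visible text, which is why the advice above to apply htmlspecialchars() holds regardless of what the user typed. If some HTML must be allowed in posts, use a dedicated HTML sanitising library (HTML Purifier is the established one for PHP) rather than a hand-written regex.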
Let's say someone wanted to log on - and I wanted to make sure the username and password were in the correct format, can I add these functions to the $_POST variables to make sure?
Also I have created some more, are these correct?
Code:
// validate input data
// check to make sure emails are entered in the correct format; if not, return false.
// [A-Za-z] is used rather than [A-z]: in ASCII the range A-z also covers the
// characters between 'Z' and 'a' ([ \ ] ^ _ `), which is not what is intended.
function check_email_format($string)
{
    $pattern = "/^[A-Za-z0-9\._-]+"
             . "@"
             . "[A-Za-z0-9][A-Za-z0-9-]*"
             . "(\.[A-Za-z0-9_-]+)*"
             . "\.([A-Za-z]{2,6})$/D";
    if (preg_match($pattern, $string))
    {
        return true;
    }
    else
    {
        return false;
    }
}
// check username is only letters and numbers, no spaces, and is between 6 and 12 characters long.
// ^ and $ anchor the pattern to the whole string, and the {6,12} quantifier must sit
// outside the character class (inside the brackets it would only add the characters
// '{', '6', ',', '1', '2' and '}' to the allowed set).
function check_username_format($string)
{
    if (preg_match("/^[A-Za-z0-9]{6,12}$/D", $string))
    {
        return true;
    }
    else
    {
        return false;
    }
}
// check $input is only digits (at least one), return false if not.
// The D modifier stops $ from also accepting a trailing newline.
function check_is_digits($input)
{
    if (preg_match("/^[0-9]+$/D", $input))
    {
        return true;
    }
    else
    {
        return false;
    }
}
// check $input is only letters (at least one), return false if not
function check_is_letters($input)
{
    if (preg_match("/^[A-Za-z]+$/D", $input))
    {
        return true;
    }
    else
    {
        return false;
    }
}
// check the length of $string is within the $min and $max boundaries (inclusive)
function check_within_length($string, $min, $max)
{
    $length = strlen($string);
    if (($length < $min) || ($length > $max))
    {
        return false;
    }
    else
    {
        return true;
    }
}
Also what about $_GET?
If I was wanting to display information about a motor bike, and I retrieved its info via
Code:
$_GET['bikeno']
On the bike page I wanted to retrieve all information from mysql about this bike
I do:
$bikeno = $_GET['bikeno'];
to make this more secure, would this work...
Code:
// keep the value itself in $bikeno; the check function only returns true or false
$bikeno = isset($_GET['bikeno']) ? $_GET['bikeno'] : '';
if (check_is_digits($bikeno))
{
    // CODE RETRIEVE FROM DATABASE
}
else
{
    // inside double quotes a plain apostrophe needs no backslash
    echo "Can't display bike details";
}
Jcart - Cheers
so let's say someone writes into the blog which then gets sent to the database for storage, would it go something like:
Code:
$blogstring = htmlspecialchars($_POST['blog']);
Sorry for all the questions, as you can tell, I am a newbie
newbie2php
- Forum Commoner
- Posts: 35
- Joined: Wed Nov 07, 2007 4:44 pm
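As an added example (my own code, not from anyone in this thread), here is how the validation functions discussed above fit around the two database operations the post asks about: looking up a bike by the `bikeno` taken from $_GET, and storing blog text from $_POST. The DSN, credentials and the table and column names (`bikes.bikeno`, `bikes.model`, `blog_posts.body`) are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Validates $_GET['bikeno'], looks the
// bike up with a bound parameter, stores blog text unchanged and escapes it only
// when it is printed. Database names and credentials below are assumptions.
declare(strict_types=1);

// Accept only a string of 1 to 9 digits; anything else (missing, too long,
// non-digit, or an array such as ?bikeno[]=1) yields null so the caller can refuse.
function read_bikeno(array $get): ?int
{
    $raw = $get['bikeno'] ?? '';
    if (!is_string($raw) || !preg_match('/^[0-9]{1,9}$/D', $raw)) {
        return null;
    }
    return (int) $raw;
}

// The value is passed as a bound parameter, never spliced into the SQL text, so
// the database always treats it as data even if the check above were relaxed later.
function fetch_bike(PDO $db, int $bikeno): ?array
{
    $stmt = $db->prepare('SELECT bikeno, model FROM bikes WHERE bikeno = :no');
    $stmt->execute([':no' => $bikeno]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Blog text is stored exactly as typed: nothing is stripped or escaped on the way in,
// so the stored copy can later be shown in HTML, plain text or JSON correctly.
function store_blog_post(PDO $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO blog_posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Escaping happens at the one place the text meets HTML: output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Assumed connection details; ERRMODE_EXCEPTION makes query failures impossible to miss.
$db = new PDO('mysql:host=localhost;dbname=bikes_demo;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);

// Storing a blog entry submitted by POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['blog']) && is_string($_POST['blog'])) {
    store_blog_post($db, $_POST['blog']);
}

// Displaying one bike selected by ?bikeno=...
$bikeno = read_bikeno($_GET);
if ($bikeno === null) {
    http_response_code(400);
    echo "Can't display bike details";
    exit;
}

$bike = fetch_bike($db, $bikeno);
if ($bike === null) {
    http_response_code(404);
    echo 'No such bike';
    exit;
}

echo '<h1>Bike ', h((string) $bike['bikeno']), ': ', h((string) $bike['model']), '</h1>';
```

Two design choices differ from the snippet in the post. First, `$bikeno` keeps the submitted value and the check function's true/false result is used only in the `if`, otherwise the number you want to query for is replaced by a boolean. Second, htmlspecialchars() is applied when the blog text is echoed rather than before it is stored: escaping is an output-encoding step for HTML, while the digit check and the bound parameter are what protect the SQL query, so the two concerns stay in the places where they belong.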