Deleting javascript in textarea?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

newbie2php
Forum Commoner
Posts: 35
Joined: Wed Nov 07, 2007 4:44 pm

Post by newbie2php »

Hi all, I am new to PHP.

I was thinking about validating text inputs. For things such as email addresses, passwords, usernames etc., I can just use validation to check the characters and the pattern of the string. This I understand.

However, what if we allowed users to write into a blog, and this in turn got passed into a database to get stored and retrieved? What are the techniques to reduce the possibility of users entering commands? I can not really use any pattern, and more characters are likely to be used in a blog than in something I can set limits on, such as a username or email (only letters and numbers, 6-12 chars long for example).

Also, let's say a user wanted to type some javascript into this blog textarea input, so they would start it with <SCRIPT language="JavaScript"> CODE HERE </SCRIPT>. I know I can use str_replace() to replace these tags with '' (i.e. nothing - delete them), but what about the code in between? Is there a function I can use to replace code in between two strings? Or is there a better way of doing this too?

I haven't started to write any code - just thinking about it.

Basically I want a way so that if a user tries to enter javascript into a blog space, it will automatically delete it (from opening tags to closing tags), and escapes/gets rid of any code that could be harmful or executed...
arjan.top
Forum Contributor
Posts: 305
Joined: Sun Oct 14, 2007 4:36 am
Location: Hoče, Slovenia

Post by arjan.top »

You could use strip_tags(), but that is impractical because you would have to list all the allowed HTML tags.

The second option is a regex with the preg_replace() function.

Sample regex, not tested:

Code:

/<script(.*?)>(.*?)<\/script>/si
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Always apply htmlspecialchars() on user input to avoid XSS injection.
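The following is an added example, not code from the thread, that puts arjan.top's two suggestions (the <script> regex and strip_tags()) and John Cartwright's htmlspecialchars() side by side on the kind of textarea input the original question describes. The sample input, the function names and the allow-list of tags are assumptions made for the example; htmlspecialchars() is applied at the point where the stored text is placed into an HTML page.

```php
<?php
// Added example (not from the thread): three ways to handle the blog
// textarea input discussed above. The sample input is constructed.
declare(strict_types=1);

// Constructed sample: ordinary text, a harmless tag, and the <SCRIPT> block
// from the original question.
$blogInput = "Hello world!\n<b>Bold</b> text and "
           . "<SCRIPT language=\"JavaScript\"> CODE HERE </SCRIPT> more text.";

// 1. arjan.top's regex approach: delete <script>...</script> blocks.
//    The 's' flag lets '.' span newlines; 'i' makes the tag name case-insensitive.
//    This only removes what the pattern recognises; anything else is passed through.
function removeScriptBlocks(string $html): string
{
    $cleaned = preg_replace('/<script(.*?)>(.*?)<\/script>/si', '', $html);
    return $cleaned ?? '';
}

// 2. strip_tags() with an allow-list of tags that may stay.
//    Caveat: strip_tags() does not touch the attributes of an allowed tag,
//    so the allow-list has to be kept to tags whose attributes are harmless.
function keepAllowedTags(string $html): string
{
    return strip_tags($html, '<b><i><p>');
}

// 3. htmlspecialchars() when rendering: the text is stored as typed and
//    encoded when it is placed into the page, so the browser shows '<SCRIPT>'
//    as literal text instead of treating it as markup.
function renderAsText(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo "regex:      ", removeScriptBlocks($blogInput), "\n";
echo "strip_tags: ", keepAllowedTags($blogInput), "\n";
echo "encoded:    ", renderAsText($blogInput), "\n";
```

Run it with the PHP CLI (`php example.php`). The first two functions try to decide which markup is dangerous and remove it, which is why arjan.top calls the allow-list impractical and marks the regex as untested; the third does not need to recognise anything, it makes every tag inert at output time, which is why it is the usual recommendation.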
newbie2php
Forum Commoner
Posts: 35
Joined: Wed Nov 07, 2007 4:44 pm

Post by newbie2php »

Thanks guys.

Let's say someone wanted to log on, and I wanted to make sure the username and password were in the correct format. Can I add these functions to the $_POST variables to make sure?

Also I have created some more, are these correct?

Code:

// validate input data

// check to make sure emails are inputted in the correct format; if not, return false.
function check_email_format($string)
{
	$pattern = "/^[A-z0-9\._-]+"
	         . "@"
	         . "[A-z0-9][A-z0-9-]*"
	         . "(\.[A-z0-9_-]+)*"
	         . "\.([A-z]{2,6})$/";

	if (preg_match($pattern, $string))
	{
		return true;
	}
	else
	{
		return false;
	}
}

// check username is only letters and numbers, no spaces, and is between 6 and 12 characters long
function check_username_format($string)
{
	// the {6,12} quantifier belongs outside the character class,
	// and ^ ... $ make the pattern cover the whole string
	if (preg_match("/^[A-z0-9]{6,12}$/", $string))
	{
		return true;
	}
	else
	{
		return false;
	}
}

// check $input is only digits, return false if not
function check_is_digits($input)
{
	// the class is negated: a match means a non-digit was found,
	// and an empty string is not "only digits" either
	if ($input === '' || preg_match("/[^0-9]/", $input))
	{
		return false;
	}
	else
	{
		return true;
	}
}

// check $input is only letters, return false if not
function check_is_letters($input)
{
	// same idea: a match on the negated class means a non-letter was found
	if ($input === '' || preg_match("/[^A-z]/", $input))
	{
		return false;
	}
	else
	{
		return true;
	}
}

// check $string is within $min and $max boundaries
function check_within_length($string, $min, $max)
{
	$length = strlen($string);
	if (($length < $min) || ($length > $max))
	{
		return false;
	}
	else
	{
		return true;
	}
}

Also what about $_GET ?

If I was wanting to display information about a motor bike, and I retrieved its info via

Code:

$_GET['bikeno']

(say... the URL was http://www.bikes.com/view-bike.php?bikeno=17265)

On the bike page I wanted to retrieve all information from mysql about this bike.

I do:

$bikeno = $_GET['bikeno'];

to make this more secure, would this work...

Code:

// keep the raw value; check_is_digits() only returns true or false
$bikeno = $_GET['bikeno'];

if (check_is_digits($bikeno))
{
	CODE RETRIEVE FROM DATABASE
}
else
{
	echo "Can't display bike details";
}
Is this correct?

Jcart - Cheers :) so let's say someone writes into the blog, which then gets sent to the database for storage. Would it go something like:

Code:

$blogstring = htmlspecialchars($_POST['blog']);

Sorry for all the questions, as you can tell, I am a newbie.
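As an added example that is not part of the thread, here is the bike lookup and the blog storage from the post above carried through to the database step, which the post leaves as "CODE RETRIEVE FROM DATABASE". It assumes PDO with the SQLite driver (an in-memory database stands in for the MySQL server, with constructed table names and rows), a constructed array standing in for $_GET, and function names chosen for the example. The value taken from the request is validated first and then passed to the query as a bound parameter rather than being spliced into the SQL text, and the blog text is stored as typed and encoded only when it is rendered.

```php
<?php
// Added example (not from the thread): validating a request parameter and
// using prepared statements. SQLite in-memory replaces MySQL so it runs offline.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');                       // assumption: pdo_sqlite is available
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE bikes (bikeno INTEGER PRIMARY KEY, model TEXT)');
$pdo->exec("INSERT INTO bikes VALUES (17265, 'Constructed sample 600')");  // constructed row
$pdo->exec('CREATE TABLE blog (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT)');

// Validate the parameter and keep its value; the boolean from the check is not the bike number.
function bikeNumberFromRequest(array $get): ?int
{
    if (!isset($get['bikeno']) || !is_string($get['bikeno']) || !ctype_digit($get['bikeno'])) {
        return null;
    }
    return (int) $get['bikeno'];
}

// Retrieve with a bound parameter: the SQL text is fixed, the value travels separately.
function findBike(PDO $pdo, int $bikeno): ?array
{
    $stmt = $pdo->prepare('SELECT bikeno, model FROM bikes WHERE bikeno = :bikeno');
    $stmt->execute([':bikeno' => $bikeno]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Store the blog text exactly as typed; quotes and tags are data, not SQL.
function storeBlogPost(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO blog (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadBlogPost(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM blog WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Constructed request, standing in for the real $_GET of view-bike.php?bikeno=17265.
$fakeGet = ['bikeno' => '17265'];
$bikeno = bikeNumberFromRequest($fakeGet);
if ($bikeno === null) {
    echo "Can't display bike details\n";
} else {
    $bike = findBike($pdo, $bikeno);
    echo $bike === null ? "No such bike\n" : "Bike {$bike['bikeno']}: {$bike['model']}\n";
}

// Constructed blog text containing a quote and a tag, to show both survive storage intact.
$id = storeBlogPost($pdo, "It's <b>great</b>");
$stored = loadBlogPost($pdo, $id);
echo "stored:   ", $stored, "\n";
// Encode at render time, so the page shows the tag as text and the database keeps the original.
echo "rendered: ", htmlspecialchars($stored, ENT_QUOTES, 'UTF-8'), "\n";
```

ctype_digit() returns false for an empty string and for anything containing a non-digit, so a value like "17265abc" is rejected before any query runs; the prepared statement means the lookup would still be safe even if the validation were skipped, which is why both layers are worth having.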
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

"A-z" matches more than letters.
newbie2php
Forum Commoner
Posts: 35
Joined: Wed Nov 07, 2007 4:44 pm

Post by newbie2php »

feyd wrote:"A-z" matches more than letters.
Oh - I just thought it was a short cut to mean "letters, upper or lower case" - is it [a-zA-Z] instead?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

yep.
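To make feyd's point concrete, here is an added example (not from the thread) that sweeps every printable ASCII character through a pattern and reports the matches that are not letters, then applies the corrected class to the username check from earlier in the thread. The helper name and the sample usernames are assumptions made for the example.

```php
<?php
// Added example (not from the thread): find out what a character class really
// matches by testing it against every printable ASCII character.
declare(strict_types=1);

// Returns the characters in 0x20..0x7E that the pattern accepts but that are not letters.
function nonLetterMatches(string $pattern): string
{
    $extra = '';
    for ($code = 0x20; $code <= 0x7E; $code++) {
        $ch = chr($code);
        if (preg_match($pattern, $ch) === 1 && !ctype_alpha($ch)) {
            $extra .= $ch;
        }
    }
    return $extra;
}

$wrong = '/^[A-z]$/';     // one range from 'A' (0x41) up to 'z' (0x7A)
$right = '/^[a-zA-Z]$/';  // two explicit letter ranges

echo "Non-letters matched by {$wrong}: ", nonLetterMatches($wrong), "\n";
echo "Non-letters matched by {$right}: ", nonLetterMatches($right), "\n";

// The username rule from the thread with the corrected class:
// only letters and digits, 6 to 12 of them, anchored to the whole string.
function check_username_format(string $string): bool
{
    return preg_match('/^[a-zA-Z0-9]{6,12}$/', $string) === 1;
}

// Constructed sample usernames.
foreach (['user123', 'user_name', 'ab1', 'UPPERlower99'] as $name) {
    echo str_pad($name, 14), check_username_format($name) ? "ok\n" : "rejected\n";
}
```

The sweep on the A-z pattern reports the six characters that sit between 'Z' and 'a' in ASCII, the backslash, the square brackets, the caret, the underscore and the backtick, while the a-zA-Z pattern reports none; running a new pattern through a sweep like this is a cheap way to catch the same mistake in any validation regex before it reaches production.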