Hi,
I have been making a website in PHP for a DJ. I have hand coded everything, even the CMS. I am now at the stage of making sure that it is all secure.
The website gives the user their own page (like MySpace). The only thing I need to know is how to stop any server-side coding and CSS from being entered in comment boxes. I would like them to still be able to use HTML.
Any suggestions, let me know.
Thanks for your time in advance.
James
Input field validation - STOP PHP
Re: Input field validation - STOP PHP
jswany wrote: "The only thing I need to know is how to stop any server-side coding and CSS from being entered in comment boxes."
You need to know other things, but hardly this. What are you doing with the form data that you're afraid that it's going to be executed as PHP (or CSS)? Also, HTML is a concern: you need a filtering library like HTMLPurifier or you'll face ... defacement.
jswany wrote: "I am now at the stage of making sure that it is all secure."
"Now" is a bit late.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Input field validation - STOP PHP
If you are databasing the content then you needn't worry about server-side code executing unless you are pushing the content through eval(). I would however worry significantly about client side code.
I agree with mordred. Security should have been built into the core of the app not placed into it as an afterthought. It will be a little harder to go back into the code and crack it open to put all your checks and balances into it.
More importantly, I would suggest you establish, clearly, the rules the posted data must follow then code the validators to those rules. Always always always filter your input and always escape output.
Re: Input field validation - STOP PHP
Here's a list of security tips. Read and understand them all. While the articles (tips) are small, follow up on them by searching the Internet. Especially cross-site scripting (XSS)!!
http://devzone.zend.com/public/view/con ... ult/page/1
Re: Input field validation - STOP PHP
Cheers guys, I have sorted it now. And in future I WILL DEFINITELY worry about security from the start of the project. It seems obvious now (I'm so stupid).
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Re: Input field validation - STOP PHP
HTMLPurifier - apply to all user input HTML
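An added example, not code from this thread or from HTMLPurifier, of the "set the rules, then code the validators to them" approach the replies describe: a small DOMDocument-based filter that keeps a handful of harmless tags in a comment and strips everything that can carry script or CSS (script and style elements, style and on* attributes, javascript: links). The tag and attribute whitelists and the function names are my own choices; for a live site the thread's recommendation of HTMLPurifier covers far more cases than this.

```php
<?php
// Added example (not from the thread): whitelist filter for user comment HTML.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'strong', 'em', 'ul', 'ol', 'li', 'blockquote', 'a'];
const ALLOWED_ATTRS = ['a' => ['href']];   // no style= and no on*= handlers on any tag
const DROP_WHOLE    = ['script', 'style', 'iframe', 'object', 'embed'];

function sanitizeComment(string $dirty): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);      // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $dirty . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper element
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;                           // text nodes come back entity-escaped
}

function cleanNode(DOMNode $node): void
{
    // Walk a snapshot of the children, since the live list is mutated below.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!($child instanceof DOMElement)) {
            if (!($child instanceof DOMText)) {
                $node->removeChild($child); // comments and processing instructions (PHP tags)
            }
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WHOLE, true)) {
            $node->removeChild($child);     // element and its contents are discarded
            continue;
        }
        cleanNode($child);                  // clean descendants before deciding on this tag
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            while ($child->firstChild) {    // unwrap: keep the text, lose the tag
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $ok = in_array($attr->name, ALLOWED_ATTRS[$tag] ?? [], true)
               && ($attr->name !== 'href' || preg_match('#^(https?:|mailto:)#i', trim($attr->value)));
            if (!$ok) { $child->removeAttribute($attr->name); }
        }
    }
}
```

Relative and data: hrefs are rejected along with javascript: ones, a deliberately conservative choice for a comment box; run the result through the same output escaping as the rest of the page and keep the original text in the database so the filter can be tightened later.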