Let's start with what I'm working with.
I have user inputs. You must log in to post anything.
The user inputs are being filtered with this:
// Blacklist filter: each str_ireplace does a case-insensitive search/replace on $info.
$fix1=str_ireplace("javascript", "-", $info);
$fix2=str_ireplace("mysql", "..", $fix1);
$fix3=str_ireplace("mysqli", "..", $fix2);   // never matches: "mysql" was already replaced above
$fix4=str_ireplace("connect", "..", $fix3);
$fix5=str_ireplace("query", "..", $fix4);
// BBCode-style tags converted to HTML.
$fix6=str_ireplace("[b]", "<b>", $fix5);
$fix6_1=str_ireplace("[/b]", "</b>", $fix6);
$fix7=str_ireplace("[i]", "<i>", $fix6_1);
$fix7_1=str_ireplace("[/i]", "</i>", $fix7);
$fix8=str_ireplace("[p]", "<p>", $fix7_1);
$fix8_1=str_ireplace("[/p]", "</p>", $fix8);
$fix9=str_ireplace("[break]", "<br />", $fix8_1);
// Single quotes here: inside double quotes PHP interpolates $_session, $user_id and $id
// as (undefined) variables, so the search string becomes "" and nothing is replaced.
$fix10=str_ireplace('$_session', "..", $fix9);
$fix11=str_ireplace('$user_id', "..", $fix10);
$fix12=str_ireplace("array (", "..", $fix11);
$fix13=str_ireplace("mail(", "..", $fix12);
$fix14=str_ireplace('$id', "..", $fix13);
$fix15=str_ireplace("submit", "..", $fix14);
$fix16=str_ireplace("<form", "..", $fix15);
$fix17=str_ireplace(".php", "..", $fix16);
$fix18=str_ireplace(".cfm", "..", $fix17);
$fix19=str_ireplace(".asp", "-", $fix18);
$fix20=str_ireplace("/?", "..", $fix19);
$final=$fix20;

; php.ini
disable_functions = fopen,popen,file,exec,rmdir,set_time_limit,filepro,filepro_retrieve,filepro_rowcount,highlight_file,system
I am storing users' IPs every time they log in; if the IP changes they must re-log in.
On log out I am using session_destroy(), not just setting the session details to nothing, aka unsetting them (unset($_SESSION['*'])).
What else do you suggest I do to secure my website?
I have tested PHP in the user input and it seems to NOT run the PHP but send the code to the browser hidden..? It's there, it just doesn't show, almost like it's in an HTML hidden input tag.
So I'm unsure how that is working that way, but I like it, haha...
But anyway.
Obviously the data is being stored within a database.
That is MySQL 5.0.
Users have a profile, so I am allowing CSS and some HTML.
Should I use htmlentities and list every HTML tag I am allowing, so it filters the others?
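The question above is essentially whether to switch from a keyword blacklist to escape-everything-then-whitelist. The following is an added example written for this thread, not the poster's code: it escapes all user text with htmlspecialchars, then re-enables only a fixed list of BBCode tags, stores the raw text with a prepared statement, and regenerates the session id on login. The table `posts(user_id, body)`, the mysqli connection, and the tag list are assumptions for the example; it does not cover the CSS the profiles allow, which needs a separate property whitelist.

```php
<?php
// Added example (not the poster's code): escape everything first, then
// re-enable only a fixed set of BBCode tags. Anything not on the list
// stays as inert text, so no keyword blacklist is needed.
declare(strict_types=1);

// Tag name => [open HTML, close HTML]. The list is an assumption for this example.
const ALLOWED_BBCODE = [
    'b' => ['<b>', '</b>'],
    'i' => ['<i>', '</i>'],
    'p' => ['<p>', '</p>'],
];

function render_post(string $raw): string
{
    // 1. Neutralise all markup: <, >, &, " and ' become entities, so any
    //    <script> or <form> a user typed is displayed as text, not parsed.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Whitelist: turn [b]..[/b] etc. back into HTML only for listed tags,
    //    and only where an open tag has a matching close tag.
    foreach (ALLOWED_BBCODE as $tag => [$open, $close]) {
        $t = preg_quote($tag, '/');
        $safe = preg_replace(
            '/\[' . $t . '\](.*?)\[\/' . $t . '\]/is',
            $open . '$1' . $close,
            $safe
        );
    }

    // 3. [break] has no closing tag; map it directly.
    return str_ireplace('[break]', '<br />', $safe);
}

// Storage: a prepared statement keeps SQL syntax and user data apart, so the
// words "mysql", "query" or "connect" inside a post are just text.
// Assumed table: posts(user_id INT, body TEXT).
function store_post(mysqli $db, int $userId, string $raw): bool
{
    $stmt = $db->prepare('INSERT INTO posts (user_id, body) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('is', $userId, $raw); // store raw text; escape on output
    return $stmt->execute();
}

// Login: issue a fresh session id so an id obtained before login is useless,
// and remember the client address for the IP-change check the post describes.
function on_login(int $userId, string $clientIp): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['ip']      = $clientIp;
}

// Constructed sample input for a quick check from the command line.
if (PHP_SAPI === 'cli') {
    $sample = "[b]Hello[/b] <script>alert(1)</script> [i]query mysql[/i][break]done";
    echo render_post($sample), PHP_EOL;
}
```

Because the raw text is stored and escaping happens at render time, the same stored post can later be shown in a different context (plain text, JSON) with the escaping that context needs, and a change to the allowed tag list applies to old posts too.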