Need critique on 'code samples' script

Coding Critique is the place to post source code for peer review by other members of DevNetwork. Any kind of code can be posted. Code posted does not have to be limited to PHP. All members are invited to contribute constructive criticism with the goal of improving the code. Posted code should include some background information about it and what areas you specifically would like help with.

social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za


Post by social_experiment »

I am creating a blog that will have user input which might sometimes consist of code samples. The data would be stored inside a database, so I would use mysql_real_escape_string() when inserting the data and stripslashes() when displaying the data. Below is the PHP code that I created to help decide which method would be best:

Code:

<?php
 // The form. <form> and <textarea> are container elements, so they take a
 // closing tag rather than a self-closing "/>". PHP_SELF is built from the
 // request path and is therefore attacker-controllable: encode it before
 // writing it into the action attribute.
 echo "<form method=\"post\" action=\"" . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) . "\">";
 echo "<textarea cols=\"20\" rows=\"10\" name=\"sampleText\"></textarea>";
 echo "<input type=\"submit\" name=\"btn\" value=\"test sample text\" />";
 echo "</form>";

 // Only render when something was submitted; otherwise the first GET request
 // triggers an undefined-index notice on $_POST['sampleText'].
 if (isset($_POST['sampleText'])) {
     $text = $_POST['sampleText'];

     // stripslashes() only undoes magic_quotes_gpc escaping; do that first,
     // then encode the result for HTML output inside <pre>.
     echo "Using <pre> tags and htmlentities<br />";
     echo "<pre>" . htmlentities(stripslashes($text), ENT_QUOTES) . "</pre>";
 }
?>
The user input is displayed as 'sample code' without being parsed. I tried using the HTML tags <code></code> instead of <pre></pre>, but I want the 'code' entered to be displayed as the user enters it into the textarea. Is this a (relatively) secure method for allowing visitors to post code samples?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
MichaelR
Forum Contributor
Posts: 148
Joined: Sat Jan 03, 2009 3:27 pm

Re: Need critique on 'code samples' script

Post by MichaelR »

Perhaps this:

Code:

<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">
<textarea cols="20" rows="10" name="sampleText"></textarea>
<input type="submit" name="btn" value="test sample text" />
</form>

<?php
  if (isset($_POST['sampleText'])) {
      $text = stripslashes($_POST['sampleText']);

      // Replace the characters that open and close a tag with their entities
      // so the browser shows them as text instead of parsing them as markup.
      $text = str_replace('<', '&lt;', $text);
      $text = str_replace('>', '&gt;', $text);

      echo '<pre>' . $text . '</pre>';
  }
?>
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Need critique on 'code samples' script

Post by social_experiment »

Code:

<?php

  $text = stripslashes($_POST['sampleText']);

  $text = str_replace('<', '&lt;', $text);
  $text = str_replace('>', '&gt;', $text);

  echo '<pre>' . $text . '</pre>';

?>
It could work (I'll test it and get back), but what if a malicious user were to attempt something such as:

Code:

<script type="text/javascript">
 alert('Possible XSS');
</script>
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Need critique on 'code samples' script

Post by social_experiment »

Code:

<?php
 // Characters to look for and the entities to put in their place.
 $match_str = array('<', '>');

 $replace_str = array('&lt;', '&gt;');

 // Guard against the first request, where nothing has been posted yet.
 $replaced = isset($_POST['sampleText'])
     ? str_replace($match_str, $replace_str, $_POST['sampleText'])
     : '';

 echo stripslashes($replaced);
?>
I used your suggestion and it seems that it works just as well. Thanks for the critique.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
MichaelR
Forum Contributor
Posts: 148
Joined: Sat Jan 03, 2009 3:27 pm

Re: Need critique on 'code samples' script

Post by MichaelR »

My answer to any questions as to why use str_replace instead of htmlentities: the only problematic characters are < and >, and so only these really need changing. Changing everything is just superfluous.

To social_experiment: did your test answer your own question regarding the JavaScript? If not, the script will be output as text, not as code, because of the str_replace converting < and >.
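The str_replace-versus-htmlentities point above, together with the storage question from the first post, as an added example (this is not code from the thread or from either poster). It runs both encoders over constructed inputs in the two places the thread's scripts write user text, element text inside <pre> and a double-quoted attribute value, and stores one sample with a prepared statement. PDO with an in-memory SQLite database is an assumption made for the storage half; the sample strings are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Compares "< and > only" encoding with
// htmlspecialchars() in text and attribute context, then shows store-raw /
// encode-on-output with a prepared statement (PDO + SQLite in memory, assumed).
declare(strict_types=1);

// The thread's approach: only the two tag delimiters are replaced.
function encode_lt_gt(string $text): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $text);
}

// Full HTML encoding: &, <, >, " and ' are replaced. Safe as element text and
// inside single- or double-quoted attribute values.
function encode_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Text context: the code sample inside <pre>, which keeps the poster's whitespace.
function render_pre(string $sample): string
{
    return '<pre>' . encode_html($sample) . '</pre>';
}

// Attribute context: pre-filling a form field with a previous submission.
// The encoder is passed in so both strategies can be compared here.
function render_value_attr(string $sample, callable $encoder): string
{
    return '<input type="text" name="title" value="' . $encoder($sample) . '">';
}

// Constructed inputs (not taken from any real submission).
$samples = [
    'script tag'         => "<script>alert('XSS')</script>",
    'attribute breakout' => '" autofocus onfocus="alert(1)',  // contains no < or > at all
    'literal entity'     => 'echo "&lt;b&gt;";',               // a sample that itself contains entities
];

foreach ($samples as $label => $input) {
    echo "== $label ==\n";
    echo "  pre,  < and > only   : <pre>" . encode_lt_gt($input) . "</pre>\n";
    echo "  pre,  htmlspecialchars: " . render_pre($input) . "\n";
    echo "  attr, < and > only   : " . render_value_attr($input, 'encode_lt_gt') . "\n";
    echo "  attr, htmlspecialchars: " . render_value_attr($input, 'encode_html') . "\n";
}

// Storage: keep the text exactly as typed and parameterise the query. No HTML
// escaping happens at insert time, so nothing has to be undone (no stripslashes)
// when the row is read back; encoding is applied once, at output.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE samples (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO samples (body) VALUES (:body)');
$insert->execute([':body' => $samples['script tag']]);

$row = $db->query('SELECT body FROM samples WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
echo "\nstored as typed: " . $row['body'] . "\n";
echo "rendered       : " . render_pre($row['body']) . "\n";
```

Run it with php from the command line and read the attribute lines. The second input contains no < or > at all, so encode_lt_gt() returns it unchanged and the value attribute closes early, leaving an onfocus handler in the tag; htmlspecialchars() with ENT_QUOTES turns the quote into &quot; and the value stays a value. The third input shows the fidelity side of leaving & alone: the browser renders the stored &lt;b&gt; as <b>, which is not what the poster typed, while the double-encoded form displays the sample verbatim. Every form in the thread also writes $_SERVER['PHP_SELF'] into the action attribute unencoded; it is derived from the request path and needs the same treatment as any other untrusted string.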
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Need critique on 'code samples' script

Post by social_experiment »

To social_experiment: did your test answer your own question regarding the JavaScript? If not, the script will be output as text, not as code, because of the str_replace converting < and >.
Yes, I found that the 'code' is displayed as text, as it should be. I can just echo that $replaced_text between <pre></pre> tags and would get the same result (I think).

Thanks for the critique :)
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering