Need critique on 'code samples' script
Posted: Wed Nov 25, 2009 7:50 am
by social_experiment
I am creating a blog that will have user input which might sometimes consist of code samples. The data would be stored inside a database, so I would use mysql_real_escape_string() when inserting the data and stripslashes() when displaying the data. Below is the PHP code that I created to help decide which method would be best:
Code:
<?php
// Output the test form. <form> and <textarea> are not void elements, so they
// take a normal closing tag rather than a self-closing "/>".
// $_SERVER['PHP_SELF'] reflects the request path, so it is escaped before use.
echo "<form method=\"post\" action=\"" . htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES) . "\">";
echo "<textarea cols=\"20\" rows=\"10\" name=\"sampleText\"></textarea>";
echo "<input type=\"submit\" name=\"btn\" value=\"test sample text\" />";
echo "</form>";
//
// Only read the submitted text once the form has actually been posted.
$text = isset($_POST['sampleText']) ? $_POST['sampleText'] : '';
//
// The label itself is escaped so "<pre>" shows up as text, not as a tag.
echo "Using &lt;pre&gt; tags and htmlentities<br />";
echo "<pre>" . stripslashes(htmlentities($text, ENT_QUOTES)) . "</pre>";
?>
The user input is displayed as 'sample code' without being parsed. I tried using the HTML tags <code></code> instead of <pre></pre>, but I want the 'code' entered to be displayed as the user enters it into the textarea. Is this a (relatively) secure method for allowing visitors to post code samples?
Re: Need critique on 'code samples' script
Posted: Wed Nov 25, 2009 8:48 am
by MichaelR
Perhaps this:
Code:
<form method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES); ?>">
<textarea cols="20" rows="10" name="sampleText"></textarea>
<input type="submit" name="btn" value="test sample text" />
</form>
<?php
if (isset($_POST['sampleText'])) {
    $text = stripslashes($_POST['sampleText']);
    // Turn the two tag delimiters into entities so the browser shows them as text.
    $text = str_replace('<', '&lt;', $text);
    $text = str_replace('>', '&gt;', $text);
    echo '<pre>' . $text . '</pre>';
}
?>
Re: Need critique on 'code samples' script
Posted: Wed Nov 25, 2009 10:27 am
by social_experiment
Code:
# <?php
#
# $text = stripslashes($_POST['sampleText']);
#
# $text = str_replace('<', '&lt;', $text);
# $text = str_replace('>', '&gt;', $text);
#
# echo '<pre>' . $text . '</pre>';
#
# ?>
It could work (I'll test it and get back), but what about if a malicious user were to attempt something such as:
Code:
<script type="text/javascript">
alert('Possible XXS');
</script>
Re: Need critique on 'code samples' script
Posted: Wed Nov 25, 2009 10:40 am
by social_experiment
Code:
<?php
// Entity-encode the two tag delimiters so the browser displays them as text.
$match_str   = array('<', '>');
$replace_str = array('&lt;', '&gt;');
$input    = isset($_POST['sampleText']) ? $_POST['sampleText'] : '';
$replaced = str_replace($match_str, $replace_str, $input);
echo stripslashes($replaced);
?>
I used your suggestion and it seems that it works just as good. Thanks for the critique.
Re: Need critique on 'code samples' script
Posted: Wed Nov 25, 2009 11:10 am
by MichaelR
My answer to any questions as to why use str_replace instead of htmlentities: the only problematic characters are < and >, and so only these really need changing. Changing everything is just superfluous.
To social_experiment: did your test answer your own question regarding the JavaScript? If not, the script will be output as text, not as code, because of the str_replace converting < and >.
Re: Need critique on 'code samples' script
Posted: Wed Nov 25, 2009 4:41 pm
by social_experiment
To social_experiment: did your test answer your own question regarding the JavaScript? If not, the script will be output as text, not as code, because of the str_replace converting < and >.
Yes, I found that the 'code' is displayed as text as it should; I can just echo that $replaced_text between <pre></pre> tags and would get the same result (I think).
Thanks for the critique.
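An added example, not code from the thread, that puts the two-character str_replace approach beside htmlspecialchars() on a few constructed inputs: both render the script-tag probe above as text, but the str_replace version corrupts a sample that itself contains entities and leaves quotes alone, which matters as soon as the escaped text is echoed into an attribute. The function names and sample strings are my own.

```php
<?php
// Added example, not from the thread: compare the "< and > only" rewrite
// with htmlspecialchars() on constructed inputs. Names are my own.
declare(strict_types=1);

// MichaelR's approach: rewrite only the two tag delimiters.
function escapeAngleBracketsOnly(string $text): string
{
    return str_replace(['<', '>'], ['&lt;', '&gt;'], $text);
}

// Full escaping for text and attribute context: & < > " and ' become entities.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs a visitor might paste as a "code sample".
$samples = [
    // The script-tag probe from the thread: both functions render it as text.
    'script tag'     => "<script>alert('x');</script>",
    // A sample that contains entities itself. The < > rewrite leaves it
    // untouched, so the browser decodes &lt; back to < and the sample is
    // no longer shown "as the user entered it".
    'entity in code' => 'echo "&lt;b&gt;bold&lt;/b&gt;";',
    // Quotes pass through the < > rewrite unchanged; that matters the moment
    // the escaped text is placed inside an attribute such as value="...".
    'quotes'         => 'title="x" data-y=\'z\'',
];

foreach ($samples as $label => $input) {
    printf("%-15s input            : %s\n", $label, $input);
    printf("%-15s < > only         : %s\n", '', escapeAngleBracketsOnly($input));
    printf("%-15s htmlspecialchars : %s\n\n", '', escapeForHtml($input));
}

// Self-check: decoding the escaped text must give the original back.
// That holds for htmlspecialchars() on every sample ...
foreach ($samples as $input) {
    assert(html_entity_decode(escapeForHtml($input), ENT_QUOTES, 'UTF-8') === $input);
}
// ... but not for the < > rewrite on the sample that already contains entities.
$lossy = escapeAngleBracketsOnly($samples['entity in code']);
assert(html_entity_decode($lossy, ENT_QUOTES, 'UTF-8') !== $samples['entity in code']);
echo "self-check passed\n";
```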
