Before you post your form into a MySQL database, you can disable HTML using the following functions:

$iPost = @$_POST['post'];
$iPost = htmlspecialchars($iPost);
$iPost = nl2br($iPost);

That way it parses line breaks, but turns stuff like > into &gt;
Last Edit: Mar 7, 2006 13:17:53 GMT by Llanilek
Or: htmlentities($_POST['post'], ENT_QUOTES);
Adding an "addslashes" function with it is also a good idea; all of this is usually to prevent MySQL injection attacks. There is also mysql_real_escape_string, but that can only be used when a MySQL connection has been established.
Yeah... SQL injection sucks... really badly... thanks for pointing those things out, CJ.
That is what I had to use for my shoutboxes.
Further Solutions :: Hosting :: Scripts :: Templates furthersolutions.com
v4 Studios - Coming soon
Another quick tip is to use all of them, but make it into your own function... something like this:

<?php
function keepSafe($iPost) {
    $iPost = htmlspecialchars($iPost);         // encode HTML special chars in the string
    $iPost = addslashes($iPost);               // escape all unescaped quotes
    $iPost = mysql_real_escape_string($iPost); // optional if you don't use addslashes
    $iPost = nl2br($iPost);                    // turn line breaks into <br />
    return $iPost;
}
?>

Simple security checks like this can stop holes appearing in your scripts. I always try to encourage good coding practices when it comes to security... check, double and triple check your scripts before you upload them to a live server... if needed, find a CEH (Certified Ethical Hacker) or "White Hat" to check through your script, if you know someone you trust to do this.
Last Edit: Aug 29, 2006 15:50:32 GMT by Llanilek
Bad idea. addslashes and mysql_real_escape_string don't mix. Also, I think you forgot the return....
"Bad idea. addslashes and mysql_real_escape_string don't mix. Also, I think you forgot the return...."

...which is why I didn't add the comment for real escape... it is optional. As for the return... well spotted *adds*
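An added worked example, not code from anyone in this thread, illustrating the two points argued above: what happens to a stored value when addslashes and mysql_real_escape_string are chained as in the keepSafe() function, and how a prepared statement sidesteps SQL escaping of the value entirely so that only the HTML escaping (htmlspecialchars + nl2br, applied at display time) remains. It assumes the PDO extension with the SQLite driver is available so it runs offline; a MySQL DSN behaves the same. Because mysql_real_escape_string needs a live MySQL connection (and was removed in PHP 7), addslashes is applied twice as a stand-in for the chained pair, since both functions escape the same quote characters. The $post value is a constructed sample.

```php
<?php
// Added example (not from the thread). Demonstrates:
//  (1) double escaping from chaining addslashes() + mysql_real_escape_string()
//  (2) a prepared statement, where the value never enters the SQL text
//  (3) HTML escaping applied once, at output time, to the raw stored value
// Assumes PDO with the sqlite driver; the DSN is the only MySQL-specific part.

declare(strict_types=1);

// Constructed sample shoutbox post: a quote, an HTML tag, a newline and a
// classic injection fragment.
$post = "I'm <b>not</b> bold\nand 1 OR '1'='1";

// (1) Double escaping. mysql_real_escape_string() escapes the same characters
// (' " \ NUL) as addslashes(), so chaining them makes MySQL store "I\'m"
// instead of "I'm". Second addslashes() stands in for mysql_real_escape_string(),
// which needs a live connection and no longer exists in PHP 7+.
function escapeOnce(string $s): string  { return addslashes($s); }
function escapeTwice(string $s): string { return addslashes(addslashes($s)); }

printf("once:  %s\n", escapeOnce($post));  // I\'m ...   -> stored as I'm
printf("twice: %s\n", escapeTwice($post)); // I\\\'m ... -> stored as I\'m

// (2) Prepared statement. The user value is sent as a parameter, so no escaping
// of the value is needed and what comes back out is byte-for-byte what went in.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE shouts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

$insert = $db->prepare('INSERT INTO shouts (body) VALUES (:body)');
$insert->execute([':body' => $post]);

$stored = $db->query('SELECT body FROM shouts')->fetchColumn();
assert($stored === $post);

// Contrast: concatenating the same raw value into the SQL text breaks the
// statement at the first quote. Caught here only to show what the failure
// mode looks like; with attacker-chosen input this is the injection point.
try {
    $db->exec("INSERT INTO shouts (body) VALUES ('$post')");
} catch (PDOException $e) {
    echo "raw concatenation failed: ", $e->getMessage(), "\n";
}

// (3) HTML escaping belongs at output time, on the raw stored value. Storing
// the escaped form (as keepSafe() does) bakes every layer of escaping into the
// database and hands pre-encoded HTML to any non-HTML consumer of the data.
function renderShout(string $body): string
{
    // ENT_QUOTES so single quotes are encoded too; nl2br runs after escaping
    // so the <br /> it inserts is the only markup in the result.
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_HTML401, 'UTF-8'));
}

echo renderShout($stored), "\n";
// I&#039;m &lt;b&gt;not&lt;/b&gt; bold<br />
// and 1 OR &#039;1&#039;=&#039;1
```

Run it with `php example.php`. The first two lines show why the keepSafe() chain is a problem even though it "works": every apostrophe a user types comes back out of MySQL with a stray backslash. The prepared statement stores the exact input, and the single htmlspecialchars call at render time is what actually stops the `<b>` tag from being interpreted by the browser.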