PHP - Could Someone Check Out My Little Bbcode For Security Issues
Hi all, if one of you has a little spare time I would love to hear what you find about the small code below. I combined some scattered stuff from around the internet and was hoping some guru could tell me if it's OK to output without any sneaky JavaScript getting inserted within the tags, or other nasty stuff.

It's a BBCode function that first trims the string, applies HTML entities, then converts newlines to breaks and finishes it off with a little BBCode at the end. I was hoping to find out whether this is secure enough to output text, in this case a POST var, but I am aiming for data from the database. Thanks in advance.

```php
<?php
// replace stuff
// bb function
function bbcode($data) {
    $input = array(
        '/\[b\](.*?)\[\/b\]/is',
        '/\[i\](.*?)\[\/i\]/is',
        '/\[u\](.*?)\[\/u\]/is',
        '/\[img\](.*?)\[\/img\]/is',
        '/\[url\](.*?)\[\/url\]/is',
        '/\[url\=(.*?)\](.*?)\[\/url\]/is'
    );
    $output = array(
        '<strong>$1</strong>',
        '<em>$1</em>',
        '<u>$1</u>',
        '<img src="$1" />',
        '<a href="$1">$1</a>',
        '<a href="$1">$2</a>'
    );
    $rtrn = preg_replace($input, $output, $data);
    return $rtrn;
}

//
if (isset($_POST['submit']) && !empty($_POST['textvar'])) {
    $error_message = '';
    $string = trim(htmlentities($_POST['textvar'], ENT_QUOTES));
    $clean = nl2br($string);
    $super_clean = bbcode($clean);
} else {
    $error_message = 'enter some text';
    $clean = '';
    $super_clean = '';
}
```

Similar Tutorials

Hello, I am using <?=$PHP_SELF?> in a search form so it will stay on the same page. I have been advised that there are security risks to using that, that it is susceptible to SQL injections and my database can be at risk. I have read about using the following code instead: htmlentities($_SERVER['PHP_SELF']). Is that more secure, or is there other code that is more secure? Also, could someone look at my database connection and see if there are any issues with it?

```php
<?php
$db_host = "localhost";
$db_user = "user";
$db_pass = "password";
$db_name = "database";

function db_connect() {
    global $db_host;
    global $db_user;
    global $db_pass;
    global $db_name;
    $connection = mysql_connect($db_host, $db_user, $db_pass);
    if (!(mysql_select_db($db_name, $connection))) {
        echo "Could not connect to the database";
    }
    return $connection;
}

// Connect to the database
db_connect();
?>
```

Thank you for any help you can provide.
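For the BBCode function in the opening post: htmlentities() stops quote-based attribute injection, but [url] and [img] still pass whatever the user typed straight into href/src, so a javascript: URL survives untouched. The following is an added example, not the poster's code, that keeps the same tag set but only lets http/https URLs into attributes (the helper names safe_url and bbcode_safe are my own):

```php
<?php
// Added example: BBCode rendering with URL validation. Only http/https URLs reach
// href/src; anything else is rendered as escaped text. Input is escaped once, up front.

function safe_url(string $raw): ?string {
    // Entities were applied before we got here, so undo them for validation.
    $url = html_entity_decode($raw, ENT_QUOTES, 'UTF-8');
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // rejects javascript:, data:, vbscript: and any other scheme
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

function bbcode_safe(string $raw): string {
    $text = nl2br(htmlspecialchars(trim($raw), ENT_QUOTES, 'UTF-8'));
    $text = preg_replace('/\[b\](.*?)\[\/b\]/is', '<strong>$1</strong>', $text);
    $text = preg_replace('/\[i\](.*?)\[\/i\]/is', '<em>$1</em>', $text);
    $text = preg_replace('/\[u\](.*?)\[\/u\]/is', '<u>$1</u>', $text);
    $text = preg_replace_callback('/\[img\](.*?)\[\/img\]/is', function (array $m): string {
        $u = safe_url($m[1]);
        return $u === null ? $m[1] : '<img src="' . $u . '" alt="" />';
    }, $text);
    // Handles both [url]target[/url] and [url=target]label[/url].
    $text = preg_replace_callback('/\[url(?:=(.*?))?\](.*?)\[\/url\]/is', function (array $m): string {
        $target = $m[1] !== '' ? $m[1] : $m[2];
        $u = safe_url($target);
        return $u === null ? $m[2] : '<a href="' . $u . '" rel="nofollow">' . $m[2] . '</a>';
    }, $text);
    return $text;
}

// Constructed inputs: one legitimate link, one that must come out as plain text.
$ok  = bbcode_safe("[url=https://example.org/?a=1&b=2]site[/url]");
$bad = bbcode_safe("[url=javascript:alert(1)]click[/url] <script>x</script>");
echo $ok, "\n";
echo $bad, "\n";
```

The second input renders as the bare word "click" followed by the escaped script tag, with no anchor element at all.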
```php
if ($ibforums->input['display1'] == "1"){
    //
}else{
    $std->Error2("You're being Nawty!");
}
```

OK, this works fine. If they submit anything other than "1" for that input it shows "You're being Nawty!", but I want it to be able to be anything besides 1 or 0, so I added

```php
if ($ibforums->input['display1'] == "0" OR "1"){
    //
}else{
    $std->Error2("You're being Nawty!");
}
```

and it still lets me submit anything... I only want my $ibforums->input['display1'] to accept 1 or 0 as an input! I don't want any hackers submitting other input values for this field! Any help?!

Hi Chaps, I'm about to start building a MySQL/PHP forum but would like to know what the best administration steps to take are. Basically it'll be open to members of a site to share info (like many forums out there), but obviously I don't want anybody to post either harmful content or offensive material. Can someone point me in the right direction, or give me a basic outline of what I have to look out for? Many thanks

Hi everybody!
I'm back with the never-ending security issues, just that this time it has to do with character-set-related security issues. I read the whole day on UTF-8 and am still lost on certain aspects related to PHP security.
Consider the simple script below:
```php
<?php
//error_reporting(E_ALL & ~E_NOTICE);
session_start();
if (isset($_POST['login'], $_POST['password'])) {
    $login = $_POST['login'];
    $password = $_POST['password'];
    if (!empty($login) && !empty($password)) {
        //echo "Ok";
        echo "Welcome " . $login;
        echo "<br> Your password is $password ";
    }
}
?>
<html>
<body>
<form action="welcome2.php" method="post">
Name: <input type="text" name="login" />
Password: <input type="password" name="password" />
<input type="submit" name="submit"/>
</form>
</body>
</html>
```

It is not a login script, but assuming that it was one, I would like to know, if UTF-8 was the charset selected for this script:
1. How could it be exploited to pass a string that would effectively break through this login? It would be great if someone could demonstrate the hack using the above script example.
2. Could the same be thwarted by the use of input filters?
3. I also read that using a regex to limit the use of special characters in passwords is not good. So in case the hack can be thwarted by the use of a regex, and that is a bad idea in the first place, what should be done?
There are a few more questions on my mind but I will only ask those once I am clear on the ones I have just asked. Thanks all.

Hello, I'm creating an application where a user can input their own CSS. The problem I'm having is understanding whether this will open security holes if...
1. The user's input is saved to a file called style.css
2. Each user is on their own sub-domain from my reseller hosting plan.
3. The style.css file will be included in the page code like so:

```html
<link type='text/css' rel='stylesheet' href='style.css' />
```

Any advice?

If I use code as follows, is this a safe way to take the value of the form?
```php
<html>
<head></head>
<body>
<form method='post'>
<input type='text' name='name' value='akli'>
<input type='submit' name ='view' value='view'>
</form>
</body>
</html>
<?php
extract($_POST);
if ($view) echo $name;
?>
```

Please help me.

I have made a classified website. It works and I am proud of it. But as far as securing it goes, I have done almost nothing and I am sure that if the site becomes popular it would be compromised with ease. So I have started reading the book 'Essential PHP Security' and am reading several articles on PHP security online, but am still unable to wrap my head around the whole security issue. Can someone help me? There are a lot of unfamiliar topics: filtering, escaping, validating, session hijacking etc., and it all goes over my head. It's a classified website; considering this, what should I concentrate on as far as security goes? BTW, what I have managed to do is use mysql_real_escape_string on every var going into a MySQL $query. Thanks

Hey, I need help with my BBCode function... I'm trying to allow it to embed YouTube videos but I'm kind of confused as to how I can do it when I need the link to be in the BBCode HTML output twice with my current method. Here is my function: http://www.paste.to/MzE3Mg== I could not post the script as it was messing up this site's BBCode. Can anyone help me please? Thanks

When posting a new message on my forum and it contains a URL, how do I automatically add the BBCode url tags to a URL in the message?

I'm trying to work on BBCode for a forum. I have this:

```php
<?php
$bb_Code = array(
    '[ code]' => '<code>',
    '[ /code]' => '</code>'
);
foreach ($bb_Code as $value => $replace) {
    $text = str_replace($value, $replace, $text);
}
?>
```

Question is... how would I get it so that when I insert information into the database it gets cleaned (strip_tags, etc.) but doesn't disturb what is in the [ code ] tags? So basically it makes the HTML, etc. in the [ code ] tags just plain text? Thanks in advance.
OK, bear with me if this sounds stupid. How do I get it so that BBCode can be added within a textarea tag? I'm assuming it is a lot of str_replace. Is there a tutorial on this somewhere?

Hello guys, I need help with my BBCoding... It's about a browser game, but I need someone who has some time to listen to me about how things work and then help me. Every time I put ":" when sending a message in-game I automatically get a smiley... but please, if anyone has time, let me know. Best Regards

```php
// Note: the unescaped "?" in "watch?v=" makes the preceding "h" optional, so the
// literal text "watch?v=" never matches; a literal question mark has to be written "\?".
$txt = preg_replace(
    "#\[yt\]http://www.youtube.com/watch?v=(.+?)\[/yt\]#is",
    '<embed src="http://www.youtube.com/v/\\1" type="application/x-shockwave-flash" wmode="transparent" width="512" height="313" allowfullscreen="true" />',
    $txt
);
```

Okay, this is my code just for inserting it into HTML. The problem is that whenever I try to use:

[yt]http://www.youtube.com/watch?v=l1G7TJD6Xu0[/yt]

on my form to enter it, it does not work. But if I use

```php
$txt = preg_replace(
    "#\[yt\](.+?)\[/yt\]#is",
    '<embed src="http://www.youtube.com/v/\\1" type="application/x-shockwave-flash" wmode="transparent" width="512" height="313" allowfullscreen="true" />',
    $txt
);
```

[yt]l1G7TJD6Xu0[/yt]

it works. But I want to use the full URL of the YouTube video, so I don't want my users to copy/paste just the "l1G7TJD6Xu0" code. Any help? Thank you

[b][i][u] test test test test test test test test test test test test test test test.
[/b][/i]/[u]

If I need to cut the first five words, the BBCode closing tags will be removed.

I am wanting to add a code tag to my BBCode list. Anything within this tag will be printed as is (like the HTML code). I have tried using htmlspecialchars() but it isn't printing the code. Here is the parser section for the tag:

```php
$patern = "#\[code = ([^\]]*)\]([^\[]*)\[/code\]#i";
// Note: htmlspecialchars('\\2') runs here, on the literal two-character string "\2",
// before preg_replace is ever called, so the captured body is never escaped.
$replace = "<table class=\"code\"> <tr> <th>\\1</th> </tr> <tr> <td>" . htmlspecialchars('\\2') . "</td> </tr> </table>";
$str = preg_replace($patern, $replace, $str);
```

Any ideas?

Hi there, this isn't really a BBCode parser problem, but it kind of is. And I am awful at explaining things, as you have noticed. The problem is that I'd like to allow input for the main page of a site. But the part has this structure:

```html
<div class='mainheader'>TITLE</div>
<div class='content'> The content of the webpage blabla</div>
```

I'd like this whole page to be changeable, so also the title and the content. But how can I ensure that people use the content div after the mainheader div? I would like it if it were possible that they only needed to 'select' the header; how can I do this? Thanks in advance!

I was wondering how I could make some BBCode for the messaging system I made for a website. I made some simple ones, like just replacing [ red ] with a font color etc. I want to know how to do something like this: [ url = http://google . ca] Google [ / url ] without the spaces. ~AJ
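For the two [code] tag questions in this thread (the "[ code]" str_replace version that wants strip_tags to leave code bodies alone, and the "[code = title]" parser whose htmlspecialchars('\\2') never fires), here is an added example, not code from either poster. It stores the raw post unchanged and does all escaping on output, lifting [code] blocks out before the other BBCode rules run; render_code_tag and render_post are my own helper names:

```php
<?php
// Added example (not from the thread): render [code] tags so their body is shown
// as plain text. htmlspecialchars('\\2') in a replacement string runs once, on the
// literal text "\2", before preg_replace ever sees it; the escaping has to happen
// inside a preg_replace_callback, at replacement time.

function render_code_tag(array $m): string {
    // $m[1] is the optional title from [code=...] or [code = ...], $m[2] the body.
    $title = htmlspecialchars(trim($m[1] ?? ''), ENT_QUOTES, 'UTF-8');
    $body  = htmlspecialchars($m[2], ENT_QUOTES, 'UTF-8');
    return '<table class="code"><tr><th>' . $title . '</th></tr>'
         . '<tr><td><pre>' . $body . '</pre></td></tr></table>';
}

function render_post(string $raw): string {
    // Store the raw post; nothing is stripped on the way into the database.
    // On output, lift [code] blocks out first so their contents are never
    // touched by the other BBCode rules, and stand in a random marker that
    // user text cannot predict.
    $mark   = bin2hex(random_bytes(8));
    $blocks = [];
    $text = preg_replace_callback(
        '#\[code(?:\s*=\s*([^\]]*))?\](.*?)\[/code\]#is',
        function (array $m) use (&$blocks, $mark): string {
            $blocks[] = render_code_tag($m);
            return '[[' . $mark . ':' . (count($blocks) - 1) . ']]';
        },
        $raw
    );
    $text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
    $text = preg_replace('/\[b\](.*?)\[\/b\]/is', '<strong>$1</strong>', $text);
    // Put the rendered code blocks back in place of their markers.
    return preg_replace_callback(
        '/\[\[' . $mark . ':(\d+)\]\]/',
        function (array $m) use ($blocks): string { return $blocks[(int) $m[1]]; },
        $text
    );
}

// Constructed post: HTML and BBCode inside [code] must come out as literal text.
$post = "[b]Look:[/b] [code = html]<b>bold</b> & [b]not bold[/b][/code]";
echo render_post($post), "\n";
```

The [b] outside the code block becomes a strong element, while the one inside is printed literally along with the escaped HTML.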