PHP - Safety
It is possible to use HTML in my input type, so I need the code to make it impossible to destroy the information in my database.
Similar Tutorials

Hi there, I've got this BBCode parser and I need to make sure NOTHING can go wrong by injection or anything, as it will affect a part of the main page of a site. I'm a little confused with what happens with code when it gets cleaned, so I'm not sure if it'll work like this. So there's a textarea, and the contents of that textarea should be put in a MySQL database. So I guess this will do:

Code:
    mysql_real_escape_string(htmlentities($string))

But how do 'enters' get put in a database? Because the parser code is:

Code:
    <?php
    function bbcode_format($str) {
        $str = htmlentities($str);
        $format_search = array(
            '#\[b\](.*?)\[/b\]#is',                                         // Bold ([b]text[/b])
            '#\[i\](.*?)\[/i\]#is',                                         // Italics ([i]text[/i])
            '#\[u\](.*?)\[/u\]#is',                                         // Underline ([u]text[/u])
            '#\[color=\#?([A-F0-9]{3}|[A-F0-9]{6})\](.*?)\[/color\]#is',    // Font color ([color=#00F]text[/color])
            '#\[url=((?:ftp|https?)://.*?)\](.*?)\[/url\]#i',              // Hyperlink with descriptive text ([url=http://url]text[/url])
            '#\[img\](https?://.*?\.(?:jpg|jpeg|gif|png|bmp))\[/img\]#i',  // Image ([img]http://url_to_image[/img])
            '#\[titel\](.*?)\[/titel\]#is',                                 // Title ([titel]text[/titel])
            '#\[inhoud\](.*?)\[/inhoud\]#is'                                // Content block ([inhoud]text[/inhoud])
        );
        $format_replace = array(
            '<strong>$1</strong>',
            '<em>$1</em>',
            '<span style="text-decoration: underline;">$1</span>',
            '<span style="color: #$1;">$2</span>',
            '<a href="$1">$2</a>',
            '<img src="$1" alt="" />',
            '<span class="mainheader">$1</span>',
            '<span class="inhoud">$1</span>'
        );
        $str = preg_replace($format_search, $format_replace, $str);
        $str = nl2br($str);
        return $str;
    }
    ?>

Also, is it safe to send all this information through ajax? How should it be 'cleaned' to pass through ajax and php without any trouble?

Thanks in advance,
arbitter

I have a file on my server that I will stream to the browser:

Code:
    header( "Content-Description: File Transfer" );
    header( "Content-Type: application/force-download" );
    header( "Content-Length: " . filesize( $filename ) );
    header( "Content-Disposition: attachment; filename=$filename" );
    readfile( $filename );

$filename is going to be in a location that's not publicly available (there's no URL to it, as it's on the server, and not within public_html or subdirectories). Any safety concerns here? Basically, I'm just curious if a user has any way to steal the file or otherwise access the directory. I don't think so, but I'm just tossing this out here as a general discussion. Thanks!
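The opening question (HTML typed into a form field must not damage the database) and arbitter's BBCode post both come down to the same point: escaping for SQL and escaping for HTML are two different jobs, done at two different moments. The example below is added here and is not code from either poster. It binds the raw text with a PDO prepared statement (so quotes, backslashes and newlines are data, never SQL syntax), keeps the "enters" as plain "\n" in the column, and only at render time applies htmlspecialchars followed by a BBCode pass whose [url] and [img] patterns accept http/https/ftp only. The `posts` table and the in-memory SQLite self-check are assumptions for the demonstration; the constructed input deliberately mixes a quote, a script tag and a javascript: pseudo-URL to show how each is handled. Text arriving via AJAX is just another HTTP request and goes through exactly the same path.

```php
<?php
// Added example, not the posters' code. Three concerns, kept apart:
//   1. SQL: bind raw text with a prepared statement.
//   2. HTML: encode at render time, then apply a fixed set of BBCode patterns.
//   3. Newlines: store "\n" untouched; nl2br() only when rendering.
// Assumes a table `posts` (id, body) -- hypothetical schema.
declare(strict_types=1);

function store_post(PDO $db, string $body): int
{
    // The bound parameter carries the text as data; nothing is escaped by hand.
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

function load_post(PDO $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['body'];
}

function render_post(string $body): string
{
    // Encode first: any raw HTML the user typed is now literal text.
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Then let only these patterns produce markup. The scheme is pinned to
    // ftp/http/https, so a "javascript:" URL never reaches href or src.
    $search = [
        '#\[b\](.*?)\[/b\]#is',
        '#\[url=((?:ftp|https?)://[^\s"\'<>\[\]]+)\](.*?)\[/url\]#i',
        '#\[img\](https?://[^\s"\'<>\[\]]+\.(?:jpe?g|gif|png))\[/img\]#i',
    ];
    $replace = [
        '<strong>$1</strong>',
        '<a href="$1" rel="nofollow">$2</a>',
        '<img src="$1" alt="" />',
    ];
    $html = preg_replace($search, $replace, $safe);
    return nl2br($html);
}

// Self-check with an in-memory SQLite database and a constructed input.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');

$input = "O'Brien says <script>alert(1)</script>\n"
       . "[b]bold[/b] [url=javascript:alert(1)]click[/url] [url=https://example.com/?a=1&b=2]ok[/url]";

$id = store_post($db, $input);
echo render_post(load_post($db, $id) ?? ''), "\n";
// The quote and the <script> tag come back encoded, the newline becomes <br />,
// [b] becomes <strong>, the javascript: tag stays as literal text, and the
// https link is emitted with its & encoded as &amp; inside the attribute.
```

Storing the raw text rather than an htmlentities() version keeps the database reusable for other outputs (JSON, e-mail, a future editor) and means a fix to the renderer fixes every stored post at once. If the user-visible form already performed encoding before saving, the same function would still work; it would just double-encode.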
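For the last post (streaming a file that lives outside public_html): readfile() itself does not give the browser a way into the directory, so the question is really how $filename is chosen. If any part of it is taken from the request (a name, an id mapped to a name), the value decides which file leaves the server, and a value carrying "../" or an absolute path points readfile() somewhere else. Two smaller points are visible in the snippet: the Content-Disposition value is unquoted, and if $filename contains the directory the suggested download name discloses it. The example below is added here and is not the poster's code; the base directory and the `file` request parameter are assumptions. It resolves the requested name against a fixed directory with realpath(), refuses anything that ends up outside it (symlinks included), and sends a quoted, newline-free file name.

```php
<?php
// Added example, not the poster's code. Serve one file from a directory that
// is outside the web root, and only that directory.
declare(strict_types=1);

// Hypothetical private directory, not under public_html.
const DOWNLOAD_DIR = '/srv/private_files';

/**
 * Resolve $name to an absolute path inside $baseDir.
 * Returns null when the name would escape the directory or the file is absent.
 */
function resolve_download(string $name, string $baseDir = DOWNLOAD_DIR): ?string
{
    // Keep only the last path component: "../x", "/etc/x" and "a/b" all reduce to a leaf.
    $leaf = basename($name);
    if ($leaf === '' || $leaf === '.' || $leaf === '..') {
        return null;
    }

    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $leaf);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // realpath() follows symlinks, so a link pointing outside the directory
    // fails this prefix check even though its name looked harmless.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function send_download(string $path): void
{
    // basename() keeps the directory out of the response; stripping CR, LF
    // and quotes keeps the name from breaking out of the header value.
    $clean = str_replace(["\r", "\n", '"'], '', basename($path));

    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . (string) filesize($path));
    header('Content-Disposition: attachment; filename="' . $clean . '"');
    readfile($path);
}

// Usage with a hypothetical request parameter.
$path = resolve_download($_GET['file'] ?? '');
if ($path === null) {
    http_response_code(404);   // same answer for "outside the directory" and "not there"
    exit;
}
send_download($path);
```

Returning the same 404 for a rejected name and a missing file avoids confirming which names exist. If the files are large, replacing readfile() with a loop over fopen()/fread() keeps memory use flat, but the containment check above is the part that matters for safety.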