[PHP] Preventing users from inserting malicious HTML into comments

2006-11-06 Thread Dotan Cohen

I'm setting up a comments system on a site, with the comments stored
in a mysql database. To prevent sql-injection, I run
mysql_real_escape_string() on ingoing data. This should be enough to
protect the database (tell me if otherwise), but I'd like to prevent
people from posting Javascript and other malicious html. Basically,
I'd like the comments to be bbcode and text only, using this bbcode
parser:
http://il.php.net/manual/en/function.preg-replace.php#69398

How can I strip the remaining html, javascript, and whatnot from the
posts? If somebody has already invented this wheel, then I'd rather
not risk a security breach by trying to reinvent it myself.

Dotan Cohen

http://lyricslist.com/
http://song-lirics.com/

--

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



RE: [PHP] Preventing users from inserting malicious HTML into comments

2006-11-06 Thread Daevid Vincent
> -Original Message-
> From: Dotan Cohen [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 06, 2006 3:24 PM
>
> I'm setting up a comments system on a site, with the comments stored
> in a mysql database. To prevent sql-injection, I run
> mysql_real_escape_string() on ingoing data. This should be enough to
> protect the database (tell me if otherwise), but I'd like to prevent
> people from posting Javascript and other malicious html. Basically,
> I'd like the comments to be bbcode and text only, using this bbcode
> parser:
> http://il.php.net/manual/en/function.preg-replace.php#69398
>
> How can I strip the remaining html, javascript, and whatnot from the
> posts? If somebody has already invented this wheel, then I'd rather
> not risk a security breach by trying to reinvent it myself.

http://us2.php.net/manual/en/function.strip-tags.php
http://us2.php.net/manual/en/function.htmlspecialchars.php
http://us2.php.net/manual/en/function.str-replace.php

DÆVID 

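One defensive way to get "bbcode and text only", as an added example that is not code from either poster nor from the bbcode parser Dotan links: escape the whole comment with htmlspecialchars() first, then convert a small whitelist of bbcode tags back into fixed HTML. The render_comment() function and the sample posts are constructed for this illustration; it assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread: escape everything first, then
// re-enable a small bbcode whitelist. Assumes PHP 7 or later.

function render_comment(string $raw): string
{
    // 1. Neutralise every HTML-significant character. From here on the text
    //    cannot introduce a tag, an attribute or a script block on its own.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Translate whitelisted bbcode into fixed HTML. The patterns run on
    //    already-escaped text, so the only markup that can reach the output
    //    is the markup written literally in these replacement strings.
    $safe = preg_replace('~\[b\](.*?)\[/b\]~s', '<strong>$1</strong>', $safe);
    $safe = preg_replace('~\[i\](.*?)\[/i\]~s', '<em>$1</em>', $safe);

    // 3. Links: accept only http(s) URLs made of characters that survive
    //    escaping unchanged, so nothing can close the href attribute early.
    //    Any other scheme or character set stays as inert, escaped text.
    $safe = preg_replace_callback(
        '~\[url=(https?://[A-Za-z0-9./_?=%#-]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    return nl2br($safe);
}

// Constructed sample posts: one legitimate, three that try to smuggle markup.
$samples = [
    "Great [b]song[/b]!\nLyrics: [url=https://example.com/lyrics?id=42]here[/url]",
    '<script>alert(1)</script> still [i]shows[/i] as text',
    '[url=javascript:alert(1)]click[/url]',
    '[b]<img src=x onerror=alert(1)>[/b]',
];
foreach ($samples as $post) {
    echo render_comment($post), "\n\n";
}
```

Escaping first means the output can never contain markup that was not written literally into the replacement strings, which is a stronger guarantee than trying to enumerate and strip every bad tag after the fact.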