[PHP] security, receiving html from a form

2001-07-18 Thread Matt Greer

For my website I created an updating system in PHP, where my staff and I can
write articles that then get saved to the server, linked to, etc. I allowed
HTML to be passed from the form because a lot of the staff like to use HTML
tags in their articles, which I know is a security issue.

I know I could use HTMLSpecialChars() and then devise my own markup system,
which I will if I have no other alternative. But I was wondering if just
searching the article string for ?, ?, script, etc. and not writing
the file if they're found would suffice. That almost seems too simple
though.

Thanks,
Matt


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




Re: [PHP] security, receiving html from a form

2001-07-18 Thread Rasmus Lerdorf

> For my website I created an updating system in PHP, where my staff and I can
> write articles that then get saved to the server, linked to, etc. I allowed
> HTML to be passed from the form because a lot of the staff like to use HTML
> tags in their articles, which I know is a security issue.
>
> I know I could use HTMLSpecialChars() and then devise my own markup system,
> which I will if I have no other alternative. But I was wondering if just
> searching the article string for ?, ?, script, etc. and not writing
> the file if they're found would suffice. That almost seems too simple
> though.

You could also define a list of tags you allow and pass them to the
strip_tags() function.  See http://php.net/strip_tags

-Rasmus


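The following is an added example, not code posted by either participant in the thread. It puts Matt's idea (reject the article if a string such as "script" appears) next to Rasmus's suggestion (pass an allowed-tag list to strip_tags()), and adds the check a practitioner would want on top of strip_tags(): the function keeps every attribute on a tag it allows, so an event handler or a javascript: URL on an allowed tag survives. The tag and attribute allow-lists, the stripAttributes() helper and the sample submissions are all assumptions made for this example; strip_tags() is called with the string form of the tag list that PHP has always accepted.

```php
<?php
// Added example, not from the original thread. Compares a blocklist check
// with a strip_tags() allow-list, then strips attributes strip_tags() keeps.

// Blocklist approach from the question: reject when a needle appears anywhere.
function blocklistRejects(string $article): bool
{
    foreach (['script', 'javascript'] as $needle) {
        if (stripos($article, $needle) !== false) {
            return true;
        }
    }
    return false;
}

// Allow-list approach from the reply: only these tags survive (assumed list).
const ALLOWED_TAGS = '<p><b><i><a><ul><ol><li><br>';

function allowListStrip(string $article): string
{
    return strip_tags($article, ALLOWED_TAGS);
}

// strip_tags() leaves attributes on allowed tags untouched, so "onmouseover"
// or href="javascript:..." pass through. This helper (assumed for the example,
// not a PHP built-in) parses the result with DOMDocument, drops every attribute
// not on a per-tag allow-list, and only keeps http(s) links.
function stripAttributes(string $html): string
{
    $allowedAttrs = ['a' => ['href']];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // Wrap in a div so the fragment has one root to serialise from.
    $doc->loadHTML('<div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    foreach ($doc->getElementsByTagName('*') as $el) {
        $keep = $allowedAttrs[$el->tagName] ?? [];
        // Collect names first: removing while iterating the live map skips entries.
        $names = [];
        foreach ($el->attributes as $attr) {
            $names[] = $attr->name;
        }
        foreach ($names as $name) {
            $value = $el->getAttribute($name);
            if (!in_array($name, $keep, true)
                || ($name === 'href' && !preg_match('#^https?://#i', $value))) {
                $el->removeAttribute($name);
            }
        }
    }

    $wrapper = $doc->getElementsByTagName('div')->item(0);
    $out = '';
    foreach ($wrapper->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample submissions (not real articles).
$samples = [
    'plain'   => '<p>Release notes for <b>1.2</b></p>',
    'no-word' => '<p>Hi</p><img src=x onerror=alert(1)>',     // no "script" anywhere
    'attr'    => '<b onmouseover="alert(1)">hover</b>',        // allowed tag, bad attribute
    'href'    => '<a href="javascript:alert(1)">click</a>',    // allowed tag, bad URL
];

foreach ($samples as $name => $html) {
    $verdict = blocklistRejects($html) ? 'rejected' : 'accepted';
    $tagsOnly = allowListStrip($html);
    $clean = stripAttributes($tagsOnly);
    printf("%-8s blocklist: %-8s strip_tags: %-40s final: %s\n",
        $name, $verdict, $tagsOnly, $clean);
}
```

Run with `php example.php`. The "no-word" and "attr" samples show why the string search is not enough: neither contains "script", so the blocklist accepts both, while an img with an onerror handler and a b tag with an onmouseover handler are both live payloads. strip_tags() alone removes the img but keeps `<b onmouseover="alert(1)">` and `<a href="javascript:alert(1)">` intact; only the attribute pass reduces them to `<b>hover</b>` and `<a>click</a>`.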