Forum Topic: Security question

(136 views • 4 replies)

This topic is 1 page long.


Loccie


Posted at: 5/7/09 08:36 AM


I just wrote a little BB coding system and I'm going to add security to it now. I wanted to know if removing 'javascript:' is enough. This should prevent JavaScript injections, right? SQL injections should be blocked already since I'm using prepared statements.



DFox


Posted at: 5/7/09 09:26 AM


Preventing "JavaScript" injections has nothing to do with removing javascript:. Just worry about turning brackets into entities (htmlentities()), that way a JavaScript tag can never be interpreted...



Deja-Vu


Posted at: 5/7/09 12:52 PM


Run the text through at least strip_tags() and htmlentities().


Loccie


Posted at: 5/7/09 01:10 PM


At 5/7/09 09:26 AM, DFox wrote: Preventing "JavaScript" injections has nothing to do with removing javascript:. Just worry about turning brackets into entities (htmlentities()), that way a JavaScript tag can never be interpreted...

I don't know what I was thinking, htmlentities() is so obvious. Thanks.

At 5/7/09 12:52 PM, Deja-Vu wrote: Run the text through at least strip_tags() and htmlentities().

I don't understand the need for strip_tags(). I mean, don't all the tags get converted by htmlentities() to normal text?



X8X


Posted at: 5/7/09 01:15 PM


At 5/7/09 01:10 PM, Loccie wrote: I don't understand the need for strip_tags(). I mean, don't all the tags get converted by htmlentities() to normal text?

Yes, they do. If you use htmlentities(), there's no need for strip_tags(). strip_tags() only removes stuff like <script> (which will then already be turned into normal text).

strip_tags() also makes it impossible for somebody to post code for other people to view, since the entire content between the tags will also be stripped.
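The approach DFox and X8X describe, escape the whole post with htmlentities() first and only then turn BBCode into HTML, as an added PHP example that is not code from any poster in this thread. The function name render_bbcode, the three supported tags and the sample posts are this example's own assumptions, and it goes one step beyond the thread by handling a [url=...] tag with an allowlist of http/https schemes, since a URL ends up inside an href attribute where bracket escaping alone does not decide what the browser will execute. The last lines contrast strip_tags() with htmlentities() on a post that contains a code sample, which is X8X's point about posted code no longer being viewable.

```php
<?php
// Added example for this thread, not code from any poster.
// render_bbcode(): escape everything with htmlentities() first, then translate
// a small, assumed set of BBCode tags into HTML on the already-escaped text.

function render_bbcode(string $input): string
{
    // 1. Neutralise all user-supplied markup: < > & " ' become entities,
    //    so a literal <script> tag can never reach the browser as a tag.
    $safe = htmlentities($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Translate BBCode. The brackets [ ] are untouched by htmlentities(),
    //    so the patterns still match, and $1 is already-escaped text.
    $safe = preg_replace('/\[code\](.*?)\[\/code\]/s', '<pre>$1</pre>', $safe);
    $safe = preg_replace('/\[b\](.*?)\[\/b\]/s', '<strong>$1</strong>', $safe);
    $safe = preg_replace('/\[i\](.*?)\[\/i\]/s', '<em>$1</em>', $safe);

    // 3. [url=...] places user data inside an href attribute. Only http(s)
    //    URLs become links; any other scheme (javascript:, data:, ...) is
    //    dropped and the visible link text is kept as plain text. This is
    //    the case the first post was asking about: an attribute value needs
    //    a scheme check, not a search for the string 'javascript:'.
    $safe = preg_replace_callback(
        '/\[url=([^\]]+)\](.*?)\[\/url\]/s',
        function (array $m): string {
            // The URL was entity-encoded in step 1: decode, check, re-encode.
            $href = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('#\Ahttps?://#i', $href)) {
                return $m[2];   // no link, keep the visible text
            }
            $href = htmlentities($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    return $safe;
}

// Constructed sample posts (not from the thread).
$post1 = "[b]Hello[/b], see [url=https://example.com/?a=1&b=2]this page[/url]";
$post2 = "[url=javascript:void(0)]click[/url] <img src=x>";
$post3 = "Try this: [code]<script>alert('hi')</script>[/code]";

// $post1 renders as bold text plus a real link with the & re-encoded as &amp;.
echo render_bbcode($post1), "\n";

// $post2 renders as the word "click" with no link, and the <img> shows as text.
echo render_bbcode($post2), "\n";

// strip_tags() removes the <script> and </script> tags from the posted sample,
// so readers no longer see the code the poster wanted to show.
echo strip_tags($post3), "\n";

// htmlentities() keeps the sample visible: the tags are displayed as text
// inside <pre>, and the browser never interprets them.
echo render_bbcode($post3), "\n";
```

The ordering matters: escaping before the BBCode translation means every `<` that reaches the output was written by the renderer, not by the poster. Run it with `php render_bbcode.php` (any file name) to compare the four outputs.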
