• # June 6, 2012 at 8:46 am

    hi !
    I want to protect my comment box … I mean if any user can use the html codes in his comment … but i want to protect this box … if he use bad words … like get cookies or information of database or somthing like this … i wish if anybody have any function to do this work to help me.
    i’m sorry about my english, it’s not well :(

    # June 6, 2012 at 11:34 am

    This reply has been reported for inappropriate content.

    do you want to allow certain html content (e.g., the way css-tricks does)? If so, you’ll need to use regular expressions to find “allowable” tags, while stripping the others. You should use a whitelist approach to this. Keep in mind, however, that it can be difficult to implement completely and correctly.

    If you don’t want any html at all (usually, you don’t really need it – you can offer other methods to allow formatting, like BBCode, Markdown, or a WYSIWYG editor), then just use strip_tags() on every form submission.

    To filter “bad words,” you’d need to first make a list of the words you don’t want, and then compare the submission to each word on the list. This is also difficult, and prone to mistakes: for example:

    you might put the word “a**” on your “bad words” list, but if you’re not careful, you’ll end up blocking words like “assign” or “assume” as well.

    likewise, your visitors can usually circumvent the check by simply misspelling the “bad” word (leaving out vowels, etc.). A better solution is to moderate your content – post rules about what you allow people to post, and then visit your site regularly to remove offensive comments, or even ban specific users if need be.

    regarding the security issue:

    if you disallow javascript (including “onclick” attributes in html tags), then you should be mostly safe from client-side attacks.

    As for your database, you shouldn’t be allowing a user form submission to do anything that could possibly affect your database like that. Some key points to remember:

    1. ALWAYS SANITIZE USER INPUT. This means you must never,never,never use user input directly in an SQL query. If you do anything like SELECT col FROM table WHERE field='{$_POST}', then you are wide-open to attacks – but you’ll probably break something simply by accident first.

    2. READ RULE #1 AGAIN.

    3. ALWAYS VALIDATE USER INPUT. Make sure that the info the submitted is the info your script expects. If you’re expecting a number, throw away submissions that use letters and symbols.

    4. VALIDATE THE USER AND THE FORM ITSELF. If a user is not logged in, they should not be allowed to do logged-in things. The simple fact that the form is “only shown on logged-in pages” means absolutely nothing. Likewise, you should NEVER accept a form submission when you didn’t just give someone a form. Sessions are a good way to track this.

    You might read this for more insights.

    # June 6, 2012 at 6:11 pm

    I understand you … I use the bbcode and this is my security function

    public function post($post,$type=false) {
    $post = stripslashes($post);
    $post = mysql_real_escape_string($post);
    $post = trim($post);
    $post = ($type==false?strip_tags($post):htmlspecialchars($post));
    return $post;

    in comment box i’m doing


    and on each other i’m doing


    this is true ?

Viewing 3 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic.