How to: Make text inputs safe?

ocalhoun
On a new site I'm building, I have three types of text input forms:
1: Should allow plain text only, no code at all
2: Should allow basic HTML (specific tags), but no scripts
3: Should allow client-side scripts, but not server-side scripts

However, I'm not sure about how to do this in such a way as to make it truly secure.

How can I filter these fields out to make absolutely sure that users are not putting disallowed things in the text boxes?
It is very important, because some of the inputs will be used later in ways that could allow specially designed php code to execute, and some of them will be written to files, which somebody might try to execute.

Search key so I can find this later: GMSOVHOFMRM
BlueVD
escape, escape, escape. Or encode.
Either choice. Depending on how you want to store the data you can pick one of them. And if you're picky, make your own markup language (like bbcode). This way you'll sort out the allowed tags thingie.
There are lots of tutorials (see this one).
ocalhoun
^Well, that would help with #2, but I still need a way to make it secure, and a way to allow only client-side scripts...
zinitine
http://ca.php.net/manual/en/function.strip-tags.php

1: Only use the first parameter.
2: In the allowed tags array, put bold tags, italics, or whatever else you want to allow.
3: In the allowed tags array, allow the script tags, bold tags, italics, and anything else you want.

This function has always worked for me.
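The three modes from the original question, built on strip_tags() as suggested in this reply, as an added example (not code from the thread or from anyone in it). One caveat that the PHP manual states for strip_tags(): attributes on the tags you allow are left as they are, so mode 2 below removes attributes from the surviving tags in a second step. The function names plain_text, basic_html, client_script_html and drop_attributes are my own, and the sample inputs are constructed.

```php
<?php
// Added example, not code posted in the thread.
// Mode 1: plain text only. Encoding every '<', '>', '&' and quote as an
// entity means nothing in the string is ever parsed as markup or script.
function plain_text(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// strip_tags() keeps attributes on allowed tags (documented behaviour), so a
// permitted <b> could still carry style= or event-handler attributes. This
// keeps the tag name only. Closing tags start with '/' and do not match.
function drop_attributes(string $html): string {
    return preg_replace('/<([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/', '<$1>', $html);
}

// Mode 2: a fixed list of formatting tags, no attributes, no <script>.
function basic_html(string $s): string {
    $allowed = '<b><i><u><strong><em><p><br>';
    return drop_attributes(strip_tags($s, $allowed));
}

// Mode 3: client-side <script> is kept. PHP tags ("<?php ... ?>") are removed
// regardless of the allow list, because strip_tags() strips PHP tags as well
// as HTML tags. A text saved this way runs with the full rights of whoever
// views the page, so it is only suitable for content the site owner writes.
function client_script_html(string $s): string {
    $allowed = '<b><i><u><strong><em><p><br><script>';
    return strip_tags($s, $allowed);
}

// Constructed sample inputs showing what each mode does.
$samples = [
    'plain'  => 'Price < 5 & "cheap"',
    'styled' => '<b style="color:red">hi</b><script>var x = 1;</script>',
    'php'    => 'a<?php echo "server"; ?>b<script>var y = 2;</script>',
];

echo plain_text($samples['plain']), "\n";
// Price &lt; 5 &amp; &quot;cheap&quot;
echo basic_html($samples['styled']), "\n";
// <b>hi</b>var x = 1;   (tag kept, attribute dropped, script tags stripped)
echo client_script_html($samples['php']), "\n";
// ab<script>var y = 2;</script>   (PHP tags gone, script tags kept)
```

Note that strip_tags() is a tag filter, not an HTML parser: it drops the tags but keeps the text between them (the script body in mode 2 survives as plain text), and it does nothing for the "written to files, which somebody might try to execute" case in the question. For that case the effective control is where and how the file is stored: give it a non-executable extension and keep it outside any directory the web server will execute or include from.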
kv
You can use bbcode editors (like the ones used in forum software). There are free editors which check for scripts, non-allowed HTML, etc. Just Google and you will find several of them.
roboguyspacedude
You could also use the htmlspecialchars() function, which changes all < > & ' " into their HTML entity equivalents, so " would become &quot; etc.
http://ca.php.net/manual/en/function.htmlspecialchars.php
You could also use bbcode editors. For example:
Code:
<?php
function bbcode_format ($str) {
    // Encode < > & " first, so the only HTML that reaches the browser is what this function generates below
    $str = htmlspecialchars($str);
    $str = nl2br($str); // convert all line endings into <br />

    $simple_search = array(
        '/\[b\](.*?)\[\/b\]/is',
        '/\[i\](.*?)\[\/i\]/is',
        '/\[u\](.*?)\[\/u\]/is',
        '/\[url\=(.*?)\](.*?)\[\/url\]/is',
        '/\[url\](.*?)\[\/url\]/is',
        '/\[align\=(left|center|right)\](.*?)\[\/align\]/is',
        '/\[img\](.*?)\[\/img\]/is',
        '/\[mail\=(.*?)\](.*?)\[\/mail\]/is',
        '/\[mail\](.*?)\[\/mail\]/is',
        '/\[font\=(.*?)\](.*?)\[\/font\]/is',
        '/\[size\=(.*?)\](.*?)\[\/size\]/is',
        '/\[color\=(.*?)\](.*?)\[\/color\]/is',
    );

    $simple_replace = array(
        '<strong>$1</strong>',
        '<em>$1</em>',
        '<u>$1</u>',
        '<a href="$1">$2</a>',
        '<a href="$1">$1</a>',
        '<div style="text-align: $1;">$2</div>',
        '<center><a href="javascript:newpopup(\'$1\')"><img border="0" src="blog_script/resize_image.php?url=$1&type=1"></a><br><font style="font-size:10px; font-family:Tahoma;">Click Image to Enlarge (Pop-Up)</font></center>',
        '<a href="mailto:$1">$2</a>',
        '<a href="mailto:$1">$1</a>',
        '<span style="font-family: $1;">$2</span>',
        '<span style="font-size: $1;">$2</span>',
        '<span style="color: $1;">$2</span>',
    );

    // Do simple BBCodes (each search pattern maps to the replacement at the same index)
    $str = preg_replace($simple_search, $simple_replace, $str);

    // List tags have no captured text, so a plain str_replace is enough
    $search  = array("[list]", "[*]", "[/list]");
    $replace = array("<ul>", "<li>", "</ul>");
    $str = str_replace($search, $replace, $str);

    return $str;
}

// $str must hold the raw user input before the call; here it is read from a form field named 'text' (field name assumed)
$str = isset($_POST['text']) ? $_POST['text'] : '';
$str = bbcode_format($str);
?>
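The converter above copies the captured [url] and [img] target straight into an href or src attribute. Because htmlspecialchars() ran first, the quotes cannot break out of the attribute, but nothing checks what kind of link it is. The following is an added example (not the code posted above, and not from any project in the thread) of the same bbcode patterns written with preg_replace_callback(), where each target is parsed with parse_url() and only http/https links with a host are emitted; anything else is rendered as plain text. The function names safe_url and bbcode_links are mine, and the sample input is constructed.

```php
<?php
// Added example, not code posted in the thread.
// Returns an attribute-safe URL, or null when the target is not a plain
// http(s) link. $raw arrives already entity-encoded by htmlspecialchars(),
// so it is decoded for the check and re-encoded for output.
function safe_url(string $raw): ?string {
    $url   = html_entity_decode($raw, ENT_QUOTES, 'UTF-8');
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;   // relative, malformed, or scheme-only (no host) targets are refused
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;   // only web links are allowed as href/src values
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Same encode-then-convert order as the posted converter: the user's text is
// entity-encoded first, then the bbcode tags are turned into markup.
function bbcode_links(string $str): string {
    $str = htmlspecialchars($str, ENT_QUOTES, 'UTF-8');

    // [url=target]label[/url]
    $str = preg_replace_callback('/\[url\=(.*?)\](.*?)\[\/url\]/is', function ($m) {
        $u = safe_url($m[1]);
        return $u === null ? $m[2] : '<a href="' . $u . '">' . $m[2] . '</a>';
    }, $str);

    // [url]target[/url]
    $str = preg_replace_callback('/\[url\](.*?)\[\/url\]/is', function ($m) {
        $u = safe_url($m[1]);
        return $u === null ? $m[1] : '<a href="' . $u . '">' . $u . '</a>';
    }, $str);

    // [img]target[/img]
    $str = preg_replace_callback('/\[img\](.*?)\[\/img\]/is', function ($m) {
        $u = safe_url($m[1]);
        return $u === null ? $m[1] : '<img src="' . $u . '" alt="">';
    }, $str);

    return $str;
}

// Constructed sample input: one acceptable link, one relative path, one
// query string whose '&' must stay encoded inside the attribute.
$sample = '[url=http://example.com/page]site[/url] '
        . '[img]/local/pic.png[/img] '
        . '[url]https://example.com/?a=1&b=2[/url]';

echo bbcode_links($sample), "\n";
// <a href="http://example.com/page">site</a> /local/pic.png
// <a href="https://example.com/?a=1&amp;b=2">https://example.com/?a=1&amp;b=2</a>
```

The same callback shape fits the [font], [size] and [color] patterns in the posted code, where the captured value lands inside a style attribute: instead of parse_url(), check the value against a short allow list (a set of font names, a numeric size range, a hex colour pattern) and fall back to the plain text when it does not match.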
ocalhoun
zinitine wrote:
http://ca.php.net/manual/en/function.strip-tags.php

1: Only use the first parameter.
2: In the allowed tags array, put bold tags, italics, or whatever else you want to allow.
3: In the allowed tags array, allow the script tags, bold tags, italics, and anything else you want.

This function has always worked for me.

Looks like that should work... Thanks for the help!
If it doesn't work, I'll come back here and say so.
Oh, and question: does this function also get rid of php code? Even the '\'?