May 5th, 2006, 07:23 AM
#1
Comments. Restrict userinput.
I have for a long time restricted a lot of input in my comments on my web page, just because I have never had time to get on top of what can be dangerous and what is not dangerous to allow to be added.
But I want to change this a bit. What should I be careful about? Are there any HTML tags I should not allow? What about JS, how can I prevent this? Just addslashes or what?
Thanks.
- ØØ -
-
May 5th, 2006, 07:40 AM
#2
Moderator
Re: Comments. Restrict userinput.
I found the best way is to just stop all HTML tags, and if you want the user to have some formatting then implement some kind of BB tags. It just means that they can't have javascript, or CSS, which will mess up the display of your site. To convert HTML to a friendly version look at htmlentities().
-
May 5th, 2006, 11:43 AM
#3
Re: Comments. Restrict userinput.
But if I want to implement vBulletin tags, and I use that function you showed me, wouldn't the vBulletin tags get converted then?
Wouldn't it be better to use strip_tags()??
-
May 5th, 2006, 02:18 PM
#4
Moderator
Re: Comments. Restrict userinput.
The BB tags would get converted to HTML, but any HTML that the user tried to display would be converted to &gt; &lt; etc. But yes, if you used strip_tags() it would remove the HTML before you parsed it with the BB code. It just depends if you want people to be able to post HTML so that it appears like on here.
-
May 6th, 2006, 01:09 AM
#5
Re: Comments. Restrict userinput.
I use htmlentities() and BB tags like John suggested. htmlentities() does not affect BB tags in any way.
If you decide to use regex's for it feel free to rip them from my parser (a bit messy, but works fairly well):
http://dev.penagate.spiralmindsinc.c...er/bbcode.phps
Ignore the [img] tags though.
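The approach described in the replies above (run htmlentities() over the whole comment first, then turn a small whitelist of BB tags into HTML), written out as an added PHP example; it is not code from the thread or from penagate's parser, and the function name, the tag set, the http(s)-only check on [url] and the sample comments are my own.

```php
<?php
// Added example, not from the thread: escape all HTML first, then translate a
// small whitelist of BB tags into HTML. Function name and tag set are my own.

function bb_to_html(string $raw): string
{
    // Step 1: neutralise every tag and attribute the user typed. ENT_QUOTES
    // also escapes ' and ", so nothing can break out of an attribute later.
    $safe = htmlentities($raw, ENT_QUOTES, 'UTF-8');

    // Step 2: BB tags use [ and ], which htmlentities() leaves untouched, so
    // they can still be matched and replaced after the escaping pass.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#si', '<strong>$1</strong>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#si', '<em>$1</em>', $safe);

    // [url=...] needs its own check: only http(s) targets become links,
    // because escaping alone does not stop a javascript: URL inside href.
    $safe = preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#si',
        function (array $m): string {
            $href = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('#^https?://#i', $href)) {
                return $m[2]; // drop the link, keep the visible text
            }
            $href = htmlentities($href, ENT_QUOTES, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    return $safe;
}

// Constructed sample comments: formatting should survive, markup should not.
$samples = [
    'Hello [b]world[/b], see [i]this[/i]',
    'Look: <script>alert(1)</script> and "quotes"',
    'Visit [url=http://example.com/?a=1&b=2]my site[/url]',
    '[url=javascript:alert(1)]click[/url]',
];
foreach ($samples as $s) {
    echo bb_to_html($s), "\n";
}
```

If you would rather drop user HTML entirely instead of showing it escaped, swap the htmlentities() call for strip_tags() as discussed above; the BB replacement step is unchanged either way.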
-
May 11th, 2006, 03:55 AM
#6
New Member
Re: Comments. Restrict userinput.
Originally Posted by penagate
I use htmlentities() and BB tags like John suggested. htmlentities() does not affect BB tags in any way.
If you decide to use regex's for it feel free to rip them from my parser (a bit messy, but works fairly well):
http://dev.penagate.spiralmindsinc.c...er/bbcode.phps
Ignore the [img] tags though.
Do you have a bookmark or resource that teaches string literals? The PHP manual has rather limited info and Google shows string literals for languages I've never even heard of... unless it's all the same?
-
May 11th, 2006, 04:12 AM
#7
Re: Comments. Restrict userinput.
I am not sure what you mean. A string literal is just a string that is hardcoded.
In PHP there are two types of string literal, those with single quotes and those with double quotes. Single-quoted literals are not parsed. Double quoted literals are parsed for escape sequences (\n, \0 etc.) and variables.
PHP Code:
$something = 5;
echo '$something'; // outputs $something
echo "$something"; // outputs 5
Is that what you were after?
-
May 11th, 2006, 04:50 AM
#8
New Member
Re: Comments. Restrict userinput.
Oh, um. I think I called it the wrong thing then? I mean this stuff in your example code:
([a-z0-9\+\-=\._\/\*\(\),@\'$:;&\!\?\~\#]*)
I'm reading it and I've got to the part... a-z lower case, 0-9, and then I'm lost. lol
-
May 11th, 2006, 04:54 AM
#9
Re: Comments. Restrict userinput.
Those are called regular expressions. You can learn them here:
regularexpressions.info
PHP can use both ereg and preg expressions. preg is the more common type. I don't know anything about ereg's.
-
May 11th, 2006, 06:06 AM
#10
New Member
Re: Comments. Restrict userinput.
Thanks! That's exactly what I'm looking for. ^_^
-
May 12th, 2006, 07:02 AM
#11
Re: Comments. Restrict userinput.
Originally Posted by john tindell
The BB tags would get converted to HTML, but any HTML that the user tried to display would be converted to &gt; &lt; etc. But yes, if you used strip_tags() it would remove the HTML before you parsed it with the BB code. It just depends if you want people to be able to post HTML so that it appears like on here.
Ahh.. I was thinking that the [ and ] would change into [ and ] too.. My head was probably spinning that day. Well, then I guess both can be used, with different results. Thanks.
Still I would be keen to hear about SQL injection and any other threats I might not know about..
- ØØ -
-
May 12th, 2006, 07:12 AM
#12
Moderator
Re: Comments. Restrict userinput.
Check out http://www.devarticles.com/c/a/MySQL...-Are-You-Safe/
[EDIT]
The code examples on that link are in ASP, but the principles they talk about are the same.