> -----Original message-----
> From: John W. Holmes [mailto:[EMAIL PROTECTED]
> Sent: Friday 21 November 2003 14:38
>
> Wouter van Vliet wrote:
> >John W. Holmes
> >>Troy S wrote:
> >>>What is the best way to remove the characters from strings that may
> >>>cause security problems? Namely, `, ', ", <, >, \ and all non-printing
> >>>strings. Did I miss any? Thanks.
> >>
> >>Why do you need to remove them? So I can't type <grin>? Is that a
> >>security violation? All you need to do is use htmlentities() and/or
> >>addslashes() to protect data being displayed or entered into a database.
> >>
> > If you're worried about HTML code being entered (guess from desire to strip
> > <, > and /) and messing up your site's layout, you might wanna call
> > strip_tags($String, $AllowedTags); where $AllowedTags is a string like
> > '<b><u><i>' if you want to allow bold, underline and italics.
>
> You could do this if you want to allow cross site scripting
> vulnerabilities on your site:
>
> Hello <b onmouseover="alert('hi');">you</b>.
>
> And prevent such evil text as "<grin>" or "<foo>"...
>
> --
Let's make this personal: what would be your answer if I were to advise the friendly person to do this:

<?php
(..)
# $Content holds the string that you would want to be safe

# Create an array with allowed tags
$Allowed = array('b', 'u', 'i', 'grin', 'foo');

# Compose var to send to strip_tags
$AllowedTags = '';
foreach ($Allowed as $Tag) $AllowedTags .= '<' . $Tag . '>';

# Strip tags
$Content = strip_tags($Content, $AllowedTags);

# Make tags SAFE: drop everything after the tag name inside any allowed tag.
# Case-insensitive (/i), since strip_tags keeps <B ...> just like <b ...>.
$Content = preg_replace('/<(' . implode('|', $Allowed) . ')([^>]+)>/i', '<$1>', $Content);
?>

Your turn !

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
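As an added example (my own code, not the code from the thread): the same allowlist idea turned around so that attributes never have to be matched at all. Everything is escaped with htmlspecialchars() first, and only the exact, attribute-free forms of the allowed tags are restored afterwards; the function name allow_plain_tags and the sample strings are assumptions for illustration.

```php
<?php
// Added example, not the original poster's code.
// Escape-first allowlist: every '<' becomes '&lt;', then only the exact
// strings <tag> and </tag> for allowed tags are turned back into markup.
// A tag carrying anything after its name (an attribute, an event handler,
// a newline) stays escaped and renders as visible text.
function allow_plain_tags(string $content, array $allowed): string
{
    // Step 1: neutralise every tag and entity; this is the safe default.
    $safe = htmlspecialchars($content, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: restore exact "<tag>" and "</tag>" (case-insensitive).
    // By construction these cannot carry attributes, so no onmouseover
    // or similar handler can survive this step.
    foreach ($allowed as $tag) {
        $q = preg_quote($tag, '/');
        $safe = preg_replace('/&lt;(\/?)(' . $q . ')&gt;/i', '<${1}${2}>', $safe);
    }
    return $safe;
}

// Constructed sample inputs, including the payload quoted in the thread.
$samples = [
    'Hello <b onmouseover="alert(\'hi\');">you</b>.',   // attribute stays escaped
    'Hello <B>you</B> <grin> <foo>',                     // plain allowed tags restored
    "Hello <b\nonclick=\"x()\">you</b>",                 // newline inside tag: escaped
    'a < b && "quoted" <i>text</i>',                     // stray < and quotes escaped
];
foreach ($samples as $s) {
    echo allow_plain_tags($s, ['b', 'u', 'i', 'grin', 'foo']), "\n";
}
```

Unbalanced tags such as a lone <b> can still affect layout, which is the original complaint; the point here is only that nothing with an attribute reaches the browser as markup.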