
Thread: safe users commenting

  1. #1

    Hi, I want to know how I need to change the forum script so that no one could enter some PHP or other code to damage my site (as an example, !error strings).
    My script:
    PHP Code:
    <?php

    //connect to the database
    $connect = mysql_connect("nnn","nnn","nnn") or die("Error connecting to db");
    //select table
    mysql_select_db("nnn") or die("Error selecting db");

    //use query to get ALL data
    $queryget = mysql_query("SELECT * FROM guestbook ORDER BY `date` DESC, `time` DESC") or die("Error with query");
    while ($row = mysql_fetch_array($queryget))
    {
        // get row data and store in variables
        $id = $row['id'];
        $name = $row['name'];
        $message = $row['message'];
        $date = $row['date'];
        $time = $row['time'];

        // show data to user ($name and $message are echoed exactly as stored)
        echo "
        <table>
            <tr>
                <td width='500px'>
                <font size='2' face='Showcard Gothic'>
                <hr>Autorius: <b>$name</b> <br> $date
                </b></font>
                </td>
            </tr>
            <tr>
                    <td width='500px' bgcolor='#5CB3FF'>
                    <font size='2' face='Showcard Gothic'><b>
                    $message<br><hr>
                    </b></font>
                    </td>
            </tr>
        </table>
        ";
    }

    echo "<hr>";

    if ($_POST['submit'])
    {
        $name = $_SESSION['nick'];
        $message = $_POST['message'];
        $date = date("Y-m-d");
        $time = date("H:i:s");

        if ($message)
        {
            $tag = $_POST['message']; // this is the posted message field, from the form
            $tag = str_replace(':|', '<img src="images/emoticons/blank.gif" alt="">', $tag);

            echo $tag; // echo the output, with emoticons showing.

            // all else is self-explanatory.
            // the values are placed straight into the SQL string, without escaping
            mysql_query("INSERT INTO guestbook (Name, Message, time, date)
                VALUES('$name', '$tag', '$time', '$date')") or die(mysql_error());
            echo "Please wait...<meta http-equiv='refresh' content='2'>";
        }
        else
            echo "Please fill out all fields!";
    }

    ?>
    I use tag to convert pictures; I also could use it to solve this problem, but I need a better idea, because I can't write all the error variables, etc... There always will be new code to break my webpage.

    If you need more info ASK. THANKS
    Last edited by auriaks; 11-14-2009 at 11:13 PM.

  2. #2

    Is there a strip tag thing to remove tags??

  3. #3

    You could use mysql_real_escape_string(), strip_tags(), htmlspecialchars(), and htmlentities() to take care of this.

    Hope this helps.
    "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristian Wilson, Nintendo, Inc, 1989
    TheUnlimitedHost | The Testing Site | Southern Utah Web Hosting and Design

  4. #4

    Remember to use the functions before the data is inserted into any database, especially mysql_real_escape_string, or your database is vulnerable to SQL injection.
    Jeremy | jfein.net
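    Putting the two answers above together, here is an added example (not code from the thread) of the INSERT and the display from post #1 with the input kept out of both the SQL and the HTML. It assumes an open mysqli connection in $db, an active session and the same guestbook table; in place of mysql_real_escape_string() it binds the values as parameters, so no escaping step is needed for the query.

```php
<?php
// Added example, not code from the thread. Rewrites the INSERT and the
// display from post #1 so visitor input is never parsed as SQL or as HTML.
// Assumes an open mysqli connection in $db, an active session, and the same
// guestbook table. In place of the mysql_real_escape_string() suggested
// above, values are bound as parameters, which needs no escaping at all.

function save_entry(mysqli $db, $name, $message)
{
    $stmt = $db->prepare(
        "INSERT INTO guestbook (Name, Message, time, date) VALUES (?, ?, ?, ?)"
    );
    if ($stmt === false) {
        return false;
    }
    $time = date("H:i:s");
    $date = date("Y-m-d");
    // "ssss": four string parameters; quotes or -- inside $message stay data
    $stmt->bind_param("ssss", $name, $message, $time, $date);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Encode for HTML at output time: < > & " ' become entities, so a stored
// <script> tag is displayed as text instead of being run by the browser.
function h($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function render_entry($name, $message, $date)
{
    // The emoticon replacement from post #1 runs AFTER encoding, so the
    // <img> tag added here is the only markup that reaches the page.
    $body = str_replace(':|', '<img src="images/emoticons/blank.gif" alt="">',
                        h($message));
    return "<hr>Autorius: <b>" . h($name) . "</b> <br> " . h($date)
         . "<br>" . $body . "<br><hr>";
}

if (isset($_POST['submit'], $_POST['message'], $_SESSION['nick'])) {
    $message = trim($_POST['message']);
    if ($message !== '') {
        save_entry($db, $_SESSION['nick'], $message);
    } else {
        echo "Please fill out all fields!";
    }
}
```

    Store the raw text and encode only when rendering; encoding before the INSERT would double-encode anything later shown through a different template.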

  5. #5

    ok. Thanks you guys

  6. #6

    You're welcome.

  7. #7

    Hey, when I want to check whether a variable is only a number, I write:
    PHP Code:
    if (!is_numeric($password)) { } else {
      exit("only numbers!");
    }
    What do I have to write to check if there are characters like .,/\|#$%^&!@)(_+? ?
    Last edited by auriaks; 11-11-2009 at 04:43 PM.

  8. #8

    For that you would want to use preg_match and regular expressions.

    Hope this helps.
    "Computer games don't affect kids; I mean if Pac-Man affected us as kids, we'd all be running around in darkened rooms, munching magic pills and listening to repetitive electronic music." - Kristian Wilson, Nintendo, Inc, 1989
    TheUnlimitedHost | The Testing Site | Southern Utah Web Hosting and Design
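    As an added example (not from the thread), this is how the preg_match check from the reply above looks for the question in post #7; the function names are made up for illustration. It also shows why is_numeric() alone is not a digits-only test.

```php
<?php
// Added example, not code from the thread. Checks for the question in post #7.
// is_numeric() accepts more than digits: "1e3", ".5", "-5" and " 12" (leading
// space) all pass, so an anchored regex is the safer test for "only numbers".

// Whole string must be one or more ASCII digits.
function is_digits_only($value)
{
    // ^ and $ anchor the pattern to the whole string; === 1 means a match
    return preg_match('/^[0-9]+$/', $value) === 1;
}

// Whitelist: state what IS allowed instead of listing every forbidden symbol.
// Here: letters, digits and underscore, 3 to 20 characters long.
function is_safe_nick($value)
{
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $value) === 1;
}

// Blacklist, answering the question as asked: true if any of the listed
// punctuation appears. Inside [...] these characters need no escaping except
// the backslash; ~ is used as the delimiter so the / needs none either.
function has_forbidden_chars($value)
{
    return preg_match('~[.,/\\\\|#$%^&!@)(_+?]~', $value) === 1;
}

// Usage with constructed sample values.
foreach (array("123456", "1e3", " 12", "abc") as $sample) {
    printf("%-8s is_numeric=%d digits_only=%d\n", $sample,
        is_numeric($sample), is_digits_only($sample));
}
foreach (array("auriaks", "a#b", "x", "good_nick") as $sample) {
    printf("%-10s safe_nick=%d forbidden=%d\n", $sample,
        is_safe_nick($sample), has_forbidden_chars($sample));
}
```

    A blacklist has to be extended every time a new troublesome character turns up, which is the problem post #1 describes; a whitelist does not.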

  9. #9

    When learning regular expressions, keep in mind it can get frustrating, and they are hard to learn (at least for me).
    Jeremy | jfein.net

  10. #10

    What will happen then? "Frustrating", what does that mean?
