Thread: security question

  1. #1
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default security question

    Hi, just wondering if any malicious code can be entered into this code below. I really rather doubt it, but thought I might ask anyway.
    PHP Code:
    <?php
    // Read the three form fields, defaulting to '' on the first (unsubmitted) request
    // so no undefined-index notices are raised.
    $string = isset($_POST['data'])  ? $_POST['data']  : '';
    $word1  = isset($_POST['word1']) ? $_POST['word1'] : '';
    $word2  = isset($_POST['word2']) ? $_POST['word2'] : '';
    // Undo magic_quotes escaping on the raw input.
    $word1  = stripslashes($word1);
    $word2  = stripslashes($word2);
    $string = stripslashes($string);
    // Do the replacement on the unescaped text.
    $string = str_replace($word1, $word2, $string);
    // Encode everything that is echoed back into the page, including $string, so that
    // user input cannot close the textarea or the value="" attributes.
    $string = htmlentities($string, ENT_QUOTES);
    $word1  = htmlentities($word1, ENT_QUOTES);
    $word2  = htmlentities($word2, ENT_QUOTES);
    ?>
    <body style='background-color:tan;'>
    <form action="<?php echo htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES); ?>" method="POST">
    Enter text document here:
    <br>
    <textarea rows="40" cols="130" name="data"><?php echo $string; ?></textarea>
    <br><input type='text' size='75' name="word1" value="<?php echo $word1; ?>"> < -- Remove this
    <br><input type='text' size='75' name="word2" value="<?php echo $word2; ?>"> < -- and replace it with this
    <br><input type='submit' name="queryButton" value="Submit">
    </form></body>
    Last edited by james438; 03-14-2010 at 03:39 AM.
    To choose the lesser of two evils is still to choose evil. My personal site

  2. #2
    Join Date
    Apr 2008
    Location
    So.Cal
    Posts
    3,643
    Thanks
    63
    Thanked 516 Times in 502 Posts
    Blog Entries
    5

    Default

    Where is it going? If it's going to your DB you should apply mysql_real_escape_string(). If it's just going to be used as text/html, then it should be fine (I assume that's why you're using htmlentities, though keep in mind, htmlentities will leave the markup visible). If you want to actually strip HTML tags, try using strip_tags(). You can also define a whitelist of tags to allow (such as <b>, <i>, etc.).
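    The two output-handling options from this reply side by side, as an added example that is not code from the thread: encoding the text with htmlentities() so it can be echoed back into the textarea, versus strip_tags() with a whitelist. The function names and the sample document are constructed for the illustration.

```php
<?php
// Added example, not the thread's code. Compares the two approaches named in the
// reply for text that is echoed straight back into HTML and never hits a database.

// Option 1: keep the text verbatim but make it inert. '<', '>', '&' and quotes become
// entities, so the browser shows any markup as literal characters instead of parsing it.
function escapeForHtml($text)
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// Option 2: remove tags except a small whitelist of formatting tags.
// Caveat: strip_tags() keeps the attributes of the allowed tags and keeps the text
// inside removed tags, so this is a formatting filter, not a substitute for encoding.
function stripToWhitelist($text)
{
    return strip_tags($text, '<b><i><p>');
}

// How the form from the first post should echo the document back: encode at output
// time so the content cannot terminate the <textarea> element early.
function renderTextarea($text)
{
    return '<textarea rows="40" cols="130" name="data">'
         . escapeForHtml($text)
         . '</textarea>';
}

// Constructed sample document: allowed formatting, a closing textarea tag, and a
// script tag, i.e. the kind of input the question is worried about.
$sample = "Hello <b>world</b></textarea><script>alert(1)</script><i>done</i>";

// Every tag is shown as visible text; nothing is parsed as HTML.
echo escapeForHtml($sample), "\n";

// <b> and <i> survive, </textarea> and <script> are removed, but the text
// "alert(1)" that sat inside the script tag remains as plain text.
echo stripToWhitelist($sample), "\n";

// The full textarea as the page would emit it, with the document safely inside it.
echo renderTextarea($sample), "\n";
```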

  3. #3
    Join Date
    Jan 2007
    Location
    Davenport, Iowa
    Posts
    1,875
    Thanks
    92
    Thanked 97 Times in 95 Posts

    Default

    It's just for generic usage. It doesn't go to the database and if some random person wants to use it that's fine too.
