Bytes IT Community

Detect embedded php code?

Hi!

I don't think I have posted to this group before. Have been using PHP
on my webserver for a few months now and finding that I like it quite
a bit.

Here is a question that just occurred to me. I recently created a BBS
(Bulletin Board Service) on my website where I allow people to post
messages via a form. It just occurred to me that conceivably they
could embed php code in their message trying to 'hack' my site. So I
added the following check in my code to detect the case-insensitive
string '<?php' and if I find that I disallow the post.

// Check that there is no embedded php code in $msg

if (stristr($msg,'<?php'))
{
$embedded = TRUE;
}
else
{
$embedded = FALSE;
}
Do you think that is adequate? Is there any reason I should check for
embedded html? I really don't care if people embed hyperlinks, for
example.

Thanks in advance for your advice,

Lawrence Kennon
www.theNewAgeSite.com
Jul 17 '05 #1
2 Replies



On 2-Nov-2003, aq**********@yahoo.com (Aquarius2431) wrote:
> Here is a question that just occurred to me. I recently created a BBS
> (Bulletin Board Service) on my website where I allow people to post
> messages via a form. It just occurred to me that conceivably they
> could embed php code in their message trying to 'hack' my site. So I
> added the following check in my code to detect the case-insensitive
> string '<?php' and if I find that I disallow the post.
>
> // Check that there is no embedded php code in $msg
>
> if (stristr($msg,'<?php'))
> {
> $embedded = TRUE;
> }
> else
> {
> $embedded = FALSE;
> }
> Do you think that is adequate? Is there any reason I should check for
> embedded html? I really don't care if people embed hyperlinks, for
> example.


You don't need to check for embedded PHP code unless you are passing the
user data in some way to eval() or creating a .php file with it.

You do need to addslashes() before inserting user data in an sql statement
to avoid sql injection attacks.

It's a good idea to check for HTML otherwise users could insert bad html
that would affect your page or dirty pictures or whatever. What if someone
enters "</body></html>" or even "<b>" without the end tag. Check for the
tags you don't want to allow or better yet don't allow HTML tags but let the
users use a limited set of other tags. I did a quick google search and here
is a page with some alternative tags you might use:

http://www.velcom.com/support/tickettags.php


--
Tom Thackrey
www.creative-light.com
tom (at) creative (dash) light (dot) com
do NOT send email to ja*********@willglen.net (it's reserved for spammers)
Jul 17 '05 #2


"Aquarius2431" <aq**********@yahoo.com> wrote in message
news:c2**************************@posting.google.com...
> Hi!
>
> I don't think I have posted to this group before. Have been using PHP
> on my webserver for a few months now and finding that I like it quite
> a bit.
>
> Here is a question that just occurred to me. I recently created a BBS
> (Bulletin Board Service) on my website where I allow people to post
> messages via a form. It just occurred to me that conceivably they
> could embed php code in their message trying to 'hack' my site. So I
> added the following check in my code to detect the case-insensitive
> string '<?php' and if I find that I disallow the post.
>
> // Check that there is no embedded php code in $msg
>
> if (stristr($msg,'<?php'))
> {
> $embedded = TRUE;
> }
> else
> {
> $embedded = FALSE;
> }
> Do you think that is adequate? Is there any reason I should check for
> embedded html? I really don't care if people embed hyperlinks, for
> example.
>
> Thanks in advance for your advice,
>
> Lawrence Kennon
> www.theNewAgeSite.com


I can see your concern, though I'm uncertain how you would redisplay any
info/text input by a user. If you are really concerned, I would use
something like htmlentities() to translate any special characters...

Randell D.
Jul 17 '05 #3
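A worked version of what the two replies suggest (escape the whole message on output with htmlspecialchars/htmlentities, then re-enable only a small set of non-HTML tags), added here as an example and not code from either reply or the linked page; the [b], [i] and [url] tag names are an assumed set for illustration.

```php
<?php
// Added example: render a BBS post safely. Every HTML construct in the
// message ('<b>' without a closing tag, '</body></html>', '<?php') is
// turned into inert text first; only the bracket tags below become markup.
declare(strict_types=1);

function renderPost(string $msg): string
{
    // 1. Escape everything: '<', '>', '&', quotes become entities.
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Allow a limited set of tags; a closing tag is required, so an
    //    unclosed [b] stays as literal text instead of bleeding into the page.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#s', '<i>$1</i>', $safe);

    // 3. Links: only http/https, and the URL text was already escaped in
    //    step 1, so a quote in it cannot break out of the href attribute.
    $safe = preg_replace(
        '#\[url\](https?://[^\s\[\]<>"\']+)\[/url\]#i',
        '<a href="$1" rel="nofollow">$1</a>',
        $safe
    );

    return nl2br($safe);
}

// Constructed sample posts covering the cases raised in the thread.
$samples = [
    "Hi <b>everyone",                                  // unclosed tag
    "bye</body></html>",                               // tries to end the page
    "<?php echo 'x'; ?>",                              // the original worry
    "[b]bold[/b] and [url]http://example.com/?a=1&b=2[/url]",
];
foreach ($samples as $s) {
    echo renderPost($s), "\n";
}
```

Storing the post is not covered here; it should reach SQL through prepared statements (PDO or mysqli) rather than addslashes().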
