
Detect embedded php code?

Hi!

I don't think I have posted to this group before. Have been using PHP
on my webserver for a few months now and finding that I like it quite
a bit.

Here is a question that just occurred to me. I recently created a BBS
(Bulletin Board Service) on my website where I allow people to post
messages via a form. It just occurred to me that conceivably they
could embed php code in their message trying to 'hack' my site. So I
added the following check in my code to detect the case-insensitive
string '<?php' and if I find that I disallow the post.

// Check that there is no embedded php code in $msg
if (stristr($msg, '<?php')) {
    $embedded = TRUE;
} else {
    $embedded = FALSE;
}
Do you think that is adequate? Is there any reason I should check for
embedded html? I really don't care if people embed hyperlinks, for
example.

Thanks in advance for your advice,

Lawrence Kennon
www.theNewAgeSite.com
Jul 17 '05 #1

On 2-Nov-2003, aq**********@yahoo.com (Aquarius2431) wrote:
Here is a question that just occurred to me. I recently created a BBS
(Bulletin Board Service) on my website where I allow people to post
messages via a form. It just occurred to me that conceivably they
could embed php code in their message trying to 'hack' my site. So I
added the following check in my code to detect the case-insensitive
string '<?php' and if I find that I disallow the post.

// Check that there is no embedded php code in $msg
if (stristr($msg, '<?php')) {
    $embedded = TRUE;
} else {
    $embedded = FALSE;
}
Do you think that is adequate? Is there any reason I should check for
embedded html? I really don't care if people embed hyperlinks, for
example.


You don't need to check for embedded PHP code unless you are passing the
user data in some way to eval() or creating a .php file with it.

You do need to addslashes() before inserting user data in an sql statement
to avoid sql injection attacks.

It's a good idea to check for HTML; otherwise users could insert bad HTML
that would affect your page, or dirty pictures, or whatever. What if someone
enters "</body></html>" or even "<b>" without the end tag? Check for the
tags you don't want to allow, or better yet, don't allow HTML tags but let the
users use a limited set of other tags. I did a quick Google search and here
is a page with some alternative tags you might use:

http://www.velcom.com/support/tickettags.php


--
Tom Thackrey
www.creative-light.com
tom (at) creative (dash) light (dot) com
do NOT send email to ja*********@willglen.net (it's reserved for spammers)
Jul 17 '05 #2

"Aquarius2431" <aq**********@yahoo.com> wrote in message
news:c2**************************@posting.google.com...
Hi!

I don't think I have posted to this group before. Have been using PHP
on my webserver for a few months now and finding that I like it quite
a bit.

Here is a question that just occurred to me. I recently created a BBS
(Bulletin Board Service) on my website where I allow people to post
messages via a form. It just occurred to me that conceivably they
could embed php code in their message trying to 'hack' my site. So I
added the following check in my code to detect the case-insensitive
string '<?php' and if I find that I disallow the post.

// Check that there is no embedded php code in $msg
if (stristr($msg, '<?php')) {
    $embedded = TRUE;
} else {
    $embedded = FALSE;
}
Do you think that is adequate? Is there any reason I should check for
embedded html? I really don't care if people embed hyperlinks, for
example.

Thanks in advance for your advice,

Lawrence Kennon
www.theNewAgeSite.com


I can see your concern, though I'm uncertain how you would redisplay any
info/text input by a user. If you are really concerned, I would use
something like htmlentities() to translate any special characters...

Randell D.
Jul 17 '05 #3
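An added example (not code from anyone in this thread) that combines the two replies: escape the whole post on output, as Randell suggests, then re-enable only a small fixed set of alternative (BBCode-style) tags, as Tom suggests. It uses htmlspecialchars() rather than htmlentities() (either works for the special characters that matter here), and the function name render_post and the sample posts are my own constructions. It assumes the post body is stored as plain data and is never passed to eval() or written into a .php file, which is exactly why the '<?php' check in the question is not what protects the site.

```php
<?php
// Added example, not from the thread. Assumption: $msg is raw text from
// the post form, stored verbatim, and only goes through this function
// when displayed. It is never eval()'d or written to a .php file, so
// the literal text "<?php" inside it is harmless data.

function render_post(string $msg): string
{
    // 1. Escape every HTML-significant character first. Anything the
    //    user typed as a tag ("</body></html>", an unclosed "<b>",
    //    "<?php ...") is now shown literally, not interpreted.
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Re-enable only a whitelist of BBCode-style tags. Because the
    //    text is already escaped, these patterns can only ever emit
    //    the exact HTML written on the right-hand side.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $safe);
    $safe = preg_replace('#\[i\](.*?)\[/i\]#s', '<i>$1</i>', $safe);

    // 3. Links: accept http(s) URLs only; the character class rejects
    //    whitespace and brackets so the href attribute cannot be broken.
    //    Quotes were already turned into entities in step 1.
    $safe = preg_replace_callback(
        '#\[url=(https?://[^\s\[\]"\'<>]+)\](.*?)\[/url\]#s',
        function (array $m): string {
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );
    return $safe;
}

// Constructed sample posts covering the cases raised in the thread.
$samples = [
    'Hello <?php echo 1; ?> world',              // displayed as text
    'Oops </body></html> <b>unclosed',           // cannot alter the page
    'See [url=http://example.com]this[/url] and [b]read[/b]',
    '[url=ftp://example.com]nope[/url]',         // wrong scheme: left literal
];
foreach ($samples as $s) {
    echo render_post($s), "\n";
}
```

Storing the post is a separate step not shown here; if it goes into SQL, I would bind it as a parameter of a prepared statement rather than rely on addslashes().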
