security

On Tue, 24 Aug 2004 11:14:31 -0700, wj wrote:

Hi all,

Im trying to create a forum on my website. I use PHP and store the
messages in a mySQL dataqbase. Messages can be entered in a textarea.
What should i do to prevent that user enter code (javascript or php or
mysql or ...) that can be executed when i show a message with html? Is
it enough to use htmlspecialchar()?
Any tips?

strip_tags()

or use one of the many forum's already written.

wj wrote:

Hi all,

Im trying to create a forum on my website. I use PHP and store the
messages in a mySQL dataqbase. Messages can be entered in a textarea.
What should i do to prevent that user enter code (javascript or php or
mysql or ...) that can be executed when i show a message with html? Is
it enough to use htmlspecialchar()?
Any tips?

Thanx,
WJ

there are a number of recent posts regarding this. A google newsgroup search
should give you some pointers. **I** would also ensure that you can not be
hacked via "sql injection" - as search on these key words should give you more
than enough to make the appropriate decisions.

--
Michael Austin.
Consultant -Not Available.
Donations still welcomed. Http://www.firstdbasource.com/donations.html
:)

"wj" <wz*@jongnederland.nl> wrote in message
news:e8**************************@posting.google.c om...

Hi all,

Im trying to create a forum on my website. I use PHP and store the
messages in a mySQL dataqbase. Messages can be entered in a textarea.
What should i do to prevent that user enter code (javascript or php or
mysql or ...) that can be executed when i show a message with html? Is
it enough to use htmlspecialchar()?
Any tips?

Thanx,
WJ

Yes, using htmlspecialchars() will prevent Javascript from being inserted
into your pages. The trick is remembering to use it everywhere where
user-entered data appears. The danger is not just with text entered into a
textarea, but any text. I can disface your site just as effectively with
tags entered into a email field.