Preventing users from inserting malicious HTML into comments
- From: dotancohen@xxxxxxxxx ("Dotan Cohen")
- Date: Tue, 7 Nov 2006 01:24:22 +0200
I'm setting up a comments system on a site, with the comments stored
in a MySQL database. To prevent SQL injection, I run
mysql_real_escape_string() on incoming data. This should be enough to
protect the database (tell me if otherwise), but I'd like to prevent
people from posting JavaScript and other malicious HTML. Basically,
I'd like the comments to be BBCode and text only, using this BBCode
parser:
http://il.php.net/manual/en/function.preg-replace.php#69398
How can I strip the remaining HTML, JavaScript, and whatnot from the
posts? If somebody has already invented this wheel, then I'd rather
not risk a security breach by trying to reinvent it myself.
Dotan Cohen
http://lyricslist.com/
http://song-lirics.com/
--
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
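The approach the question is circling around, written out as an added example (this is not code from the thread, nor the linked BBCode parser): escape every character that could form HTML first, then let a fixed BBCode translator re-introduce only the tags it generates itself. The function name `render_comment`, the chosen tag set ([b], [i], [code], [url=...]) and the sample inputs are assumptions made here for illustration.

```php
<?php
// Added example (not from the original thread): render an untrusted comment
// as BBCode-only HTML. Strategy: escape EVERYTHING first, then re-introduce a
// small whitelist of tags produced by the BBCode translator itself, so no
// user-supplied angle brackets or attributes ever reach the browser unescaped.

function render_comment(string $raw): string
{
    // Step 1: neutralise all HTML. After this, '<', '>', '"', "'" and '&'
    // cannot form tags or attributes regardless of what the user typed.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: translate a fixed set of BBCode tags into fixed HTML. The
    // replacement strings contain only markup written here; the captured
    // text between the tags is already escaped and is reused verbatim.
    $patterns = [
        '/\[b\](.*?)\[\/b\]/is'       => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/is'       => '<em>$1</em>',
        '/\[code\](.*?)\[\/code\]/is' => '<code>$1</code>',
    ];
    $safe = preg_replace(array_keys($patterns), array_values($patterns), $safe);

    // Step 3: links need an attribute value, so validate the target instead
    // of copying it: only absolute http(s) URLs are accepted, which rules out
    // javascript:, data: and similar schemes. Invalid links degrade to text.
    $safe = preg_replace_callback(
        '/\[url=([^\]\s]+)\](.*?)\[\/url\]/is',
        function (array $m): string {
            // Undo step 1 on the URL so '&amp;' becomes '&' before validation.
            $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (filter_var($href, FILTER_VALIDATE_URL) === false
                || !preg_match('#^https?://#i', $href)) {
                return $m[2]; // drop the link, keep the (escaped) link text
            }
            // Re-escape for attribute context before emitting.
            return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8')
                . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    // Step 4: preserve line breaks without letting the user supply <br>.
    return nl2br($safe, false);
}

// Constructed sample inputs exercising the cases that matter.
$samples = [
    'Hello [b]world[/b]',
    '<script>alert(1)</script> [i]still plain text[/i]',
    '[url=javascript:alert(1)]click[/url]',
    '[url=http://example.com/?a=1&b=2]ok[/url]',
    '[b]unclosed <img src=x onerror=alert(1)>',
];
foreach ($samples as $s) {
    echo render_comment($s), "\n";
}
```

The order matters: escaping before translating means the regexes only ever see entity-encoded text, so a user cannot smuggle a raw `<` or a quote into the generated markup, and unmatched or malformed BBCode simply stays as visible text. This output-side escaping is independent of the SQL escaping the post already applies on the way into the database; both are needed, each for its own context.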