Hi!,
I don't think I have posted to this group before. Have been using PHP
on my webserver for a few months now and finding that I like it quite
a bit.
Here is a question that just occurred to me. I recently created a BBS
(Bulletin Board Service) on my website where I allow people to post
messages via a form. It just occurred to me that conceivably they
could embed php code in their message trying to 'hack' my site. So I
added the following check in my code to detect the case-insensitive
string '<?php' and if I find that I disallow the post.

    // Check that there is no embedded php code in $msg
    if (stristr($msg,'<?php'))
    {
        $embedded = TRUE;
    }
    else
    {
        $embedded = FALSE;
    }

Do you think that is adequate? Is there any reason I should check for
embedded html? I really don't care if people embed hyperlinks, for
example.
Thanks in advance for your advice,
Lawrence Kennon
www.theNewAgeSite.com
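
An added example, not part of the original post: it runs the posted substring check over a few constructed messages and prints each one next to its output-encoded form. The function names and the sample messages are assumptions made for illustration; htmlspecialchars() and nl2br() are PHP built-ins.

```php
<?php
// Added example; function names and sample messages are constructed.

// The check from the post: flags only the literal substring '<?php'
// (case-insensitive). Every other kind of markup passes through.
function has_php_open_tag(string $msg): bool
{
    return stristr($msg, '<?php') !== false;
}

// Output encoding: convert HTML metacharacters to entities at display
// time, so whatever was posted is rendered as text and not as markup.
function render_message(string $msg): string
{
    $encoded = htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($encoded); // keep the poster's line breaks
}

// Constructed sample posts.
$samples = [
    'plain text'     => "Hello everyone,\nnice board!",
    'long php tag'   => '<?PHP echo "hi"; ?>',
    'short php tag'  => '<?= 1 + 1 ?>',
    'script element' => '<script>alert(1)</script>',
    'hyperlink'      => '<a href="http://example.com/">my site</a>',
];

foreach ($samples as $label => $msg) {
    printf(
        "%-15s flagged=%-3s rendered=%s\n",
        $label,
        has_php_open_tag($msg) ? 'yes' : 'no',
        render_message($msg)
    );
}
```

A message that is stored and later printed with echo is data to PHP and is executed only if it reaches eval() or include; the browser, however, parses any unencoded HTML in it, which is what the encoding step addresses.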