
Detect embedded php code?

Hi!

I don't think I have posted to this group before. Have been using PHP
on my webserver for a few months now and finding that I like it quite
a bit.

Here is a question that just occurred to me. I recently created a BBS
(Bulletin Board Service) on my website where I allow people to post
messages via a form. It just occurred to me that conceivably they
could embed php code in their message trying to 'hack' my site. So I
added the following check in my code to detect the case-insensitive
string '<?php' and if I find that I disallow the post.

// Check that there is no embedded php code in $msg

if (stristr($msg,'<?php'))
{
$embedded = TRUE;
}
else
{
$embedded = FALSE;
}
Do you think that is adequate? Is there any reason I should check for
embedded html? I really don't care if people embed hyperlinks, for
example.

Thanks in advance for your advice,

Lawrence Kennon
www.theNewAgeSite.com
Jul 17 '05 #1

On 2-Nov-2003, aq**********@yahoo.com (Aquarius2431) wrote:
> Here is a question that just occurred to me. I recently created a BBS
> (Bulletin Board Service) on my website where I allow people to post
> messages via a form. It just occurred to me that conceivably they
> could embed php code in their message trying to 'hack' my site. So I
> added the following check in my code to detect the case-insensitive
> string '<?php' and if I find that I disallow the post.
>
> // Check that there is no embedded php code in $msg
>
> if (stristr($msg,'<?php'))
> {
> $embedded = TRUE;
> }
> else
> {
> $embedded = FALSE;
> }
> Do you think that is adequate? Is there any reason I should check for
> embedded html? I really don't care if people embed hyperlinks, for
> example.


You don't need to check for embedded PHP code unless you are passing the
user data in some way to eval() or creating a .php file with it.

You do need to addslashes() before inserting user data in an SQL statement
to avoid SQL injection attacks.

It's a good idea to check for HTML otherwise users could insert bad html
that would affect your page or dirty pictures or whatever. What if someone
enters "</body></html>" or even "<b>" without the end tag. Check for the
tags you don't want to allow or better yet don't allow HTML tags but let the
users use a limited set of other tags. I did a quick Google search and here
is a page with some alternative tags you might use:

http://www.velcom.com/support/tickettags.php


--
Tom Thackrey
www.creative-light.com
tom (at) creative (dash) light (dot) com
do NOT send email to ja*********@willglen.net (it's reserved for spammers)
Jul 17 '05 #2
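The reply above makes the key point: text that is stored and echoed back is never executed, so the only places a post can do harm are the SQL statement it goes into and the page it is later rendered into. The following block is an added example, not code from the thread, that covers the storage side. The reply recommends addslashes(); this example swaps in a PDO prepared statement, which binds the message as a parameter instead of splicing it into the query text. The SQLite in-memory database, the `posts` table and its columns are assumptions made so the block runs on its own.

```php
<?php
// Added example (not from the thread). A BBS post is inserted with a bound
// parameter, so quotes, semicolons or a '<?php' open tag inside it are stored
// as plain text and never parsed as SQL or run as PHP. The in-memory SQLite
// database and the table layout are assumptions for a self-contained demo.
declare(strict_types=1);

function open_bbs(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT NOT NULL, msg TEXT NOT NULL)');
    return $db;
}

// Prepared statement (swapped in for the addslashes() suggestion): the
// message travels to the database as data, not as part of the query string.
function store_post(PDO $db, string $author, string $msg): int
{
    if ($msg === '' || strlen($msg) > 10000) {
        throw new InvalidArgumentException('message empty or too long');
    }
    $stmt = $db->prepare('INSERT INTO posts (author, msg) VALUES (:author, :msg)');
    $stmt->execute([':author' => $author, ':msg' => $msg]);
    return (int) $db->lastInsertId();
}

function count_posts(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM posts')->fetchColumn();
}

// Constructed sample posts: one ordinary, one full of quote characters that
// would break a query built by string concatenation, one containing a PHP tag.
$db = open_bbs();
store_post($db, 'lawrence', 'Hello, everyone!');
store_post($db, 'mallory', "It's tricky: quotes ' and \" and ; all at once");
store_post($db, 'curious', "<?php echo 'does this run?'; ?>");

printf("posts stored: %d\n", count_posts($db));
foreach ($db->query('SELECT author, msg FROM posts') as $row) {
    // Each message comes back exactly as typed; nothing was evaluated.
    printf("%-9s %s\n", $row['author'], $row['msg']);
}
```

The third post demonstrates the reply's first point directly: the `<?php` string sits in the database as ordinary text, and on the way out it is just a string to be escaped, which is the rendering side handled separately.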

"Aquarius2431" <aq**********@yahoo.com> wrote in message
news:c2**************************@posting.google.com...
> Hi!
>
> I don't think I have posted to this group before. Have been using PHP
> on my webserver for a few months now and finding that I like it quite
> a bit.
>
> Here is a question that just occurred to me. I recently created a BBS
> (Bulletin Board Service) on my website where I allow people to post
> messages via a form. It just occurred to me that conceivably they
> could embed php code in their message trying to 'hack' my site. So I
> added the following check in my code to detect the case-insensitive
> string '<?php' and if I find that I disallow the post.
>
> // Check that there is no embedded php code in $msg
>
> if (stristr($msg,'<?php'))
> {
> $embedded = TRUE;
> }
> else
> {
> $embedded = FALSE;
> }
> Do you think that is adequate? Is there any reason I should check for
> embedded html? I really don't care if people embed hyperlinks, for
> example.
>
> Thanks in advance for your advice,
>
> Lawrence Kennon
> www.theNewAgeSite.com


I can see your concern, though I'm uncertain how you would redisplay any
info/text input by a user. If you are really concerned, I would use
something like htmlentities() to translate any special characters...

Randell D.
Jul 17 '05 #3
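Both replies converge on the output side: escape everything the user typed (the htmlentities() suggestion just above) and, if formatting is wanted, allow a small set of non-HTML tags instead of raw HTML (the earlier reply's "limited set of other tags"). The block below is an added example, not code from the thread, that does exactly that with htmlspecialchars() plus three constructed tags, `[b]`, `[i]` and `[url=...]`; the tag names, the http/https-only rule for links and the sample posts are assumptions.

```php
<?php
// Added example (not from the thread). Every post is entity-escaped first, so
// nothing the user typed can open or close an HTML element; then an allowed
// set of [b], [i] and [url] tags (assumed names) is translated back into HTML.
declare(strict_types=1);

function render_post(string $msg): string
{
    // Step 1: neutralise every '<', '>', '&' and quote character. An unclosed
    // <b> or a stray </body></html> becomes visible text, not markup.
    $safe = htmlspecialchars($msg, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: translate the attribute-free tags.
    $safe = preg_replace('~\[b\](.*?)\[/b\]~s', '<b>$1</b>', $safe);
    $safe = preg_replace('~\[i\](.*?)\[/i\]~s', '<i>$1</i>', $safe);

    // [url=...]text[/url]: only http/https targets become anchors; any other
    // scheme is left exactly as the escaped text the user typed.
    $safe = preg_replace_callback(
        '~\[url=([^\]]+)\](.*?)\[/url\]~s',
        function (array $m): string {
            // The target was entity-encoded in step 1; decode it to check the
            // scheme, then re-encode it for use inside the href attribute.
            $href = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('~^https?://~i', $href)) {
                return $m[0];
            }
            $attr = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $attr . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $safe
    );

    // Preserve the user's line breaks without allowing a raw <br> tag.
    return nl2br($safe);
}

// Constructed sample posts covering the cases raised in the thread.
$samples = [
    'Plain text with an unclosed <b> tag and </body></html>',
    'A [b]bold[/b] word and a [url=http://www.example.com/]link[/url]',
    '[url=javascript:void(0)]this link is not converted[/url]',
    "<?php echo 'inert'; ?> is just text once it is escaped",
];
foreach ($samples as $s) {
    echo render_post($s), "\n";
}
```

The order matters: escaping runs before the tag translation, so the only HTML that can ever reach the page is the handful of elements this function itself emits, and the original `<?php` worry disappears as a side effect because the string is never anything but text.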
