Comments on: Prevent code injection in PHP http://neo22s.com/prevent-code-injection-in-php/ Web development, scripts, source code and IT stuff Tue, 02 Mar 2010 14:24:03 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Chemahttp://neo22s.com/prevent-code-injection-in-php/comment-page-1/#comment-533 Chema Wed, 04 Nov 2009 21:00:41 +0000 http://neo22s.com/?p=601#comment-533 Rally useful Steve! I just bookmark it! nice ;) Rally useful Steve! I just bookmark it! nice ;)

]]> By: Stevehttp://neo22s.com/prevent-code-injection-in-php/comment-page-1/#comment-531 Steve Wed, 04 Nov 2009 19:44:55 +0000 http://neo22s.com/?p=601#comment-531 Here's a tutorial I wrote about creating a BBCode parser function: http://www.ultramegatech.com/blog/2009/04/creating-a-bbcode-parser/You also might be interested in this PECL extension, which seems to allow more advanced parsing: http://www.php.net/manual/book.bbcode.php Here’s a tutorial I wrote about creating a BBCode parser function:
http://www.ultramegatech.com/blog/2009/04/creating-a-bbcode-parser/

You also might be interested in this PECL extension, which seems to allow more advanced parsing:
http://www.php.net/manual/book.bbcode.php

]]> By: Chemahttp://neo22s.com/prevent-code-injection-in-php/comment-page-1/#comment-522 Chema Wed, 04 Nov 2009 08:18:07 +0000 http://neo22s.com/?p=601#comment-522 yes I think you are right and bbcode is better .Thanks for your sharing and if you have any example off bbcode is welcome. yes I think you are right and bbcode is better .

Thanks for your sharing and if you have any example off bbcode is welcome.

]]> By: Stevehttp://neo22s.com/prevent-code-injection-in-php/comment-page-1/#comment-514 Steve Tue, 03 Nov 2009 21:56:15 +0000 http://neo22s.com/?p=601#comment-514 Sorry, the code above got messed up. Here it is again:<pre>$clean = array_map('clean_input', $_POST); function clean_input($value) { return strip_tags($value, '<em><strong>'); }</pre> Sorry, the code above got messed up. Here it is again:

$clean = array_map('clean_input', $_POST);
function clean_input($value)
{
   return strip_tags($value, '');
}
]]> By: Stevehttp://neo22s.com/prevent-code-injection-in-php/comment-page-1/#comment-513 Steve Tue, 03 Nov 2009 21:52:49 +0000 http://neo22s.com/?p=601#comment-513 You can also do something like this to provide a white list of allowed tags. In this example, it allows p, em, and strong tags. Any CSS can be applied to these tags as well.$clean = array_map('clean_input', $_POST); function clean_input($value) { return strip_tags($value, '<em><strong>'); }Keep in mind that allowing some tags will also allow JavaScript injection, so it might be best to use BBCode type tags instead of allowing any HTML. You can also do something like this to provide a white list of allowed tags. In this example, it allows p, em, and strong tags. Any CSS can be applied to these tags as well.

$clean = array_map(‘clean_input’, $_POST);
function clean_input($value)
{
return strip_tags($value, ‘‘);
}

Keep in mind that allowing some tags will also allow JavaScript injection, so it might be best to use BBCode type tags instead of allowing any HTML.

]]> By: Chemahttp://neo22s.com/prevent-code-injection-in-php/comment-page-1/#comment-512 Chema Tue, 03 Nov 2009 20:59:39 +0000 http://neo22s.com/?p=601#comment-512 Hi Steve,Thanks for the info it is really usefull, your proposal is really good, but for example in my case I want it to allow css style. With the code that I propose it is possible since you can just comment the line and then it would be allowed.Another time thanks for the info ;) Hi Steve,

Thanks for the info it is really usefull, your proposal is really good, but for example in my case I want it to allow css style. With the code that I propose it is possible since you can just comment the line and then it would be allowed.

Another time thanks for the info ;)

]]> By: Stevehttp://neo22s.com/prevent-code-injection-in-php/comment-page-1/#comment-511 Steve Tue, 03 Nov 2009 17:48:26 +0000 http://neo22s.com/?p=601#comment-511 You'll probably be better off using the strip_tags function to remove any HTML tags. There's also htmlspecialchars and htmlentities to convert special characters to entities. Something like the below code will remove tags from input: $_POST = array_map('strip_tags', $_POST); $_GET = array_map('strip_tags', $_GET);Note that strip_tags also accepts a white list of allowed tags. Alternatively, the below will cause special characters to be displayed as text and not rendered by the browser: $_POST = array_map('htmlentities', $_POST); $_GET = array_map('htmlentities', $_GET);Also, the ereg* functions have been deprecated in favor of preg* functions for regular expressions.http://www.php.net/manual/function.strip-tags.php http://www.php.net/manual/function.htmlspecialchars.php http://www.php.net/manual/function.htmlentities.php http://www.php.net/manual/function.array-map.phpI hope you find this useful. :) You’ll probably be better off using the strip_tags function to remove any HTML tags. There’s also htmlspecialchars and htmlentities to convert special characters to entities. Something like the below code will remove tags from input:
$_POST = array_map(’strip_tags’, $_POST);
$_GET = array_map(’strip_tags’, $_GET);

Note that strip_tags also accepts a white list of allowed tags. Alternatively, the below will cause special characters to be displayed as text and not rendered by the browser:
$_POST = array_map(‘htmlentities’, $_POST);
$_GET = array_map(‘htmlentities’, $_GET);

Also, the ereg* functions have been deprecated in favor of preg* functions for regular expressions.

http://www.php.net/manual/function.strip-tags.php
http://www.php.net/manual/function.htmlspecialchars.php
http://www.php.net/manual/function.htmlentities.php
http://www.php.net/manual/function.array-map.php

I hope you find this useful. :)

]]>