simple, safe php-based forum

Programming, for all ages and all languages.
Adek336

simple, safe php-based forum

Post by Adek336 »

Hi all!
I have a submitting form, fetching data from the user, saving it to a file, and then another php reading all the data.

Is there anything I should consider? For example, are there some cool-ready-to-use database functions in php?

And, is it possible for a user to type something like <?php exec("rm /etc/passwd"); ?> and make it run on my server? And for html tags: is it reasonable, to just embrace the output with <verbatim></verbatim> tags? What if.. the user typed in "blabla</verbatim><a href..."? However it would be simple to check for </verbatim> flags.

Cheers :)
Curufir

Re:simple, safe php-based forum

Post by Curufir »

Adek336 wrote: Is there anything I should consider? For example, are there some cool-ready-to-use database functions in php?
Yes. There are functions for a wide variety of databases (See manual for further information).
And, is it possible for a user to type something like <?php exec("rm /etc/passwd"); ?> and make it run on my server?
Not unless you actually want them to, and even if you did you'd have to call a function with the string they input. It can't be done accidentally.
And for html tags: is it reasonable, to just embrace the output with <verbatim></verbatim> tags? What if.. the user typed in "blabla</verbatim><a href..."? However it would be simple to check for </verbatim> flags.
I really wouldn't bother letting them use raw html on a webboard. Aim for something like the BB Code this board uses, where things like [] are translated into <i> by the php script. That's a lot safer than trying to deny dangerous html code on a case by case basis.
Adek336

Re:simple, safe php-based forum

Post by Adek336 »

Just before I find the proper chapter in the manual, how do I manage single characters in a string, just like good-ol' C text[offset-1] ? Is a php string null-terminated? Is there any function like memmove? How do I allocate more space for a string when I want to add a char? Are there functions to prepend data in the middle of a string? And most basically, are there any prebuilt functions which would change any "\n" into "<br>"?

Cheers ;)
Curufir: I'll look at the mysql thing, cheers ;)
Curufir

Re:simple, safe php-based forum

Post by Curufir »

Adek336 wrote: Just before I find the proper chapter in the manual, how do I manage single characters in a string, just like good-ol' C text[offset-1] ?
text{offset-1} will do the same thing.
Is a php string null-terminated?
Probably, I haven't bothered checking.
Is there any function like memmove?
No. You can't access memory directly. About the closest you could get would be to just make a copy of the variable.
How do I allocate more space for a string when I want to add a char?
Just concatenate it. E.g. $String = $String . $Char
The interpreter will take care of the messy memory allocation details.
Are there functions to prepend data in the middle of a string? And most basically, are there any prebuilt functions which would change any "\n" into "<br>"?
Yes. In fact there's a specific PHP function for exactly that purpose ("\n" to "<br>"), but if you wanted a general way of replacing things in strings you'd use a regular expression.

e.g.
$string = ereg_replace("\n", "<br />", $string);
I strongly recommend grabbing a copy of the manual (http://www.php.net/download-docs.php) and running through some tutorials. Pretty much all of the standard C functionality (Aside from memory allocation and pointers) is there in one way or other.
AGI1122

Re:simple, safe php-based forum

Post by AGI1122 »

I recommend using preg_replace() rather than ereg_replace() because it's faster.

Although for this case there isn't any need for either since you aren't even using regex expressions in the replace so it would be better to use str_replace() instead. str_replace() is a lot faster since it doesn't parse the regex expressions.
bubach
Posts: 1223
Joined: Sat Oct 23, 2004 11:00 pm
Location: Sweden

Re:simple, safe php-based forum

Post by bubach »

$new_text = nl2br($oldtext); // "\n" to <br />
"Simplicity is the ultimate sophistication."
http://bos.asmhackers.net/ - GitHub
AGI1122

Re:simple, safe php-based forum

Post by AGI1122 »

That will work fine... well unless he wants to use HTML instead of XHTML, which I think he may since he used <br> in his post not <br />
bubach

Re:simple, safe php-based forum

Post by bubach »

so what? most people who use html and not xhtml don't care about validation anyway.. ;)
DennisCGc

Re:simple, safe php-based forum

Post by DennisCGc »

Another tip would be using an HTML filter like:

$c=htmlspecialchars($_POST['message']);
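A worked version of the escape-first approach the thread converges on (escape with htmlspecialchars(), then translate a BBCode whitelist instead of allowing raw HTML, then nl2br() for line breaks), written for this edit and not code from any of the posters; the function name render_message, the BBCODE_TAGS constant and the sample message are assumptions:

```php
<?php
// Added example, not code from any poster in this thread. It combines the
// advice above into one rendering function for a file-backed board:
//  1. escape everything with htmlspecialchars() (DennisCGc's filter),
//  2. translate a small BBCode whitelist into HTML (Curufir's suggestion),
//  3. turn newlines into <br /> with nl2br() (bubach's one-liner).
// The function name, BBCODE_TAGS and the sample message are assumptions.

declare(strict_types=1);

// Whitelisted BBCode tags and the HTML they become. Anything not listed
// stays literal text, so there is no list of dangerous tags to maintain.
const BBCODE_TAGS = ['b' => 'strong', 'i' => 'em', 'u' => 'u'];

function render_message(string $raw): string
{
    // Step 1: <, >, &, " and ' become entities. From here on the string
    // contains no markup at all, whatever the user typed.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: re-introduce only HTML this script generates itself. A tag
    // needs a matching close tag; an unbalanced [b] is left as plain text.
    foreach (BBCODE_TAGS as $bb => $html) {
        $safe = preg_replace(
            '/\[' . $bb . '\](.*?)\[\/' . $bb . '\]/s',
            "<$html>\$1</$html>",
            $safe
        );
    }

    // Step 3: "\n" -> "<br />". Pass false as the second argument to get
    // plain "<br>" for an HTML (non-XHTML) page, as discussed above.
    return nl2br($safe);
}

// Constructed sample, as a visitor might submit it through the form. The
// literal <b> is shown as text, [i]...[/i] becomes <em>...</em>, and the
// <?php ... ?> fragment is inert text: it is never handed to eval() or
// written into a file that gets include()d, which is the only way user
// text could run as PHP (Curufir's point above).
$sample = "Hello <b>world</b>\n[i]really[/i] <?php exec(\"rm /etc/passwd\"); ?>";
echo render_message($sample), "\n";
```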
AGI1122

Re:simple, safe php-based forum

Post by AGI1122 »

bubach wrote: so what? most people who use html and not xhtml don't care about validation anyway.. ;)
Not always, people trying to give backwards compatibility for browsers that don't have XHTML... and people who prefer HTML to XHTML(I know it's not a lot of people... but some people just do for some reason or another. ::))

As for the validation comment... there are people who still use HTML, and keep it valid, simply because they didn't want to change it all to XHTML. Or heck some people still might not even know about XHTML and just know about HTML.(was the case for me until I started working on YaBBSE a few years ago.)

Anyway... rant over... I love XHTML.
bubach

Re:simple, safe php-based forum

Post by bubach »

OT: i have to tell you how proud i am over my new OS homepage in XHTML..
lots of hours spent on divs and css-classes.. ;-)
a preview can be found at http://bubach.1go.dk/BOS/test/
AGI1122

Re:simple, safe php-based forum

Post by AGI1122 »

Looks good. :)
Neo
Posts: 842
Joined: Wed Oct 18, 2006 9:01 am

Re:simple, safe php-based forum

Post by Neo »

This is what I got.
was that some test text or something else?
Only Human
AGI1122

Re:simple, safe php-based forum

Post by AGI1122 »

Read the url... it says "test". ;)
bubach

Re:simple, safe php-based forum

Post by bubach »

yeah, it's only for filling up space.. ;)