Page 1 of 1
simple, safe php-based forum
Posted: Fri Jan 14, 2005 3:47 pm
by Adek336
Hi all!
I have a sumbiting form, fetching data from the user, saving it to a file, and then another php reading all the data.
Is there anything I should consider? For example, are there some cool-ready-to-use database functions in php?
And, is it possible for a user to type something like <?php exec("rm /etc/passwd"); ?> and make it run on my server? And for html tags: is it reasonable, to just embrace the output with <verbatim></verbatim> tags? What if.. the user typed in "blabla</verbatim><a href..."? However it would be simple to check for </verbatim> flags.
Cheers
Re:simple, safe php-based forum
Posted: Fri Jan 14, 2005 9:30 pm
by Curufir
Adek336 wrote:
Is there anything I should consider? For example, are there some cool-ready-to-use database functions in php?
Yes. There are functions for a wide variety of databases (See manual for further information).
And, is it possible for a user to type something like <?php exec("rm /etc/passwd"); ?> and make it run on my server?
Not unless you actually want them to, and even if you did you'd have to call a function with the string they inputed. It can't be done accidentally.
And for html tags: is it reasonable, to just embrace the output with <verbatim></verbatim> tags? What if.. the user typed in "blabla</verbatim><a href..."? However it would be simple to check for </verbatim> flags.
I really wouldn't bother letting them use raw html on a webboard. Aim for something like the BB Code this board uses, where things like [
] are translated int <i> by the php script. That's a lot safer than trying to deny dangerous html code on a case by case basis.
Re:simple, safe php-based forum
Posted: Sat Jan 15, 2005 9:58 am
by Adek336
Just before I find the proper chapter in the manual, how do I manage single characters in a string, just like good-ol' C text[offset-1] ? Is a php string null-terminated? Is there any function like memmove? How do I allocate more space for a string when I want to add a char? Are there functions to prepend data in the middle of a string? And most basically, are there any prebuilt functions which would change any "\n" into "<br>"?
Cheers
Curufir: I'll look at the mysql thing, cheers
Re:simple, safe php-based forum
Posted: Sat Jan 15, 2005 11:29 am
by Curufir
Adek336 wrote:
Just before I find the proper chapter in the manual, how do I manage single characters in a string, just like good-ol' C text[offset-1] ?
text{offset-1} will do the same thing.
Is a php string null-terminated?
Probably, I haven't bothered checking.
Is there any function like memmove?
No. You can't access memory directly. About the closest you could get would be to just make a copy of the variable.
How do I allocate more space for a string when I want to add a char?
Just concatenate it. Eg $String = $String . $Char
The interpreter will take care of the messy memory allocation details.
Are there functions to prepend data in the middle of a string? And most basically, are there any prebuilt functions which would change any "\n" into "<br>"?
Yes. In fact there's a specific PHP function for exactly that purpose ("\n" to "<br>"), but if you wanted a general way of replacing things in strings you'd use a regular expression.
Code: Select all
eg
$string = ereg_replace("\n", "<br />", $string);
I strongly recommend grabbing a copy of the manual (
http://www.php.net/download-docs.php) and running through some tutorials. Pretty much all of the standard C functionality (Aside from memory allocation and pointers) is there in one way or other.
Re:simple, safe php-based forum
Posted: Sat Jan 15, 2005 3:53 pm
by AGI1122
I recommend using preg_replace() rather than ereg_replace() because it's faster.
Although for this case there isn't any need for either since you arn't even using regex expressions in the replace so it would be better to use str_replace() instead. str_replace() is alot faster since it doesn't parse the regex expressions.
Re:simple, safe php-based forum
Posted: Mon Jan 17, 2005 2:48 am
by bubach
$new_text = nl2br($oldtext); // "\n" to <br />
Re:simple, safe php-based forum
Posted: Mon Jan 17, 2005 4:36 am
by AGI1122
That will work fine... well unless he wants to use HTML instead of XHTML, which I think he may since he used <br> in his post not <br />
Re:simple, safe php-based forum
Posted: Mon Jan 17, 2005 6:47 am
by bubach
so what? most people who use html and not xhtml don?t care about validation anyway..
Re:simple, safe php-based forum
Posted: Mon Jan 17, 2005 8:41 am
by DennisCGc
Another tip would be using a HTML filter
like:
Code: Select all
$c=htmlspecialchars($_POST['message']);
Re:simple, safe php-based forum
Posted: Mon Jan 17, 2005 1:47 pm
by AGI1122
bubach wrote:
so what? most people who use html and not xhtml don?t care about validation anyway..
Not always, people trying to give backwards compatability for browsers that don't have XHTML... and people who prefer HTML to XHTML(I know it's not alot of people... but some people just do for some reason or another. ::))
As for the validation comment... there are people who still use HTML, and keep it valid, simply because they didn't want to change it all to XHTML. Or heck some people still might not even know about XHTML and just know about HTML.(was the case for me until I started working on YaBBSE a few years ago.)
Anyway... rant over... I love XHTML.
Re:simple, safe php-based forum
Posted: Tue Jan 18, 2005 10:06 am
by bubach
OT: i have to tell you how proud i am over my new OS homepage in XHTML..
lots of hours spend on divs and css-classes..
a preview can be found at
http://bubach.1go.dk/BOS/test/
Re:simple, safe php-based forum
Posted: Tue Jan 18, 2005 3:05 pm
by AGI1122
Looks good.
Re:simple, safe php-based forum
Posted: Wed Jan 19, 2005 5:47 am
by Neo
This is what i got.
was that some test text or something else?
Re:simple, safe php-based forum
Posted: Thu Jan 20, 2005 4:49 am
by AGI1122
Read the url... it says "test".
Re:simple, safe php-based forum
Posted: Fri Jan 21, 2005 3:34 am
by bubach
yeah, it?s only for filling up space..