开发者

PHP Problem - When inserting </ to the database it renders as a code

Hey, I own http://ilikeyou.tk/ which is a facebook like website. Basically, users can add a phrase and/or a photo and like it on facebook. Recently, when I tested a few stuff I found out that when I insert </ in the text box and create the page, it messes up with the li开发者_JS百科ke list. (You can try posting </ and going back to homepage, scroll down to 'Recent Like' and watch it) In sites like twitter and facebook, this stuff never happen.. so there might be a solution.. Any suggestions?

P.S; Also, when i try to insert the photo link (http://profile.ak.fbcdn.net/hprofile-ak-snc4/188178_139794909415037_3755895_n.jpg) the whole index page goes down (I can still go to like pages like ilikeyou.tk/1/ but cant access ilikeyou.tk ... ). When deleting the link from the database its all working fine again.

P.S2; Sorry for my bad English

Thanks in advanced.


You need to call htmlspecialchars on all data coming from your database before displaying it on your page. Failure to do so not only causes problems such as the one you see, but it is also a big security issue: it allows cross-site scripting (XSS) attacks on your application.

So if you have $phrase coming in from anywhere (not only your database), it's wrong to do this:

echo $phrase;

You have to do this instead:

echo htmlspecialchars($phrase);

You can search SO or Google for "XSS" or "cross site scripting" for more information.


Well of course. I could also be inputting this into your text field:

<script type="text/javascript">
    window.location = 'http://mysite.com';
</script>

This would steal all your visitors and send them to my site.

You cannot trust user input. Ever. And you should never trustingly insert user input into other content unsanitized. I hope you're at least aware of SQL injection?

For output into HTML, you can either remove anything that looks like a tag using strip_tags or escape characters that have a special meaning in HTML using htmlentities. Possibly you should use a mix of both.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜