Reputation: 7847
How can I avoid users entering php code into my form
How can I stop users entering <?php ?> into my forms.
I am using urlencode() and then using urldecode() when echoing data onto my page what is the best thing to do??
UPDATE:
I am writing to the database with the text urlencoded:
htmlentities (urlencode($_POST['postmessage']));
I am using:
<?php echo htmlentities (urldecode($row['content'])) ?>
to echo the saved data. Is that enough??
Upvotes: 0
Views: 149
Answers (3)
Reputation: 29874
what are you doing with the code? execute it? when you echo the php code theres no need to worry server side... you rather want to do html_entity_encode to keep your website from beeing messed up or beeing injected by iframes/javascripts by user posts
Upvotes: 0
Reputation: 61597
Well, you can get rid of all the characters that don't belong in a URL
$var = filter_var($url, FILTER_SANITIZE_URL);
Then you can check that it is a valid URL
$var = filter_var($url, FILTER_VALIDATE_URL);
if($var == false)
die("Bad URL");
Upvotes: 0
Reputation: 382879
I would suggest you to use the HTML Purifier for that:
HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited,
secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications.
Upvotes: 4
Related Questions
- How can I sanitize user input with PHP?
- Preventing SQL injection insert into
- how to protect from sql injection when using php?id=
- SQL protect submitted data from SQL injections
- cause sql injection
- preventing php injection in forms (if a user submits php code into a form)
- Preventing SQL injection using ONLY php
- How to protect this code from sql injection?
- How to Prevent a site from SQL INJECTION
- Sanitize user input destined for database in PHP