Hi there...
I've gone through a ton of these threads and haven't found what I'm looking for (although I'm sure this is a common question)...
I have a guestbook on my site that consists of a form textarea and an inline frame which displays a file called 'comments.html' (which I guess is self-explanatory).
When the user types stuff into the textarea and submits, a php page is called into the iframe which gets the stuff they typed, "appends" (for lack of a better word) it to the top of the 'comments.html' file, then re-opens the 'comments.html' into the iframe.
(I hope I didn't make that sound too confusing)
Anyway... It works fine, but it's a huge security risk because anyone (who knows what they're doing) can enter any HTML into the textarea, and it will go ahead and be rendered onto the page.
So... is there a way to disable an HTML comment, while the PHP file is being parsed??
Here is the PHP file (well... a simplified version)...
<html>
<head>
<title>My Guestbook</title>
<link rel="stylesheet" type="text/css" href="MyStyles.css" />
</head>
<body style="background-color:#ffffff">
<?php
// username and message come straight from the form; nothing is escaped,
// so any HTML they contain is written into the page as markup
$user=$_GET["username"];
$user=stripslashes($user);
$message=$_GET["message"];
$message=stripslashes($message);
print("<p class='txt'>Thank you!! Your comments have been added...<br /> <a class='txt' href=GuestbookContent.html>View your message</a>.</p>");
// read the current entries so the new one can be placed above them
$in=fopen("GuestbookContent.html","rb");
$size=filesize("GuestbookContent.html");
$contents = $size > 0 ? fread($in, $size) : "";
fclose($in);
// "w" truncates the file; the old contents are written back below
$out=fopen("GuestbookContent.html","w");
if(!$out){
print("Could not load database :s");
exit;
}
fwrite($out,"\n");
fwrite($out,"\n<hr><p><b>$user</b> (");
fwrite($out,date('d/m/Y'));
fwrite($out,")");
fwrite($out,"<br>$message</p>");
fwrite($out,"$contents");
fclose($out);
?>
</body>
</html>
Thanks!!
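The fix for the problem described in the post is not to "disable" HTML but to escape the user's text at output time, so the browser displays it literally instead of parsing it. Below is an added, hardened version of the script; it is example code written for this page, not the poster's own code. It keeps the file name GuestbookContent.html and the field names username and message from the post, assumes the form submits with POST, and adds locking so two visitors posting at once cannot corrupt the file.

```php
<?php
// Added example, not the original poster's code.
// Assumptions (taken from the post): entries are stored in GuestbookContent.html
// next to this script; the form fields are named "username" and "message".
declare(strict_types=1);

const GUESTBOOK_FILE = __DIR__ . '/GuestbookContent.html';
const MAX_NAME    = 40;    // hypothetical limits, adjust to taste
const MAX_MESSAGE = 2000;

// Turn arbitrary text into inert HTML text: <, >, &, " and ' are all
// escaped, so "<script>" is shown literally instead of being executed.
function escape_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Basic input hygiene: valid UTF-8 only, no control characters apart from
// newline and tab, trimmed and length-limited. This is NOT the XSS defence;
// escape_html() at output time is.
function clean_field(string $value, int $max): string
{
    if (!mb_check_encoding($value, 'UTF-8')) {
        return '';
    }
    $value = trim($value);
    $value = preg_replace('/[^\P{C}\n\t]/u', '', $value);
    return mb_substr($value, 0, $max, 'UTF-8');
}

// Build one guestbook entry. Every piece of user data passes through
// escape_html(); nl2br() runs after escaping so its <br> tags are ours.
function render_entry(string $user, string $message, string $date): string
{
    $safeUser = escape_html($user === '' ? 'Anonymous' : $user);
    $safeMsg  = nl2br(escape_html($message));
    return "\n<hr><p><b>{$safeUser}</b> ({$date})<br>{$safeMsg}</p>";
}

// Put the new entry above the existing ones under an exclusive lock, so
// concurrent submissions do not interleave or truncate each other.
function prepend_entry(string $file, string $entry): bool
{
    $fh = fopen($file, 'c+');          // create if missing, do not truncate yet
    if ($fh === false) {
        return false;
    }
    if (!flock($fh, LOCK_EX)) {
        fclose($fh);
        return false;
    }
    $existing = stream_get_contents($fh);
    rewind($fh);
    ftruncate($fh, 0);
    $ok = fwrite($fh, $entry . $existing) !== false;
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

$user    = clean_field((string)($_POST['username'] ?? ''), MAX_NAME);
$message = clean_field((string)($_POST['message'] ?? ''), MAX_MESSAGE);
if ($message === '') {
    http_response_code(400);
    echo 'Empty message.';
    exit;
}

$entry = render_entry($user, $message, date('d/m/Y'));
if (!prepend_entry(GUESTBOOK_FILE, $entry)) {
    http_response_code(500);
    echo 'Could not save your comment.';
    exit;
}

header('Content-Type: text/html; charset=UTF-8');
echo '<p class="txt">Thank you!! Your comments have been added...<br /> '
   . '<a class="txt" href="GuestbookContent.html">View your message</a>.</p>';
```

With this in place a visitor who submits `<script>alert(1)</script>` sees that string printed in the guestbook rather than executed. Two things to check on the real site: the existing GuestbookContent.html may already contain injected markup from earlier posts and needs to be cleaned by hand once, and if the browser is left to guess the character set of the iframe document, escaping can be bypassed with encoding tricks, so the file (or the page that frames it) should declare `charset=UTF-8` explicitly.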