  1. #1
    SitePoint Enthusiast
    Join Date: Mar 2005
    Posts: 32

    Question: help on secure form submission when posting code?

    I have a form where I want users to submit youtube embed code (and only youtube embed code or the youtube watch URL). I want the validation to be able to make sure it is YT embed code, extract the video url, and purge the rest of the embed code.

    So, user inputs random video embed code...
    Code:
    <object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/8sgycukafqQ"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/8sgycukafqQ" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object>
    Validation code below is where I want the help...
    I need mysql_real_escape_string, etc. but can't get it to work with preg_match.
    Code:
    $myvideo = $_POST['myvideo'];
    $myvidok = null;
    // Pull the value out of <param name="movie" value="..."> and make sure it is a
    // youtube.com/v/ URL whose video ID contains only safe characters (dots escaped,
    // pattern anchored, so nothing but the ID survives)
    if (preg_match('/<param name="movie" value="([^"]*)"/i', $myvideo, $newmyvideo)
        && preg_match('#^http://www\.youtube\.com/v/([A-Za-z0-9_-]+)$#i', $newmyvideo[1], $id)) {
        // Capture the ID directly (the original used substr where str_replace was meant)
        $myvidok = $id[1];
    } else {
        echo "problem with embed code";
    }
    I'd also like it to work with the youtube watch url (if it's added instead of the embed code)...
    Code:
    http://youtube.com/watch?v=8sgycukafqQ
    I just don't want any injections by allowing code to be passed. Help would be great. Thanks.

  2. #2
    SitePoint Evangelist
    Join Date: Aug 2005
    Posts: 453
    PHP Code:
    $search = '<object width="425" height="350">'.
        '<param name="movie" value="http://www.youtube.com/v/8sgycukafqQ"></param>'.
        '<param name="wmode" value="transparent"></param>'.
        '<embed src="http://www.youtube.com/v/8sgycukafqQ" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350">'.
        '</embed>'.
        '</object>';

    function ParseEmbeddString( $In_text ) {
        $object = array();                          // Returned even when no <embed> is found
        $parts  = explode( "</param>", $In_text );  // Explode @ param ends

        foreach ( $parts as $V ) {
            if ( strstr( $V, "embed" ) ) {
                // Get embed source (offset skips src=" to the first character of the value)
                $start = strpos( $V, "src=" ) + 5;
                $end   = strpos( $V, '"', $start ) - $start;
                $object["embed"]["src"] = substr( $V, $start, $end );
                // Get embed type
                $start = strpos( $V, "type=" ) + 6;
                $end   = strpos( $V, '"', $start ) - $start;
                $object["embed"]["type"] = substr( $V, $start, $end );
                // Get embed wmode
                $start = strpos( $V, "wmode=" ) + 7;
                $end   = strpos( $V, '"', $start ) - $start;
                $object["embed"]["wmode"] = substr( $V, $start, $end );
                // Get embed width
                $start = strpos( $V, "width=" ) + 7;
                $end   = strpos( $V, '"', $start ) - $start;
                $object["embed"]["width"] = substr( $V, $start, $end );
                // Get embed height
                $start = strpos( $V, "height=" ) + 8;
                $end   = strpos( $V, '"', $start ) - $start;
                $object["embed"]["height"] = substr( $V, $start, $end );
            }
        }
        return $object;
    }

    var_dump( ParseEmbeddString( $search ) );
    Yields:
    array(1) { ["embed"]=> array(5) { ["src"]=> string(36) "http://www.youtube.com/v/8sgycukafqQ" ["type"]=> string(29) "application/x-shockwave-flash" ["wmode"]=> string(11) "transparent" ["width"]=> string(3) "425" ["height"]=> string(3) "350" } }

    You can use the same type of logic to extract the
    Computers and Fire ...
    In the hands of the inexperienced or uneducated,
    the results can be disastrous.
    While the professional can tame, master even conquer.
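Putting the two posts together as an added example (this is not code from either poster): the safe approach to the original question is to treat the submission as nothing more than a carrier for an 11-character video ID, pull that ID out of either the embed code or the watch URL, check it against an allow-list of characters, and then rebuild the markup and run the database insert from the ID alone. The function names (extractYouTubeId, youTubeIdFromUrl, renderYouTubeEmbed, storeVideo), the table layout in storeVideo, the sample inputs and the use of YouTube's current iframe embed URL in place of the Flash object are all assumptions made for this illustration. The embed branch parses the HTML with DOMDocument rather than counting characters with strpos, so attribute order, spacing or a missing wmode attribute cannot throw it off.

```php
<?php
// Added example, not from the thread. Function names, the videos table and the
// sample inputs below are assumptions for the illustration.

/** Return the YouTube video ID contained in $input, or null if it is not a YouTube embed or watch URL. */
function extractYouTubeId(string $input): ?string
{
    $input = trim($input);
    $candidates = [];

    if (strpos($input, '<') === false) {
        // Plain URL: http://youtube.com/watch?v=ID, with or without www
        $candidates[] = $input;
    } else {
        // Embed code: parse it as HTML. libxml warns about object/param/embed, so silence it.
        libxml_use_internal_errors(true);
        $doc = new DOMDocument();
        $doc->loadHTML($input);
        libxml_clear_errors();

        foreach ($doc->getElementsByTagName('param') as $param) {
            if (strtolower($param->getAttribute('name')) === 'movie') {
                $candidates[] = $param->getAttribute('value');
            }
        }
        foreach ($doc->getElementsByTagName('embed') as $embed) {
            $candidates[] = $embed->getAttribute('src');
        }
        foreach ($doc->getElementsByTagName('iframe') as $iframe) {
            $candidates[] = $iframe->getAttribute('src');
        }
    }

    foreach ($candidates as $url) {
        $id = youTubeIdFromUrl($url);
        if ($id !== null) {
            return $id;
        }
    }
    return null;
}

/** Pull the video ID out of one URL; only expected hosts and an allow-listed ID charset are accepted. */
function youTubeIdFromUrl(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), ['youtube.com', 'www.youtube.com'], true)) {
        return null;
    }
    $path = $parts['path'] ?? '';
    $id = null;

    if ($path === '/watch') {
        parse_str($parts['query'] ?? '', $query);
        $id = $query['v'] ?? null;
    } elseif (preg_match('#^/(?:v|embed)/([^/?]+)$#', $path, $m)) {
        $id = $m[1];
    }

    // YouTube IDs are 11 characters from [A-Za-z0-9_-]; anything else is rejected,
    // so the returned value can never carry quotes or tags into the page or the query.
    if (is_string($id) && preg_match('/^[A-Za-z0-9_-]{11}$/', $id)) {
        return $id;
    }
    return null;
}

/** Build the embed markup from the ID alone; no user-supplied bytes reach the HTML. */
function renderYouTubeEmbed(string $id, int $width = 425, int $height = 350): string
{
    $url = 'https://www.youtube.com/embed/' . rawurlencode($id);
    return sprintf('<iframe width="%d" height="%d" src="%s" frameborder="0" allowfullscreen></iframe>',
        $width, $height, htmlspecialchars($url, ENT_QUOTES, 'UTF-8'));
}

/** Store the ID with a prepared statement instead of mysql_real_escape_string(). */
function storeVideo(PDO $db, int $userId, string $id): void
{
    $stmt = $db->prepare('INSERT INTO videos (user_id, youtube_id) VALUES (:uid, :vid)');
    $stmt->execute([':uid' => $userId, ':vid' => $id]);
}

// Constructed sample inputs: the thread's embed code, its watch URL, a foreign host, and an injection attempt.
$samples = [
    '<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/8sgycukafqQ"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/8sgycukafqQ" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350"></embed></object>',
    'http://youtube.com/watch?v=8sgycukafqQ',
    '<embed src="http://evil.example/v/8sgycukafqQ"></embed>',
    'http://www.youtube.com/watch?v=8sgycukafqQ"onload="alert(1)',
];
foreach ($samples as $s) {
    $id = extractYouTubeId($s);
    echo $id === null ? "rejected\n" : renderYouTubeEmbed($id) . "\n";
}
```

The first two samples yield the same iframe for 8sgycukafqQ; the third is rejected on host, the fourth on the ID character check. storeVideo is shown but not called here because the example runs without a database; pass it a PDO connection and the validated ID, and the prepared statement removes the need for any manual escaping.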

