  1. #1
    agentforte

    Question php.. how safe is my output?

    I am programming a website with PHP where users will be able to post content (text and images).

    I use the htmlspecialchars() function before outputting content, but I do not use strip_tags()

    Is there any way for someone to put malicious content on the website if I do not use the strip_tags() function? Specifically running any scripts on my website that should not be there?

    Thanks

    -Frank

  2. #2
    php_daemon
    Generally htmlspecialchars is enough.
    Saul
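    The point in the reply above, as an added example (not code from any poster in this thread): htmlspecialchars() with ENT_QUOTES is enough for text nodes and for quoted attribute values, but it does nothing for an unquoted attribute, and it cannot neutralise a "javascript:" URL because that string contains no HTML special characters. The helper names h() and safe_url() are assumptions for this example.

```php
<?php
// Added example for this thread, not code from any poster.
// Shows where htmlspecialchars() is sufficient and where it is not.

declare(strict_types=1);

/** Escape for HTML text content or a double-quoted attribute value. */
function h(string $s): string
{
    // ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces
    // invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Allow only http(s) URLs for user-supplied links (assumed policy). */
function safe_url(string $url): ?string
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return null;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $url : null;
}

// Constructed user input.
$post  = '<script>alert(document.cookie)</script>';
$title = 'x onmouseover=alert(1)';
$link  = 'javascript:alert(1)';

// 1. Text node: safe, the tags are rendered as literal text.
echo '<p>' . h($post) . "</p>\n";
// <p>&lt;script&gt;alert(document.cookie)&lt;/script&gt;</p>

// 2. Quoted attribute: safe, the whole string stays inside the quotes.
echo '<img alt="' . h($title) . "\">\n";
// <img alt="x onmouseover=alert(1)">

// 3. Unquoted attribute: NOT safe. Nothing was escaped because the payload
//    has no <, >, &, " or ', and the browser splits on the space.
echo '<img alt=' . h($title) . ">\n";
// <img alt=x onmouseover=alert(1)>   -> a live event handler

// 4. URL context: NOT safe. htmlspecialchars() leaves "javascript:" alone,
//    so the scheme must be checked separately.
echo '<a href="' . h($link) . "\">link</a>\n";
// <a href="javascript:alert(1)">link</a>  -> executes on click

var_dump(safe_url('javascript:alert(1)'));        // NULL
var_dump(safe_url('https://example.com/a?b=c'));  // string(24) "https://example.com/a?b=c"
```

    In short: always quote attributes, escape at output time for the context you are writing into, and validate URL schemes against an allowlist rather than relying on escaping.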

  3. #3
    cranial-bore
    There was a recently discovered security issue with uploaded images. A user could put code inside the image file (just giving the file the appropriate extension).

    http://www.phpclasses.org/blog/post/...IF-images.html


  4. #4
    kromey
    Wow, just what I've been saying for some time - don't trust user input and validate an uploaded file's extension! And people on this very site would tell me that checking the mimetype (either via getimagesize or magic.mime) was sufficient - looks like I was right after all!
    PHP questions? RTFM
    MySQL questions? RTFM

  5. #5
    Hammer65
    A lot of people will use something like the following, to validate file extension.

    PHP Code:
    $good = array('gif','jpeg','jpg'); // blah blah blah
    $filename = 'nasty.gif.php';
    $nameArr = explode('.', $filename);
    $ext = $nameArr[1]; // maybe the last element, maybe not: here it is 'gif'
    if (in_array($ext, $good))
    {
        // Okay file is fine  (this branch is taken for nasty.gif.php)
    }
    else
    {
        // Bad file.. Bad file
    }

    Or they look for the string "gif" or "jpeg" in the file name.

    Both will let such a file through, but not this..

    PHP Code:
    $good = array('gif','jpeg','jpg'); // blah blah blah
    $filename = 'nasty.gif.php';
    $nameArr = explode('.', $filename);
    // Get the very last $nameArr element for certain
    $ext = $nameArr[count($nameArr) - 1]; // 'php'
    if (in_array($ext, $good))
    {
        // Okay file is fine
    }
    else
    {
        // Bad file.. Bad file  (this branch is taken for nasty.gif.php)
    }

    There are of course additional measures you could take by analyzing the file contents, but this will do a good quick job. You shouldn't use include with image files, PDF, etc, anyway but if you must.......
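    Pulling the thread together, as an added example (not code from any poster): the last-extension check above rejects nasty.gif.php, and the posts before it explain why a content check alone (getimagesize, a magic-number lookup) is not enough, since a perfectly valid GIF can carry "<?php ... ?>" in a comment block. The code below combines a strict extension check (last extension only, single extension, case-folded), a magic-byte check that is deliberately shown passing such a polyglot, and the step that actually removes the risk: storing the file under a random server-chosen name with only the validated extension. It assumes the upload directory is outside the web root (or has script execution disabled); the function names, the allowlist and the sample bytes are constructed for this example.

```php
<?php
// Added example for this thread, not code from any poster.
// Assumes: uploads are written to a directory outside the web root (or one
// where script execution is disabled) and served as static data, so nothing
// stored there is ever executed. Function names are illustrative.

declare(strict_types=1);

const ALLOWED_EXTENSIONS = ['gif', 'jpg', 'jpeg', 'png'];

// Leading magic bytes for the allowed image types (constructed table).
const IMAGE_SIGNATURES = [
    'gif'  => ["GIF87a", "GIF89a"],
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
];

/**
 * Return the lower-cased extension if the client-supplied name carries
 * exactly one allowed extension, or null if the name must be rejected.
 * pathinfo() looks at the text after the LAST dot, so "nasty.gif.php" -> "php".
 */
function allowed_extension(string $clientName): ?string
{
    $base = basename($clientName);   // drop any directory components
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    // Also reject "nasty.php.gif": Apache's mod_mime with an AddHandler for
    // .php can treat every dot-separated part as an extension, so a second
    // extension anywhere in the name must not survive.
    if (count(explode('.', $base)) > 2) {
        return null;
    }
    return $ext;
}

/**
 * True if the content starts with a signature for $ext. This only proves
 * the file LOOKS like an image; it says nothing about what else is inside.
 */
function has_image_signature(string $content, string $ext): bool
{
    foreach (IMAGE_SIGNATURES[$ext] ?? [] as $sig) {
        if (strncmp($content, $sig, strlen($sig)) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Decide whether to accept the upload and, if so, the name to store it
 * under. The stored name is random and uses only the validated extension,
 * so nothing the user chose ever reaches the filesystem.
 */
function stored_name_for_upload(string $clientName, string $content): ?string
{
    $ext = allowed_extension($clientName);
    if ($ext === null || !has_image_signature($content, $ext)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed inputs: a GIF header followed by PHP code (a "polyglot").
$gifWithPhp = "GIF89a" . "\x01\x00\x01\x00\x80" . '<?php echo "pwned"; ?>';

var_dump(allowed_extension('nasty.gif.php'));                       // NULL
var_dump(allowed_extension('nasty.php.gif'));                       // NULL
var_dump(allowed_extension('../Photo.JPG'));                        // string(3) "jpg"
var_dump(has_image_signature($gifWithPhp, 'gif'));                  // bool(true): content check passes the polyglot
var_dump(stored_name_for_upload('nasty.gif.php', $gifWithPhp));     // NULL: rejected on the name
var_dump(stored_name_for_upload('cat.gif', $gifWithPhp) !== null);  // bool(true): accepted, but under a random name
```

    The last line is the important one: the polyglot is accepted, as it must be, because it is a valid image. What keeps it harmless is that it is stored under a name the attacker did not pick, with an image extension, in a location the web server will never hand to the PHP interpreter.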

