Web Hosting Talk

View Full Version : Would this be hacker safe?


lexington
07-06-2008, 10:53 AM
Hello, you do not have to post alternate code or anything, I just need to know if this is ok. I believe it is but wanted to confirm. I use the database to let users enter text or HTML. All entries use htmlspecialchars() so if someone enters:

<?php echo 'test'; ?>

into the database it is stored as:

&lt;?php echo 'test'; ?&gt;

I looked at the page source and it appears as the actual php code on the page which is expected:

<?php echo 'test'; ?>

Even though the code seems to be in php format it doesn't work it displays nothing since I assume that the browser sees it as php in an html file. However I want to make sure that it will not work to a hacker's advantage. Thanks.
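As an added example (not code from the original post), the following script shows the escaping lexington describes, with the flags a practitioner would actually use today: htmlspecialchars() with ENT_QUOTES, ENT_SUBSTITUTE and an explicit charset, applied at output time. It runs the thread's PHP snippet and a few constructed XSS payloads through the same escape and checks that nothing capable of opening a tag or breaking out of an attribute survives. The function names html_escape() and is_inert_in_html() are this example's own.

```php
<?php
// Added example, not code from the original thread. Demonstrates the escaping
// lexington describes: user text goes through htmlspecialchars() before it is
// echoed into HTML, so a stored "<?php" snippet reaches the browser as text.
// The server never re-parses its own HTTP response as PHP source; stored PHP
// tags only become code if the text is later written into a .php file or
// handed to eval() or include(). Output escaping does not protect against
// those sinks; not feeding user text to them does.

// Escape a string for an HTML element body or a quoted attribute value.
function html_escape(string $s): string
{
    // ENT_QUOTES    : also encode single quotes (needed in single-quoted attributes)
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of silently returning ""
    // 'UTF-8'       : must match the charset the page declares
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// True when nothing that can open a tag or end a quoted attribute survives in
// an escaped string (a cheap self-check, not a substitute for escaping).
function is_inert_in_html(string $escaped): bool
{
    return preg_match('/[<>"\']/', $escaped) === 0;
}

// Constructed sample inputs: the snippet from the thread, a script injection,
// and two attribute-breakout payloads. The single-quote one is neutralised only
// because ENT_QUOTES is set (PHP before 8.1 did not encode ' by default).
$samples = [
    "<?php echo 'test'; ?>",
    "<script>alert(document.cookie)</script>",
    "\" onmouseover=\"alert(1)",
    "' onfocus='alert(1)",
];

foreach ($samples as $raw) {
    $safe = html_escape($raw);
    // Element body context and double-quoted attribute context take the same value.
    echo '<p>' . $safe . "</p>\n";
    echo '<input type="text" value="' . $safe . "\">\n";
    echo 'inert: ' . (is_inert_in_html($safe) ? 'yes' : 'no') . "\n\n";
}
```

The escape is correct for HTML body text and quoted attributes only. Text placed inside a `<script>` block, an inline event handler, a URL or a CSS value needs the encoding for that context instead, and a page that deliberately lets users submit HTML (as lexington's does) needs an allowlisting HTML sanitiser rather than htmlspecialchars(), which would turn the whole submission into visible markup.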

Tyler
07-06-2008, 11:43 AM
If that is all you're doing, then no, that is not "hacker safe". Also keep in mind that anything can be exploited.

Since you didn't want me to post alternate code, I won't. But you will want to research the topic on SQL injection.

lexington
07-06-2008, 11:55 AM
No that is not all that I am using I also use trim and mysql_real_escape_string. I learned about SQL injection many years ago. I was more concerned with the output result on the page not the sql entry.

horizon
07-06-2008, 12:55 PM
Here's a good way to inject without outputing <?php and ?> from the database. When you're about to inject, use this:


// Strip anything shaped like a PHP, short-echo or ASP-style tag pair from $output
// (s: dot matches newlines, i: case-insensitive, U: ungreedy so each pair is removed separately).
$output = 'test';
$output = preg_replace('/<[?%]+(php|=)?(.*)[?%]+>/siU', '', $output);



Only the word test will remain between the <?php and ?> tags. ;)

lexington
07-06-2008, 01:34 PM
Hello horizon, how are you :) Yeah, a bit earlier I figured it would be better to just create an error check on the form page to prevent the user from using those tags. Could you integrate your code into this function so that it would locate the <? ?> and possibly asp/perl tags?


function disallow_tags($tag_name)
{
    // Return TRUE when the opening PHP tag appears anywhere in the submitted text.
    // preg_quote() escapes the "?" so it is matched literally instead of making "<" optional.
    $disallowed = '<?php';
    if ( preg_match('/' . preg_quote($disallowed, '/') . '/i', $tag_name, $match) )
    {
        return TRUE;
    }
    return FALSE;
}


Thanks :)

horizon
07-06-2008, 03:43 PM
Try this:


function disallow_tags($tags_name) {

    // Remove the opening and closing PHP tags and hand the cleaned text back.
    $tags_name = str_replace("<?php", "", $tags_name);
    $tags_name = str_replace("?>", "", $tags_name);
    return $tags_name;
}

lexington
07-06-2008, 04:40 PM
Ah yes that would be the easy way haha :P I wanted it to error so the user knows that it is not allowed but that will do. Thanks :)

horizon
07-06-2008, 04:57 PM
Here:


function disallow_tags($tags_name) {

    $check = true;

    // str_replace() returns the modified string, so compare before and after:
    // a change means one of the tags was present.
    $stripped = str_replace("<?php", "", $tags_name);
    if ($stripped !== $tags_name) {
        $check = false;
    }
    if (str_replace("?>", "", $stripped) !== $stripped) {
        $check = false;
    }
    return $check;
}


Once the function has failed, you may return the error message you'd like so users would be notified. ;)

acidhoss
07-08-2008, 03:18 PM
There are so many other things to worry about with SQL injection and XSS.

Check out this site that has some tips to avoid PHP XSS:
http://devzone.zend.com/node/view/id/1752

horizon
07-22-2008, 03:37 PM
I have just discovered an alternative way to check if <?php and ?> are inside a tag name:


if (!function_exists('disallow_tags')) {
    function disallow_tags($tags_name) {
        // True when an opening tag followed (anywhere, across newlines) by a closing tag is present.
        if (preg_match("=<\?php.*?\?>=s", $tags_name)) {
            return true;
        }
        return false;
    }
}
The function will return true if it's the case.

The alternative way, if you do not wish to return an error message, would be to directly remove these two variances like this:


if (!function_exists('disallow_tags')) {
    function disallow_tags($tags_name) {
        // Remove every opening/closing PHP tag pair and return the cleaned text.
        // No "e" modifier: it would eval() the replacement and is gone from PHP 7.
        if (preg_match("=<\?php.*?\?>=s", $tags_name)) {
            $tags_name = preg_replace("=<\?php(.*?)\?>=s", "", $tags_name);
        }
        return $tags_name;
    }
}
How the function works (1st one):


if (function_exists('disallow_tags') && disallow_tags($tags_name) == true) {
die ("You cannot use <?php and ?> inside tags name. Please try again.");
}
How the function works (2nd one):


if (function_exists('disallow_tags')) {
$tags_name = disallow_tags($tags_name);
}
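As an added example that is not code from horizon or lexington, the script below puts the str_replace() filter from horizon's earlier posts and the preg_match() check from this last post beside a set of constructed inputs that each defeat at least one of them, and beside a stricter check that covers every open-tag form PHP's lexer has recognised. The bypasses are properties of PHP itself (tags are matched case-insensitively, `<?=` exists alongside `<?php`, a file may end without `?>`) and of single-pass string replacement; they are not something the thread reports. The function names strip_php_tags_naive(), thread_regex_flags() and contains_php_open_tag() are this example's own.

```php
<?php
// Added example, not code posted in the thread. Compares the thread's two
// filters with a rejecting check, over inputs chosen to show the gaps.

// The filter from the thread, behaviour reproduced for comparison: one pass each.
function strip_php_tags_naive(string $s): string
{
    $s = str_replace('<?php', '', $s);
    return str_replace('?>', '', $s);
}

// The regex check from the thread's last post, behaviour reproduced for comparison.
function thread_regex_flags(string $s): bool
{
    return preg_match('=<\?php.*?\?>=s', $s) === 1;
}

// Stricter check: flag anything PHP could treat as an open tag, case-insensitively.
//   <?php (any case)   <?= (always enabled since PHP 5.4)   <? (short_open_tag)
//   <% and <%= (ASP tags, removed in PHP 7.0)   <script language="php"> (removed in 7.0)
function contains_php_open_tag(string $s): bool
{
    $pattern = '/<\?(?:php\b|=|\s)|<%=?|<script\b[^>]*\blanguage\s*=\s*["\']?php/i';
    return preg_match($pattern, $s) === 1;
}

// Constructed inputs, each chosen to defeat at least one of the thread's filters.
$inputs = [
    "<?php echo 'x'; ?>",        // the straightforward case every filter catches
    "<?PHP echo 'x'; ?>",        // str_replace() is case-sensitive, PHP's lexer is not
    "<?= 'x' ?>",                // short echo tag, contains no "<?php" at all
    "<<?php?php echo 'x'; ?>",   // one pass removes the inner tag and leaves "<?php" behind
    "<?php echo 'x';",           // no closing tag; PHP does not need one at end of file
];

printf("%-28s | %-22s | %-12s | %s\n", 'input', 'after str_replace', 'thread regex', 'strict');
foreach ($inputs as $in) {
    printf("%-28s | %-22s | %-12s | %s\n",
        $in,
        strip_php_tags_naive($in),
        thread_regex_flags($in) ? 'flagged' : 'missed',
        contains_php_open_tag($in) ? 'flagged' : 'missed');
}
```

The table shows the uppercase tag and the `<?=` form passing the str_replace() filter untouched, the doubled `<<?php?php` input coming out of it with a clean `<?php` still in place, and the unterminated `<?php echo 'x';` slipping past the regex because it insists on a closing `?>`. If a rejecting check is wanted for user feedback, contains_php_open_tag() is the shape it should take; but none of these checks is what keeps stored text from running. That depends on the text never reaching eval(), include() or a file that PHP executes, with htmlspecialchars() on output handling the browser side.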

lexington
07-22-2008, 03:38 PM
Hey thanks :)