Unfiltered form accepts <script> tag , it's dangerous ?

[ande]

What do you mean , how i'm supposed to run eval() if i cant enclose it at <?php tag ?

No. What I mean is that it is not directly dangerous to store PHP code in the database as it will not be executed if just print it to page. In order for that to be dangerous you will have to run the database result in the eval() function for it to execute.

[invader7]

No. What I mean is that it is not directly dangerous to store PHP code in the database as it will not be executed if just print it to page. In order for that to be dangerous you will have to run the database result in the eval() function for it to execute.

Yes ok thanks a lot !!!

[invader7]

I think you're missing the idea here


Security should be designed into your software, not added in as an after thought. This whole "it doesnt matter its a quick fix now" ideology is stupid


Design the software with security in mind, dont design it to have security patched in later. It will not be as effective.

I think your thoughts are right , thanks !

You take input and sanitize it.



Lets say if you check for that string specifically... would it cover


<?php echo phpinfo(INFO_MODULES); ?> or any number of other ways it can be modified? how about every other way other tags can possibly be implemented? You dont strip entire bits of code... you strip santize what makes it code.

No this isn't dangerous because im searching for <?php , not the whole phpinfo()... so when i find <?php i make it <!--?php

[ande]

Honestly you should just use htmlspecialchars() or htmlentities(), either on insert or on output from DB.

[invader7]

and youve obviously made sure short tags and such are disabled as well?

obviously yes you mean <? <?= , im searching for 2 characters <?  , something else in mind ?

Honestly you should just use htmlspecialchars() or htmlentities(), either on insert or on output from DB.

Yes you are right ! , its a targeted product for a closed group of people who are not supposed to hack it and its on production. But you are right , i will follow

The best way to write safer code is manage to bypass your own code and then improve it

[techb]

Yes you are right ! , its a targeted product for a closed group of people who are not supposed to hack it and its on production. But you are right , i will follow

I was a "production" employee at an ISP tech support center, the amount of fail they had in there systems was epic. People like me, and people like in "production" WILL break things. Don't assume all others are stupid. I ran circles around the IT at my last job, and they all thought it was my supervisor. I quite on my own terms and my supervisor is still there, just don't underestimate the little guys. I did stuff to break systems in a few jobs I had, Lulz use putty again I DARE ya Mr telemarketer.

[invader7]

I was a "production" employee at an ISP tech support center, the amount of fail they had in there systems was epic. People like me, and people like in "production" WILL break things. Don't assume all others are stupid. I ran circles around the IT at my last job, and they all thought it was my supervisor. I quite on my own terms and my supervisor is still there, just don't underestimate the little guys. I did stuff to break systems in a few jobs I had, Lulz use putty again I DARE ya Mr telemarketer.

production = developement , sorry my mistake !! i wanted to write developement stage not production !!!