Allowing user to enter code for header

I need some advice on how to do this properly.

I have an application that sells ad listings. This application will be the body of the page. I want to allow the administrator to log in and enter their own header and footer html code.

Now I can create this easy enough with a form in the administration area, and store the code in a database to retrieve when each page is opened, but I worry about sql injection and all sorts of malicious things happening by allowing the user to enter code.

So, what is the best way to handle a user entering such information to allow them to customize their pages a little?

Thanks.

PHP

4 Comments

@chazzy Dec 04.2008 — Do you have to have them enter HTML code? Can't you just have them enter links to a URL, and images?
@Patty5 (author) Dec 04.2008 — Do you mean have them type the path to some HTML page and then use an include to insert the code in the header?

I can do that, but what if the URL is an ASP page, or what if it is a PHP page and it includes malicious code?

Those are the problems I am trying to avoid.
@svidgen Dec 04.2008 — Ad programs generally don't allow the advertisers to supply any HTML/JavaScript. You want your users to be uploading a file that meets certain dimension requirements: SWF, GIF, JPG, etc. You'll not only have a decent level of security, but you'll also be meeting "common practice" requirements.

Side note

If you really want to allow them to add HTML, just make sure you sanitize the data (addslashes(), mysql_real_escape_string(), etc.) on the way into the database and preg_replace() out script tags and anything else you're worried about.
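A worked version of the "sanitize on the way in" idea, added here as an example and not code from the original thread or its authors. It uses a DOMDocument-based allowlist rather than a preg_replace() blocklist (a regex that strips `<script>` still lets `onclick=` handlers, `javascript:` URLs and entity-encoded variants through), and a PDO prepared statement rather than addslashes()/mysql_real_escape_string(). The table name `site_settings`, the in-memory SQLite database, the function names and the sample header are all this example's own assumptions.

```php
<?php
// Added example (not from the original thread): allowlist filtering with
// DOMDocument plus parameterised storage. Table `site_settings`, SQLite in
// memory and the constructed input are assumptions made for the demo.
declare(strict_types=1);

const ALLOWED_TAGS  = ['div', 'span', 'p', 'a', 'img', 'ul', 'ol', 'li', 'h1', 'h2', 'h3', 'br', 'strong', 'em'];
const ALLOWED_ATTRS = ['class', 'id', 'href', 'src', 'alt', 'title'];   // no style, no on* handlers

/** Only http(s) or scheme-less (relative) URLs may appear in href/src. */
function safeUrl(string $url): bool
{
    // Browsers ignore tabs/newlines inside a scheme ("java\tscript:") and decode
    // entities such as &#9; first, so decode, then strip ASCII controls and
    // spaces, before looking for a scheme. Decoding twice only makes this stricter.
    $probe = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $probe = preg_replace('/[\x00-\x20]+/', '', $probe);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    return true;                                    // relative path, no scheme at all
}

/** Walk the tree, keeping only allowlisted elements/attributes and plain text. */
function cleanNode(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes) as $child) {   // copy: we mutate the list
        if (!$child instanceof DOMElement) {
            if (!$child instanceof DOMText) {
                $node->removeChild($child);         // comments, CDATA, <?php ... ?> instructions
            }
            continue;                               // text nodes are re-escaped on output
        }
        if (!in_array($child->tagName, ALLOWED_TAGS, true)) {
            $node->removeChild($child);             // <script>, <style>, <iframe>, ... with their subtree
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name  = strtolower($attr->name);
            $isUrl = in_array($name, ['href', 'src'], true);
            if (!in_array($name, ALLOWED_ATTRS, true) || ($isUrl && !safeUrl($attr->value))) {
                $child->removeAttribute($attr->name);
            }
        }
        cleanNode($child);
    }
}

function filterHeaderHtml(string $html): string
{
    if (trim($html) === '') {
        return '';
    }
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);               // tolerate tag soup without warnings
    $doc->loadHTML('<?xml encoding="utf-8" ?>' . $html);   // prolog forces UTF-8 handling
    libxml_clear_errors();

    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    cleanNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {         // serialise the inner HTML only
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function saveHeader(PDO $db, string $untrustedHtml): void
{
    // Parameter binding: the HTML never becomes part of the SQL text, so quotes
    // and semicolons inside it cannot alter the statement.
    $stmt = $db->prepare('INSERT OR REPLACE INTO site_settings (name, value) VALUES (:name, :value)');
    $stmt->execute([':name' => 'header_html', ':value' => filterHeaderHtml($untrustedHtml)]);
}

function loadHeader(PDO $db): string
{
    $stmt = $db->prepare('SELECT value FROM site_settings WHERE name = :name');
    $stmt->execute([':name' => 'header_html']);
    return (string) $stmt->fetchColumn();
}

// Constructed input: a tab-obfuscated javascript: URL, an inline event handler,
// a remote script include and a conditional comment, all in one header.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE site_settings (name TEXT PRIMARY KEY, value TEXT)');
$untrusted = '<div id="top"><a href="JAVA&#9;SCRIPT:alert(1)" onclick="steal()">Home</a>'
           . '<script src="http://example.com/js_include.php"></script>'
           . '<img src="/logo.png" alt="Logo"><!--[if IE]><script>x()</script><![endif]--></div>';
saveHeader($db, $untrusted);
echo loadHeader($db), "\n";
```

Run it with `php header_filter.php` (any PHP build with the dom and pdo_sqlite extensions). The `<script>` element and the conditional comment are dropped outright, the `onclick` attribute goes because it is not on the allowlist, and the `href` goes because after entity decoding and control-character stripping its scheme is `javascript`, not `http(s)`; the `<div>`, the link text and the `<img>` survive. Because the DOM re-serialises text nodes, stray `<` and `&` in the admin's text come out correctly escaped, which a regex pass over the raw string cannot guarantee.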
@SyCo Dec 04.2008 — Edit: Guess I should have refreshed the page before posting this. Oh well :/ To reiterate the above points....

If it's user input you need to sanitize it. Validating is more difficult but you can exclude anything you may not want.

First off, if the code is saved as a string then PHP code will not be executed. <script> tags will allow javascript to run so I personally wouldn't allow unknown users to add <script> tags. The biggest issue with script tags is they allow remote code to be executed, aside from the problems that opens, who knows what vulnerability will be discovered next week.

This type of include allows javascript to execute remote PHP and return javascript.
[code=html]<script type="text/javascript" src="http://site.com/js_include.php"></script>[/code]
So even if you moderate the contents and changes of what the users are uploading to your database, you can't moderate changes made to the contents of the included files. A malicious user could assign HTML using the innerHTML JavaScript property to any div or element with an ID, changing content beyond their allowed scope. I'm no JavaScript expert, so head over to the JavaScript section to ask the experts there what sort of nasties you could be opening yourself up to.

You could have a keywords/phrases alert database and store all words that need reviewing so, for example, any content with the phrase 'Drop table' or even just a semicolon (who uses them correctly these days?) will send an alert to you, so you can see if a user attempted to add malicious content or if there is a possible hole in your script.

There's not much point using htmlentities(), because you intend the string to be executed as HTML, unless you intend to use BBcode (bulletin board code). This message board allows limited HTML in the form of BBcode. The tags are replaced with their HTML equivalents. Then only plain text and the custom tags you choose to allow can be entered. Everything else is returned to its ASCII equivalent.

But you do need to sanitize any user input, from textareas to checkboxes, to protect yourself from SQL injection.
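The "escape everything, then re-enable a few custom tags" approach described in this reply, written out as an added example (not code from the thread or from the message board it mentions). The tag subset, the `rel="nofollow"` attribute, the http(s)-only rule for links and the sample post are this example's own choices.

```php
<?php
// Added example (not from the original thread): a minimal BBcode-to-HTML
// converter. All input is escaped first; only [b], [i], [br] and [url=...]
// are turned back into markup. Tag set and URL policy are this example's choices.
declare(strict_types=1);

function bbcodeToHtml(string $input): string
{
    // 1. Neutralise every character that could start markup: < > & " ' become
    //    entities, so no raw HTML or attribute injection survives this step.
    $text = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Re-introduce only the tags we choose. These patterns run over the
    //    already-escaped text, so the contents they wrap are still safe.
    $simple = [
        '#\[b\](.*?)\[/b\]#s' => '<strong>$1</strong>',
        '#\[i\](.*?)\[/i\]#s' => '<em>$1</em>',
        '#\[br\]#'            => '<br>',
    ];
    $text = preg_replace(array_keys($simple), array_values($simple), $text);

    // 3. Links: the URL is validated, not merely escaped. The captured value is
    //    entity-encoded (e.g. &amp;), so decode it to check the scheme and
    //    re-escape it when emitting the attribute.
    $text = preg_replace_callback(
        '#\[url=([^\]\s]+)\](.*?)\[/url\]#s',
        function (array $m): string {
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('#^https?://#i', $url)) {
                return $m[2];                       // javascript:, data:, etc.: keep the text, drop the link
            }
            $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $safe . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $text
    );
    return $text;
}

// Constructed sample post mixing raw HTML, a javascript: link and a legitimate link.
$post = "[b]Big sale[/b] on <script>alert(1)</script> ads![br]"
      . "[url=javascript:alert(1)]click me[/url] or [url=http://example.com/?a=1&b=2]our site[/url]";
echo bbcodeToHtml($post), "\n";
```

The `<script>` in the sample comes out as literal `&lt;script&gt;` text, the `javascript:` link is reduced to its caption, and the legitimate link keeps its query string with `&` correctly written as `&amp;` in the attribute. Two caveats a practitioner should keep in mind: the regexes do not enforce proper nesting (`[b][i]x[/b][/i]` yields mismatched tags), and every new BBcode tag you add is new attack surface, so validate any attribute value the way the `[url]` handler does rather than interpolating it.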