I use html entities to secure my site.
And my client want to add link in his post using the CMS.
how to make exception in html entities?
my code example:
<p><?php echo h($row['message']) ?></p>
//h is my function for htmlentities
My code display this message:
"You can click this link Link"
//And I dont know my data insert '\'
//It become Link
If my question is not clear please ask.
Really appreciate.
I believe what you want to do is pass into the DB with htmlentities() so it doesn't mess with your DB. To retrieve them you would use html_entity_decode(). The html_entity_decode() converts all strings with HTML entities back to there original string.
http://php.net/manual/en/function.html-entity-decode.php
Hopefully this answers your question.
Edit:
Raw data retrieved: http://www.example.com
Through htmlentities it spits out the HTML entities, which the browser cannot interpret when attempting to find that page. The use of htmlentities() (please if I'm wrong correct me) is to encode user input before passing it anywhere else.
User input: <script>hacks</script>
Passed though htmlentities:
<script>hacks< (whatever backslash is)script>
(This way it can't mess with anything in your database, better example is the use of PHP/MySQL but I'm not well versed to give that exact example at the moment.)
However this would expose your site when decoding it as well and other precautions would have to be taken.
Try this :
<?php
$link = h(stripslashes($row['message']));
?>
You can click this link <a href='<?php echo $link; ?>'>Link</a>
Related
I'm making a website where a user should be able to use HTML and CSS in their profiles but I came across one problem.
<?php
$profile = "<h1>THIS IS A TEST</h1>";
echo htmlentities($profile);
?>
That's my code, but it only show this in the profile:
<h1>THIS IS A TEST&</h1>
I don't know what is happening, nor do I know if this only happens to me.
How do I make it show only the h1 content?
Function htmlentities is showing the representation of html characters like tags etc., and is being used especially to avoid parsing as html. So if you mean to echo html so that the browser parses it as html, the last thing you want is to use this function! Just echo it out directly, no need to use htmlentities or htmlspecialchars!
You just have to use echo $profile;, that's all. Check this and don't forget to check Display as HTML as browsers display PHP echoed text as HTML unless they're told to display it differently.
eksample:
I want to make a database where admin can add "news article with code", where the code doesn't get translated, when posted on webpage.
So, someone post;
if (!isset($_GET['underside'])){
include ('front.inc.php');
}else{
include($_GET['underside']);
}
?>
(and it will be posted on the webpage, without being translated)
(the same technich as used on this page)
Use file_get_contents() to read the file into a string, replace all special characters using htmlspecialchars() and then print the string using echo().
I'm quite new here. I'm trying to make a blog/journal site that allows users to post their own journal. I'm still quite reluctant on making it because I am really afraid of malicious code injections.
So here's a sample code:
<?php
$test = "<b>blah</b>"; //User input from SQL
echo "$test";
?>
What will come out is just the word "blah" in bold right? What I was trying to achieve was to echo "<b>blah</b>" instead. I don't want people to put some PHP codes that can actually mess up my whole web page. Please keep in mind that the variable $test is actually a MYSQL query, so that variable will be needed as an example. I know you can do echo '$test'; but it just comes out as "$test" instead. I feel like pulling my hair out I can't figure it out yet.
The second solution I know of is the htmlspecialchars(); function, but I want the strings to display as what I typed, not the converted ones...
Is there any way I can do that?
I think the OP wants the HTML itself to be output to the page, and not have the tags stripped. To achieve this, you can run the string first through htmlentities()
$test = '<b>blah</b>';
echo htmlentities($test);
This will output:
<b>blah</b>
Which will render in the page as
<b>blah</b>
Echo don't execute PHP code from string. This is impossible and this is not security hole in your code.
You can use a template engine like Twig for exemple.
If htmlspecialchars(); is not the one you are looking for, try the header() option.
header('Content-type: text/plain');
When you are gonna give <b>Hi</b> to a browser, it will be displayed in Bold and not the text be returned. But you can try this way, outputting it inside a <textarea></textarea>.
Or the other way is to use htmlentities():
<?php
$test = "<b>blah</b>"; //User input from SQL
echo htmlentities("$test");
?>
One guy tried to exploit it using this script
http://www.searchr.us/web-search.phtml?search=%22%3E%3Cscript%3Ealert%28String.fromCharCode%2872%29+String.fromCharCode%28105%29%29;%3C/script%3E
How do i stop it ?
And he also said that it is vulnerable to XSS and LPI...Please help me stop it.
Thanking You,
You need to HTML-encode all user-entered data that you output, including the user's search string.
To be safe, HTML-encode all values that are not explicitly meant to be HTML code.
The quick solution is to:
<?php echo htmlspecialchars($blah); ?>
instead of
<?php echo $blah; ?>
The long solution is to read a book on web site security.
Seeing as how that is a search query string, I'm guessing you're pulling the value directly from the query string and re-displaying it to the user?
Something along the lines of "Your search of 'something' returned 0 results"?
You need to encode any user entered data before displaying it.
I made a GET form recently.But the problem is that it is highly vulnerable.You can inject your an script as below.
http://mysite.com/processget.phtml?search=Hacked
I'm able to inject any kind of script into my above URL.I'm actually echoing my GET data using an echo in my BODY,so whenever i enter a malicious script it is being executed in my BODY tag.So now how do i limit this http://mysite.com/processget.phtml?search= to just Number,letters and a few symbols which i want.
For ex.The user should only be able to enter
http://mysite.com/processget.phtml?search=A123123+*$
So can anyof you help me fix this bug.I'm kind of new to PHP,so please explain.
if (!empty($_GET['search'])) {
$search = htmlentities($_GET['search'],ENT_QUOTES,'UTF-8');
echo $search;
}
Now it's safe.
But if you want to limit to specific symbols, then you need to use regular expressions.
You can let a user enter whatever you like; the key is to escape the output. Then the string is displayed as desired, rather than included as HTML.
Use a php function like htmlentities
Strip the tags:
echo strip_tags($_GET['search']);
Actually, you may want htmlspecialchars instead, which escapes the tags instead of removing them so they display as intended:
echo htmlspecialchars($_GET['search']);