php - Escaping for username and URL text boxes -


My site got hacked a few times. I'm using a post-comment form that writes to a flat file. I have tried escaping strings in the past and, since I'm not using SQL, I can't use mysql_real_escape_string. However, I have tried many other ways to keep the string free of stuff like this: <#$()[]{},.;!. I use the code you can see below:

$newdata = nl2br(htmlspecialchars($_POST['ta'], ENT_QUOTES, 'utf-8'));

I also use this:

$search = array("!", "$", "%", "(", ")");
$urls = str_replace($search, " ", $url);

Finally, I use this (in the JavaScript check(event) keypress handler):

if (keychar == "`" || keychar == "#" || keychar == "^" || keychar == "*") {

None of them seem to work; the site still got hacked. I'm wondering if anyone has ideas or can point me in the right direction.

I believe the textarea is fine. I'm not 100% sure, but I know the URL textbox (pix) and the username are vulnerable. I'm trying to learn how to close the vulnerability, and you can see it isn't working.

<style>
div.container { width: 100%; border: 1px solid gray; }
header, footer { padding: 1em; color: white; background-color: black; clear: left; text-align: center; }
nav { float: left; max-width: 160px; margin: 0; padding: 1em; }
nav ul { list-style-type: none; padding: 0; }
nav ul { text-decoration: none; }
article { margin-left: 170px; border-left: 1px solid gray; padding: 1em; overflow: hidden; }
fieldset { word-break: break-all; border: 1px solid #999; border-radius: 8px; box-shadow: 0 0 10px #999; width: 97%; }
legend { background: #fff; }
table { word-break: break-all; width: 97%; border: 0; cellspacing: 0; cellpadding: 0; }
div { overflow: hidden; border: solid 2px gray; padding: 1em; }
</style>
<!DOCTYPE html>
<html>
<body>
<?php
// $date = "" . date("F d Y h:i:s.");
$date = "" . date("g:ia \n l jS F Y") . "\n";
$myfile = "file.txt";
if (isset($_POST['ta'])) {
    if (isset($_POST['urls'])) {
        $url = $_POST['urls'];
    }
    $wordcount = str_word_count($_POST['ta']);
    $myfile = "file.txt";
    // Comment body and username are escaped for HTML text before being stored.
    $newdata = nl2br(htmlspecialchars($_POST['ta'], ENT_QUOTES, 'utf-8'));
    $nn = nl2br(htmlspecialchars($_POST['namee'], ENT_QUOTES, 'utf-8'));
    // $fieldsetstring =
    // $fieldsetfilter = htmlspecialchars($fieldsetstring, ENT_QUOTES, 'utf-8');
    $handle = fopen($myfile, 'a+');
    // fwrite($handle, '<fieldset><legend>anonymous: ' . $date . '</legend>' . $newdata . '</fieldset></br>');
    // Note: $urls is never assigned in this block (the POST value went into $url above),
    // and whatever it holds is written into the src attribute without any escaping.
    fwrite($handle, '<div><fieldset><legend><img src="' . $urls . '" width="42" height="42">' . $nn . ' : ' . $date . '</a></legend><table><tr><td><h1>' . $newdata . '</h1></td></tr></table></fieldset></div></br>');
    fclose($handle);
}
?>
<br/>
<br/>
<br/>
<?php
if (file_exists("$myfile")) {
    $mydata = file_get_contents("$myfile");
}
?>
<a></a>
<form action="index.php" method="post" style="align:center">
username : <input type="text" name="namee" value="anonymous" style="text-align:center" onkeypress="return check(event)"/>
url : <input type="text" name="urls" value="http://findicons.com/files/icons/398/halloween/128/jack.png" style="text-align:center; width:30%" onkeypress="return check(event)" onkeyup="return check(event)"/></br>
<textarea name="ta" cols="64" rows="10"></textarea>
<br /><br />
<input name="mybtn" type="submit" value="submit"/>
</body>
</html>

I have tried many escapes from Stack Overflow before posting this. In fact, I have been trying to figure this out for a month, and I'm sure I got hacked more than a few times. That's all I know. Awesome.

You can try this function:

function protect($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

Update: code explanation

The function takes a variable or argument and passes it through PHP's trim, stripslashes and htmlspecialchars functions. The returned variable is as safe as possible from injections.
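Added example (not the asker's code and not the answer's): a hardened version of the step that writes the comment to the flat file. It escapes each value for the exact spot it lands in (HTML text versus a double-quoted attribute) and, because htmlspecialchars only escapes characters and does not check that a value is actually an http(s) URL, validates the image URL separately and falls back to the page's default icon otherwise. The function names (esc, safe_image_url, safe_username, render_comment, append_comment) and the sample request are assumptions made for this example.

```php
<?php
// Added example, not from the question or the answer above. Function names
// and the sample request below are assumptions for illustration.
declare(strict_types=1);

// Escape a value for HTML text or a double-quoted attribute.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only absolute http(s) URLs; anything else becomes the fixed default.
function safe_image_url(string $candidate, string $default): string
{
    $candidate = trim($candidate);
    if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
        return $default;
    }
    $scheme = strtolower((string) parse_url($candidate, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $default;
    }
    return $candidate;
}

// Restrict the username to a short whitelist of characters (letters, digits,
// space, underscore, dot, hyphen); anything else becomes the default.
function safe_username(string $candidate, string $default): string
{
    $candidate = trim($candidate);
    if ($candidate === '' || !preg_match('/^[\p{L}\p{N} _.-]{1,32}$/u', $candidate)) {
        return $default;
    }
    return $candidate;
}

// Build the HTML fragment appended to the flat file. Every user-controlled
// value is escaped for the context it is inserted into.
function render_comment(array $post, string $date): string
{
    $default_icon = 'http://findicons.com/files/icons/398/halloween/128/jack.png';
    $url  = safe_image_url((string) ($post['urls'] ?? ''), $default_icon);
    $name = safe_username((string) ($post['namee'] ?? ''), 'anonymous');
    $body = nl2br(esc((string) ($post['ta'] ?? '')));

    return '<div><fieldset><legend>'
        . '<img src="' . esc($url) . '" width="42" height="42"> '
        . esc($name) . ' : ' . esc($date)
        . '</legend><table><tr><td><p>' . $body . '</p></td></tr></table>'
        . '</fieldset></div><br/>' . "\n";
}

// Append atomically with an exclusive lock so concurrent posts cannot interleave.
function append_comment(string $file, string $fragment): bool
{
    return file_put_contents($file, $fragment, FILE_APPEND | LOCK_EX) !== false;
}

// Constructed sample request, standing in for $_POST when run from the CLI.
$sample = [
    'namee' => 'alice<b>',                             // fails the whitelist -> "anonymous"
    'urls'  => 'ftp://example.invalid/not-allowed.png', // not http(s)      -> default icon
    'ta'    => "Hello <b>world</b>\nsecond line",        // tags shown literally, newline -> <br />
];

$fragment = render_comment($sample, date('g:ia l jS F Y'));
echo $fragment;
append_comment('file.txt', $fragment);
```

Run it from the command line with `php example.php` to see the fragment; in the real page, pass `$_POST` to render_comment() in place of `$sample`. The fallback-to-default design means a rejected value never reaches the file at all, which is simpler to reason about than stripping individual characters from it.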

