Search Results

Search found 104 results on 5 pages for 'htmlentities'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 3/5 | < Previous Page | 1 2 3 4 5  | Next Page >

  • Preventing server-side scripting, XSS

    - by Tim
    Hey all Are there any pre-made scripts that I can use for PHP / MySQL to prevent server-side scripting and JS injections? I know about the typical functions such as htmlentities, special characters, string replace etc. but is there a simple bit of code or a function that is a failsafe for everything? Any ideas would be great. Many thanks :)

    Read the article

  • PHP XML encoding

    - by Jeremey
    I need a function that will convert € or chr(0x20AC) or chr(8364) to € without having a static map. I tried using htmlentities(), but it only seems to work for the symbol itself and it converts to €

    Read the article

  • preg_replace on xss code

    - by proyb2
    Can this code help to sanitize malicious code in user submit form? function rex($string) { $patterns = array(); $patterns[0] = '/=/i'; $patterns[1] = '/javascript:/i'; $replacements = array(); $replacements[0] = ''; $replacements[1] = ''; return preg_replace($patterns, $replacements, $string); I have included htmlentities() to prevent XSS on client side, is all the code shown is safe enough to prevent attack?

    Read the article

  • MODX parse error function implode (is it me or modx?)

    - by Ian
    Hi, I cannot for the life of me figure this out, maybe someone can help. Using MODX a form takes user criteria to create a filter and return a list of documents. The form is one text field and a few checkboxes. If both text field and checkbox data is posted, the function works fine; if just the checkbox data is posted the function works fine; but if just the text field data is posted, modx gives me the following error: Error: implode() [function.implode]: Invalid arguments passed. I've tested this outside of modx with flat files and it all works fine leading me to assume a bug exists within modx. But I'm not convinced. Here's my code: <?php $order = array('price ASC'); //default sort order if(!empty($_POST['tour_finder_duration'])){ //duration submitted $days = htmlentities($_POST['tour_finder_duration']); //clean up post array_unshift($order,"duration DESC"); //add duration sort before default $filter[] = 'duration,'.$days.',4'; //add duration to filter[] (field,criterion,mode) $criteria[] = 'Number of days: <strong>'.$days.'</strong>'; //displayed on results page } if(!empty($_POST['tour_finder_dests'])){ //destination/s submitted $dests = $_POST['tour_finder_dests']; foreach($dests as $value){ //iterate through dests array $filter[] = 'searchDests,'.htmlentities($value).',7'; //add dests to filter[] $params['docid'] = $value; $params['field'] = 'pagetitle'; $pagetitle = $modx->runSnippet('GetField',$params); $dests_array[] = '<a href="[~'.$value.'~]" title="Read more about '.$pagetitle.'" class="tourdestlink">'.$pagetitle.'</a>'; } $dests_array = implode(', ',$dests_array); $criteria[] = 'Destinations: '.$dests_array; //displayed on results page } if(is_array($filter)){ $filter = implode('|',$filter);//pipe-separated string } if(is_array($order)){ $order = implode(',',$order);//comma-separated string } if(is_array($criteria)){ $criteria = implode('<br />',$criteria); } echo '<br />Order: '.$order.'<br /> Filter: '.$filter.'<br /> Criteria: '.$criteria; //next: extract docs using $filter and $order, display user's criteria using $criteria... ?> The echo statement is displayed above the MODX error message and the $filter array is correctly imploded. Any help will save my computer from flying out the window. Thanks

    Read the article

  • Netbeans PHP autocomplete

    - by poru
    Hello, how could I add an autocomplete for PHP build-in functions like htmlentities or var_dump? The autocompleter work for my classes but there's not autocompletion for functions like mentioned above.

    Read the article

  • php soapclient returns null but getPreviousResults has proper results

    - by Joseph.Chambers
    I've ran into trouble with SOAP, I've never had this issue before and can't find any information on line that helps me solve it. The following code $wsdl = "path/to/my/wsdl"; $client = new SoapClient($wsdl, array('trace' => true)); //$$textinput is passed in and is a very large string with rows in <item></item> tags $soapInput = new SoapVar($textinput, XSD_ANYXML); $res = $client->dataprofilingservice(array("contents" => $soapInput)); $response = $client->__getLastResponse(); var_dump($res);//outputs null var_dump($response);//provides the proper response as I would expect. I've tried passing params into the SoapClient constructor to define soap version but that didnt' help. I've also tried it with the trace param set to false and not present which as expected made $response null but $res was still null. I've tried the code on both a linux and windows install running Apache. The function definition in the WSDL is (xxxx is for security reasons) <portType name="xxxxServiceSoap"> <operation name="dataprofilingservice"> <input message="tns:dataprofilingserviceSoapIn"/> <output message="tns:dataprofilingserviceSoapOut"/> </operation> </portType> I have it working using the __getLastResponse() but its annoying me it will not work properly. I've put together a small testing script, does anyone see any issues here. //very simplifed dataset that would normally be //read in from a CSV file of about 1mb $soapInput = getSoapInput("asdf,qwer\r\nzzxvc,ewrwe\r\n23424,2113"); $wsdl = "path to wsdl"; try { $client = new SoapClient($wsdl,array('trace' => true,'exceptions' => true)); } catch (SoapFault $fault) { $error = 1; var_dump($fault); } try { $res = $client->dataprofilingservice(array("contents" => $soapInput)); $response = $client->__getLastResponse(); echo htmlentities($client->__getLastRequest()); echo '<hr>'; var_dump($res); echo "<hr>"; echo(htmlentities($response)); } catch (SoapFault $fault) { $error = 1; var_dump($fault); } function getSoapInput($input){ $rows = array(); $userInputs = explode("\r\n", $input); $userInputs = array_filter($userInputs); // $inputTemplate = " <contents>%s</contents>"; $rowTemplate = "<Item>%s</Item>"; // $soapString = ""; foreach ($userInputs as $row) { // sanitize $row = htmlspecialchars(addslashes($row)); $xmlStr = sprintf($rowTemplate, $row); $rows[] = $xmlStr; } $textinput = sprintf($inputTemplate, implode(PHP_EOL, $rows)); $soapInput = new SoapVar($textinput, XSD_ANYXML); return $soapInput; }

    Read the article

  • bbcode hyperlink issue (help!!)

    - by Jorm
    I'm having an annoying :) I use regexes from this: http://forums.codecharge.com/posts.php?post_id=77123 if you enter [url]www.bob.com[/url] it leads too http://localhost/test/www.bobsbar.com So I added before http://$1 in the replacement. That fix it but then [url]http://www.bob.com[/url] will lead to http://http://www.bobsbar.com How would you fix this? I want my users to be able to post links with AND without http:// and i want it to redirect to the site -_- Hope you understand this. Jorm Edit function bbcode_format($str) { $str = htmlentities($str); $find = array( '/\[url\](.*?)\[\/url\]/is', // hyperlink '/\[url\](http[s]?:\/\/)(.*?)\[\/url\]/is' // hyperlink http-protocol ); $replace = array( '<a href="$1" rel="nofollow" title="$1">$1</a>', '<a href="$1$2" rel="nofollow" title="$2">$2 THIS WORKS</a>' ); $str = preg_replace($find, $replace, $str); return $str; } both www.bob.com and http://www.bob.com uses the first replacement

    Read the article

  • Why is the same input returning two different MD5 hashes?

    - by Rob
    Alright, I have two files. They are the EXACT SAME. The first file is: http://iadsonline.com/servconfig.php And the second file is: http://xzerox.info/servconfig.php However, when I use md5_file() to get their MD5, They return two different MD5's. The first returns cc7819055cde3194bb3b136bad5cf58d, which is incorrect, and the second returns 96a0cec80eb773687ca28840ecc67ca1, which is correct. The file is simply an &nbsp; To verify, I've used this code: $contents = file_get_contents($URL); echo htmlentities($contents); And they both return &nbsp; So why is it hashing them differently?

    Read the article

  • Are these two functions overkill for sanitization?

    - by jpjp
    function sanitizeString($var) { $var = stripslashes($var); $var = htmlentities($var); $var = strip_tags($var); return $var; } function sanitizeMySQL($var) { $var = mysql_real_escape_string($var); $var = sanitizeString($var); return $var; } I got these two functions from a book and the author says that by using these two, I can be extra safe against XSS(the first function) and sql injections(2nd func). Are all those necessary? Also for sanitizing, I use prepared statements to prevent sql injections. I would use it like this: $variable = sanitizeString($_POST['user_input']); $variable = sanitizeMySQL($_POST['user_input']);

    Read the article

  • Wrap link around links in tweets with php preg_replace

    - by Ben Paton
    Hello I'm trying to display the latest tweet using the code below. This preg_replace works great for wrapping a link round twitter @usernames but doesn't work for web addresses in tweets. How do I get this code to wrap links around urls in tweets. <?php /** Script to pull in the latest tweet */ $username='fairgroceruk'; $format = 'json'; $tweet = json_decode(file_get_contents("http://api.twitter.com/1/statuses/user_timeline/{$username}.{$format}")); $latestTweet = htmlentities($tweet[0]->text, ENT_QUOTES); $latestTweet = preg_replace('/@([a-z0-9_]+)/i', '<a href="http://twitter.com/$1" target="_blank">@$1</a>', $latestTweet); $latestTweet = preg_replace('/http://([a-z0-9_]+)/i', '<a href="http://$1" target="_blank">http://$1</a>', $latestTweet); echo $latestTweet; ?> Thanks for the help, Ben

    Read the article

  • PHP & MySQL username submit problem

    - by peakUC
    I want to allow users to either have there username field empty at any time but I get the username error message Your username is unavailable! how can I correct this problem? Here is the PHP code. if(isset($_POST['username'])) { $u = "SELECT * FROM users WHERE username = '$username' AND user_id <> '$user_id'"; $r = mysqli_query ($mysqli, $u) or trigger_error("Query: $q\n<br />MySQL Error: " . mysqli_error($mysqli)); if (mysqli_num_rows($r) == TRUE) { // Unavailable. echo '<p class="error">Your username is unavailable!</p>'; $username = NULL; } else if(mysqli_num_rows($r) == 0) { // Available. $username = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['username'])))); } }

    Read the article

  • safely encode and pass a string from a html link to PHP program

    - by bert
    What series of steps would be reqired to safely encode and pass a string from a html href using javascript to construct the link to a php program. in javascript set up URL // encodes a URI component. path = "mypgm.php?from=" + encodeURIComponent(myvar) ; in php: // get passed variables $myvar = isset($_GET['myvar']) ? ($_GET['myvar']) : ''; // decode - (make the string readable) $myvar = (rawurldecode($myvar)); // converts characters to HTML entities (reduce risk of attack) $myvar = htmlentities($myvar); // maybe custom sanitize program as well? // see [http://stackoverflow.com/questions/2668854/php-sanitizing-strings-to-make-them-url-and-filename-safe][1] $myvar = sanitize($myvar);

    Read the article

  • display HTML content from database with formatting in it

    - by Gaurav Sharma
    Hi all, I have used wmd-editor in my cakephp v1.3 application. The config which I have written is as follows: wmd_options = { output: "HTML", lineLength: 40, buttons: "bold italic | link blockquote code image | ol ul heading hr", autostart: true }; When I submit the form the HTML in the wmd enabled textarea is saved in the database with htmlentities() done to the text then I am displaying it with html_entity_decode() method. but the text is displayed as it is including the HTML coding like this <p><strong>hello dear friends</strong></p>\n\n<pre><code>I want to make sure that everything that you type is visible clearly.\nadasfafas\n</code></pre>\n\n<blockquote>\n <p>sadgsagasdgxcbxcbxc</p>\n</blockquote>\n\n<p><em>sadfgsgasdsgasgs</em></p>\n\n<p><b><a href="http://kumu.in">this is the link</a></b></p> Please help me solve this problem Thanks

    Read the article

  • How can a hacker put a file on my server root (apache, php, 1and1)

    - by mike-sav
    Hi there, I have a site hosted on 1and1 and a couple of weeks ago I noticed a hacker had put a .php file on the server that when viewed in a browser exposed my DB schema, DB connection strings, FTP account (for file uploads using a form), etc, etc. Naturally I panicked and I wiped the server and reuploaded my files. Fortunatley I encrypt passwords using MD5 and I don't store things like credit card details, etc, etc. Now I checked my files and with all user input I use a clean function (htmlentities, sql_real_escape_string, etc, etc) that strips the input of any XSS or SQL injection. I have also made sure that the session key gets re-engineered when a user status changes (like they log into their account) to prevent session hijacking, my folder permissions are set to 755 and file permission are 644. Has anyone got any idea how this could have happened? Or if I'm missing something

    Read the article

  • what are the best practices to prevent sql injections

    - by s2xi
    Hi, I have done some research and still confused, This is my outcome of that research. Can someone please comment and advise to how I can make these better or if there is a rock solid implementation already out there I can use? Method 1: array_map('trim', $_GET); array_map('stripslashes', $_GET); array_map('mysql_real_escape_string', $_GET); Method 2: function filter($data) { $data = trim(htmlentities(strip_tags($data))); if (get_magic_quotes_gpc()) $data = stripslashes($data); $data = mysql_real_escape_string($data); return $data; } foreach($_GET as $key => $value) { $data[$key] = filter($value); }

    Read the article

  • How I Can do web programming with Lisp or Scheme?

    - by Castro
    I usually write web apps in PHP, Ruby or Perl. I am starting the study of Scheme and I want to try some web project with this language. But I can't find what is the best environment for this. I am looking for the following features: A simple way of get the request parameters (something like: get-get #key, get-post #key, get-cookie #key). Mysql access. HTML Form generators, processing, validators, etc. Helpers for filter user input data (something like htmlentities, escape variables for put in queries, etc). FLOSS. And GNU/Linux friendly. So, thanks in advance to all replies.

    Read the article

  • How to convert a url to a browser like url? ( ...%20... )

    - by Kaoukkos
    I want to get data using CURL but I have a problem. When I set the url like this $url = "https://graph.facebook.com/fql?q=SELECT name FROM page"; // continues I do not have anything returned. When I copy the browser url, this is $url = "https://graph.facebook.com/fql?q=SELECT%20name%20FROM%20page"; I get the results through CURL. I tried htmlentities and htmlspecialchars without luck. What am I missing here? $ch = curl_init($url); curl_setopt($ch,CURLOPT_RETURNTRANSFER,1); $content = curl_exec($ch);

    Read the article

  • Reporting sanitized user input to the user via AJAX

    - by JimBo
    I am writing some code to give live feedback to the user on the validation of a form using AJAX. I have got it checking length and if the field is empty. Now I want it to sanitize the users input and if the sanatized input differs from the users original input then tell them which characters are not allowed. The code I have written so far works except some characters most notably a '£' symbol result in no response. I think it relates to json_encode and its encoding. Here is the code: $user_input = 'asdfsfs£'; $strip_array = str_split(strip($user_input)); $orig_array = str_split($user_input); $diff_array = array_diff($orig_array,$strip_array); $diff_str = implode(', ',$diff_array); $final = json_encode($diff_str); function strip($input){return htmlentities(strip_tags($input),ENT_QUOTES);} Hope someone can figure out a solution.

    Read the article

  • PHP form validation submit problem?

    - by TaG
    My code is suppose to save a year like 1999 to the mysql database but it wont. It will check to see if the user has entered only numbers and is at least 4 numbers long or if nothing has been entered correctly but it wont save the correct year? How can I fix this problem. Here is the PHP code. if(isset($_POST['year']) && intval($_POST['year']) && strlen($_POST['year']) == 4) { $year = mysqli_real_escape_string($mysqli, $purifier->purify(htmlentities(strip_tags($_POST['year'])))); } else if($_POST['year'] && strlen($_POST['year']) < 4) { echo '<p class="error">year is not correct!</p>'; } else if($_POST['year'] == NULL) { // do something }

    Read the article

  • PHP & RSS Feeds & Special Characters validation Problem.

    - by BUGY
    I keep getting the following validation warning below. And I was wondering that some of my articles deal with special characters and was wondering how should I go about rendering or not rendering special characters in my RSS feeds? Should I use htmlentites or not? If so how? In addition, interoperability with the widest range of feed readers could be improved by implementing the following recommendations. line 22, column 35: title should not contain HTML: &amp; PHP code. <title>' . htmlentities(strip_tags($title), ENT_QUOTES, "UTF-8") . '</title>

    Read the article

  • Send email with PHP script -> How to display mutated vowels?

    - by Sebi
    I use this php script to send an email. It works well, but german mutated vowels (ö,ä,ü, etc) are not displayed correctly. Any hints how to change that? <?php /* Geben Sie hier Ihre E-Mail Adresse zwischen den beiden " an: */ $_emails[0] = "[email protected]"; // Wenn keine $_POST Daten übermittelt wurden, dann abbrechen if(!isset($_POST) OR empty($_POST)) { header("Content-type: text/plain"); echo "Es wurden keine Daten übermittelt!"; exit; } else { // Datum, Uhrzeit und Pfad zum eigenen Script feststellen $date = date("d.m.Y"); $time = date("H:i"); $host = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; // Empfänger feststellen und auf Gültigkeit prüfen if(isset($_POST['recipient']) AND isset($_emails[ $_POST['recipient'] ]) AND preg_match("/^.*@.*\..*$/", $_emails[ $_POST['recipient'] ])) { $recipient = $_emails[ $_POST['recipient'] ]; } // Wurde kein (gültiger) Empfänger angegeben, es mit $_email[0] versuchen elseif(isset($_emails[0]) AND preg_match("/^.*@.*\..*$/", $_emails[0])) { $recipient = $_emails[0]; } // Ist auch diese Adresse ungültig, mit Fehlermeldung abbrechen else { header("Content-type: text/plain"); echo "Fehler im Script - es wurde kein Empfänger oder eine ungültige E-Mail Adresse in \ angegeben."; exit; } // Wenn Betreff übermittelt, diesen verwenden if(isset($_POST['subject'])) { $subject = $_POST['subject']; } // sonst einen Default Betreff verwenden else { $subject = "Formular Daten von {$_SERVER['HTTP_HOST']}"; } // E-Mai Kopf generieren $email = "Formular Eintrag\n" . "\n" . "Am $date um $time Uhr hast das Script auf $host Formulardaten empfangen,\n" . "welche nach Angabe des Browsers von {$_SERVER['HTTP_REFERER']} stammen.\n" . "\n" . "Der Formular Inhalt wird nachfolgend wiedergegeben.\n" . "\n"; // Alle $_POST Werte an den E-Mail Kopf anhängen foreach($_POST as $key => $value) { if($key == "redirect" OR $key == "recipient" OR $key == "subject") { continue; } $email .= "Fomular Feld '$key':\n" . "=============================\n" . "$value\n" . "\n"; } // E-Mail Fuß anfügen $email .= "=============================\n" . "Ende der automatisch generierten E-Mail."; // Versuchen E-Mail zu versenden if(!mail($recipient, $subject, $email)) { // Ist dies gescheitert, Fehlermeldung ausgeben echo "Es ist ein Fehler beim Versenden der E-Mail aufgetreten," . " eventuell liegt ein Konfigurationsfehler am Server vor.\n\n"; exit; } // Wenn gewünscht, auf Bestätigungsseite weiterleiten if(isset($_POST['redirect']) AND preg_match("=^(http|ftp)://.*\..*$=", $_POST['redirect'])) { header("Location: ".$_POST['redirect']); exit; } else { header("Content-type: text/html"); echo "Die E-Mail wurde erfolgreich versendet."; echo '<br>'; echo '<a href="http://www.ovlu.li/cms/index.php?page=kontakt">Zurueck</a>'; exit; } } ?> So i followed the hint in the first answer and the code looks now the following: <?php /* Geben Sie hier Ihre E-Mail Adresse zwischen den beiden " an: */ $_emails[0] = "[email protected]"; // Wenn keine $_POST Daten übermittelt wurden, dann abbrechen if(!isset($_POST) OR empty($_POST)) { header("Content-type: text/plain; charset=utf-8"); echo "Es wurden keine Daten übermittelt!"; exit; } else { // Datum, Uhrzeit und Pfad zum eigenen Script feststellen $date = date("d.m.Y"); $time = date("H:i"); $host = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']; // Empfänger feststellen und auf Gültigkeit prüfen if(isset($_POST['recipient']) AND isset($_emails[ $_POST['recipient'] ]) AND preg_match("/^.*@.*\..*$/", $_emails[ $_POST['recipient'] ])) { $recipient = $_emails[ $_POST['recipient'] ]; } // Wurde kein (gültiger) Empfänger angegeben, es mit $_email[0] versuchen elseif(isset($_emails[0]) AND preg_match("/^.*@.*\..*$/", $_emails[0])) { $recipient = $_emails[0]; } // Ist auch diese Adresse ungültig, mit Fehlermeldung abbrechen else { header("Content-type: text/plain"); echo "Fehler im Script - es wurde kein Empfänger oder eine ungültige E-Mail Adresse in \ angegeben."; exit; } // Wenn Betreff übermittelt, diesen verwenden if(isset($_POST['subject'])) { $subject = $_POST['subject']; } // sonst einen Default Betreff verwenden else { $subject = "Formular Daten von {$_SERVER['HTTP_HOST']}"; } // E-Mai Kopf generieren $email = "Formular Eintrag\n" . "\n" . "Am $date um $time Uhr hast das Script auf $host Formulardaten empfangen,\n" . "welche nach Angabe des Browsers von {$_SERVER['HTTP_REFERER']} stammen.\n" . "\n" . "Der Formular Inhalt wird nachfolgend wiedergegeben.\n" . "\n"; // Alle $_POST Werte an den E-Mail Kopf anhängen foreach($_POST as $key => $value) { if($key == "redirect" OR $key == "recipient" OR $key == "subject") { continue; } $email .= "Fomular Feld '$key':\n" . "=============================\n" . "$value\n" . "\n"; } // E-Mail Fuß anfügen $email .= "=============================\n" . "Ende der automatisch generierten E-Mail."; $email = htmlentities($email, ENT_QUOTES, 'uft-8'); // Versuchen E-Mail zu versenden if(!mail($recipient, $subject, $email)) { // Ist dies gescheitert, Fehlermeldung ausgeben echo "Es ist ein Fehler beim Versenden der E-Mail aufgetreten," . " eventuell liegt ein Konfigurationsfehler am Server vor.\n\n"; exit; } // Wenn gewünscht, auf Bestätigungsseite weiterleiten if(isset($_POST['redirect']) AND preg_match("=^(http|ftp)://.*\..*$=", $_POST['redirect'])) { header("Location: ".$_POST['redirect']); exit; } // sonst eine Bestätigung ausgeben else { header("Content-type: text/html"); echo "Die E-Mail wurde erfolgreich versendet."; echo '<br>'; echo '<a href="http://foto.roser.li/admin/index.php?page=kontakt">Zurueck</a>'; exit; } } ?> Now when I send the email, the following message is displayed: > Warning: htmlentities(): charset > `uft-8' not supported, assuming > iso-8859-1 in > /home/www/web21/html/roser/foto/admin/mail.php > on line 77 Die E-Mail wurde > erfolgreich versendet.

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 1 2 3 4 5  | Next Page >