SDE - exploit?

trevor · 02-08-2003, 02:31 PM

hey man,

umm....yeah, whats the problem and how do i fix it?

thanks man,

Trevor

sde · 02-08-2003, 06:21 PM

sorry man, that was a post gone way bad =)

i noticed that html is enabled in your forums.. so i was trying to be a smartass and put a meta-redirect and make it redirect to code newbie when someone viewed my post ...

however, .. something stopped part of the html from showing.. i believe it was the quotes in my post.

you should use the html entities function so people can't use any html in your forums. it is a big security risk.

for example:

PHP Code:


			
<?

$post="< html >";



$post=htmlentities($post);



echo $post;

?>

after $post goes through the htmlentiteis filter, .. it will be this:

< html >

that is so it will display proplerly in the forums, and also it will prevent any html from executing too.

does that make sense?

sorry i messed the forums up .. after posting the first one, it didn't show right away. i'm not sure why there is a gap from when you post to when it shows up... so that is why i posted the second one... i thought i experienced the bug you had problems with before .. posts not showing up for some reason .. but then after i posted the second one.. both of them were there . =/

trevor · 02-08-2003, 06:32 PM

my buddy deleted a post (dumbass) so it was missing an ID number, so it wouldn't show.

thanks for finding that, im not sure weather or not to turn html off because I like being able to post images and stuff. at least php is turned off on the posts.

the crowd the site is for wouldn't do anything bad.

well see how it turns out.

thanks again,

Trevor

02-09-2003, 07:13 AM

for images you could do something like

[ img ] blah.com/asd.jpg [ /img ]

and PHP can interpret it and put it as < img src tag.

sde · 02-09-2003, 07:36 AM

php doesn't automatically replace that . you have to write scripts to search out a pattern of an open img tag and closed image tag.. then it has to pull the info in the middle of them into a variable, and create a regular html tag with that.

02-09-2003, 07:54 AM

Quote:

Originally posted by sde
php doesn't automatically replace that . you have to write scripts to search out a pattern of an open img tag and closed image tag.. then it has to pull the info in the middle of them into a variable, and create a regular html tag with that.

I know I meant you could just write some PHP code to do that for you.....

trevor · 02-09-2003, 05:48 PM

yeah.....thats a lot of extra code when so much has to be written first.

Admin · 02-10-2003, 07:05 AM

um, i suggested that you turn off HTML like 2 weeks ago...

its good that mike posted and not me, har har.

sde · 02-10-2003, 08:57 AM

pffffftt

Admin · 02-10-2003, 09:55 AM

/me kicks mike in the shin