PHP problems
I started learning PHP a few weeks ago and I've done quite a bit of stuff, but my latest endeavour is causing problems. I get this when I try it:
Parse error: syntax error, unexpected T_STRING in /www/110mb.com/n/a/t/t/i/e/s/_/natties/htdocs/bot.php on line 8
and the code I hast follows:
<?php
$comment="$_POST T_STRING['comment'];
if ($comment=="hi"){
echo "yo yo yo";
}elseif ($comment=="watup"){
echo "the sky";
}elseif ($comment=="idiot"){
echo "who you calling an idiot!?";
}elseif ($comment=="bye"){
echo "seeya!";
}
?>
I hope that thou art as dashing at PHP as at C++.
(Excuse the posh English, I've been coding for too long today.)
system_meltdown wrote: $comment=htmlentities(trim($_POST['comment']));
Well, since you are trying to help him secure it somewhat, at least do it fully :)
$comment = htmlentities(trim($_POST['comment']), ENT_QUOTES);
The second argument, ENT_QUOTES, makes sure that both ' and " are filtered. By default they aren't filtered.
chislam wrote: system_meltdown wrote: $comment=htmlentities(trim($_POST['comment']));
Well, since you are trying to help him secure it somewhat, at least do it fully :)
$comment = htmlentities(trim($_POST['comment']), ENT_QUOTES);
The second argument, ENT_QUOTES, makes sure that both ' and " are filtered. By default they aren't filtered.
It still works, don't know the difference. No idea what it does.
nattie wrote: chislam wrote: system_meltdown wrote: $comment=htmlentities(trim($_POST['comment']));
Well, since you are trying to help him secure it somewhat, at least do it fully :)
$comment = htmlentities(trim($_POST['comment']), ENT_QUOTES);
It still works, don't know the difference. No idea what it does.
OK. htmlentities is a PHP built-in function. This function changes all HTML characters such as > and <, etc. to their entities. So, < becomes &lt; and > becomes &gt;.
The reason you want to do this is to patch your application against XSS exploitation mainly. However, ' and " can also be used for XSS and/or SQL injection among other exploits. By default htmlentities does not change ' to &#039; and " to &quot;. So, that's why I corrected system_meltdown for forgetting the second parameter to htmlentities, which happens to be ENT_QUOTES, which does actually filter ' and ". If you are still lost, then read here: php.net/htmlentities. If you are coding in PHP, then make sure you have PHP.net a click away, so that you can always look up functions, etc.
chislam wrote: system_meltdown wrote: $comment=htmlentities(trim($_POST['comment']));
Well, since you are trying to help him secure it somewhat, at least do it fully :)
$comment = htmlentities(trim($_POST['comment']), ENT_QUOTES);
The second argument, ENT_QUOTES, makes sure that both ' and " are filtered. By default they aren't filtered.
Heh, I don't tend to bother with ENT_QUOTES, as I normally have magic_quotes_gpc turned on.
Well, htmlspecialchars is good, but I never use strip_tags. The reason being that if you do <h1>asdf</h1>, then it will strip it fine, and there's no XSS. But say you have a textbox, and you break out of the textbox like
">hey im out of the textbox
then it will work, because when you use strip_tags and you just have a greater-than sign, >, it doesn't strip it as long as you don't have a less-than sign, <. I'm not entirely sure if this has been reported to PHP and fixed, but it probably should be.
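As an added example, not code posted by anyone in this thread, the script below feeds the "break out of the textbox" comment through each function the thread argues about (strip_tags, htmlentities with and without ENT_QUOTES, htmlspecialchars, and addslashes as a stand-in for magic_quotes_gpc, which PHP removed in 5.4) and checks whether the echoed value stays inside its attribute. It covers both chislam's ENT_QUOTES explanation and the strip_tags post above. The helpers textbox() and attributeIntact() and the two payloads are constructed for the demo. ENT_COMPAT was the default flag set for htmlentities/htmlspecialchars before PHP 8.1 (it encodes " but leaves ' alone); since 8.1 the default already includes ENT_QUOTES, so the flags are passed explicitly to make the result the same on any version.

```php
<?php
// Added example, not code from the thread. Feeds the thread's
// "break out of the textbox" input through each function discussed
// and reports whether the echoed value stays inside its attribute.
// textbox(), attributeIntact() and the payloads are constructed here.

// The kind of markup the thread is echoing $comment back into.
function textbox(string $comment, string $q = '"'): string
{
    return "<input type=\"text\" name=\"comment\" value={$q}{$comment}{$q}>";
}

// True only if the first quote character after value=<q> is the one
// textbox() appended, i.e. the comment never closed the attribute early.
function attributeIntact(string $html, string $q = '"'): bool
{
    $open = strpos($html, "value={$q}");
    if ($open === false) {
        return false;
    }
    $start = $open + strlen("value={$q}");
    $close = strpos($html, $q, $start);
    return $close !== false && substr($html, $close) === $q . '>';
}

// Each filter applied to the raw POST value. ENT_COMPAT was the default
// before PHP 8.1 (encodes " only); ENT_QUOTES encodes both " and '.
// addslashes() emulates what magic_quotes_gpc did to input: a backslash
// before each quote, which means nothing to an HTML parser.
function filters(string $input): array
{
    return [
        'none'                           => $input,
        'strip_tags'                     => strip_tags($input),
        'addslashes (~magic_quotes_gpc)' => addslashes($input),
        'htmlentities ENT_COMPAT'        => htmlentities($input, ENT_COMPAT, 'UTF-8'),
        'htmlentities ENT_QUOTES'        => htmlentities($input, ENT_QUOTES, 'UTF-8'),
        'htmlspecialchars ENT_QUOTES'    => htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
    ];
}

// Constructed payloads: the thread's own one for a double-quoted attribute,
// and its single-quote twin for value='...'.
$cases = [
    ['"', '">hey im out of the textbox'],
    ["'", "'>hey im out of the textbox"],
];

foreach ($cases as [$q, $payload]) {
    printf("\nattribute quoted with %s, comment = %s\n", $q, $payload);
    foreach (filters($payload) as $name => $value) {
        $html = textbox($value, $q);
        printf("  %-32s %-6s %s\n", $name, attributeIntact($html, $q) ? 'safe' : 'BROKEN', $html);
    }
}
```

Running it shows the thread's two points side by side: strip_tags returns both payloads unchanged (there is no < for it to act on, so the bare > and the quote go straight into the page), addslashes only adds a backslash and the quote still closes the attribute, ENT_COMPAT rescues the double-quoted attribute but not the single-quoted one, and ENT_QUOTES (with either htmlentities or htmlspecialchars) keeps both intact. Note that all of these are HTML output encodings: they change nothing about what the string does inside an SQL statement, so the SQL injection concern raised above has to be handled separately at the database layer (with parameterised queries), not with htmlentities.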