I have a password-protected, user, on-line editor that I'm hardening against hackers just in case a user's pw is stolen or local PC is infected.

The user can enter html tags; but, I restrict the acceptable tags to benign ones. e.g., <p>, <b>, <table>, etc. e.g., no <embed... <script... etc.

Just to be extra safe, I've added a function that parses for executables in the raw, entered text. If found, I post and nasty error message and ignore the entry altogether.

Here are my regex patterns. I tried finding a complete list of browser executables; but was unsuccessful, probably because I didn't use the right key words.

Anyone have suggestions for additional patterns?

"error_reporting\(0\)",//Most hacks I've seen make certain they turn of error reporting
"\<?php",//Here for the heck of it.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to