It is a common mistake, overlooked by developers, that a plain text box is provided for the user to enter details into the form, without taking care of what happens if the user enters HTML tags into that text box.
If the developer uses a database to store those details, the MySQL and PHP settings might take care of adding the data to the database correctly, but rendering that data back onto a web page gets
overlooked. The server simply treats the stored text as ordinary HTML and sends it along with the page's own markup.
Which in turn causes the application to crash.
Additionally, when making a site SQL injection proof, the developer really needs to take care of HTML posted to the site and eliminate or replace those HTML characters.
Below is a simple script I have written to either remove or replace the HTML characters in posted data. The script is simple and uses a minimal amount of code to achieve the target.
// Start of script
Usage : validateData([param1]);
==============================
// Callback for array_walk(): convert the HTML special characters in the value
// to their entity equivalents, so the text is displayed rather than parsed.
function replaceHTML(&$value, $key)
{
    $value = htmlentities($value);
}

// Callback for array_walk(): strip HTML tags from the value entirely.
function removeHTML(&$value, $key)
{
    $value = strip_tags($value);
}

// Walk over the posted and query-string data and either replace or remove
// the HTML in every value. $replaceOption defaults to 'replace'.
// Note: array_walk() visits only the top level, so a nested array in
// $_POST (e.g. name="items[]") would be handed to the callback as an array.
function validateData($replaceOption = 'replace')
{
    $arrPostedData = array_merge($_POST, $_GET);
    switch ($replaceOption) {
        case "replace":
            array_walk($arrPostedData, 'replaceHTML');
            break;
        case "remove":
            array_walk($arrPostedData, 'removeHTML');
            break;
    }
    echo "<pre>";
    print_r($arrPostedData);
    echo "</pre>";
}
e.g.
validateData('replace');
validateData('remove');
validateData();
=====================
The above piece of PHP code helps the developer parse the data input by the user and either completely remove the HTML tags from the data or replace those tags with their equivalent entities.
The parameter passed when calling the function decides what to do. This parameter is optional and defaults to 'replace' if nothing is passed; moreover, developers can customize the function as per their needs.
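The following is an added example, not the post's own script, that separates the two concerns the post mentions: the raw text is stored through a parameterised query (which is what stops SQL injection), and the HTML escaping happens when the value is rendered, with htmlspecialchars() and strip_tags() shown side by side on the same input. The input array is constructed here in place of $_POST so the script runs from the command line; it assumes PHP 8 with the pdo_sqlite extension and an in-memory SQLite database.

```php
<?php
// Added example, not the post's own code: escape posted data for HTML output
// and store the original text through a parameterised query. The input array
// is constructed here in place of $_POST so the script runs from the command
// line. Assumes PHP 8 with the pdo_sqlite extension.

declare(strict_types=1);

// Constructed sample input standing in for $_POST.
$posted = [
    'name'    => 'Tom & "Jerry" <b>Smith</b>',
    'comment' => '<a href="http://example.com">hi</a>, 5 < 6 and it\'s fine',
];

// Escape a value for an HTML text node or a double-quoted attribute.
// ENT_QUOTES also converts ' and "; the charset must match the page encoding.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Remove tags entirely. strip_tags() leaves a bare &, " or a "<" that is not
// followed by a tag name (the "5 < 6" above) untouched, so its result is
// still not safe to echo as-is.
function removeTags(string $value): string
{
    return strip_tags($value);
}

// 1. Store the raw text. The database wants the original value, and binding
//    it as a parameter keeps it from being read as part of the SQL statement.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (name TEXT, comment TEXT)');
$insert = $db->prepare('INSERT INTO comments (name, comment) VALUES (:name, :comment)');
$insert->execute([':name' => $posted['name'], ':comment' => $posted['comment']]);

// 2. Escape when rendering, once per output context. The page fragment is
//    built as a string and printed as plain text so the encoded form is visible.
$row = $db->query('SELECT name, comment FROM comments')->fetch(PDO::FETCH_ASSOC);
$html = '';
foreach ($row as $field => $raw) {
    $html .= sprintf("<p class=\"%s\">%s</p>\n", $field, escapeForHtml($raw));
}
echo "Rendered fragment (entities, safe to embed in the page):\n", $html, "\n";

echo "strip_tags() only (tags gone, but & and < remain):\n";
foreach ($row as $field => $raw) {
    echo $field, ': ', removeTags($raw), "\n";
}
```

Run it with php on the command line. The rendered fragment shows every &, <, > and quote as an entity, so the browser displays the user's text instead of interpreting it; the strip_tags() output shows why removing tags alone is not enough to make a value safe to echo.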
Monday, January 26, 2009
Sunday, January 25, 2009
Sending class object into email body using ob_* functions
Several times in my past career I have seen developers (mostly newbies) have considerable difficulty sending the content of a class object through email. Although we can print the object's content in the browser and view the values the object is holding, it sometimes becomes necessary to get the content of the object by email.
Following is the piece of code, which will definitely be helpful for your development.
// Start of code
// $records and $objClass are assumed to exist in the surrounding script.
ob_start();                     // start capturing anything printed from here on
$strBody = "Hi, There is an Error in creating Class Object while script was in second loop. Record Id :" . $records["recordDetailsId"];
print_r($objClass);             // goes into the output buffer, not straight to the browser
$strBody .= ob_get_contents();  // copy the buffered dump into the mail body
ob_end_flush();                 // also sends the buffered dump to the browser; ob_end_clean() would discard it instead
mail("foo@mycompany.com", "Error in Creating Object ", $strBody, "From: My Site\n");
// End of code
So you can easily see how only three functions, i.e. ob_start(), ob_get_contents() and ob_end_flush(), serve the purpose.
More details about these functions can be found at php.net.
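The following is an added example, not the post's own code, that captures the print_r() dump into a string with ob_get_clean(), so the object's contents end up only in the mail body and not in the HTTP response, and assembles the mail() arguments with fixed, CRLF-separated headers. The Order class, the $records array and the noreply@mycompany.com From address are constructed placeholders; buildErrorMail() returns the composed message instead of calling mail(), so the script runs without a mail server. Assumes PHP 8.

```php
<?php
// Added example, not the post's own code: capture a var dump into a string for
// an e-mail body without echoing it to the browser. No mail server is needed;
// buildErrorMail() returns what would be handed to mail(). Assumes PHP 8.

declare(strict_types=1);

// Constructed stand-ins for the $objClass and $records of the original post.
class Order
{
    public int $id = 42;
    public array $items = ['sku-1' => 2, 'sku-7' => 1];
    private string $internalNote = 'not for customers';  // print_r() dumps this too
}

$records  = ['recordDetailsId' => 1001];
$objClass = new Order();

// Render any value the way print_r() would, but return it instead of printing
// it. ob_get_clean() reads and discards the buffer in one step, so nothing
// reaches the browser; ob_end_flush() would also send the dump to the response.
function captureDump(mixed $value): string
{
    ob_start();
    print_r($value);
    return (string) ob_get_clean();
}

// Assemble the pieces mail() expects. Header lines are fixed strings separated
// by CRLF; nothing derived from request data is placed in them, which rules out
// header injection through the subject or From field.
function buildErrorMail(array $records, object $obj): array
{
    $body = 'Hi, there is an error in creating the class object while the script '
          . 'was in the second loop. Record Id: ' . $records['recordDetailsId'] . "\n\n"
          . captureDump($obj);

    return [
        'to'      => 'foo@mycompany.com',          // address from the post
        'subject' => 'Error in Creating Object',
        'body'    => $body,
        // placeholder sender address; private properties are in the dump,
        // so the recipient must be an internal mailbox
        'headers' => "From: My Site <noreply@mycompany.com>\r\n"
                   . "Content-Type: text/plain; charset=UTF-8",
    ];
}

$mail = buildErrorMail($records, $objClass);

// In production: mail($mail['to'], $mail['subject'], $mail['body'], $mail['headers']);
// Here the composed message is printed so the script runs anywhere.
echo $mail['headers'], "\n\n", $mail['body'];
```

print_r($value, true) would return the same string without output buffering, but the buffer approach also works for var_dump(), which has no return option, and for anything else the script prints while assembling the report.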