How To Prevent PHP Code In Text Box

How to prevent PHP code in textbox and textarea?

For example, not allowing <?php phpinfo(); ?> to be entered in a textbox.

Is there any built-in validation without using a custom function?

This shouldn’t cause you any problems because you (generally) shouldn’t be running code that comes from user submitted content.

Can you demonstrate how you’re using the input which is creating the security hole?

It is not a security hole.

For example, two fields: title and content. If a user enters <?php phpinfo(); ?> as the title, the title won't display on the user side.

If you echo <?php whatever ?> without encoding, for any browser, that’s no different than echoing a <span>.

You will want to echo CHtml::encode($model->title); in order to convert the < and > into entities.

This also raises the question: if this input got into your database, this means you are pretty vulnerable to XSS attacks (so yes, you do have a security hole), so you should do something with the way you treat the input from your users.

Yes, as twisted1919 has said, you need to be using CHtml::encode() to safely encode the data before outputting it. Any input provided by the user can then be safely displayed.

Thank you for your reply.

I had fixed this using regular expression.

If you have used regex for this, I will assure you that you have not fixed your issue.

In my blind attempt to prove this, insert a title as:

This is my title &#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x22;&#x6E;&#x75;&#x6B;&#x65;&#x64;&#x21;&#x22;&#x29;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;

After saving you should have a problem when viewing.

But please note, even if the above doesn’t trigger an issue it doesn’t mean you still don’t have one :)
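To make the last two replies concrete, here is an added example (not code from this thread or from Yii) that contrasts a blacklist regex of the kind the poster mentions with output encoding. The regex pattern and the helper names are assumptions; htmlspecialchars() is the function CHtml::encode() wraps in Yii 1.x.

```php
<?php
// Added example, not code from the thread or from Yii: a blacklist regex of
// the kind the poster describes versus output encoding as recommended above.

// Constructed sample titles: a harmless one, the PHP tag from the question,
// and the entity-encoded script tag from the last reply.
$titles = [
    'Hello world',
    '<?php phpinfo(); ?>',
    'This is my title &#x3C;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;&#x61;&#x6C;&#x65;&#x72;&#x74;&#x28;&#x22;&#x6E;&#x75;&#x6B;&#x65;&#x64;&#x21;&#x22;&#x29;&#x3C;&#x2F;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3E;',
];

// Hypothetical input-side blacklist (an assumption about what a "regex fix"
// looks like): it only knows about a literal "<?php" opening tag.
function rejectsPhpTag(string $title): bool
{
    return preg_match('/<\?php/i', $title) === 1;
}

// Output-side encoding. In Yii 1.x, CHtml::encode() is a wrapper around
// htmlspecialchars() with ENT_QUOTES and the app charset; this does the same.
function encodeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The characters a browser reconstructs from the raw, unencoded string. The
// blacklist never saw them, because it matched on the entity-encoded form.
function browserDecodes(string $text): string
{
    return html_entity_decode($text, ENT_QUOTES, 'UTF-8');
}

foreach ($titles as $title) {
    echo "input:     {$title}\n";
    echo "blacklist: " . (rejectsPhpTag($title) ? 'rejected' : 'accepted') . "\n";
    echo "decoded:   " . browserDecodes($title) . "\n";
    // Encoding turns every '<', '>', '&' and quote into an entity, so the
    // title is displayed literally whether it holds a PHP tag, a <script>
    // tag, or an entity-encoded one (its leading '&' becomes '&amp;').
    echo "encoded:   " . encodeForHtml($title) . "\n\n";
}
```

The "encoded" line is what the view should emit for the title; it stays safe regardless of which input filter the value passed, which is the point twisted1919 makes above.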