For starters, make the script use POST, not GET.
This will stop the text being echoed* and will also stop a lot of attacks.
Here is an easy way to make your script use POST.
/* If you're running PHP 4.1.2 or newer you will need this.
   It just gets the query strings out of the POST data; if you had a
   mail form the query strings might be $name, $email, etc. */
$query_string1 = isset($_POST['query_string1']) ? $_POST['query_string1'] : '';
$query_string2 = isset($_POST['query_string2']) ? $_POST['query_string2'] : '';

// CHECK REQUEST METHOD: anything other than POST (GET, HEAD, PUT, ...) is refused
if (!isset($_SERVER['REQUEST_METHOD']) || $_SERVER['REQUEST_METHOD'] != "POST") {
    echo "sorry bad request method - bye bye";
    exit;
}
OK, so now your script uses POST,
so it can't be called from anywhere but your page and it won't show anything!
Although it uses POST, people can still fake headers, so to make it a bit more secure we add some referer checking.
// CHECK REFERERS
// array for allowed domains (lower case please)
$referers = array('yoursite.com', 'www.yoursite.com', 'yoursite.org', 'www.yoursite.org');
// add upper case referrers
$size = sizeof($referers);
for ($i = 0; $i < $size; $i++) {
    $referers[] = strtoupper($referers[$i]);
}
// check referers: the header may be missing entirely, so start from "bad"
// and only clear it on a match. The offset of 7 skips a leading "http://",
// and only the first strlen(domain) characters after it are compared.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$bad_referer = TRUE;
for ($i = 0; $i < sizeof($referers); $i++) {
    if (substr($referer, 7, strlen($referers[$i])) == $referers[$i]) {
        $bad_referer = FALSE;
        break;
    }
}
if ($bad_referer) {
    echo "i dont like your referer";
    exit;
}
OK, so now our script has only one request method and it has referer checking (better than most scripts so far).
By using POST, people can't manually type their own input in the address bar, so this basically solves your problem. They can make their own form and change the max length and it won't work because of their bad referers.
Have fun.
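The two checks from the post above, combined into one function, as an added example that is not code from the original post. It takes a $_SERVER-style array so that constructed requests can be run through it offline; it assumes PHP 5.1 or newer (for parse_url() with PHP_URL_HOST), and the host names and sample requests are made up. Unlike the substr() version it compares the whole Referer host rather than its first few characters, so a host that merely begins with the allowed name is rejected, and it accepts https:// referers. The last sample shows what the post already says about faked headers: a client that sets its own Referer passes.

```php
<?php
// Added example, not from the original post. Hosts, paths and sample
// requests below are constructed for illustration only.

// Returns true when $server describes a POST whose Referer host is one of
// $allowed. Uses parse_url() instead of substr($ref, 7, ...) so that
// https://, ports and paths are handled and the full host is compared,
// case-insensitively, instead of just its leading characters.
function request_allowed($server, $allowed)
{
    // 1. request method: only POST is accepted
    if (!isset($server['REQUEST_METHOD']) || $server['REQUEST_METHOD'] !== 'POST') {
        return false;
    }

    // 2. referer: a missing or unparseable header fails closed
    if (!isset($server['HTTP_REFERER']) || $server['HTTP_REFERER'] === '') {
        return false;
    }
    $host = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    if ($host === false || $host === null) {
        return false;
    }

    // Lower-case both sides once, so no upper-case copies of the list are needed.
    $host = strtolower($host);
    foreach ($allowed as $domain) {
        if ($host === strtolower($domain)) {
            return true;
        }
    }
    return false;
}

// Constructed sample requests (not real traffic).
$allowed = array('yoursite.com', 'www.yoursite.com');
$samples = array(
    'POST from own page'       => array('REQUEST_METHOD' => 'POST',
                                        'HTTP_REFERER'   => 'http://www.yoursite.com/form.html'),
    'POST, https referer'      => array('REQUEST_METHOD' => 'POST',
                                        'HTTP_REFERER'   => 'https://YourSite.com:443/form.html'),
    'GET typed in address bar' => array('REQUEST_METHOD' => 'GET',
                                        'HTTP_REFERER'   => 'http://www.yoursite.com/form.html'),
    'POST, no referer'         => array('REQUEST_METHOD' => 'POST'),
    'POST from another site'   => array('REQUEST_METHOD' => 'POST',
                                        'HTTP_REFERER'   => 'http://evil.example/copy-of-form.html'),
    // substr($ref, 7, strlen('yoursite.com')) would match this one; a whole-host
    // comparison does not.
    'POST, look-alike host'    => array('REQUEST_METHOD' => 'POST',
                                        'HTTP_REFERER'   => 'http://yoursite.com.evil.example/x'),
    // As the post says, headers can be faked: a client that sets its own
    // Referer to an allowed host passes the check.
    'POST, forged referer'     => array('REQUEST_METHOD' => 'POST',
                                        'HTTP_REFERER'   => 'http://www.yoursite.com/'),
);

foreach ($samples as $label => $server) {
    printf("%-26s %s\n", $label, request_allowed($server, $allowed) ? 'allowed' : 'rejected');
}
```

Running it prints "allowed" for the first two and the last sample and "rejected" for the others; the look-alike host is the case where comparing the whole host name, rather than a prefix of the URL, makes the difference.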