
I'm trying to get help with this question and consequently build my website www.videocontractor.com. I've posed this question and solicited bids on the requisite code on freelancer.com. People on there have told me that it is indeed possible for a third party to fill out a php form on my site and in turn update the java code in my index file. I'm not sure I believe them. From the project description:

I'm looking to add a module on www.videocontractor.com and www.photocontractor.com that will enable visitors to the sites to add their business listing. I'm not sure if this can be done. I would like the javascript in the index.html file to be updated by site visitors. I think a PHP solution is needed. I'm open to other ideas.

Can someone on here tell me yes or no if I can add the functionality that has been somewhat described above? Are there any alternatives I should look into that would provide me with the same end result?

https://www.freelancer.com/projects/PHP-Javascript/PHP-Java-for-business-directory.html

  • Your question amounts to this: can a user upload text to a php script that updates a file with the uploaded text. Answer: of course. – Brad Sep 14 '13 at 16:15

2 Answers

From your description, you have asked someone to write code that modifies files on disk. While it is possible to do this in a safe way, I recommend against it.

What I recommend you do instead is keep your entries in a database, and generate resources dynamically, upon request. Be sure to use prepared/parameterized queries (PDO has this capability), and any data you output in the context of HTML use htmlspecialchars(). If you are outputting data into JavaScript, use json_encode(). This will ensure that the data remains just that... data, and not possible code for execution.

Brad
  • So the php form puts info into a database and that database then updates the html/java according to strict rules. These rules will prevent hacking in general and specifically code execution. – user2579076 Sep 14 '13 at 16:39
  • Where does Java come into play here? Are you confusing Java with JavaScript? Yes, the PHP form inserts data into the database. However, the database doesn't do anything but hold data. The next time some HTML or JavaScript is requested, it is generated on the fly by a PHP script which reads the data out of the database. – Brad Sep 14 '13 at 17:49
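A worked version of the accepted recommendation, added here as an example (it is not Brad's code or anything from the question): the submitted listing goes into the database through a PDO prepared statement, and the stored rows are rendered once with htmlspecialchars() for the HTML and once with json_encode() for the JavaScript. The table name listings(name, url, city), the PDO DSN and the credentials are assumptions.

```php
<?php
// Added example (not code from the question or the answer): a minimal listing
// module built the way the answer recommends. Assumed: a table
// listings(name, url, city) and placeholder PDO credentials.
function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=directory;charset=utf8mb4',
        'dbuser', 'dbpass',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]); // real server-side prepares
}

// Store a submitted listing. Values travel only as bound parameters, so they
// can never become part of the SQL text. Only http(s) URLs are accepted, since
// escaping alone does not stop a "javascript:" link in an href.
function addListing(PDO $pdo, string $name, string $url, string $city): bool {
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true) || $name === '') {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO listings (name, url, city) VALUES (?, ?, ?)');
    return $stmt->execute([$name, $url, $city]);
}

function h(string $s): string {          // escape for the HTML context
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render rows as HTML: every value goes through h(), so a listing named
// "<script>alert(1)</script>" shows up as text, not as a script.
function renderHtml(array $rows): string {
    $out = "<ul>\n";
    foreach ($rows as $r) {
        $out .= '  <li><a href="' . h($r['url']) . '">' . h($r['name']) . '</a>, '
              . h($r['city']) . "</li>\n";
    }
    return $out . "</ul>\n";
}

// Render the same rows for a <script> block: json_encode produces a JavaScript
// literal, and the HEX flags keep "</script>" or quotes from ending the block.
function renderJs(array $rows): string {
    $json = json_encode($rows, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>var listings = $json;</script>\n";
}
$pdo = connect();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    addListing($pdo, $_POST['name'] ?? '', $_POST['url'] ?? '', $_POST['city'] ?? '');
}
$rows = $pdo->query('SELECT name, url, city FROM listings ORDER BY name')->fetchAll(PDO::FETCH_ASSOC);
echo renderHtml($rows), renderJs($rows);
```

The index page never has to be rewritten on disk: each request regenerates the HTML and the JavaScript from the rows in the database, which is the point of the answer.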

It all depends on what you are doing later with that form. If you are putting it straight inside a query to a database without cleaning it, then it is completely possible to change your website. They can also use MySQL injections that way, and you could possibly lose your entire database.

If you want to filter what they write in the form, you can use strip_tags and after that addslashes, which will completely prevent any possible damage.

Vilsol
    `strip_tags()` and `addslashes()` **do nothing** to prevent any of the attacks you describe. See my answer here: http://stackoverflow.com/a/7810880/362536 – Brad Sep 14 '13 at 16:17
  • Well, if he wants to disallow them from implementing their own JavaScript code, then he can easily use strip_tags, because then the browser wouldn't even know it is JavaScript code. addslashes() would prevent MySQL injection attacks, but if you really want to, you can convert all double slashes to single slashes. – Vilsol Sep 14 '13 at 16:20
  • No! If he wants to avoid people adding JavaScript to some HTML, he should be escaping that data properly for output into HTML, via `htmlspecialchars()`. That is the only safe way, and the proper way to ensure you have valid HTML. And `addslashes()` is completely useless against SQL injection attacks. At a minimum, you **must** use the escape function provided by your database API, and that means after a character set has been configured. It's best to use prepared/parameterized queries to avoid this problem completely. – Brad Sep 14 '13 at 16:23