
I have created a very basic commenting system that allows users to comment. The problem is that some malicious users can try to write some HTML or JavaScript inside the comments. If the comments get published, will that JavaScript be able to run on other users' devices? I can take care of the JavaScript when I check the comments on the server side.

However, I still don't know how to deal with PHP inside the comments. Let's say someone includes a PHP script inside the comments. I think that as soon as I start parsing the comment on my server to remove malicious content, the PHP script inside the comment will start running and mess the whole thing up. Am I right?

Is there any way I can sanitize PHP inside the comments? If the PHP posted by a user in a comment runs on my server won't I be in trouble?

Let's say a user enters the following comment:

unlink(glob(*.php));

and I do the following inside my comment parsing script:

$comment = $_POST['comment'];

Am I in trouble?

Am I making the question clear? Let me know if I need to add anything.

Vineet Sharma
  • As long as you don't `include()`, `require()` or `eval()` the comment's content (nobody should be doing that, unless there are very good reasons), you are perfectly safe PHP-wise. You might still be vulnerable to XSS and SQL injections though. – Calimero Sep 11 '17 at 19:21
  • Thanks @Calimero. I am editing my question a little to be sure that I understand what you are saying. :) – Vineet Sharma Sep 11 '17 at 19:24
  • `$comment` is just a string, it won't do anything. If you made it `exec('destroy my system');` it wouldn't launch the shell unless you did `eval($comment)`, which you should never do. – chris85 Sep 11 '17 at 19:29
  • @chris85 what if the user tried to use `'` or `"` in their script to mess up the strings? – Vineet Sharma Sep 11 '17 at 19:30
  • No worries here :-) If you want to harden security, look at the JavaScript side of things. And remember that when you display the comment, you are doing it in the middle of your HTML, served under your website's domain (with full access to the DOM, user cookies, localStorage...). – Calimero Sep 11 '17 at 19:30
  • They can put as many `'`s and `"`s as they want; it's not going to get outside of the PHP storage. It could inject the DOM, but it sounds like you said you are already taking care of that. – chris85 Sep 11 '17 at 19:32
  • @VineetSharma in your last comment you are talking about SQL injection attacks, which is a topic in itself. The easiest way to be safe is to perform prepared queries through PDO. – Calimero Sep 11 '17 at 19:32
  • @Calimero (Could be XSS too, `"` can close an `input` value, then inject the DOM.) – chris85 Sep 11 '17 at 19:33
  • Thank you guys. I am just a beginner so I wanted to make sure that I am not doing something wrong that can take the website down. :D – Vineet Sharma Sep 11 '17 at 19:34
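To make the point in the comments concrete, here is an added example (not code from the question or from the commenters). It places a constructed malicious comment into `$_POST['comment']`, shows that the string is inert data unless it is handed to `eval()` or `include()`, stores it through a PDO prepared statement (an in-memory SQLite database is assumed to be available), and encodes it before echoing it into HTML. The input value, the `comments` table and the `renderComment()` function are assumptions made for the demonstration; nothing in it touches the real filesystem.

```php
<?php
// Added example, not from the question or the comments. Run with: php comment_demo.php
declare(strict_types=1);

// Constructed attacker input (assumed for the demo): PHP code, an attribute-breaking
// quote, an XSS payload and an SQL-injection attempt, all in one comment.
$_POST['comment'] = '<?php unlink(glob("*.php")); ?>" onmouseover="alert(1)'
    . '<script>alert(document.cookie)</script>\'; DROP TABLE comments; --';

$comment = $_POST['comment'];

// 1. The PHP inside the string never runs. $comment is data; PHP only executes
//    source files it loads (include/require) or text explicitly passed to eval().
$filesBefore = count(glob(__DIR__ . '/*.php'));
$length      = strlen($comment);                         // parse/search/store freely
$hasPhpTag   = strpos($comment, '<?php') !== false;
$filesAfter  = count(glob(__DIR__ . '/*.php'));
if ($filesBefore !== $filesAfter) {
    throw new RuntimeException('a plain string assignment should never touch files');
}
printf("stored %d bytes, contains '<?php': %s, .php files unchanged: yes\n",
    $length, $hasPhpTag ? 'yes' : 'no');

// 2. What WOULD turn the string into code (never do either with user input):
// eval($comment);      // executes attacker-supplied PHP
// include($comment);   // treats attacker data as a path of a file to execute

// 3. SQL injection: a bound parameter cannot escape the prepared statement,
//    so the quotes and "DROP TABLE" are stored as text, not executed.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
$stmt->execute([':body' => $comment]);
$stored = $db->query('SELECT body FROM comments')->fetchColumn();
if ($stored !== $comment) {
    throw new RuntimeException('round-trip through PDO failed');
}

// 4. XSS: the payload only becomes dangerous when echoed into HTML unencoded.
//    Encode for an HTML text context; ENT_QUOTES also covers attribute reuse.
function renderComment(string $body): string
{
    return '<p class="comment">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '</p>';
}
echo renderComment($stored), "\n";

// Vulnerable contrast (do not use): echo '<p class="comment">' . $stored . '</p>';
// would deliver the <script> to every visitor under your site's origin.
```

Running it prints the byte count, confirms no `.php` file was removed, and echoes the comment with `<`, `>`, `"` and `'` turned into entities. The important split is between steps 1 and 4: the server-side risk from a comment is zero as long as the string is never evaluated or used as a path, while the browser-side risk is entirely about how the string is written back into the page.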

0 Answers