I'm currently writing a PHP application (a bulletin board type thing) where users can enter different input via <input type=text> and <textarea>.
After they have submitted their input others will be able to see it.
At this time the user input is validated by the functions "stripslashes" and "escapeshellcmd".
My question is: what other security precautions (so that users cannot enter dangerous commands which could list directories, execute programs, etc.) should I consider before I let users enter and view their input on my pages where PHP, CGI and SSI are enabled.
The pages are running on Unix/Apache 1.3.6
Tom
Hi Tom,
For incoming data, the functions to look at (depending on your needs) are:
addslashes(), trim()
For sending user-created data back to the browser, you should look at:
nl2br(), stripslashes(), htmlspecialchars(), and htmlentities()
Also look into magic quotes. This can be a big time saver.
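An added example (not code from either poster) showing the output-encoding functions the reply recommends applied to a bulletin-board post; the function names and the sample post are my own, and it assumes a current PHP where magic quotes no longer exist.

```php
<?php
// Added example, not from the original thread. escapeshellcmd() only matters
// when text is passed to a shell; text that is merely stored and shown back
// to other users is dangerous as injected HTML/JavaScript (or, on an
// SSI-parsed page, as a server-side include directive), and the fix for
// that is encoding on output with htmlspecialchars().

// Incoming data: trim whitespace. Do not addslashes() for the database;
// use prepared statements (PDO/mysqli) for that instead.
function prepare_post_for_storage(string $raw): string
{
    return trim($raw);
}

// Outgoing data: escape &, <, >, " and ' so the post is displayed
// literally, then convert newlines from the <textarea> into <br />.
// Because '<' is encoded, neither <script> tags nor <!--#...--> SSI
// directives survive to be interpreted by the browser or by Apache.
function render_post(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return nl2br($safe);
}

// Constructed sample post containing markup that must not be rendered.
$sample = "  Hello all!\n<script>alert('hi')</script>  ";
$stored = prepare_post_for_storage($sample);
echo render_post($stored);
```

Run it and view the page source: the angle brackets and quotes appear as entities, so the post is shown as text rather than executed.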