Allowing Users to Edit HTML

I am a consultant developing a PHP-based site (fully operational now, 
we're adding some new features).

One thing I need to do is allow resellers of my client's services to 
edit HTML which will then be used on the web pages their customers see. 
In other words they get to customize the appearance of their portion of 
the site.  Most of the data entry involved is stuff where they plug in 
some data and I create the HTML with it -- stuff like colors and 
titles.  But in some cases I need to allow them to enter HTML code 
themselves.

I am currently running the code through htmlentities() before 
displaying it in the form field for them to edit.  The _POST data is 
run through trim(), then substr() to limit the length, then 
html_entity_decode(), before doing any further processing.  We also use 
strip_tags() on all fields in _POST except the HTML data, and 
everything that goes into the database is run through 
mysql_real_escape_string().

Do these methods seem reasonably secure?  Am I missing something?  The 
risk is minimized by the fact that the HTML the user enters is 
displayed to their own customers, whom they presumably don't want to 
attack (and if they did they could just do it on their own web site).  
But I still want to avoid as many opportunities as possible for either 
inadvertent or deliberate errors to cause trouble.

Thanks for any comments,

--
Tom

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
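As an added example (not code from Tom's message or from the list), the round-trip pipeline described above is shown beside an allowlist sanitizer built on PHP's DOM extension; the allowed tag and attribute lists, the 4000-character limit and the sample input are assumptions made for illustration.

```php
<?php
// 1. The pipeline from the post: entity-encode for the form field, then
//    trim/substr/decode on submit. The decode restores the submitted HTML
//    verbatim, so this protects the <textarea>, not the customer-facing page.
function roundTrip(string $html): string {
    $forForm = htmlentities($html, ENT_QUOTES, 'UTF-8');   // safe inside the form
    $posted  = substr(trim($forForm), 0, 4000);            // assumed length limit
    return html_entity_decode($posted, ENT_QUOTES, 'UTF-8'); // raw HTML again
}

// 2. Allowlist sanitizer (assumed lists): keep only known elements and
//    attributes; everything else, including script/style, event handlers
//    and non-http(s) link targets, is dropped. Relative hrefs are also
//    dropped here to keep the scheme check strict.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS = ['a' => ['href']];

function sanitizeHtml(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $html . '</body>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    // Reverse document order so removing a node never skips a sibling.
    $nodes = iterator_to_array($xpath->query('//body//*'));
    foreach (array_reverse($nodes) as $el) {
        if (!in_array($el->nodeName, ALLOWED_TAGS, true)) {
            $el->parentNode->removeChild($el);   // unknown tag: drop it and its content
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $ok = in_array($attr->name, ALLOWED_ATTRS[$el->nodeName] ?? [], true);
            if ($ok && $attr->name === 'href') {
                $scheme = strtolower((string) parse_url($attr->value, PHP_URL_SCHEME));
                $ok = in_array($scheme, ['http', 'https'], true);
            }
            if (!$ok) {
                $el->removeAttribute($attr->name);
            }
        }
    }
    $out = '';
    foreach ($doc->getElementsByTagName('body')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample input exercising an event handler, a script and a bad href.
$sample = '<p onclick="x()">Hi <b>there</b><script>x()</script>'
        . '<a href="javascript:void(0)">bad</a> <a href="https://example.com">ok</a></p>';
var_dump(roundTrip($sample) === $sample);   // the round trip removes nothing
echo sanitizeHtml($sample), "\n";           // only allowlisted markup survives
```

The sanitizer is an allowlist by design: anything the reseller legitimately needs (tables, images, class names) has to be added to the lists explicitly rather than letting unknown markup through.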

