I am toying with this idea of letting my users change some CSS on their profiles.

<?php if($user->profile_css): ?>
<style type="text/css">
<?php print ($user->profile_css) ?>
</style>
<?php endif ?>

Basically I have created a field that is inserted into the style tags with PHP. What happens if someone enters PHP into this field instead of CSS?
The PHP gets executed before anything is sent to the browser, so the browser would just see

<style type="text/css">whatever your php printed in here</style>
Yes, but what if they put a PHP script in there that could mess up the page, or call something from somewhere else, or try to access my DB?
It wouldn't get executed. It would be like putting

<style><? echo "asdfasdf" ?></style>

in an HTML file. Nothing would happen.
If you were to allow users to have a CSS section in their profile, you would need to make sure you clean it by stripping out any HTML tags and removing any instances of the text 'javascript:' as some browsers allow JavaScript to be executed inside stylesheets. The easiest way to accomplish this would be to replace <?php print ($user->profile_css) ?> with <?php print eregi_replace("javascript:","",strip_tags($user->profile_css)); ?>
You are using a regular expression to remove a string? Man I so don't want to see the rest of your code.
str_ireplace would probably be better. I just couldn't think of a non-case sensitive version of str_replace at the time. Your social grace amazes me.
Regular expressions are used for finding strings based on patterns and rules. Icheb complained about my use of the eregi_replace function, which uses regular expressions, because it uses a bit more processing power. The following code should work fine. <?php print str_ireplace("javascript:","",strip_tags($user->profile_css)); ?> This snippet of code removes any html tags and removes any occurrence of the string 'javascript:' from the data and then prints it. It would probably be a good idea to clean the string of tags and such before storing it in the database, rather than clean it every time you pull it out of the database to save processing time.
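An added example, not code posted in this thread: it runs the str_ireplace approach from the post above against a constructed input built to survive it, and beside it an allow-list sanitizer for the same field. The function names, the property list and the value pattern are my own assumptions, not anything the thread prescribes.

```php
<?php
// Added example (not code from the thread). Shows why a single-pass
// str_ireplace("javascript:", ...) is not a sanitizer and sketches an
// allow-list alternative for user-supplied profile CSS.

// The thread's approach: strip tags, delete one literal token, print the rest.
function naive_clean(string $css): string
{
    return str_ireplace('javascript:', '', strip_tags($css));
}

// Allow-list sanitizer: keep only known properties whose values match a
// strict character class; drop everything else instead of "cleaning" it.
// The list below is an assumption for this example; extend it as needed.
const ALLOWED_PROPERTIES = [
    'color', 'background-color', 'font-family', 'font-size', 'font-weight',
    'text-align', 'border-color', 'border-width', 'border-style',
];

function safe_css(string $css): string
{
    $out = [];
    // One declaration per "property: value" pair. Anything that does not
    // parse this way is discarded, not repaired.
    foreach (explode(';', $css) as $decl) {
        if (!preg_match('/^\s*([a-z-]+)\s*:\s*([^;]+?)\s*$/i', $decl, $m)) {
            continue;
        }
        $prop  = strtolower($m[1]);
        $value = $m[2];
        if (!in_array($prop, ALLOWED_PROPERTIES, true)) {
            continue; // unknown or deliberately excluded property
        }
        // No parentheses (rules out url(), expression(), attr(), var()),
        // no backslashes (CSS escapes), no quotes, no slashes, no '<' or '>'.
        if (!preg_match('/^[a-z0-9#%., -]+$/i', $value)) {
            continue;
        }
        $out[] = $prop . ': ' . $value . ';';
    }
    // Emit under a fixed selector so the user cannot supply their own.
    return '.profile { ' . implode(' ', $out) . ' }';
}

// --- Demonstration on constructed inputs ---
$bypass = 'background: url(javajavascript:script:alert(1))';
// naive_clean removes the inner token once and never rescans, so the
// outer token is reassembled:
//   background: url(javascript:alert(1))
echo naive_clean($bypass), "\n";
// safe_css drops the whole declaration: 'background' is not on the list,
// and the value contains parentheses anyway.
echo safe_css($bypass), "\n";   // .profile {  }

$mixed = 'color: #336699; font-family: Arial, sans-serif; width: expression(alert(1))';
echo safe_css($mixed), "\n";
// .profile { color: #336699; font-family: Arial, sans-serif; }
```

The point of the allow-list is that deleting known-bad tokens is the wrong direction: a single-pass delete is defeated by nesting the token inside itself, and even a repeated delete would still let through constructs such as url() and @import (which load external resources from a third-party server) or the old IE expression() and old Firefox -moz-binding (which executed script from a stylesheet in those browsers). Keeping only properties and value characters you have decided are acceptable closes all of those at once. The thread's suggestion to sanitize before storing rather than on every page view still applies; just run the allow-list at that point instead of the string replace.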