tags:

views: 96

answers: 6

When a user enters a web URL in a comment, that URL becomes a link.

How do I prevent attacks from those links? Any measures I can take?

Thanks

+3  A: 

There is nothing you can do except moderation. There is no way for a computer to determine if a link is sane or not. You can check against blacklists, you can check for some words in the domain, but other than that there's not much you can do, sorry...

Franz
P.S.: You could disallow links ;)
Franz
This is true, there is no system that absolutely filters out everything, but you can at least put measures in place to slow down the majority of the problems. It's like putting in a fence to keep burglars out: it won't stop all burglars, but it will stop a midget burglar.
Jeremy Morgan
+2  A: 
  1. You can write your own filtering system that flags posts based on spam words, and checks links for spam or adult-related stuff

  2. Use a 3rd-party tool like Akismet that checks for you

  3. Use a moderation system so that any post with a link has to be approved by you.

  4. All of the above. You could even throw a CAPTCHA in there as well to slow down bots.

Jeremy Morgan
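A minimal version of items 1 and 3 above, as an added example that is not part of Jeremy Morgan's answer: URLs are pulled out of the comment, each host is checked against a blocklist, the text is checked for spam words, and anything that still contains a link is held for human approval. The spam words, the blocked domains and the sample comments are all constructed for the demo, and every function name is this example's own (PHP 8 is assumed for str_contains/str_ends_with).

```php
<?php
// Added example, not code from the original answer.
// SPAM_WORDS and BLOCKED_DOMAINS are made-up lists for the demo.
const SPAM_WORDS     = ['viagra', 'casino', 'free money'];
const BLOCKED_DOMAINS = ['evil.example', 'spam.example'];

/** Return every http/https URL found in the comment text. */
function extract_urls(string $text): array
{
    preg_match_all('~https?://[^\s<>"\']+~i', $text, $m);
    return $m[0];
}

/** True if the URL's host is a blocked domain or a subdomain of one. */
function is_blocked_host(string $url): bool
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    if ($host === '') {
        return true;                      // unparsable URL: treat as hostile
    }
    foreach (BLOCKED_DOMAINS as $bad) {
        if ($host === $bad || str_ends_with($host, '.' . $bad)) {
            return true;
        }
    }
    return false;
}

/**
 * Classify a comment:
 *   'reject'  - contains a spam word or a link to a blocked domain
 *   'hold'    - contains links, so a human has to approve it (item 3)
 *   'approve' - plain text with no links
 */
function classify_comment(string $text): string
{
    $lower = strtolower($text);
    foreach (SPAM_WORDS as $word) {
        if (str_contains($lower, $word)) {
            return 'reject';
        }
    }
    $urls = extract_urls($text);
    foreach ($urls as $url) {
        if (is_blocked_host($url)) {
            return 'reject';
        }
    }
    return $urls ? 'hold' : 'approve';
}

// Constructed sample comments, paired with the decision we expect for each.
$samples = [
    'Nice post, thanks!'                             => 'approve',
    'See my write-up at http://blog.example/notes'   => 'hold',
    'Cheap pills here http://www.spam.example/buy'   => 'reject',
    'Win FREE MONEY today'                           => 'reject',
];
foreach ($samples as $comment => $expected) {
    $got = classify_comment($comment);
    printf("%-7s %-8s %s\n", $got, $got === $expected ? 'ok' : 'MISMATCH', $comment);
}
```

The blocklist check matches on the parsed host rather than on a substring of the whole URL, so `http://evil.example.attacker.example/` is not blocked by accident while `www.spam.example` is. Anything the lists do not catch still lands in the moderation queue because it carries a link.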
+1  A: 

Don't allow link tags in comments? Use the PHP strip_tags function to remove HTML tags from submitted comments (you can add a list of tags that are allowed to the function, too).

Zenon
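As an added example, not part of Zenon's answer, here is what strip_tags does with and without an allowed-tag list on a constructed comment; the two function names are this example's own.

```php
<?php
// Added example, not code from the original answer. The comment is constructed.
$comment = 'Look <b>here</b>: <a href="javascript:alert(1)" onclick="steal()">click</a>'
         . ' <script>evil()</script>';

/** Strategy 1: no HTML at all. Tags are removed, then the text is escaped for output. */
function comment_to_safe_html(string $raw): string
{
    $text = strip_tags($raw);
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Strategy 2: keep <a> and <b>. strip_tags() leaves the attributes of allowed tags alone. */
function comment_keep_links(string $raw): string
{
    return strip_tags($raw, '<a><b>');
}

echo comment_to_safe_html($comment), "\n";
echo comment_keep_links($comment), "\n";
```

With no allowed tags the result is plain text ("Look here: click evil()"): the script body survives as harmless text, and htmlspecialchars makes sure nothing in it is interpreted as markup. With `<a>` on the allowed list, strip_tags keeps the whole tag, attributes included, so the `javascript:` href and the `onclick` handler pass straight through. Allowing link tags therefore only works together with a separate check of the href value and removal of event-handler attributes.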
+1  A: 

You could use a blacklist (which is not going to catch most things), a whitelist (which is going to block most non-harmful links), or a redirect screen that warns the user "Don't be an idiot, this link might be malicious" (which doesn't prevent the links, but lets you say you warned the user and it's their own fault). Pick your poison.

Brian Schroth
+1  A: 

This will sanitize your URL locally but will have zero impact on malicious external sites if the user clicks the link:

$url = "http://www.mytesturl.com";
$url = filter_var($url, FILTER_SANITIZE_URL);

The filter will remove all characters, except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=

cballou
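An added example that is not part of Brian Schroth's or cballou's answer: a PHP sketch that combines the two. Each URL in a comment is first checked as an absolute http(s) link (FILTER_SANITIZE_URL on its own is not enough, because `javascript:alert(1)` is made only of permitted characters and comes back unchanged), and is then rewritten to go through a warning page. The warning-page URL carries an HMAC over the target so the page cannot be abused as an open redirector. The /go.php path, the REDIRECT_KEY secret, the sample comment and all function names are assumptions of this example.

```php
<?php
// Added example, not code from the original answers.
const REDIRECT_KEY  = 'replace-with-a-long-random-secret'; // assumption: real sites load this from config
const REDIRECT_PATH = '/go.php';                           // assumption: the warning page

/**
 * Accept only absolute http(s) URLs with a host. The sanitize filter must be a
 * no-op (otherwise the input had characters that do not belong in a URL), the
 * validate filter must pass, and the scheme is checked explicitly.
 */
function is_acceptable_link(string $url): bool
{
    $clean = filter_var($url, FILTER_SANITIZE_URL);
    if ($clean !== $url || filter_var($clean, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $parts = parse_url($clean);
    return is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

/** Build the warning-page URL; the HMAC ties it to a target we generated ourselves. */
function redirect_url(string $target): string
{
    $sig = hash_hmac('sha256', $target, REDIRECT_KEY);
    return REDIRECT_PATH . '?' . http_build_query(['to' => $target, 'sig' => $sig]);
}

/** go.php calls this before showing "this link might be malicious, continue?". */
function verify_redirect_target(string $target, string $sig): bool
{
    return is_acceptable_link($target)
        && hash_equals(hash_hmac('sha256', $target, REDIRECT_KEY), $sig);
}

/**
 * Escape the comment for HTML and turn each acceptable URL into a link through
 * the warning page. URLs that fail the check are left as plain text.
 */
function linkify_comment(string $text): string
{
    // With PREG_SPLIT_DELIM_CAPTURE the odd-numbered parts are the captured URLs.
    $parts = preg_split('~(https?://[^\s<>"\']+)~i', $text, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        $safe = htmlspecialchars($part, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        if ($i % 2 === 1 && is_acceptable_link($part)) {
            $href = htmlspecialchars(redirect_url($part), ENT_QUOTES | ENT_HTML5, 'UTF-8');
            $out .= '<a href="' . $href . '" rel="nofollow noopener">' . $safe . '</a>';
        } else {
            $out .= $safe;
        }
    }
    return $out;
}

// Constructed sample input.
$comment = 'See http://example.com/a?x=1&y=2 and ignore javascript:alert(1) and <b>bold</b>';
echo linkify_comment($comment), "\n";

foreach (['http://example.com/a?x=1&y=2', 'javascript:alert(1)', 'ftp://host/file'] as $candidate) {
    printf("%-30s %s\n", $candidate, is_acceptable_link($candidate) ? 'acceptable' : 'rejected');
}

// What go.php does with its query string: only targets we signed are accepted.
$to  = 'http://example.com/a?x=1&y=2';
$sig = hash_hmac('sha256', $to, REDIRECT_KEY);
printf("signed target verifies:   %s\n", verify_redirect_target($to, $sig) ? 'yes' : 'no');
printf("tampered target verifies: %s\n", verify_redirect_target('http://attacker.example/', $sig) ? 'yes' : 'no');
```

The text of the comment is escaped before any link markup is added, so a user cannot smuggle in their own tags, and the displayed link text is the URL itself rather than attacker-chosen anchor text. The `rel="nofollow noopener"` attribute is an addition of this example: it removes the search-ranking incentive for comment spam and stops the opened page from reaching back into yours through `window.opener`.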
A: 

Check out mollom.com; this 3rd-party service will prompt the user for a CAPTCHA only if the post appears to be spam.

jwhat