Hall of Fame

[fourdeltaOne]

hello!

I do not know how, but today some who tried to find a hole or hack site

strange started writing codes, scripts in the comments.

in the comments left here are the codes.

Code Select Expand

1 code ####################################
 
<html><body><h1>TEST</h1></body></html>
 
 
2 code ####################################
 
<?php echo "test";?>
 
3 code  ####################################
 
<?php     for($i = 0; $i <10; $i++) {echo $i;}?>
 
4 code  ####################################
 
 
<!--?php 
	for($i = 0; $i <10; $i++) {
echo $i;
}?-->
 
 
5 code  ####################################
 
 
<!--?php echo DB; ?-->
<?php echo DB; ?>
 
 
6 code  ####################################
 
 
<script>
function count_rabbits() {
    for(var i=1; i<=3; i++) {
 
        alert("Кролик номер "+i)
    }
 
}
count_rabbits();
 
 
</script>
 
7 code  ####################################
 
 
 
<input  type="file" />

I want to ask may prohibit write html, php, java code?

[PHPVibe A.]

You think you got hacked cause that comment had code in it?
I have hundreds of those per month
If the code just parses and not executes, then the toDb() function does a nice job

[fourdeltaOne]

Alex. all may be)

possible to disable html in comments?

[PHPVibe A.]

Simplest way

/lib/ajax/addComment.php

Replace

Code Select Expand

$com_body = toDb($_REQUEST['comment']);

with

Code Select Expand

$com_body = toDb(strip_tags($_REQUEST['comment']));

[fourdeltaOne]

nothing has changed. are the same.

[PHPVibe A.]

New ones? Cause old ones won't change.

[fourdeltaOne]

yes, same.

[PHPVibe A.]

I'll look into it and get back to you.