Can the user input PHP code?

Can the user input PHP code?

I've just had a disturbing thought: can an end user input PHP code directly via FCKeditor?

I've tried: it doesn't seem to be possible.

I wanted to know: is there any way round for the user to do this?

I thought: this would be very very danderous - th euser could add code to delete files!!

Thanks.

OM

Fri, 05/09/2008 - 20:23

om3

Joined: 05/05/2008

Posts: 4

Re: Can the user input PHP code?

anyone?

Mon, 05/12/2008 - 18:48

syco

Joined: 21/04/2008

Posts: 25

Re: Can the user input PHP code?

opening and closing tags are changed to their ascii equavalent

<?
?>

in the source is

<p>&lt;?</p>
<p>&nbsp;</p>
<p>?&gt;</p>

You should still treat the input of FCK like any other users input. Assume someone will try to hack it so sanitize all inputs especially before committing it to a database.

Mon, 05/12/2008 - 21:21

om3

Joined: 05/05/2008

Posts: 4

Re: Can the user input PHP code?

and how does one sanitise?
surely that should be something thats built into fckeditor?
are there other ways of adding?
let me know.
thanks.

Fri, 09/12/2008 - 18:02

connectcase

Joined: 09/09/2007

Posts: 31

Re: Can the user input PHP code?

If you leave the

 FCKConfig.ProtectedSource.Add( /<\?[\s\S]*?\?>/g ) ;   // PHP style server side code

uncommented AND remove the Source button on your toolbar, you should be okay, right?