In a blog system I am converting an image with a certain URL to an iframe. This also generates some JavaScript, but I'm not sure if this is really safe. So please help me out here.
// Find every <img> whose src is the marker URL and capture the rest of its attributes
preg_match_all('~<img src="http://the-image.jpg" ([^>]+)>~i', $blog_entry, $matches);
$iframe = array();
foreach ($matches[1] as $str) {
    // Split the attribute string into name => value pairs (group 1 = name, group 4 = value)
    preg_match_all('~([a-z]([a-z0-9]*)?)=("|\')(.*?)("|\')~is', $str, $pairs);
    $iframe[] = array_combine($pairs[1], $pairs[4]);
}
// The width, alt and border attributes of the first match are reused as the iframe's width, src and id
$iframe_width = htmlspecialchars($iframe['0']['width']);
$iframe_src = mysql_real_escape_string($iframe['0']['alt']);
$iframe_id = htmlspecialchars($iframe['0']['border']);
$iframe_width = strip_tags($iframe_width);
$iframe_src = strip_tags($iframe_src);
$iframe_id = strip_tags($iframe_id);
$t_blog_entry = preg_replace(
    '~<img src="http://the-image.jpg" ([^>]+)>~i',
    '<iframe src="' . $iframe_src . '" scrolling="no" frameborder="0" width="' . $iframe_width
        . '" height="0" style="border:none; overflow:hidden;" allowTransparency="true" id="'
        . $iframe_id . '-iframe"></iframe>',
    $blog_entry
);
This also generates JavaScript like this:
<script type="text/javascript">
// $votelr_id is assumed to hold the same value as $iframe_id in the PHP above
$(document).ready(function() {
    $.getJSON("http://api.votelr.com/api-height.php?id=<?php echo ''. $votelr_id .''; ?>&callback=?", function(datavotelr){
        $('#<?php echo ''. addslashes($votelr_id) .''; ?>-iframe').css('height', datavotelr);
    });
});
</script>
Maybe I'm crazy here and this is totally unsafe, letting a user somehow manipulate the JavaScript or something? And is there a way to get around this?
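An added example, not code from the question or the answer, showing how the three attributes taken from the img tag can be validated for the context they end up in rather than escaped generically: the width is accepted only as a small positive integer, the src only as an http(s) URL whose host is on an allow-list (the list containing api.votelr.com is an assumption for this illustration), and the id only as a plain token. htmlspecialchars with ENT_QUOTES is used for the HTML attribute context and json_encode for the script context; addslashes is not a JavaScript encoder and does not stop a value like </script> from ending the script block. The blog entry below is constructed sample input; the function names are mine. Requires PHP 7.1 or later.

```php
<?php
// Added example: validate the img attributes before they reach HTML or JS output.
// Constructed sample input; the alt value is the URL the iframe should load.
$blog_entry = '<p>Vote!</p><img src="http://the-image.jpg" width="300" '
            . 'alt="http://api.votelr.com/poll/42" border="poll42" onerror="alert(1)">';

$allowed_src_hosts = array('api.votelr.com'); // assumed allow-list of iframe hosts

// Escape for an HTML attribute value (double- and single-quoted).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Split the attribute string into name => value pairs; \2 requires matching quotes.
function parse_img_attributes(string $tag_body): array {
    preg_match_all('~([a-z][a-z0-9]*)=("|\')(.*?)\2~is', $tag_body, $pairs);
    return array_combine(array_map('strtolower', $pairs[1]), $pairs[3]);
}

// Width: only a plain positive integer within a sane range.
function validate_width(string $raw): ?int {
    if (!preg_match('/^\d{1,4}$/', $raw)) return null;
    $w = (int) $raw;
    return ($w > 0 && $w <= 2000) ? $w : null;
}

// Src: http(s) URL whose host is on the allow-list; javascript:/data: never pass.
function validate_src(string $raw, array $allowed_hosts): ?string {
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) return null;
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) return null;
    if (!in_array(strtolower($parts['host']), $allowed_hosts, true)) return null;
    return $raw;
}

// Id: a token that is safe in an HTML id, a URL query and a JS string alike.
function validate_id(string $raw): ?string {
    return preg_match('/^[A-Za-z][A-Za-z0-9_-]{0,63}$/', $raw) ? $raw : null;
}

// Build the iframe, or return null so the caller drops the tag entirely.
function build_iframe(array $attrs, array $allowed_hosts): ?string {
    $width = validate_width($attrs['width'] ?? '');
    $src   = validate_src($attrs['alt'] ?? '', $allowed_hosts);
    $id    = validate_id($attrs['border'] ?? '');
    if ($width === null || $src === null || $id === null) {
        return null; // refuse the whole tag rather than emit a half-sanitised one
    }
    return '<iframe src="' . h($src) . '" scrolling="no" frameborder="0" width="' . $width
         . '" height="0" style="border:none; overflow:hidden;" id="' . h($id) . '-iframe"></iframe>';
}

// Build the height-fetching script; json_encode yields a quoted JS string literal.
function build_height_script(string $id): string {
    $flags  = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $js_id  = json_encode($id . '-iframe', $flags);
    $js_url = json_encode('http://api.votelr.com/api-height.php?id=' . rawurlencode($id) . '&callback=?', $flags);
    return "<script>\n"
         . "\$(document).ready(function() {\n"
         . "  \$.getJSON($js_url, function(h) {\n"
         . "    // coerce to a number so the response can only ever set a pixel height\n"
         . "    \$(document.getElementById($js_id)).css('height', parseInt(h, 10) || 0);\n"
         . "  });\n"
         . "});\n"
         . "</script>";
}

$out = preg_replace_callback(
    '~<img src="http://the-image.jpg" ([^>]+)>~i',
    function (array $m) use ($allowed_src_hosts) {
        $iframe = build_iframe(parse_img_attributes($m[1]), $allowed_src_hosts);
        return $iframe ?? ''; // an invalid tag is removed, not passed through
    },
    $blog_entry
);
echo $out, "\n";                        // the onerror attribute never reaches the output
echo build_height_script('poll42'), "\n";
```

Two things this example does not change: jQuery's getJSON with callback=? is a JSONP request, so the page still loads and executes a script served by api.votelr.com, and no amount of server-side validation reduces that trust in the remote host; and the mysql_real_escape_string call from the question is gone because it escapes for an SQL string literal, which is not the context the value is used in here.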
mysql_real_escape_string requires a MySQL connection to work.
htmlspecialchars doesn't have the same effect that htmlentities has; I believe the latter is better.
Whatever is an int, type cast it:
$id = (int) $value_int;
But if you only want to convert an image to be inside an iframe you can use only JavaScript and don't need PHP.
Create an iframe element and "add" the img tag to it.