Topic: Punctuation
Nesneros
« on: 02/10/02, 11:04 »

What happens to all the punctuation once the entry is submitted? It all disappears! Is there any way to fix that?
Flash-db
« Reply #1 on: 02/10/02, 19:12 »

Yes:

Open up GuestBook.php and look for these lines:

   $Name = ereg_replace("[^A-Za-z0-9 ]", "", $Name);
   $Email = ereg_replace("[^A-Za-z0-9 \@\.\-\/\']", "", $Email);
   $Comments = ereg_replace("[^A-Za-z0-9 \@\.\-\/\']", "", $Comments);

These are all regular expressions.  They are used to take out punctuation and special characters that may cause an error - if someone knew what to add in and maliciously tried to deface the guestbook.

While this is not a real problem at all with the guestbook (and can probably be removed; it's just a habit of mine to go through all data that's being posted and remove anything that is not needed).

The ereg_replace function will replace anything that is not indicated by the exclusion area. In the case below we remove all characters not fitting a specific pattern of characters: A-Z, a-z and integers 0-9. Then we also allow the special characters @, ., -, /, ' to be included. All other characters such as the $ (dollar sign), = (equal sign), & (ampersand) etc. are removed. To allow more characters to be included just add a backslash then the character.

   $Email = ereg_replace("[^A-Za-z0-9 \@\.\-\/\']", "", $Email);

You can also just remove these lines and you'll probably be ok. But some of the ones you might have to worry about would be the $, &, ||, = etc. As an example of this: what if someone made an entry of " &GuestBook=This one sucks"? Then &GuestBook=This one sucks is added to the text file. Flash may then read in this GuestBook variable instead of the correct GuestBook variable.

In addition, what if someone entered .:::. in one of their posts? This is what is used to separate the array of posts in the guestbook. This would mess up the order and therefore the guestbook.

Because most sites use special characters to either separate their data into arrays or put it into a specific format, this becomes one of the basic ways you can hack a site. Therefore it's usually important to control what characters someone can enter and which ones they can't. It's always specific and based on what format you're putting the data into, but there are a lot of similarities. A lot of places will just separate their arrays with a comma or semicolon, making it an easy task for someone to do this.

I'm sure you could even find something or some way on this site to mess up some of the applications using this method (since it's not really a mission-critical site I'm sure I left some loopholes in there somewhere). Hopefully no one really goes that far into trying to find them though.

If you really want to be picky about this you should always test to see how the variables are coming to the script (GET, POST, Cookie, Session). You would use, for example, $EmailGood = $HTTP_POST_VARS[Email]; for that. That's just another precaution you can take, like removing special characters.

Anyway, hopefully that will solve your problem. All the characters in the guestbook are being removed by those couple of lines, so hopefully you'll be able to change them around to find which ones you need to remove and which ones you can leave.
-Jeff.
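As an added example (not code from this thread or from the Flash-db guestbook), here is the whitelist filtering the reply describes, written with preg_replace since ereg_replace was removed in PHP 7, run against a constructed entry that carries both the .:::. record separator and the &GuestBook= trick from the reply. The Name=...&Email=...&Comments=... record layout is an assumption; the allowed character sets are the ones in the reply.

```php
<?php
// Added example, not code from the thread or from the Flash-db guestbook. It uses
// preg_replace because ereg_replace was removed in PHP 7. The allowed character
// sets, the ".:::." record separator and the "&GuestBook=" entry come from the
// reply above; the Name=...&Email=...&Comments=... record layout is an assumption.

const RECORD_SEP = '.:::.';

// Whitelist filter for the name: everything outside the class is dropped,
// which is what the ereg_replace line on $Name does.
function clean_name(string $name): string
{
    return preg_replace('~[^A-Za-z0-9 ]~', '', $name);
}

// Same allowed set as the $Email / $Comments lines: letters, digits, space, @ . - / '
function clean_text(string $text): string
{
    return preg_replace('~[^A-Za-z0-9 @./\'-]~', '', $text);
}

// Assumed on-disk format for one guestbook entry.
function build_record(string $name, string $email, string $comments): string
{
    return 'Name=' . $name . '&Email=' . $email . '&Comments=' . $comments;
}

// What a loader that splits the file on the separator would see.
function split_records(string $file): array
{
    return explode(RECORD_SEP, $file);
}

// Constructed hostile comment: it carries the record separator and a fake variable.
$hostile = 'Nice site .:::. &GuestBook=This one sucks';

// Unfiltered, the file splits into two records and the second one starts with
// "&GuestBook=", which a loader reading name=value pairs may accept as a variable.
$raw = build_record('Mallory', 'm@example.com', $hostile);
printf("raw input: %d record(s)\n", count(split_records($raw)));

// Filtered, ':' '&' and '=' are gone (the dots survive because '.' is allowed),
// so the entry stays one record and the fake variable name is just text.
$safe = build_record(clean_name('Mallory'), clean_text('m@example.com'), clean_text($hostile));
printf("filtered input: %d record(s)\n%s\n", count(split_records($safe)), $safe);
```

Note that the filter only neutralises .:::. because ':' is outside the allowed set; if a separator were built entirely from allowed characters, the whitelist alone would not protect the file format.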