The problem with using a database escaping string for output escaping is
that something like (despite being the world's lamest XSS)
<script>
location.href('google.com')
</script>
Would output mostly the same and with some cleverness, it wouldn't be too
hard to get that to function properly with a full fledged XSS attack. I'd
personally use one of the FILTER_* constants in conjunction with the filter
functions themselves, say filter_var and FILTER_SANITIZE_SPECIAL_CHARS.
On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan
<[email protected]>wrote:
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> > mysql_real_escape_string() only sanitise the input. I would personally
> > only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> > Validate the input in some way, or make extra sanitisation of it
> > before running the search query.
> >
> > Regarding the HTML output, just entities() it and you'll be good :)
> >
> > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
> > <[email protected]> wrote:
> >
> > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > As far for the output, just html entities () it and you will
> > be good.
> > >
> > > You better check the search query for sql injection, which
> > is more
> > > dangerous.
> > >
> > > HTH
> > > Nitsan
> > >
> > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
> > > <[email protected]> wrote:
> > > Hi all,
> > >
> > > I'm looking at adding a new search feature to my
> > site, and one
> > > of the
> > > elements of this is to echo back in the search
> > results page,
> > > the
> > > original string the user searched for. Up until now,
> > XSS
> > > hasn't (afaik)
> > > been an issue for my site, but I can see from a mile
> > off this
> > > will be.
> > > What would you guys recommend to avoid this?
> > >
> > > I'd thought initially of using a mixture of
> > > html_special_chars() and a
> > > regex (as yet not sure what I'll be stripping out
> > with this)
> > > to sanitise
> > > the output for display on the results page, but is
> > this
> > > enough?
> > >
> > > Thanks
> > > Ash
> > > www.ashleysheridan.co.uk
> > >
> > >
> >
> > I always use mysql_real_escape_string() for that sort of
> > thing, not had
> > a problem with it, but is there anything you think I should be
> > wary of?
> >
> >
> > Thanks
> > Ash
> > www.ashleysheridan.co.uk
> >
> >
> >
> >
> [just bringing it back on list]
>
> Well, I don't understand, what is the problem with
> mysql_real_escape_string() for sanitising input to use for a search? It
> should escape anything out so that the query can't be used in ways that
> I don't want no?
>
> I'd thought about using a whitelist-only regex, but that seems a little
> limiting tbh, and as my site contains code, it's not unreasonable to
> expect some people might want to search for particular code excerpts.
>
>
> Thanks
> Ash
> www.ashleysheridan.co.uk
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
