On Tue, 2010-02-16 at 09:36 -0500, Mike Alaimo wrote:
> The data is displayed on the screen, and the user can change it as many
> times as they want.
> What do you think now Ash?
> On Tue, Feb 16, 2010 at 9:29 AM, Ashley Sheridan
> > On Tue, 2010-02-16 at 09:07 -0500, Mike Alaimo wrote:
> > Can anyone guide me here? I have the desire to store user entered
> > data into the session. I am regexing it to be only a-zA-z0-9 and a
> > space. The data is stored in an object and then serialized before
> > storing it into the session. Does anyone see any potential security
> > risks here?
> > Thanks,
> > Mike
> > I think you're fine, I can't see any problems. I think most of the time you
> > have to worry when you're actually doing something with the data, like
> > inserting it into a file or database, or outputting it to a screen, as these
> > are the times that injections can take place.
> > Thanks,
> > Ash
> > http://www.ashleysheridan.co.uk
Well, if it's only alpha-numerica data with spaces, I don't see any
problems still. Anything input from the user that gets output to the
screen should be carefully parsed to ensure that any HTML it contains is
either removed or escaped to make it safe.
Data stored in a database should be filtered out to make sure that the
user isn't shoving in their own queries, otherwise you'll end up with
situations like this: http://xkcd.com/327/