Re: [Catalyst] {OT] protecting against attacks with multilingual input

2006-12-05 Thread Joel Bernstein
On Tue, Dec 05, 2006 at 01:10:35PM +0100, Daniel McBrearty wrote: How does one do this? If you have a text input field which can be in *any* language, which will get stored in the db, how do you protect against script injection? If it's just English, I normally only accept characters from

Re: [Catalyst] {OT] protecting against attacks with multilingual input

2006-12-05 Thread Daniel McBrearty
Yes, I would know the language being supported. There are a lot of languages though. Does it work with Chinese, or Marathi (Devanagari)? I didn't know that \W did that though. Guess I need to look into it. Never seen that in the perldocs - any idea where I can look for the small print? On

Re: [Catalyst] {OT] protecting against attacks with multilingual input

2006-12-05 Thread Joel Bernstein
On Tue, Dec 05, 2006 at 02:11:27PM +0100, Daniel McBrearty wrote: hmmm ... I'll start here ... http://www.perl.com/doc/manual/html/pod/perllocale.html Read perllocale, perlre (the section on \w and \W escapes for word/non-word characters) and locale. You will need the correct locales

Re: [Catalyst] {OT] protecting against attacks with multilingual input

2006-12-05 Thread Daniel McBrearty
If you're talking about sql injection then presumably you could do this exactly the same as you would any other input field - use sql placeholders in a prepared query rather than blindly pasting untrusted input as sql. This is what I'm talking about. I don't know this technique - I thought

Re: [Catalyst] {OT] protecting against attacks with multilingual input

2006-12-05 Thread Brandon Black
On 12/5/06, Daniel McBrearty [EMAIL PROTECTED] wrote: This is what I'm talking about. I don't know this technique - I thought the only approach was to filter input. I'm using DBIx, AFAIK it does use placeholders ... ? If so, I can just take input, do some basic sanity filtering, and store?

Re: [Catalyst] {OT] protecting against attacks with multilingual input

2006-12-05 Thread Daniel McBrearty
thanks people, this is very helpful. Well, everything is postgresql / linux, so MSSQL will never be an issue. Also I only ever use utf8 ... so I guess I'm home and dry. It would be very neat to be able to do this without locale-switching (and installing). as a matter of interest, does anyone

Re: [Catalyst] {OT] protecting against attacks with multilingual input

2006-12-05 Thread Dave Howorth
Brandon Black wrote: On 12/5/06, Daniel McBrearty [EMAIL PROTECTED] wrote: This is what I'm talking about. I don't know this technique - I thought the only approach was to filter input. I'm using DBIx, AFAIK it does use placeholders ... ? If so, I can just take input, do some basic sanity

Re: [Catalyst] {OT] protecting against attacks with multilingual input

2006-12-05 Thread Steve Atkins
On Dec 5, 2006, at 5:28 AM, Daniel McBrearty wrote: If you're talking about sql injection then presumably you could do this exactly the same as you would any other input field - use sql placeholders in a prepared query rather than blindly pasting untrusted input as sql. This is what I'm

Re: [Catalyst] {OT] protecting against attacks with multilingual input

2006-12-05 Thread Daniel McBrearty
I'll never forget the hours I spent discovering that mysql needs some little-documented command on connect, even though all tables are declared as UTF8 ... one of the factors that decided me on postgresql for the next version. In the first implementation of engoi, I was pretty paranoid about

Re: [Catalyst] {OT] protecting against attacks with multilingual input

2006-12-05 Thread Christopher H. Laco
Jonathan Rockway wrote: Nilson Santos Figueiredo Junior wrote: This way, everything will probably just work, even when the user has a on their names or any other weird characters. No, you can inject plenty of bad code without . You need to escape , , , , and '. Otherwise, consider

Re: [Catalyst] {OT] protecting against attacks with multilingual input

2006-12-05 Thread Nilson Santos Figueiredo Junior
On 12/5/06, Jonathan Rockway [EMAIL PROTECTED] wrote: Nilson Santos Figueiredo Junior wrote: This way, everything will probably just work, even when the user has a on their names or any other weird characters. No, you can inject plenty of bad code without . You need to escape , , , , and '.
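The three points the thread circles around (a Unicode-aware \w filter that passes Chinese or Devanagari letters, DBI placeholders instead of pasting input into SQL, and escaping &, <, >, " and ' when the value goes back out as HTML) put together in one Perl script. This is an added example, not code posted by anyone in the thread; it assumes DBI with DBD::SQLite is installed and uses an in-memory SQLite database, and the sample inputs are constructed here.

```perl
#!/usr/bin/env perl
# Added example (not from the thread): multilingual input handled with
# (1) a Unicode-aware sanity filter, (2) DBI placeholders for storage and
# (3) HTML escaping on output. Assumes DBI and DBD::SQLite are installed.
use strict;
use warnings;
use utf8;                            # string literals below are UTF-8 source
use open qw(:std :encoding(UTF-8));  # STDOUT/STDERR emit UTF-8
use DBI;

# Constructed sample inputs: Greek, Chinese, Devanagari, an apostrophe,
# a classic SQL injection payload, an XSS payload and a control character.
my @inputs = (
    "Ωμέγα",
    "张伟",
    "मराठी",
    "O'Brien",
    "x'); DROP TABLE users; --",
    "<script>alert(1)</script>",
    "bad\x00name",
);

# Sanity filter only. On decoded (character) strings \w and \p{...} are
# Unicode-aware regardless of locale, so letters from any script pass;
# only control characters and overlong input are rejected.
# This is NOT the injection defence; placeholders and output escaping are.
sub looks_sane {
    my ($s) = @_;
    return 0 unless defined $s && length($s) && length($s) <= 100;
    return 0 if $s =~ /\p{Cc}/;      # control characters (NUL, ESC, ...)
    return 0 unless $s =~ /\w/;      # must contain at least one word char
    return 1;
}

# Output-side defence: escape the five characters that matter in HTML.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
    { RaiseError => 1, sqlite_unicode => 1 });
$dbh->do("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");

# Storage-side defence: the placeholder sends the value out of band, so
# the injection payload is stored as a literal string, never executed.
my $ins = $dbh->prepare("INSERT INTO users (name) VALUES (?)");
for my $name (@inputs) {
    if (looks_sane($name)) { $ins->execute($name) }
    else { print "rejected input (control character or too long)\n" }
}

# Lookup also goes through a placeholder; a non-Latin name round-trips intact.
my $sel = $dbh->prepare("SELECT name FROM users WHERE name = ?");
$sel->execute("张伟");
my ($found) = $sel->fetchrow_array;
print "found: $found\n";

# The table still exists: the DROP TABLE payload was stored, not run.
my $rows = $dbh->selectall_arrayref("SELECT name FROM users ORDER BY id");
print "stored rows: ", scalar(@$rows), "\n";

# Render everything back out with escaping applied at the output boundary.
for my $row (@$rows) {
    print "<li>", html_escape($row->[0]), "</li>\n";
}
```

Filtering decides what is stored, placeholders keep stored text from ever being parsed as SQL, and escaping at the template boundary keeps it from being parsed as HTML; none of the three depends on the script the user typed in. For MySQL rather than SQLite, the connect-time step the thread complains about is the mysql_enable_utf8 => 1 attribute in the DBI connect call, which makes DBD::mysql decode and encode UTF-8 for you.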