Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-25 Thread Dotan Cohen
On 25/04/07, Richard Lynch [EMAIL PROTECTED] wrote: On Mon, April 23, 2007 9:48 am, WeberSites LTD wrote: I'm trying to understand from the examples why anyone that has get_magic_quotes_gpc() returning true would need to use stripslashes() and then mysql_real_escape_string(). wouldn't that

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-25 Thread Justin Frim
Dotan Cohen wrote: On 25/04/07, Justin Frim [EMAIL PROTECTED] wrote: I'm assuming then you want the data to be able to contain _some_ mark-up considered to be safe? Not at this stage, no. Maybe if the users ask for it, but not now in the beginning. The universe's best engineer, Scotty,

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-25 Thread Dotan Cohen
On 25/04/07, Justin Frim [EMAIL PROTECTED] wrote: Dotan Cohen wrote: On 25/04/07, Justin Frim [EMAIL PROTECTED] wrote: I'm assuming then you want the data to be able to contain _some_ mark-up considered to be safe? Not at this stage, no. Maybe if the users ask for it, but not now in the

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-25 Thread Justin Frim
Dotan Cohen wrote: I currently am using htmlencode, so < and > show as expected. I do expect the math faculty to use those symbols :). Then you're already protected from XSS attacks, no HTML filters necessary. Easy as pi. ;-) (ok, that one was lame) -- PHP General Mailing List

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-25 Thread Dotan Cohen
On 26/04/07, Justin Frim [EMAIL PROTECTED] wrote: Then you're already protected from XSS attacks, no HTML filters necessary. Easy as pi. ;-) (ok, that one was lame) At least you didn't say ez as pi (ez would be 2.71 * Z variable, of course). Dotan Cohen

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-25 Thread Chris Shiflett
Dotan Cohen wrote: It would be BBcode if anything. It may be the product of the lazy, but I feel more secure parsing it than [x]HTML. BBCode is a pretty useless markup format. If you only want to allow / interpret a small subset of HTML, you can use a simple approach like this:

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-25 Thread Dotan Cohen
On 26/04/07, Chris Shiflett [EMAIL PROTECTED] wrote: Dotan Cohen wrote: It would be BBcode if anything. It may be the product of the lazy, but I feel more secure parsing it than [x]HTML. BBCode is a pretty useless markup format. If you only want to allow / interpret a small subset of HTML,

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-24 Thread Justin Frim
Just my two cents worth... Magic quotes are the work of the devil. It's a shame that so many PHP installations have them enabled, and a huge disappointment that PHP is actually distributed with this stuff enabled! The mere fact that a script can't change this setting creates a real hassle

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-24 Thread Dotan Cohen
On 24/04/07, Justin Frim [EMAIL PROTECTED] wrote: Just my two cents worth... Magic quotes are the work of the devil. It's a shame that so many PHP installations have them enabled, and a huge disappointment that PHP is actually distributed with this stuff enabled! The mere fact that a script

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-24 Thread Eric Butera
On 4/24/07, Dotan Cohen [EMAIL PROTECTED] wrote: Thanks. Most of that has already been done now, but I'll certainly keep your functions handy. I'll likely need them at some point. One thing you might want to keep in mind is that this little fix is going to get executed on each request if you

RE: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-24 Thread Richard Lynch
On Mon, April 23, 2007 9:48 am, WeberSites LTD wrote: I'm trying to understand from the examples why anyone that has get_magic_quotes_gpc() returning true would need to use stripslashes() and then mysql_real_escape_string(). wouldn't that just add slashes to the same places? If you were 100%

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-24 Thread Richard Lynch
On Tue, April 24, 2007 3:33 pm, Justin Frim wrote: (unfortunately in PHP these are enabled by default. AHH! Which idiot thought this was a good idea to turn them on by default? Rasmus thought it was a Good Idea because it was very convenient for his needs at the time, which as simple

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-24 Thread Justin Frim
Eric Butera wrote: One thing you might want to keep in mind is that this little fix is going to get executed on each request if you just throw it in an include. ...big snip... That means lots of function calls happened before you could even say hello world. You might want to add wrapper

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-24 Thread Justin Frim
Dotan Cohen wrote: On 24/04/07, Justin Frim [EMAIL PROTECTED] wrote: if (get_magic_quotes_gpc()) { /* (unfortunately in PHP these are enabled by default. AHH! Which idiot thought this was a good idea to turn them on by default? Good programming practise is to manually encode only

RE: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-23 Thread WeberSites LTD
:[EMAIL PROTECTED] Sent: Monday, April 23, 2007 2:35 AM To: Dotan Cohen; php php Subject: RE: [PHP] Preventing SQL Injection/ Cross Site Scripting There are many good resources out there, and one of my favorites for this type of information is from Chris Shiflett. http://shiflett.org/articles/sql

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-23 Thread Eric Butera
On 4/23/07, WeberSites LTD [EMAIL PROTECTED] wrote: I'm trying to understand from the examples why anyone that has get_magic_quotes_gpc() returning true would need to use stripslashes() and then mysql_real_escape_string(). wouldn't that just add slashes to the same places? berber Yes, sort

RE: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-23 Thread Buesching, Logan J
- From: Weber Sites [mailto:[EMAIL PROTECTED] On Behalf Of WeberSites LTD Sent: Monday, April 23, 2007 10:49 AM To: Buesching, Logan J; 'Dotan Cohen'; 'php php' Subject: RE: [PHP] Preventing SQL Injection/ Cross Site Scripting I'm trying to understand from the examples why anyone that has

RE: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-22 Thread Buesching, Logan J
] Preventing SQL Injection/ Cross Site Scripting I've got a comments form that I'd like to harden against SQL Injection / XSS attacks. The data is stored in UTF-8 in a mysql database. I currently parse the data as such: $_POST[commentform]=str_replace (', '', $_POST[commentform]); //q-qq $_POST

RE: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-21 Thread Tim
-Original Message- From: Dotan Cohen [mailto:[EMAIL PROTECTED] Sent: Saturday, 21 April 2007 03:08 To: php php Subject: [PHP] Preventing SQL Injection/ Cross Site Scripting I've got a comments form that I'd like to harden against SQL Injection / XSS attacks. The data is stored

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-21 Thread Dotan Cohen
On 21/04/07, Leonard Burton [EMAIL PROTECTED] wrote: Hi Dotan, Why not use mysql_escape_string()? I use mysql_real_escape_string() as the second to last function in there. Dotan Cohen http://dotancohen.com/eng/army_pictures.php http://lyricslist.com/lyrics/artist_albums/575/7a3.html --

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-21 Thread Dotan Cohen
On 21/04/07, Tim [EMAIL PROTECTED] wrote: -Original Message- From: Dotan Cohen [mailto:[EMAIL PROTECTED] Sent: Saturday, 21 April 2007 03:08 To: php php Subject: [PHP] Preventing SQL Injection/ Cross Site Scripting I've got a comments form that I'd like to harden against SQL

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-21 Thread Zoltán Németh
On Saturday, 2007. 04. 21, at 13.20, Dotan Cohen wrote: On 21/04/07, Tim [EMAIL PROTECTED] wrote: -Original Message- From: Dotan Cohen [mailto:[EMAIL PROTECTED] Sent: Saturday, 21 April 2007 03:08 To: php php Subject: [PHP] Preventing SQL Injection/ Cross Site

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-21 Thread tedd
At 4:08 AM +0300 4/21/07, Dotan Cohen wrote: I've got a comments form that I'd like to harden against SQL Injection / XSS attacks. The data is stored in UTF-8 in a mysql database. I currently parse the data as such: I highly recommend Essential PHP Security by Chris Shiflett -- he covers

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-21 Thread Chris Shiflett
Dotan Cohen wrote: I recommend you dig deeper into that xss page you might even find a script that filters xss. Obviously I keep missing it. You might find these examples useful: http://phpsecurity.org/code/ch01-3 http://phpsecurity.org/code/ch01-4 Hope that helps. Chris -- Chris

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-21 Thread Dotan Cohen
On 21/04/07, tedd [EMAIL PROTECTED] wrote: At 4:08 AM +0300 4/21/07, Dotan Cohen wrote: I've got a comments form that I'd like to harden against SQL Injection / XSS attacks. The data is stored in UTF-8 in a mysql database. I currently parse the data as such: I highly recommend Essential PHP

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-21 Thread Dotan Cohen
On 21/04/07, Chris Shiflett [EMAIL PROTECTED] wrote: Dotan Cohen wrote: I recommend you dig deeper into that xss page you might even find a script that filters xss. Obviously I keep missing it. You might find these examples useful: http://phpsecurity.org/code/ch01-3

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-21 Thread Chris Shiflett
Dotan Cohen wrote: One note, I remove semicolons from the user input to thwart SQL injection as they can be used to terminate an SQL query and are very uncommon in regular speech. However, htmlspecialchars() and htmlentities add semicolons when converting. Is this dangerous, i.e., can this be

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-21 Thread Richard Lynch
On Fri, April 20, 2007 8:08 pm, Dotan Cohen wrote: I've got a comments form that I'd like to harden against SQL Injection / XSS attacks. The data is stored in UTF-8 in a mysql database. I currently parse the data as such: After seeing this: http://ha.ckers.org/xss.html and another similar

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-21 Thread Richard Lynch
On Sat, April 21, 2007 5:20 am, Dotan Cohen wrote: Although I can semicolons and the like, greater than and less than signs I want to keep as there are some rather witty people from the Mathematics faculty who will be using the comments. I'll str_replace() them to &gt; and &lt; however. Store

[PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-20 Thread Dotan Cohen
I've got a comments form that I'd like to harden against SQL Injection / XSS attacks. The data is stored in UTF-8 in a mysql database. I currently parse the data as such: $_POST[commentform]=str_replace (', '', $_POST[commentform]); //q-qq $_POST[commentform]=str_replace (--, ,

Re: [PHP] Preventing SQL Injection/ Cross Site Scripting

2007-04-20 Thread Leonard Burton
Hi Dotan, Why not use mysql_escape_string()? On 4/20/07, Dotan Cohen [EMAIL PROTECTED] wrote: I've got a comments form that I'd like to harden against SQL Injection / XSS attacks. The data is stored in UTF-8 in a mysql database. I currently parse the data as such: