Re: [PHP] Preventing XSS Attacks

2009-06-15 Thread Paul M Foster
On Mon, Jun 15, 2009 at 10:48:04AM -0400, Bob McConnell wrote:
> From: Ashley Sheridan
> > On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> >> mysql_real_escape_string() only sanitise the input. I would
> personally
> >> only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> >

RE: [PHP] Preventing XSS Attacks

2009-06-15 Thread Bob McConnell
From: Ashley Sheridan
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
>> mysql_real_escape_string() only sanitise the input. I would personally
>> only allow [a-zA-Z0-9-_] in search string but that's just me ;)
>> Validate the input in some way, or make extra sanitisation of it
>> before

Re: [PHP] Preventing XSS Attacks

2009-06-13 Thread Ashley Sheridan
On Thu, 2009-06-11 at 18:27 +0200, Jan G.B. wrote:
> 2009/6/11 HallMarc Websites
> >
> > >
> > > -Original Message-
> > > From: tedd [mailto:tedd.sperl...@gmail.com]
> > > Sent: Thursday, June 11, 2009 9:28 AM
> > > To: PHP-Genera

Re: [PHP] Preventing XSS Attacks

2009-06-11 Thread Jan G.B.
2009/6/11 HallMarc Websites
> >
> > -Original Message-
> > From: tedd [mailto:tedd.sperl...@gmail.com]
> > Sent: Thursday, June 11, 2009 9:28 AM
> > To: PHP-General List
> > Subject: Re: [PHP] Preventing XSS Attacks
> >
> > At 7:08 PM +01

RE: [PHP] Preventing XSS Attacks

2009-06-11 Thread HallMarc Websites
> -Original Message-
> From: tedd [mailto:tedd.sperl...@gmail.com]
> Sent: Thursday, June 11, 2009 9:28 AM
> To: PHP-General List
> Subject: Re: [PHP] Preventing XSS Attacks
>
> At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
> >
> >So someth

Re: [PHP] Preventing XSS Attacks

2009-06-11 Thread tedd
At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
So something like this would be acceptable?:

$searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
$searchTerms = htmlentities($searchTerms);
$dbSearchTerms = mysql_real_escape_string($searchTerms);

Giving me two variables, one for display o

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 3:10 PM, Nitsan Bin-Nun wrote:
> Usually I would support you on this one. In chemistry you always keep
> your stock "pure" and make any observations or mixtures in clean and
> other glasses in order to keep it pure.
>
> When it comes to printing an output or hosting it in a

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Nitsan Bin-Nun
Usually I would support you on this one. In chemistry you always keep your stock "pure" and make any observations or mixtures in clean and other glasses in order to keep it pure.

When it comes to printing an output or hosting it in a variables and then printing it out it is just a matter of taste.

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Shawn McKenzie
Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
>> On Wed, Jun 10, 2009 at 2:26 PM, Ashley
>> Sheridan wrote:
>>> On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan wrote:
> On Wed, 2009-06-10

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 2:56 PM, Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
>> On Wed, Jun 10, 2009 at 2:26 PM, Ashley
>> Sheridan wrote:
>> > On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
>> >> On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
>> >>

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
> On Wed, Jun 10, 2009 at 2:26 PM, Ashley
> Sheridan wrote:
> > On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
> >> On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
> >> wrote:
> >>
> >> > On Wed, 2009-06-10 at 19:03 +0100, Ashley Sh

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 2:26 PM, Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
>> On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
>> wrote:
>>
>> > On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
>> > > On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyana

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
> On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
> wrote:
>
> > On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
> > > On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> > > > Ashley Sheridan wrote:
> > > > > On Wed,

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Eddie Drapkin
On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
> > On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> > > Ashley Sheridan wrote:
> > > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> > > >
> > >

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 19:59 +0200, Nitsan Bin-Nun wrote:
> That would do the job.
>
> If you are already digging into it, take a look at XSRF/CSRF which are
> both can be very harmful, especially for ecommerce websites.
>
> On Wed, Jun 10, 2009 at 8:08 PM, Ashley
> Sheridan wrote:
> > On Wed, 200

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Nitsan Bin-Nun
That would do the job.

If you are already digging into it, take a look at XSRF/CSRF which are both can be very harmful, especially for ecommerce websites.

On Wed, Jun 10, 2009 at 8:08 PM, Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
>> On Wed, 2009-06-10 at 2

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> > Ashley Sheridan wrote:
> > > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> > >
> > >>> I've been doing a bit of reading, and I can't really understa

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
> Ashley Sheridan wrote:
> > On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> >
> >>> I've been doing a bit of reading, and I can't really understand why XSS
> >>> is such an issue. Sure, if a user can insert a

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Sudheer Satyanarayana
Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
I've been doing a bit of reading, and I can't really understand why XSS is such an issue. Sure, if a user can insert a

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
> > I've been doing a bit of reading, and I can't really understand why XSS
> > is such an issue. Sure, if a user can insert a

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Sudheer Satyanarayana
I've been doing a bit of reading, and I can't really understand why XSS is such an issue. Sure, if a user can insert a

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Shawn McKenzie
Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
>> mysql_real_escape_string() only sanitise the input. I would personally
>> only allow [a-zA-Z0-9-_] in search string but that's just me ;)
>> Validate the input in some way, or make extra sanitisation of it
>> befor

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 12:55 -0400, Eddie Drapkin wrote:
> The problem with using a database escaping string for output escaping
> is that something like (despite being the world's lamest XSS)
>
> location.href('google.com')
>
> Would output mostly the same and with some cleverness, it wouldn't be

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Eddie Drapkin
The problem with using a database escaping string for output escaping is that something like (despite being the world's lamest XSS)

location.href('google.com')

Would output mostly the same and with some cleverness, it wouldn't be too hard to get that to function properly with a full fledged XSS a

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> mysql_real_escape_string() only sanitise the input. I would personally
> only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> Validate the input in some way, or make extra sanitisation of it
> before running the search query.
>

[PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
Hi all, I'm looking at adding a new search feature to my site, and one of the elements of this is to echo back in the search results page, the original string the user searched for. Up until now, XSS hasn't (afaik) been an issue for my site, but I can see from a mile off this will be. What would y