[PHP] Removing security-problematic chars from strings

2003-11-21 Thread Troy S
Greetings, What is the best way to remove the characters from strings that may cause security problems? Namely, `, ', , , , \ and all non-printing strings. Did I miss any? Thanks. Troy

Re: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread Adam i Agnieszka Gasiorowski FNORD
Troy S wrote: What is the best way to remove the characters from strings that may cause security problems? Namely, `, ', , , , \ and all non-printing strings. Did I miss any? Thanks. Do it the other way, allow only characters you know are safe and strip the rest. Use, for

Re: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread John W. Holmes
Troy S wrote: What is the best way to remove the characters from strings that may cause security problems? Namely, `, ', , , , \ and all non-printing strings. Did I miss any? Thanks. Why do you need to remove them? So I can't type grin? Is that a security violation? All you need to do is

RE: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread Wouter van Vliet
-Original message- From: John W. Holmes [mailto:[EMAIL PROTECTED] Troy S wrote: What is the best way to remove the characters from strings that may cause security problems? Namely, `, ', , , , \ and all non-printing strings. Did I miss any? Thanks. Why do you need to

Re: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread John W. Holmes
Wouter van Vliet wrote: John W. Holmes Troy S wrote: What is the best way to remove the characters from strings that may cause security problems? Namely, `, ', , , , \ and all non-printing strings. Did I miss any? Thanks. Why do you need to remove them? So I can't type grin? Is that a security

RE: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread Wouter van Vliet
-Original message- From: John W. Holmes [mailto:[EMAIL PROTECTED] Sent: Friday 21 November 2003 14:38 Wouter van Vliet wrote: John W. Holmes Troy S wrote: What is the best way to remove the characters from strings that may cause security problems? Namely, `, ', , , ,

Re: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread Chris Shiflett
--- Troy S [EMAIL PROTECTED] wrote: What is the best way to remove the characters from strings that may cause security problems? Namely, `, ', , , , \ and all non-printing strings. Did I miss any? As others have mentioned, this is the wrong approach if security is your concern. If someone is

Re: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread Curt Zirzow
* Thus wrote Troy S ([EMAIL PROTECTED]): Greetings, What is the best way to remove the characters from strings that may cause security problems? Namely, `, ', , , , \ and all non-printing strings. Did I miss any? Thanks. Cause security problems in what sense? Curt -- My PHP key is

Re: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread CPT John W. Holmes
From: Wouter van Vliet [EMAIL PROTECTED] Let's make this personal: what would be your answer if I would advise the friendly person to do this: Heh.. I hope you're just kidding about making it personal... I was just presenting security problems with various solutions. <?php (..) $Content

Re: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread Chris Shiflett
--- CPT John W. Holmes [EMAIL PROTECTED] wrote: Let's make this personal: what would be your answer if I would advise the friendly person to do this: Heh.. I hope you're just kidding about making it personal. I think it might be a language subtlety that wasn't intended to mean what we

Re: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread CPT John W. Holmes
From: Chris Shiflett [EMAIL PROTECTED] --- CPT John W. Holmes [EMAIL PROTECTED] wrote: I'm against letting users enter HTML in their data, also. I'd rather employ a bbcode type solution, turning [b] into <b>, etc. I disagree with John here, but that's OK. :-) We seem to have different

RE: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread Wouter van Vliet
CPT John W. Holmes wrote: From: Wouter van Vliet [EMAIL PROTECTED] Let's make this personal: what would be your answer if I would advise the friendly person to do this: Heh.. I hope you're just kidding about making it personal... I was just presenting security problems with various

Re: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread Chris Shiflett
--- CPT John W. Holmes [EMAIL PROTECTED] wrote: Heh... my turn to disagree again. You can do a simple str_replace() to convert &lt;b&gt; back into <b>, but you're going to have to do it for each case. Also by doing that blindly, you can end up with orphaned tags affecting the rest of your page

RE: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread Wouter van Vliet
Chris Shiflett wrote: --- CPT John W. Holmes [EMAIL PROTECTED] wrote: Heh... my turn to disagree again. You can do a simple str_replace() to convert &lt;b&gt; back into <b>, but you're going to have to do it for each case. Also by doing that blindly, you can end up with orphaned tags affecting

Re: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread John W. Holmes
Chris Shiflett wrote: --- CPT John W. Holmes [EMAIL PROTECTED] wrote: Heh... my turn to disagree again. You can do a simple str_replace() to convert &lt;b&gt; back into <b>, but you're going to have to do it for each case. Also by doing that blindly, you can end up with orphaned tags affecting the

Re: [PHP] Removing security-problematic chars from strings

2003-11-21 Thread Marek Kilimajer
John W. Holmes wrote: My only point was that I felt you _did_ need to use regular expression to ensure you're only converting paired tags. Just using str_replace() could leave orphaned tags unless you're keeping a count of what's been replaced. :) I would suggest to use xml parsing functions