From: Ashley Sheridan
On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
mysql_real_escape_string() only sanitises the input. I would
personally
only allow [a-zA-Z0-9-_] in search string but that's just me ;)
Validate the input in some way, or make extra sanitisation of it
before running
On Mon, Jun 15, 2009 at 10:48:04AM -0400, Bob McConnell wrote:
From: Ashley Sheridan
On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
mysql_real_escape_string() only sanitises the input. I would
personally
only allow [a-zA-Z0-9-_] in search string but that's just me ;)
Validate
On Thu, 2009-06-11 at 18:27 +0200, Jan G.B. wrote:
2009/6/11 HallMarc Websites m...@hallmarcwebsites.com
-Original Message-
From: tedd [mailto:tedd.sperl...@gmail.com]
Sent: Thursday, June 11, 2009 9:28 AM
To: PHP-General List
Subject: Re: [PHP] Preventing XSS Attacks
At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
So something like this would be acceptable?:
$searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:'';
$searchTerms = htmlentities($searchTerms);
$dbSearchTerms = mysql_real_escape_string($searchTerms);
Giving me two variables, one for display
-Original Message-
From: tedd [mailto:tedd.sperl...@gmail.com]
Sent: Thursday, June 11, 2009 9:28 AM
To: PHP-General List
Subject: Re: [PHP] Preventing XSS Attacks
At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote:
So something like this would be acceptable?:
$searchTerms
2009/6/11 HallMarc Websites m...@hallmarcwebsites.com
-Original Message-
From: tedd [mailto:tedd.sperl...@gmail.com]
Sent: Thursday, June 11, 2009 9:28 AM
To: PHP-General List
Subject: Re: [PHP] Preventing XSS Attacks
At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote
Hi all,
I'm looking at adding a new search feature to my site, and one of the
elements of this is to echo back in the search results page, the
original string the user searched for. Up until now, XSS hasn't (afaik)
been an issue for my site, but I can see from a mile off this will be.
What would
On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
mysql_real_escape_string() only sanitises the input. I would personally
only allow [a-zA-Z0-9-_] in search string but that's just me ;)
Validate the input in some way, or make extra sanitisation of it
before running the search query.
The problem with using a database escaping string for output escaping is
that something like (despite being the world's lamest XSS)
<script>
location.href('google.com')
</script>
Would output mostly the same and with some cleverness, it wouldn't be too
hard to get that to function properly with a full
On Wed, 2009-06-10 at 12:55 -0400, Eddie Drapkin wrote:
The problem with using a database escaping string for output escaping
is that something like (despite being the world's lamest XSS)
<script>
location.href('google.com')
</script>
Would output mostly the same and with some cleverness, it
Ashley Sheridan wrote:
On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
mysql_real_escape_string() only sanitises the input. I would personally
only allow [a-zA-Z0-9-_] in search string but that's just me ;)
Validate the input in some way, or make extra sanitisation of it
before
I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a script tag, what
difference will that make to anyone else, as it is only on their own
browser.
1. User 1 logs on to the application. Fills up the form with malicious
JS
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a script tag, what
difference will that make to anyone else, as it is only on their own
browser.
1.
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a script tag, what
On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
I've been doing a bit of reading, and I can't really understand why XSS
That would do the job.
If you are already digging into it, take a look at XSRF/CSRF, which
can both be very harmful, especially for ecommerce websites.
On Wed, Jun 10, 2009 at 8:08 PM, Ashley
Sheridan a...@ashleysheridan.co.uk wrote:
On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
On Wed, 2009-06-10 at 19:59 +0200, Nitsan Bin-Nun wrote:
That would do the job.
If you are already digging into it, take a look at XSRF/CSRF, which
can both be very harmful, especially for ecommerce websites.
On Wed, Jun 10, 2009 at 8:08 PM, Ashley
Sheridan a...@ashleysheridan.co.uk
Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote:
I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a script tag, what
difference will that make to anyone else, as it is only on their own
On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana
On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote:
Ashley Sheridan wrote:
On Wed, Jun 10, 2009 at 2:26 PM, Ashley
Sheridan a...@ashleysheridan.co.uk wrote:
On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:
On Wed,
On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
On Wed, Jun 10, 2009 at 2:26 PM, Ashley
Sheridan a...@ashleysheridan.co.uk wrote:
On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
a...@ashleysheridan.co.uk wrote:
On Wed,
On Wed, Jun 10, 2009 at 2:56 PM, Ashley
Sheridan a...@ashleysheridan.co.uk wrote:
On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
On Wed, Jun 10, 2009 at 2:26 PM, Ashley
Sheridan a...@ashleysheridan.co.uk wrote:
On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
On Wed, Jun 10,
Ashley Sheridan wrote:
On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote:
On Wed, Jun 10, 2009 at 2:26 PM, Ashley
Sheridan a...@ashleysheridan.co.uk wrote:
On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote:
On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan
Usually I would support you on this one. In chemistry you always keep
your stock pure and make any observations or mixtures in clean and
other glasses in order to keep it pure.
When it comes to printing an output or holding it in a variable and
then printing it out, it is just a matter of taste.
On Wed, Jun 10, 2009 at 3:10 PM, Nitsan Bin-Nun nitsa...@gmail.com wrote:
Usually I would support you on this one. In chemistry you always keep
your stock pure and make any observations or mixtures in clean and
other glasses in order to keep it pure.
When it comes to printing an output or