RE: [PHP] Preventing XSS Attacks

2009-06-15 Thread Bob McConnell
From: Ashley Sheridan On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote: mysql_real_escape_string() only sanitise the input. I would personally only allow [a-zA-Z0-9-_] in search string but that's just me ;) Validate the input in some way, or make extra sanitisation of it before running

Re: [PHP] Preventing XSS Attacks

2009-06-15 Thread Paul M Foster
On Mon, Jun 15, 2009 at 10:48:04AM -0400, Bob McConnell wrote: From: Ashley Sheridan On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote: mysql_real_escape_string() only sanitise the input. I would personally only allow [a-zA-Z0-9-_] in search string but that's just me ;) Validate

Re: [PHP] Preventing XSS Attacks

2009-06-13 Thread Ashley Sheridan
On Thu, 2009-06-11 at 18:27 +0200, Jan G.B. wrote: 2009/6/11 HallMarc Websites m...@hallmarcwebsites.com -Original Message- From: tedd [mailto:tedd.sperl...@gmail.com] Sent: Thursday, June 11, 2009 9:28 AM To: PHP-General List Subject: Re: [PHP] Preventing XSS Attacks

Re: [PHP] Preventing XSS Attacks

2009-06-11 Thread tedd
At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote: So something like this would be acceptable?: $searchTerms = (isset($_REQUEST['q']))?$_REQUEST['q']:''; $searchTerms = htmlentities($searchTerms); $dbSearchTerms = mysql_real_escape_string($searchTerms); Giving me two variables, one for display

RE: [PHP] Preventing XSS Attacks

2009-06-11 Thread HallMarc Websites
-Original Message- From: tedd [mailto:tedd.sperl...@gmail.com] Sent: Thursday, June 11, 2009 9:28 AM To: PHP-General List Subject: Re: [PHP] Preventing XSS Attacks At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote: So something like this would be acceptable?: $searchTerms

Re: [PHP] Preventing XSS Attacks

2009-06-11 Thread Jan G.B.
2009/6/11 HallMarc Websites m...@hallmarcwebsites.com -Original Message- From: tedd [mailto:tedd.sperl...@gmail.com] Sent: Thursday, June 11, 2009 9:28 AM To: PHP-General List Subject: Re: [PHP] Preventing XSS Attacks At 7:08 PM +0100 6/10/09, Ashley Sheridan wrote

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote: mysql_real_escape_string() only sanitise the input. I would personally only allow [a-zA-Z0-9-_] in search string but that's just me ;) Validate the input in some way, or make extra sanitisation of it before running the search query.

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Eddie Drapkin
The problem with using a database escaping string for output escaping is that something like (despite being the world's lamest XSS) script location.href('google.com') /script Would output mostly the same and with some cleverness, it wouldn't be too hard to get that to function properly with a full

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 12:55 -0400, Eddie Drapkin wrote: The problem with using a database escaping string for output escaping is that something like (despite being the world's lamest XSS) script location.href('google.com') /script Would output mostly the same and with some cleverness, it

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Shawn McKenzie
Ashley Sheridan wrote: On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote: mysql_real_escape_string() only sanitise the input. I would personally only allow [a-zA-Z0-9-_] in search string but that's just me ;) Validate the input in some way, or make extra sanitisation of it before

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Sudheer Satyanarayana
I've been doing a bit of reading, and I can't really understand why XSS is such an issue. Sure, if a user can insert a script tag, what difference will that make to anyone else, as it is only on their own browser. 1. User 1 logs on to the application. Fills up the form with malicious JS

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote: I've been doing a bit of reading, and I can't really understand why XSS is such an issue. Sure, if a user can insert a script tag, what difference will that make to anyone else, as it is only on their own browser. 1.

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote: Ashley Sheridan wrote: On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote: I've been doing a bit of reading, and I can't really understand why XSS is such an issue. Sure, if a user can insert a script tag, what

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote: On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote: Ashley Sheridan wrote: On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote: I've been doing a bit of reading, and I can't really understand why XSS

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Nitsan Bin-Nun
That would do the job. If you are already digging into it, take a look at XSRF/CSRF which are both can be very harmful, especially for ecommerce websites. On Wed, Jun 10, 2009 at 8:08 PM, Ashley Sheridana...@ashleysheridan.co.uk wrote: On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote:

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 19:59 +0200, Nitsan Bin-Nun wrote: That would do the job. If you are already digging into it, take a look at XSRF/CSRF which are both can be very harmful, especially for ecommerce websites. On Wed, Jun 10, 2009 at 8:08 PM, Ashley Sheridana...@ashleysheridan.co.uk

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Sudheer Satyanarayana
Ashley Sheridan wrote: On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana wrote: I've been doing a bit of reading, and I can't really understand why XSS is such an issue. Sure, if a user can insert a script tag, what difference will that make to anyone else, as it is only on their own

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Eddie Drapkin
On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan a...@ashleysheridan.co.ukwrote: On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote: On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote: Ashley Sheridan wrote: On Wed, 2009-06-10 at 23:05 +0530, Sudheer Satyanarayana

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote: On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan a...@ashleysheridan.co.ukwrote: On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote: On Wed, 2009-06-10 at 23:17 +0530, Sudheer Satyanarayana wrote: Ashley Sheridan wrote:

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 2:26 PM, Ashley Sheridana...@ashleysheridan.co.uk wrote: On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote: On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan a...@ashleysheridan.co.ukwrote: On Wed, 2009-06-10 at 19:03 +0100, Ashley Sheridan wrote: On Wed,

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Ashley Sheridan
On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote: On Wed, Jun 10, 2009 at 2:26 PM, Ashley Sheridana...@ashleysheridan.co.uk wrote: On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote: On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan a...@ashleysheridan.co.ukwrote: On Wed,

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 2:56 PM, Ashley Sheridana...@ashleysheridan.co.uk wrote: On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote: On Wed, Jun 10, 2009 at 2:26 PM, Ashley Sheridana...@ashleysheridan.co.uk wrote: On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote: On Wed, Jun 10,

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Shawn McKenzie
Ashley Sheridan wrote: On Wed, 2009-06-10 at 14:40 -0400, Andrew Ballard wrote: On Wed, Jun 10, 2009 at 2:26 PM, Ashley Sheridana...@ashleysheridan.co.uk wrote: On Wed, 2009-06-10 at 14:14 -0400, Eddie Drapkin wrote: On Wed, Jun 10, 2009 at 2:08 PM, Ashley Sheridan

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Nitsan Bin-Nun
Usually I would support you on this one. In chemistry you always keep your stock pure and make any observations or mixtures in clean and other glasses in order to keep it pure. When it comes to printing an output or hosting it in a variables and then printing it out it is just a matter of taste.

Re: [PHP] Preventing XSS Attacks

2009-06-10 Thread Andrew Ballard
On Wed, Jun 10, 2009 at 3:10 PM, Nitsan Bin-Nunnitsa...@gmail.com wrote: Usually I would support you on this one. In chemistry you always keep your stock pure and make any observations or mixtures in clean and other glasses in order to keep it pure. When it comes to printing an output or