Re: [PHP] Question about a security function

2010-05-21 Thread David Otton
On 20 May 2010 16:51, Al n...@ridersite.org wrote: I'm not being clear. First pass is thru the blacklist, which effectually tells hacker to not bother and totally deletes the entry. If the raw entry gets past the blacklist, it must then only contain my whitelist tags. e.g., the two examples

Re: [PHP] Question about a security function

2010-05-21 Thread Ashley Sheridan
On Fri, 2010-05-21 at 14:24 +0100, David Otton wrote: On 20 May 2010 16:51, Al n...@ridersite.org wrote: I'm not being clear. First pass is thru the blacklist, which effectually tells hacker to not bother and totally deletes the entry. If the raw entry gets past the blacklist, it must

Re: [PHP] Question about a security function

2010-05-21 Thread Al
On 5/21/2010 9:24 AM, David Otton wrote: On 20 May 2010 16:51, Al n...@ridersite.org wrote: I'm not being clear. First pass is thru the blacklist, which effectually tells hacker to not bother and totally deletes the entry. If the raw entry gets past the blacklist, it must then only contain

Re: [PHP] Question about a security function

2010-05-21 Thread David Otton
On 21 May 2010 14:21, Ashley Sheridan a...@ashleysheridan.co.uk wrote: I still think you might be better off using BBCode, which is used on websites just for this very purpose. When any input comes back, you can remove all the HTML completely and replace the BBCode tags that you allow. This

Re: [PHP] Question about a security function

2010-05-21 Thread Al
On 5/21/2010 9:21 AM, Ashley Sheridan wrote: On Fri, 2010-05-21 at 14:24 +0100, David Otton wrote: On 20 May 2010 16:51, Al n...@ridersite.org wrote: I'm not being clear. First pass is thru the blacklist, which effectually tells hacker to not bother and totally deletes the entry. If the

Re: [PHP] Question about a security function

2010-05-21 Thread Jim Lucas
Al wrote: On 5/21/2010 9:24 AM, David Otton wrote: On 20 May 2010 16:51, Al n...@ridersite.org wrote: I'm not being clear. First pass is thru the blacklist, which effectually tells hacker to not bother and totally deletes the entry. If the raw entry gets past the blacklist, it must then

Re: [PHP] Question about a security function

2010-05-21 Thread Al
On 5/21/2010 10:36 AM, Jim Lucas wrote: Al wrote: On 5/21/2010 9:24 AM, David Otton wrote: On 20 May 2010 16:51, Al n...@ridersite.org wrote: I'm not being clear. First pass is thru the blacklist, which effectually tells hacker to not bother and totally deletes the entry. If the raw

Re: [PHP] Question about a security function

2010-05-20 Thread Peter Lind
On 20 May 2010 14:53, Al n...@ridersite.org wrote: I have a password-protected, user, on-line editor that I'm hardening against hackers just in case a user's pw is stolen or local PC is infected. The user can enter html tags; but, I restrict the acceptable tags to benign ones. e.g., p, b,

Re: [PHP] Question about a security function

2010-05-20 Thread David Otton
On 20 May 2010 13:53, Al n...@ridersite.org wrote: I have a password-protected, user, on-line editor that I'm hardening against hackers just in case a user's pw is stolen or local PC is infected. The user can enter html tags; but, I restrict the acceptable tags to benign ones. e.g., p, b,

Re: [PHP] Question about a security function

2010-05-20 Thread Ashley Sheridan
On Thu, 2010-05-20 at 14:27 +0100, David Otton wrote: On 20 May 2010 13:53, Al n...@ridersite.org wrote: I have a password-protected, user, on-line editor that I'm hardening against hackers just in case a user's pw is stolen or local PC is infected. The user can enter html tags; but, I

Re: [PHP] Question about a security function

2010-05-20 Thread Al
On 5/20/2010 10:07 AM, Ashley Sheridan wrote: On Thu, 2010-05-20 at 14:27 +0100, David Otton wrote: On 20 May 2010 13:53, Al n...@ridersite.org wrote: I have a password-protected, user, on-line editor that I'm hardening against hackers just in case a user's pw is stolen or local PC is

Re: [PHP] Question about a security function

2010-05-20 Thread David Otton
On 20 May 2010 15:52, Al n...@ridersite.org wrote: I agree blacklisting is a flawed approach in general. My approach is to strictly confine entry text to a whitelist of benign, acceptable tags. The But that's not what you've done. You've blacklisted the following patterns: \script\x20,

Re: [PHP] Question about a security function

2010-05-20 Thread Al
On 5/20/2010 11:23 AM, David Otton wrote: On 20 May 2010 15:52, Al n...@ridersite.org wrote: I agree blacklisting is a flawed approach in general. My approach is to strictly confine entry text to a whitelist of benign, acceptable tags. The But that's not what you've done. You've

Re: [PHP] Question about a security function

2010-05-20 Thread Ashley Sheridan
On Thu, 2010-05-20 at 11:51 -0400, Al wrote: On 5/20/2010 11:23 AM, David Otton wrote: On 20 May 2010 15:52, Al n...@ridersite.org wrote: I agree blacklisting is a flawed approach in general. My approach is to strictly confine entry text to a whitelist of benign, acceptable tags. The

Re: [PHP] Question about a security function

2010-05-20 Thread Jim Lucas
Al wrote: On 5/20/2010 11:23 AM, David Otton wrote: On 20 May 2010 15:52, Al n...@ridersite.org wrote: I agree blacklisting is a flawed approach in general. My approach is to strictly confine entry text to a whitelist of benign, acceptable tags. The But that's not what you've done.

Re: [PHP] Question about a security function

2010-05-20 Thread Al
On 5/20/2010 12:02 PM, Jim Lucas wrote: Al wrote: On 5/20/2010 11:23 AM, David Otton wrote: On 20 May 2010 15:52, Al n...@ridersite.org wrote: I agree blacklisting is a flawed approach in general. My approach is to strictly confine entry text to a whitelist of benign, acceptable tags.

Re: [PHP] Question about a security function

2010-05-20 Thread Ashley Sheridan
On Thu, 2010-05-20 at 12:40 -0400, Al wrote: On 5/20/2010 12:02 PM, Jim Lucas wrote: Al wrote: On 5/20/2010 11:23 AM, David Otton wrote: On 20 May 2010 15:52, Al n...@ridersite.org wrote: I agree blacklisting is a flawed approach in general. My approach is to strictly confine

Re: [PHP] Question about a security function

2010-05-20 Thread Al
On 5/20/2010 12:43 PM, Ashley Sheridan wrote: On Thu, 2010-05-20 at 12:40 -0400, Al wrote: On 5/20/2010 12:02 PM, Jim Lucas wrote: Al wrote: On 5/20/2010 11:23 AM, David Otton wrote: On 20 May 2010 15:52, Al n...@ridersite.org wrote: I agree blacklisting is a flawed approach in