On 26/04/07, Chris Shiflett <[EMAIL PROTECTED]> wrote:
Dotan Cohen wrote:
> It would be BBcode if anything. It may be the product of the
> lazy, but I feel more secure parsing it than [x]HTML.
BBCode is a pretty useless markup format. If you only want to allow /
interpret a small subset of HTML,
Dotan Cohen wrote:
> It would be BBcode if anything. It may be the product of the
> lazy, but I feel more secure parsing it than [x]HTML.
BBCode is a pretty useless markup format. If you only want to allow /
interpret a small subset of HTML, you can use a simple approach like this:
http://shiflet
On 26/04/07, Justin Frim <[EMAIL PROTECTED]> wrote:
Then you're already protected from XSS attacks, no HTML filters
necessary. Easy as pi. ;-)
(ok, that one was lame)
At least you didn't say ez as pi (ez would be 2.71 * Z variable, of course).
Dotan Cohen
http://lyricslist.com/lyrics/art
Dotan Cohen wrote:
I currently am using htmlencode, so < and > show as expected. I do
expect the math faculty to use those symbols :).
Then you're already protected from XSS attacks, no HTML filters
necessary. Easy as pi. ;-)
(ok, that one was lame)
--
PHP General Mailing List (http://
On 25/04/07, Justin Frim <[EMAIL PROTECTED]> wrote:
Dotan Cohen wrote:
> On 25/04/07, Justin Frim <[EMAIL PROTECTED]> wrote:
>
>> I'm assuming then you want the data to be able to contain _some_ mark-up
>> considered to be safe?
>>
>
> Not at this stage, no. Maybe if the users ask for it, but no
Dotan Cohen wrote:
On 25/04/07, Justin Frim <[EMAIL PROTECTED]> wrote:
I'm assuming then you want the data to be able to contain _some_ mark-up
considered to be safe?
Not at this stage, no. Maybe if the users ask for it, but not now in
the beginning. The universe's best engineer, Scotty, on
On 25/04/07, Richard Lynch <[EMAIL PROTECTED]> wrote:
On Mon, April 23, 2007 9:48 am, WeberSites LTD wrote:
> I'm trying to understand from the examples why anyone
> that has get_magic_quotes_gpc() returning true would
> need to use stripslashes() and then mysql_real_escape_string().
>
> wouldn't
Dotan Cohen wrote:
On 24/04/07, Justin Frim <[EMAIL PROTECTED]> wrote:
if (get_magic_quotes_gpc()) {
/*
(unfortunately in PHP these are enabled by default. AHH! Which idiot
thought this was a good idea to turn them on by default? Good
programming
practise is to manually encode only t
Eric Butera wrote:
One thing you might want to keep in mind is that this little "fix" is
going to get executed on each request if you just throw it in an
include.
...big snip...
That means lots function calls happened before you could even say
hello world. You might want to add wrapper fun
On Tue, April 24, 2007 3:33 pm, Justin Frim wrote:
> (unfortunately in PHP these are enabled by default. AHH! Which
> idiot
> thought this was a good idea to turn them on by default?
Rasmus thought it was a Good Idea because it was very convenient for
his needs at the time, which as simple f
On Mon, April 23, 2007 9:48 am, WeberSites LTD wrote:
> I'm trying to understand from the examples why anyone
> that has get_magic_quotes_gpc() returning true would
> need to use stripslashes() and then mysql_real_escape_string().
>
> wouldn't that just add slashes to the same places?
If you were
On 4/24/07, Dotan Cohen <[EMAIL PROTECTED]> wrote:
Thanks. Most of that has already been done now, but I'll certainly
keep your functions handy. I'll likely need them at some point.
One thing you might want to keep in mind is that this little "fix" is
going to get executed on each request if yo
On 24/04/07, Justin Frim <[EMAIL PROTECTED]> wrote:
Just my two cents worth...
Magic quotes are the work of the devil. It's a shame that so many PHP
installations have them enabled, and a huge disappointment that PHP is
actually distributed with this stuff enabled! The mere fact that a
script
Just my two cents worth...
Magic quotes are the work of the devil. It's a shame that so many PHP
installations have them enabled, and a huge disappointment that PHP is
actually distributed with this stuff enabled! The mere fact that a
script can't change this setting creates a real hassle an
-Original Message-
From: Weber Sites [mailto:[EMAIL PROTECTED] On Behalf Of WeberSites
LTD
Sent: Monday, April 23, 2007 10:49 AM
To: Buesching, Logan J; 'Dotan Cohen'; 'php php'
Subject: RE: [PHP] Preventing SQL Injection/ Cross Site Scripting
I'm trying to understand from the
On 4/23/07, WeberSites LTD <[EMAIL PROTECTED]> wrote:
I'm trying to understand from the examples why anyone
that has get_magic_quotes_gpc() returning true would
need to use stripslashes() and then mysql_real_escape_string().
wouldn't that just add slashes to the same places?
berber
Yes, sort
From: Buesching, Logan J [mailto:[EMAIL PROTECTED]
Sent: Monday, April 23, 2007 2:35 AM
To: Dotan Cohen; php php
Subject: RE: [PHP] Preventing SQL Injection/ Cross Site Scripting
There are many good resources out there, and one of my favorites for this
type of information is from Chris Shiflett.
http://shiflett.org/ar
There are many good resources out there, and one of my favorites for this type
of information is from Chris Shiflett.
http://shiflett.org/articles/sql-injection
http://shiflett.org/articles/foiling-cross-site-attacks
http://shiflett.org/blog/2007/mar/allowing-html-and-preventing-xss
Those are a
On Sat, April 21, 2007 5:20 am, Dotan Cohen wrote:
> Although I can semicolons and the like, greater than and less than
> signs I want to keep as there are some rather witty people from the
> Mathematics faculty who will be using the comments. I'll str_replace()
> them to > and < however.
Store th
On Fri, April 20, 2007 8:08 pm, Dotan Cohen wrote:
> I've got a comments form that I'd like to harden against SQL Injection
> / XSS attacks. The data is stored in UTF-8 in a mysql database. I
> currently parse the data as such:
> After seeing this:
> http://ha.ckers.org/xss.html
> and another simi
Dotan Cohen wrote:
> One note, I remove semicolons from the user input to thwart SQL
> injection as they can be used to terminate an SQL query and are
> very uncommon in regular speech. However, htmlspecialchars()
> and htmlentities add semicolons when converting. Is this
> dangerous, ie, can this
On 21/04/07, Chris Shiflett <[EMAIL PROTECTED]> wrote:
Dotan Cohen wrote:
> > I recommend you dig deeper into that xss page you might even
> > find a script that filters xss.
>
> Obviously I keep missing it.
You might find these examples useful:
http://phpsecurity.org/code/ch01-3
http://phpsecu
On 21/04/07, tedd <[EMAIL PROTECTED]> wrote:
At 4:08 AM +0300 4/21/07, Dotan Cohen wrote:
>I've got a comments form that I'd like to harden against SQL Injection
>/ XSS attacks. The data is stored in UTF-8 in a mysql database. I
>currently parse the data as such:
I highly recommend "Essential PH
Dotan Cohen wrote:
> > I recommend you dig deeper into that xss page you might even
> > find a script that filters xss.
>
> Obviously I keep missing it.
You might find these examples useful:
http://phpsecurity.org/code/ch01-3
http://phpsecurity.org/code/ch01-4
Hope that helps.
Chris
--
Chris
At 4:08 AM +0300 4/21/07, Dotan Cohen wrote:
I've got a comments form that I'd like to harden against SQL Injection
/ XSS attacks. The data is stored in UTF-8 in a mysql database. I
currently parse the data as such:
I highly recommend "Essential PHP Security" by Chris Shiflett -- he
covers tho
On 2007. 04. 21, Saturday, at 13.20, Dotan Cohen wrote:
> On 21/04/07, Tim <[EMAIL PROTECTED]> wrote:
> >
> >
> > > -Original Message-
> > > From: Dotan Cohen [mailto:[EMAIL PROTECTED]
> > > Sent: Saturday 21 April 2007 03:08
> > > To: php php
> > > Subject: [PHP] Preventing SQL I
On 21/04/07, Tim <[EMAIL PROTECTED]> wrote:
> -Original Message-
> From: Dotan Cohen [mailto:[EMAIL PROTECTED]
> Sent: Saturday 21 April 2007 03:08
> To: php php
> Subject: [PHP] Preventing SQL Injection/ Cross Site Scripting
>
> I've got a comments form that I'd like to harden against
On 21/04/07, Leonard Burton <[EMAIL PROTECTED]> wrote:
Hi Dotan,
Why not use mysql_escape_string()?
I use mysql_real_escape_string() as the second to last function in there.
Dotan Cohen
http://dotancohen.com/eng/army_pictures.php
http://lyricslist.com/lyrics/artist_albums/575/7a3.html
--
P
> -Original Message-
> From: Dotan Cohen [mailto:[EMAIL PROTECTED]
> Sent: Saturday 21 April 2007 03:08
> To: php php
> Subject: [PHP] Preventing SQL Injection/ Cross Site Scripting
>
> I've got a comments form that I'd like to harden against SQL Injection
> / XSS attacks. The data is
Hi Dotan,
Why not use mysql_escape_string()?
On 4/20/07, Dotan Cohen <[EMAIL PROTECTED]> wrote:
I've got a comments form that I'd like to harden against SQL Injection
/ XSS attacks. The data is stored in UTF-8 in a mysql database. I
currently parse the data as such:
$_POST["commentform"]=str_r