I was just writing a sanitisation route for a bit of user input. The data is
an English text description of a product, and will go into a DB, then back
out to other user's browsers.
As per normal practise, I was working on the basis of leaving in all
characters that I considered safe and stripping out everything else. This
led me to think of what characters are actually safe, given that the user
will want to be able to use at least basic punctuation, currency symbols
and so on. Avoiding < and > seemed obvious, but most other things have a
use I think.
My current line looks like this:
$data = preg_replace( '/[^\s\w\d@"\'()[]{}:#~!$%&*_-+.,]/', "", $data );
(Note that's a list of chars that are *not* to be replaced.) Are any of
these dangerous? Or have I left out some that are harmless and should be in
there?
--
The email address used to post is a spam pit. Contact me at http://www.derekfountain.org : <a
href="http://www.derekfounta in.org/">Derek Fountain</a> 11  1725 
Derek Fountain wrote: I was just writing a sanitisation route for a bit of user input. The data is
an English text description of a product, and will go into a DB, then back
out to other user's browsers.
As per normal practise, I was working on the basis of leaving in all
characters that I considered safe and stripping out everything else. This
led me to think of what characters are actually safe, given that the user
will want to be able to use at least basic punctuation, currency symbols
and so on. Avoiding < and > seemed obvious, but most other things have a
use I think.
My current line looks like this:
$data = preg_replace( '/[^\s\w\d@"\'()[]{}:#~!$%&*_-+.,]/', "", $data );
Two remarks on your pattern syntax: First, the second of
the two square brackets that appear to be in the character
class is in fact not. It is the closing square bracket, and
every non-metacharacter afterwards must be in the subject
string for the replacement to occur. Second, the hyphen, if
it were inside a character class, would cause a warning.
Either escape it or put it where it is not interpreted as a
metacharacter; that is, at the beginning or at the end.
(Note that's a list of chars that are *not* to be replaced.) Are any of
these dangerous? Or have I left out some that are harmless and should be in
there?
How about semicolons and pound signs ('Ł')?
--
Jock
.oO(Derek Fountain) I was just writing a sanitisation route for a bit of user input. The data is
an English text description of a product, and will go into a DB, then back
out to other user's browsers.
As per normal practise, I was working on the basis of leaving in all
characters that I considered safe and stripping out everything else. This
led me to think of what characters are actually safe
Safe for what? In normal text every character can be safe if handled
properly.
given that the user
will want to be able to use at least basic punctuation, currency symbols
and so on. Avoiding < and > seemed obvious, but most other things have a
use I think.
What's wrong with < and >?
Micha
"Derek Fountain" <no****@example .com> wrote in message
news:42******** **************@ per-qv1-newsreader-01.iinet.net.au ... I was just writing a sanitisation route for a bit of user input. The data
is an English text description of a product, and will go into a DB, then back
out to other user's browsers.
As per normal practise, I was working on the basis of leaving in all
characters that I considered safe and stripping out everything else. This
led me to think of what characters are actually safe, given that the user
will want to be able to use at least basic punctuation, currency symbols
and so on. Avoiding < and > seemed obvious, but most other things have a
use I think.
My current line looks like this:
$data = preg_replace( '/[^\s\w\d@"\'()[]{}:#~!$%&*_-+.,]/', "", $data );
(Note that's a list of chars that are *not* to be replaced.) Are any of
these dangerous? Or have I left out some that are harmless and should be
in there?
What encoding are you using? None of the characters above (maybe except 255)
is special, so I think can be safely included. People like to have their
curly quotes and m-dashes.
Derek Fountain wrote:
I was just writing a sanitisation route for a bit of user input.
The data is an English text description of a product, and will
go into a DB, then back out to other user's browsers.
I think you should clarify your definition of "safe". Safe against
what? There are at least three issues that need to be worked on
here: use of potentially improper HTML formatting by users,
malicious Javascript, and SQL injection...
Also, do you plan to store user inputs as HTML or plain text?
Cheers,
NC
>> $data = preg_replace( '/[^\s\w\d@"\'()[]{}:#~!$%&*_-+.,]/', "", $data );
Two remarks on your pattern syntax: First, the second of
the two square brackets that appear to be in the character
class is in fact not. It is the closing square bracket, and
every non-metacharacter afterwards must be in the subject
string for the replacement to occur. Second, the hyphen, if
it were inside a character class, would cause a warning.
Ahem, yeah, I spotted those not long after posting... :o} Thanks for the
pointer though!
--
The email address used to post is a spam pit. Contact me at http://www.derekfountain.org : <a
href="http://www.derekfounta in.org/">Derek Fountain</a>
Michael Fesser wrote: will want to be able to use at least basic punctuation, currency symbols
and so on. Avoiding < and > seemed obvious, but most other things have a
use I think.
What's wrong with < and >?
When returned to an innocent user's browser they allow cross site scripting.
--
The email address used to post is a spam pit. Contact me at http://www.derekfountain.org : <a
href="http://www.derekfounta in.org/">Derek Fountain</a>
.oO(Derek Fountain) Michael Fesser wrote:will want to be able to use at least basic punctuation, currency symbols
and so on. Avoiding < and > seemed obvious, but most other things have a
use I think.
What's wrong with < and >?
When returned to an innocent user's browser they allow cross site scripting.
Yep, I know. But that's not a problem with the chars itself, but rather
because of improper I/O handling. Use htmlspecialchar s() whenever you
print text out to an HTML page and there's no reason anymore to forbid
such "special" chars.
Micha
NC wrote: Derek Fountain wrote:
I was just writing a sanitisation route for a bit of user input.
The data is an English text description of a product, and will
go into a DB, then back out to other user's browsers.
I think you should clarify your definition of "safe". Safe against
what?
Safe for sending through a database API into the DB, then sending back out
to another user's browser...
There are at least three issues that need to be worked on
here: use of potentially improper HTML formatting by users,
malicious Javascript, and SQL injection...
....and not facilitating exploits based on those or any other attack vectors.
The fact several people asked me to define "safe" puzzled me somewhat. How
many interpretations are there of the word in the context of sending data
strings into a DB and back out to a user's browser? I've a feeling I'm
missing something! :o)
Also, do you plan to store user inputs as HTML or plain text?
As typed into a browser textarea input field. I'm expecting plain text, but
want the user to be able to provide as much punctuation, slang, smilies,
etc. as they like, as long as nothing goes in that might compromise the
system or another user's browser/session.
I know to leave < and > out to prevent XSS. I'm not sure about the entity
constructors & and ;. I'm tempted to leave the single quote out because it
is too useful in SQL injection. I'm suspicious of backticks because of
command injection - that's from my Perl background, although I'm not sure
if that's justified in PHP. I have a natural urge to surpress anything that
might be used in scripting, like #, !, and slashes, but again, not for a
reason I actually claim to understand.
Perhaps I'm going about this the wrong way? What do other PHP coders do with
a text value before considering it "safe" to store and relay back to other
user's browsers?
--
The email address used to post is a spam pit. Contact me at http://www.derekfountain.org : <a
href="http://www.derekfounta in.org/">Derek Fountain</a>
.oO(Derek Fountain) Perhaps I'm going about this the wrong way? What do other PHP coders do with
a text value before considering it "safe" to store and relay back to other
user's browsers?
Every input/output operation of (string) data may need some special
escaping/encoding applied before to be safe, dependent on the target
media. In your case I would simply do it this way:
1) Every user-submitted string data is run through stripslashes() if
magic quotes are enabled (check with get_magic_quote s_gpc()). This way
you get the raw data, don't have to rely on some obscure configuration
setting and can apply a proper escaping yourself whenever necessary.
2) Before storing the data into the DB all the strings are run through
mysql_real_esca pe_string() to escape certain chars (like single quotes)
which might cause trouble for the DB.
3) When printing the data out again to an HTML page htmlspecialchar s()
is called on all strings, which converts some chars that have a special
meaning in HTML (<, >, &, ") to named entity references.
That's all. There's no need to take special care of some particular
chars, the mentioned functions above take care of problems like SQL
injection and XSS.
Micha This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Sasha |
last post by:
Hi,
I am extending standard IEnumerator, and I was just wondering what is the
best way to make enumarator safe? What do I mean by safe? Detect deletes and
all...
My idea is to have private Guid state field in the collection, and every
time something is inserted or deleted from the collection, I will just
change the guid. Enumerator will just have to compare the guid received in
the begging to the current one. If they are different, the...
|
by: Ofir |
last post by:
Hellow,
I have a program that draws lines,text,images on a graphics object,
from a Thread, using GDI+.
are GDI+ considered to be thread safe, or i must invoke my draw method to
the main thraed, and draw from there.
thanks,
|
by: Dave Crypto |
last post by:
Hi There,
SUMMARY:
I need to know what the actual maximum date limit possible on a row of
a MYSQL database.
MORE DETAILS:
For example, does a MYSQL database only allow 4032 bytes of data to be
|
by: Xah Lee |
last post by:
in March, i posted a essay “What is Expressiveness in a Computer
Language”, archived at:
http://xahlee.org/perl-python/what_is_expresiveness.html
I was informed then that there is a academic paper written on this
subject.
On the Expressive Power of Programming Languages, by Matthias
Felleisen, 1990.
http://www.ccs.neu.edu/home/cobbe/pl-seminar-jr/notes/2003-sep-26/expressive-slides.pdf
|
by: chandy |
last post by:
I've been working with web technologies for ten years and in all that
time a safe urlencoding for a space has always been %20 on every
platform I have ever used. Now I am using asp.net and it's encoding a
space as a +. What on earth is this? Since when was a plus considered
a safe alternative to a space for transmission in a url? Heck there's
even an encoding for a plus sign, which shows just how un-safe this is!
So, rant over, is...
| | |
by: _mario.lat |
last post by:
hallo,
what does it means "the function is not thread-safe"?
thak you in advance,
Mario.
|
by: Kevin Blount |
last post by:
I'm putting a radG:GridTemplateColumn together (which is probably
irelevant), and within it I'm using a Label, as so:
<asp:Label ID="defaultDescription" runat="server" Text='<%#
Eval("description") %>'></asp:Label>
Fo this Label, I'd like to only show the first 50 chars of the
"description", but I've no idea how to change the Eval to do this.. is
there a way?
|
by: Maric Michaud |
last post by:
Le Monday 16 June 2008 18:58:06 Ethan Furman, vous avez écrit :
As Larry Bates said the python way is to use str.join, but I'd do it with a
genexp for memory saving, and a set to get O(1) test of presence.
to_remove = set('chars')
''.join(e for in string_ if e not in to_remove)
Note that this one will hardly be defeated by other idioms in python (even
regexp).
|
by: =?GB2312?B?17/HvyBaaHVvLCBRaWFuZw==?= |
last post by:
Hi,
I would like to have someone comments on what's the best practice
defining error codes in C.
Here's what I think:
solution A:
using enum
pros: type safe. better for debug (some debugger will show the name
not only the value)
cons: enum can not be forward declared which makes all error codes
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
| | |
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
| | |
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| |
