Re: security/sql issues with php

bruce wrote:
two questions:

1) css scripting. how can it be prevented?? what are some of the methods
that you guys use?

Before outputting anything user-sourced to the browser, htmlspecialchars() it, preferably with the ENT_QUOTES option. If you want to allow some HTML, only then parse the string to un-escape certain HTML tags.

If you're outputting user-sourced data into an inline <script> tag, you will want to be even more careful; use the type functions to check that it is the correct type or force it into the correct type.

Personally, I *never* output user-sourced data into <script> tags. It can always be avoided in my experience.

2) what are some of the actual code methods used in real sites to deal with
URL/Query (GET/POST) parsing?

I'm not going to give you some real code because it will be very dependent on your specific needs. Here are some pointers, though:

Check the types if it's a problem for you (using PHP's many type functions); otherwise just run them through mysql_real_escape_string (or your DBMS's equivalent) before putting them in the database.

Putting an integer into a string field (or vice-versa with non-strict DBMSs like MySQL) won't be a problem in terms of security, but could confuse you when someone's name is "8752" or their phone number is "0".

You need to weigh up whether the accuracy of your data is important enough to throw an error in those situations. If it is then also consider doing simple checking to fix common errors without bothering the user again.

--
Jasper Bryant-Greene
Freelance web developer
http://jasper.bryant-greene.name/
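Added example (not code from the original message) that puts the two pointers above into working PHP: escape user-sourced data with htmlspecialchars() and ENT_QUOTES at the moment it is written into HTML, and force the GET parameter into the correct type before it reaches the database. Because the mysql_* functions the message refers to were removed in PHP 7, the database step uses a PDO prepared statement as the modern equivalent; the `$pdo` connection and the `users` table are assumptions.

```php
<?php
// Added example: escape-on-output plus type-checked input.
// Assumes a PDO connection and a table users(id INT, name TEXT);
// both are placeholders, not from the original message.
declare(strict_types=1);

// 1) XSS: escape at the point the value is written into HTML.
//    ENT_QUOTES also escapes ' and ", so the result is safe inside
//    attribute values as well as element text.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2) Input typing: accept the id only if it is a positive integer.
//    FILTER_VALIDATE_INT rejects "", "8752abc" and "1 OR 1=1" alike,
//    so the query never sees a value of the wrong type.
function userIdFromRequest(array $get): ?int
{
    if (!isset($get['id']) || is_array($get['id'])) {
        return null;
    }
    $id = filter_var($get['id'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The value is bound, never concatenated into SQL; this replaces
// mysql_real_escape_string() in current PHP.
function findUserName(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Builds the response body; returns null when the request is invalid.
// A name such as "8752" or "<script>alert(1)</script>" (from a hostile
// signup) is escaped here and is never placed inside an inline <script>.
function renderGreeting(PDO $pdo, array $get): ?string
{
    $id = userIdFromRequest($get);
    if ($id === null) {
        return null;
    }
    $name = findUserName($pdo, $id) ?? 'unknown user';
    return '<p>Hello, ' . h($name) . '</p>' . "\n"
         . '<input type="text" name="name" value="' . h($name) . '">';
}
```

Call `renderGreeting($pdo, $_GET)` from the page script and send a 400 when it returns null.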

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php