On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> mysql_real_escape_string() only sanitises the input. I would personally
> only allow [a-zA-Z0-9-_] in the search string but that's just me ;)
> Validate the input in some way, or make extra sanitisation of it
> before running the search query.
>
> Regarding the HTML output, just entities() it and you'll be good :)
>
> On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
> <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > As for the output, just html entities() it and you will be good.
> > >
> > > You better check the search query for SQL injection, which is more
> > > dangerous.
> > >
> > > HTH
> > > Nitsan
> > >
> > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
> > > <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> > > > Hi all,
> > > >
> > > > I'm looking at adding a new search feature to my site, and one of the
> > > > elements of this is to echo back, in the search results page, the
> > > > original string the user searched for. Up until now, XSS hasn't (afaik)
> > > > been an issue for my site, but I can see from a mile off this will be.
> > > > What would you guys recommend to avoid this?
> > > >
> > > > I'd thought initially of using a mixture of html_special_chars() and a
> > > > regex (as yet not sure what I'll be stripping out with this) to sanitise
> > > > the output for display on the results page, but is this enough?
> > > >
> > > > Thanks
> > > > Ash
> > > > www.ashleysheridan.co.uk
> >
> > I always use mysql_real_escape_string() for that sort of thing, not had
> > a problem with it, but is there anything you think I should be wary of?
> >
> > Thanks
> > Ash
> > www.ashleysheridan.co.uk

[just bringing it back on list]

Well, I don't understand, what is the problem with mysql_real_escape_string()
for sanitising input to use for a search? It should escape anything out so
that the query can't be used in ways that I don't want, no?

I'd thought about using a whitelist-only regex, but that seems a little
limiting tbh, and as my site contains code, it's not unreasonable to expect
some people might want to search for particular code excerpts.

Thanks
Ash
www.ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
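An added example, not code from Ash's or Nitsan's posts, showing the two separate encodings the thread is circling. The search term goes into SQL as a bound parameter, so the string-literal escaping that mysql_real_escape_string() performs is done by the driver; the LIKE metacharacters % and _ are escaped separately, because literal escaping never touches them and a term like "100%" would otherwise match anything containing "100"; and the same term is HTML-encoded with htmlspecialchars() only at the point where it is echoed back. The quote-only variant uses PDO::quote(), the same kind of literal escaping mysql_real_escape_string() does, to show what that alone covers: the apostrophe in O'Reilly is handled, but a % typed by the user still acts as a wildcard. The example assumes PHP 7 or later with pdo_sqlite (the mysql_ extension the thread refers to was removed in PHP 7) and uses an in-memory SQLite table so it runs offline; the table, rows and search terms are constructed for the example, and escapeLike(), htmlTerm() and searchPosts() work unchanged against MySQL via PDO or mysqli.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7+ with pdo_sqlite
// so it runs offline; the functions are the same for MySQL via PDO or mysqli.
declare(strict_types=1);

/**
 * Escape the LIKE metacharacters in a user-supplied term. Escaping the SQL
 * string literal (quotes, backslashes) is the driver's job once the value
 * is bound; that escaping leaves '%' and '_' alone, so they are handled here.
 * The escape character itself is doubled first so a user-typed '!' survives.
 */
function escapeLike(string $term, string $esc = '!'): string
{
    return str_replace(
        [$esc, '%', '_'],
        [$esc . $esc, $esc . '%', $esc . '_'],
        $term
    );
}

/** Encode the term for the HTML results page: a second, separate encoding. */
function htmlTerm(string $term): string
{
    return htmlspecialchars($term, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened search: the term is bound as data and LIKE wildcards are escaped. */
function searchPosts(PDO $db, string $term): array
{
    $stmt = $db->prepare(
        "SELECT id, title FROM posts WHERE body LIKE :pat ESCAPE '!' ORDER BY id"
    );
    $stmt->execute([':pat' => '%' . escapeLike($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Literal escaping only, the mysql_real_escape_string() style from the thread:
 * PDO::quote() escapes quotes inside the literal, but '%' and '_' typed by the
 * user are still wildcards as far as LIKE is concerned.
 */
function searchPostsQuotedOnly(PDO $db, string $term): array
{
    $sql = 'SELECT id, title FROM posts WHERE body LIKE '
         . $db->quote('%' . $term . '%') . ' ORDER BY id';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data for the example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$ins = $db->prepare('INSERT INTO posts (title, body) VALUES (?, ?)');
$ins->execute(['Regex notes', 'preg_match() caught 100% of the lines']);
$ins->execute(['Paging', 'The list shows 100 rows per page']);
$ins->execute(['Quotes', "Remember to escape O'Reilly in the query"]);

// Constructed search terms, one per point in the thread.
$terms = [
    "100%",                        // literal '%': a wildcard unless escaped
    "O'Reilly",                    // the quote is what literal escaping covers
    "<script>alert(1)</script>",   // XSS payload: inert once HTML-encoded
];

foreach ($terms as $t) {
    printf(
        "Results for \"%s\": quoted-only %d, bound+escaped %d\n",
        htmlTerm($t),
        count(searchPostsQuotedOnly($db, $t)),
        count(searchPosts($db, $t))
    );
}
```

Run it with `php` from the command line. The "100%" row is the one to look at: the quoted-only search also returns the "100 rows per page" post because the % went into the pattern as a wildcard, while the bound and escaped search returns only the post containing the literal text. The search for O'Reilly returns the same single post both ways, which is the case literal escaping was designed for. The script payload matches nothing and is printed with its angle brackets encoded; that part has nothing to do with the database at all, which is the point of keeping SQL escaping and HTML encoding as two separate steps applied at two separate sinks. An allow-list regex, as Nitsan suggests, is a third, optional layer that restricts what a term may contain; it is not a substitute for encoding the term correctly for wherever it ends up.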