Ashley Sheridan wrote:
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
>> mysql_real_escape_string() only sanitises the input. I would personally
>> only allow [a-zA-Z0-9-_] in search string but that's just me ;)
>> Validate the input in some way, or make extra sanitisation of it
>> before running the search query.
>>
>> Regarding the HTML output, just entities() it and you'll be good :)
>>
>> On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
>> <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>>     On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
>>     > As for the output, just html entities () it and you will be good.
>>     >
>>     > You better check the search query for sql injection, which is more
>>     > dangerous.
>>     >
>>     > HTH
>>     > Nitsan
>>     >
>>     > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
>>     > <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>>     >     Hi all,
>>     >
>>     >     I'm looking at adding a new search feature to my site, and one of the
>>     >     elements of this is to echo back in the search results page the
>>     >     original string the user searched for. Up until now, XSS hasn't (afaik)
>>     >     been an issue for my site, but I can see from a mile off this will be.
>>     >     What would you guys recommend to avoid this?
>>     >
>>     >     I'd thought initially of using a mixture of html_special_chars() and a
>>     >     regex (as yet not sure what I'll be stripping out with this) to sanitise
>>     >     the output for display on the results page, but is this enough?
>>     >
>>     >     Thanks
>>     >     Ash
>>     >     www.ashleysheridan.co.uk
>>
>>     I always use mysql_real_escape_string() for that sort of thing, not had
>>     a problem with it, but is there anything you think I should be wary of?
>>
>>     Thanks
>>     Ash
>>     www.ashleysheridan.co.uk
>
> [just bringing it back on list]
>
> Well, I don't understand, what is the problem with
> mysql_real_escape_string() for sanitising input to use for a search? It
> should escape anything out so that the query can't be used in ways that
> I don't want, no?
>
> I'd thought about using a whitelist-only regex, but that seems a little
> limiting tbh, and as my site contains code, it's not unreasonable to
> expect some people might want to search for particular code excerpts.
>
> Thanks
> Ash
> www.ashleysheridan.co.uk

You would use mysql_real_escape_string() before using the string in a db
query (searching). You should use htmlentities() and/or strip tags before
displaying the string.

--
Thanks!
-Shawn
http://www.spidean.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
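An added example, not code from anyone in the thread, that puts Shawn's two-step advice into a PHP search page: the term is passed to the database one way and to the browser another. It assumes a PDO connection `$pdo` and a hypothetical `posts(id, title, body)` table, and it binds the term through a prepared statement in place of the thread's mysql_real_escape_string(), since the mysql_* functions were removed in PHP 7.

```php
<?php
// Added example (not from the thread). Assumes $pdo is an open PDO
// connection and a hypothetical table posts(id, title, body).
declare(strict_types=1);

// 1. Output side: escape for the HTML context at the point of display.
//    ENT_QUOTES also covers attribute values; name the charset explicitly
//    so the escaper and the page agree on what a character is.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Query side: bind the term as a parameter instead of escaping it into
//    the SQL text. The term never becomes part of the statement, so no
//    character in it (quotes, backslashes, comment markers) can alter the
//    query. This lets code excerpts be searched without a whitelist regex.
function searchPosts(PDO $pdo, string $term, int $limit = 50): array
{
    // LIKE has its own metacharacters; escape them so "100%" or "a_b"
    // match literally (MySQL's default LIKE escape character is backslash).
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $pdo->prepare(
        'SELECT id, title FROM posts WHERE body LIKE :pat LIMIT :lim'
    );
    $stmt->bindValue(':pat', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Raw term goes to the query (via binding); escaped term goes to the HTML.
$term = $_GET['q'] ?? '';
$results = searchPosts($pdo, $term);

// Echoing $term here unescaped is exactly the XSS Ash is asking about;
// esc() is the fix, applied to every user- or database-derived value.
echo '<h2>Results for &quot;' . esc($term) . '&quot;</h2>';
echo '<form method="get"><input name="q" value="' . esc($term) . '"></form>';
echo '<ul>';
foreach ($results as $row) {
    echo '<li><a href="/post/' . (int) $row['id'] . '">'
       . esc($row['title']) . '</a></li>';
}
echo '</ul>';
```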