From: Ashley Sheridan
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
>> mysql_real_escape_string() only sanitises the input. I would personally
>> only allow [a-zA-Z0-9-_] in search strings, but that's just me ;)
>> Validate the input in some way, or make extra sanitisation of it
>> before running the search query.
>>
>> Regarding the HTML output, just entities() it and you'll be good :)
>>
>> On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
>> <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>>
>>> On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
>>>> As for the output, just html entities () it and you will be good.
>>>>
>>>> You better check the search query for SQL injection, which is more
>>>> dangerous.
>>>>
>>>> HTH
>>>> Nitsan
>>>>
>>>> On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
>>>> <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
>>>>> Hi all,
>>>>>
>>>>> I'm looking at adding a new search feature to my site, and one of the
>>>>> elements of this is to echo back in the search results page the
>>>>> original string the user searched for. Up until now, XSS hasn't (afaik)
>>>>> been an issue for my site, but I can see from a mile off this will be.
>>>>> What would you guys recommend to avoid this?
>>>>>
>>>>> I'd thought initially of using a mixture of html_special_chars() and a
>>>>> regex (as yet not sure what I'll be stripping out with this) to sanitise
>>>>> the output for display on the results page, but is this enough?
>>>>>
>>>
>>> I always use mysql_real_escape_string() for that sort of thing, not had
>>> a problem with it, but is there anything you think I should be wary of?
>>>
>
> Well, I don't understand, what is the problem with
> mysql_real_escape_string() for sanitising input to use for a search? It
> should escape anything out so that the query can't be used in ways that
> I don't want, no?
>
> I'd thought about using a whitelist-only regex, but that seems a little
> limiting tbh, and as my site contains code, it's not unreasonable to
> expect some people might want to search for particular code excerpts.

What if we don't use MySQL? We are using Postgres on our web servers. None
of the MySQL libraries are available. I am currently reviewing a half-dozen
different and incomplete black-list sanitization functions that don't do a
very good job while removing characters that we need to be able to use. I
need to identify a clean strategy to replace or restructure them.

Bob McConnell

Sorry for posting this so late, I just got back from a week of vacation.

bm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
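One way to handle both problems raised in the thread (a search over code excerpts that a whitelist regex would block, on Postgres with no MySQL escaping functions, and the term echoed back into HTML) is to bind the term as a query parameter and encode it only at output. This is an added PHP example, not code from anyone in the thread; it assumes a `documents` table with `id`, `title` and `body` columns and uses placeholder connection details.

```php
<?php
// Added example (not from the thread). Assumes a Postgres table "documents"
// (id, title, body); the DSN, user and password are placeholders.

function connect(): PDO {
    $pdo = new PDO('pgsql:host=localhost;dbname=YOUR_DB', 'YOUR_USER', 'YOUR_PASSWORD');
    // Throw on errors and use real server-side prepared statements rather
    // than client-side string building.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// The search term is never interpolated into SQL, so quotes, semicolons and
// backslashes (all common in code excerpts) need no stripping. The only
// escaping is of LIKE's own wildcards, so a search for "100%" or "$_GET"
// matches literally instead of matching every row.
function searchDocuments(PDO $pdo, string $term, int $limit = 50): array {
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $pdo->prepare(
        'SELECT id, title FROM documents
          WHERE body ILIKE :pattern ESCAPE \'\\\'
          ORDER BY id DESC LIMIT :limit'
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding is a separate concern from query safety: encode for the
// HTML context at the point of output, regardless of what was stored.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$term = (string)($_GET['q'] ?? '');
$rows = searchDocuments(connect(), $term);

echo '<p>Results for <strong>' . h($term) . '</strong>:</p>', "\n<ul>\n";
foreach ($rows as $row) {
    echo '<li><a href="/doc.php?id=' . (int)$row['id'] . '">'
       . h($row['title']) . '</a></li>', "\n";
}
echo "</ul>\n";
```

The same split applies to any database: the driver's parameter binding keeps the query safe, and `htmlspecialchars()` keeps the echoed term safe, so no character blacklist is needed in between.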