On Mon, Jun 15, 2009 at 10:48:04AM -0400, Bob McConnell wrote:

> From: Ashley Sheridan
>
> > On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> >> mysql_real_escape_string() only sanitise the input. I would personally
> >> only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> >> Validate the input in some way, or make extra sanitisation of it
> >> before running the search query.
> >>
> >> Regarding the HTML output, just entities() it and you'll be good :)
> >>
> >> On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
> >> <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> >>
> >> On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> >> > As far for the output, just html entities () it and you will be good.
> >> >
> >> > You better check the search query for sql injection, which is more
> >> > dangerous.
> >> >
> >> > HTH
> >> > Nitsan
> >> >
> >> > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
> >> > <ash@xxxxxxxxxxxxxxxxxxxx> wrote:
> >> > Hi all,
> >> >
> >> > I'm looking at adding a new search feature to my site, and one of
> >> > the elements of this is to echo back in the search results page,
> >> > the original string the user searched for. Up until now, XSS
> >> > hasn't (afaik) been an issue for my site, but I can see from a
> >> > mile off this will be. What would you guys recommend to avoid this?
> >> >
> >> > I'd thought initially of using a mixture of html_special_chars()
> >> > and a regex (as yet not sure what I'll be stripping out with this)
> >> > to sanitise the output for display on the results page, but is
> >> > this enough?
> >> >
> >>
> >> I always use mysql_real_escape_string() for that sort of thing, not had
> >> a problem with it, but is there anything you think I should be wary of?
> >>
> >
> > Well, I don't understand, what is the problem with
> > mysql_real_escape_string() for sanitising input to use for a search? It
> > should escape anything out so that the query can't be used in ways that
> > I don't want no?
> >
> > I'd thought about using a whitelist-only regex, but that seems a little
> > limiting tbh, and as my site contains code, it's not unreasonable to
> > expect some people might want to search for particular code excerpts.
>
> What if we don't use MySQL? We are using Postgres on our web servers.
> None of the MySQL libraries are available. I am currently reviewing a
> half-dozen different and incomplete black-list sanitization functions
> that don't do a very good job while removing characters that we need to
> be able to use. I need to identify a clean strategy to replace or
> restructure them.

PostgreSQL has a function called pg_escape_string() which probably
performs a function similar to MySQL's function. See

http://us2.php.net/manual/en/function.pg-escape-string.php

But you'll still need other functions (as above in this thread) to do a
thorough job.

Paul

--
Paul M. Foster

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
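An added illustration, not code from anyone in this thread, of the point the replies converge on: the SQL layer and the HTML layer are escaped separately, each with a function matched to its context, so the original term can be echoed back without a restrictive whitelist. It assumes a PostgreSQL connection `$db` and a table `articles(id, title, body)`, both invented for the example, and uses a parameterised query (`pg_query_params`) in place of the `pg_escape_string()` splicing the thread names.

```php
<?php
// Added example, not from the thread. Assumes a PostgreSQL connection $db
// and a table articles(id, title, body); both are invented for this page.

function run_search($db, $term)
{
    // SQL context. The thread names pg_escape_string() for this; a
    // parameterised query (pg_query_params) does the same job without any
    // string splicing, so the term can never become part of the SQL text.
    // For a LIKE/ILIKE search the pattern wildcards % and _ are still
    // data and must be escaped separately (backslash is the default
    // ESCAPE character in PostgreSQL).
    $pattern = '%' . strtr($term, array('\\' => '\\\\', '%' => '\\%', '_' => '\\_')) . '%';
    $sql = 'SELECT id, title FROM articles WHERE body ILIKE $1 LIMIT 50';
    return pg_query_params($db, $sql, array($pattern));
}

function escape_for_html($text)
{
    // HTML context. This is the "entities() it" step from the thread:
    // <, >, &, " and ' become entities, so the echoed term is inert markup.
    // SQL escaping leaves these characters untouched, which is why neither
    // function can stand in for the other.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

$term   = isset($_GET['q']) ? $_GET['q'] : '';
$result = run_search($db, $term);

// The original term is echoed back unchanged except for HTML encoding,
// so searches for code excerpts such as "<?php echo $x; ?>" still work.
echo '<p>Results for <strong>' . escape_for_html($term) . '</strong></p>';
echo '<ul>';
while ($row = pg_fetch_assoc($result)) {
    echo '<li>' . escape_for_html($row['title']) . '</li>';
}
echo '</ul>';
```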