Outputting values from database: security question

Hey,

I'm in the process of developing an administration back-end for a website which
will enable users to update news items etc and have come across a security
dilemma concerning outputting content stored in the database and possible
malicious code.

When the user enters information into the Add News form, the fields are verified
for correct formatting / string length etc. Any HTML tags are then converted and
set as session vars (for ease of movement between pages):

// Convert every posted field to HTML entities before keeping it in the session.
// ENT_NOQUOTES leaves single and double quotes unconverted; < > & are encoded.
foreach ($_POST as $key => $value)
{
	$_SESSION[$key] = trim(htmlentities($value, ENT_NOQUOTES, "ISO-8859-15"));
}

On the preview page, the data is converted for display as it would be online:

echo replaceUBB(nl2br(stripslashes($_SESSION['my_news_item'])));

where replaceUBB() is a function which replaces [b]...[/b] with <b>...</b>,
[url]...[/url] with <a href='...'>...</a> etc.
This function uses preg_replace for URLs and str_replace for the rest (it's
pretty long but I can post it if nec?).

Once the user has checked it and confirmed it is OK, it is passed for submission
to the database. As I know any values in $_SESSION to be entered will have had
HTML entities converted, I am using:

// Remove any raw tags that may have been added since the preview step.
foreach ($_SESSION as $key => $value)
{
	$_SESSION[$key] = strip_tags($value);
}

so I know my vars haven't been tampered with on the submit page and had html /
php entered, malicious or otherwise.

My dilemma is whether to now convert the vars using replaceUBB() before
inputting in the db or to input without any tags and convert the output on
demand online.

Converting before and outputting straight from the database would leave me
vulnerable if the database is cracked and malicious code stored.

Converting after with

echo replaceUBB(strip_tags($my_news_item));

would be safer as malicious code would not be converted by replaceUBB() and
therefore not executed. But, with some pages echoing up to 50 records (e.g. the
News Archive), the multiple calls to a function containing preg_replace would
surely have a detrimental effect on page load times?

If anyone could give me guidance on which would be the most sensible, I would be
very grateful. Or, if I am missing a third (or fourth, or fifth...) option, I am
open to suggestions =o)

Thanks,
David

-- 
--------------------------
David Green
http://www.thefinalsigh.co.uk
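As an added example (not part of David's post or his replaceUBB() function), this is the "store plain text, convert on output" option he describes: the database row is escaped with htmlspecialchars() at display time and the [b] and [url] tags are then turned into markup the code writes itself, with the URL checked before it becomes a link. The helper name renderNews() and the UTF-8 charset are assumptions for the example.

```php
<?php
// Added example, not the original post's code. Render one news record:
// escape the stored text on output, then expand [b] and [url] tags.
function renderNews(string $raw): string
{
    // 1. Neutralise every character that could start markup. Done on
    //    output, so the database only ever holds the user's plain text
    //    and a tampered row still cannot inject HTML. (UTF-8 is assumed.)
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. [b]...[/b]: the <b> tag is the only HTML here, and we write it.
    $safe = preg_replace('#\[b\](.*?)\[/b\]#s', '<b>$1</b>', $safe);

    // 3. [url]...[/url]: accept only absolute http(s) URLs so that
    //    javascript: or data: values never become a clickable href.
    $safe = preg_replace_callback(
        '#\[url\](.*?)\[/url\]#s',
        function (array $m): string {
            $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
            if (!preg_match('#^https?://#i', $url)
                || filter_var($url, FILTER_VALIDATE_URL) === false) {
                return $m[1]; // keep the escaped text, drop the tag
            }
            $attr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            return "<a href=\"$attr\" rel=\"nofollow\">$attr</a>";
        },
        $safe
    );

    // 4. Line breaks last, after escaping, exactly as the preview page does.
    return nl2br($safe);
}

// Constructed sample rows standing in for what the database would return.
$rows = [
    "Site [b]relaunch[/b] today!\nSee [url]http://www.example.com/news[/url]",
    "<script>alert(1)</script> [url]javascript:alert(1)[/url]",
];
foreach ($rows as $row) {
    echo renderNews($row), "\n";
}
```

If the per-page preg_replace cost turns out to be measurable, the rendered HTML can be stored in a second column next to the plain text at save time and regenerated from the plain text whenever the rendering rules change.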

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php