On Wed, 2009-06-10 at 12:55 -0400, Eddie Drapkin wrote:
> The problem with using a database escaping string for output escaping
> is that something like (despite being the world's lamest XSS)
> <script>
> location.href('google.com')
> </script>
> Would output mostly the same and with some cleverness, it wouldn't be
> too hard to get that to function properly with a full fledged XSS
> attack. I'd personally use one of the FILTER_* constants in
> conjunction with the filter functions themselves, say filter_var and
> FILTER_SANITIZE_SPECIAL_CHARS.
>
>
> On Wed, Jun 10, 2009 at 12:44 PM, Ashley Sheridan
> <[email protected]> wrote:
> On Wed, 2009-06-10 at 18:28 +0200, Nitsan Bin-Nun wrote:
> > mysql_real_escape_string() only sanitises the input. I would personally
> > only allow [a-zA-Z0-9-_] in search string but that's just me ;)
> > Validate the input in some way, or make extra sanitisation of it
> > before running the search query.
> >
> > Regarding the HTML output, just entities() it and you'll be good :)
> >
> > On Wed, Jun 10, 2009 at 6:32 PM, Ashley Sheridan
> > <[email protected]> wrote:
> >
> > On Wed, 2009-06-10 at 18:18 +0200, Nitsan Bin-Nun wrote:
> > > As far for the output, just html entities () it and you will be good.
> > >
> > > You better check the search query for SQL injection, which is more
> > > dangerous.
> > >
> > > HTH
> > > Nitsan
> > >
> > > On Wed, Jun 10, 2009 at 6:19 PM, Ashley Sheridan
> > > <[email protected]> wrote:
> > > Hi all,
> > >
> > > I'm looking at adding a new search feature to my site, and one of the
> > > elements of this is to echo back in the search results page, the
> > > original string the user searched for. Up until now, XSS hasn't (afaik)
> > > been an issue for my site, but I can see from a mile off this will be.
> > > What would you guys recommend to avoid this?
> > >
> > > I'd thought initially of using a mixture of html_special_chars() and a
> > > regex (as yet not sure what I'll be stripping out with this) to sanitise
> > > the output for display on the results page, but is this enough?
> > >
> > > Thanks
> > > Ash
> > > www.ashleysheridan.co.uk
> > >
> >
> > I always use mysql_real_escape_string() for that sort of thing, not had
> > a problem with it, but is there anything you think I should be wary of?
> >
> > Thanks
> > Ash
> > www.ashleysheridan.co.uk
> >
>
> [just bringing it back on list]
>
> Well, I don't understand, what is the problem with
> mysql_real_escape_string() for sanitising input to use for a search? It
> should escape anything out so that the query can't be used in ways that
> I don't want no?
>
> I'd thought about using a whitelist-only regex, but that seems a little
> limiting tbh, and as my site contains code, it's not unreasonable to
> expect some people might want to search for particular code excerpts.
>
> Thanks
> Ash
> www.ashleysheridan.co.uk
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
>
Oh no, I think I'm misunderstood here. I was going to use
mysql_real_escape_string only for the database input, and use
htmlentities for the display output, as essentially they are separate,
and should be treated as such.

I've been doing a bit of reading, and I can't really understand why XSS
is such an issue. Sure, if a user can insert a <script> tag, what
difference will that make to anyone else, as it is only on their own
browser?

Thanks
Ash
www.ashleysheridan.co.uk
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
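An added example, not code from anyone in the thread, tying the two escaping jobs together in PHP. The search term is echoed back on a results page whose URL anyone can be sent, so whatever markup it carries is rendered in the browser of every visitor who loads that URL, under the site's origin; that is why the echoed term must be escaped for HTML even though the database escaping already happened. The snippet shows that a MySQL-style escape leaves `<script>` untouched while `htmlspecialchars()` and `filter_var(..., FILTER_SANITIZE_SPECIAL_CHARS)` neutralise it, and that a parameterised query (PDO over an in-memory SQLite table, constructed here so it runs offline) makes both `mysql_real_escape_string()` and a whitelist regex unnecessary on the database side, so code excerpts remain searchable. Assumptions: PHP 8 with `pdo_sqlite`; `mysqlStyleEscape()` is a stand-in written here that escapes the same characters the removed `mysql_real_escape_string()` did; the other function names and the sample rows are mine.

```php
<?php
// Added example, not code from the thread. Escaping for the database and
// escaping for HTML are two different jobs; a parameterised query makes the
// database side safe without escaping or whitelisting the search term.

// Constructed sample input, based on the snippet quoted in the thread.
$search = "<script>location.href('google.com')</script> 100% 'free'";

// Stand-in for mysql_real_escape_string() (removed in PHP 7): escapes the
// same characters the MySQL client library does, so the example runs offline.
function mysqlStyleEscape(string $s): string
{
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', "\x1a" => '\\Z',
        '\\' => '\\\\', "'" => "\\'", '"' => '\\"',
    ]);
}

// Escaping for HTML output: <, >, &, " and ' become entities.
function escapeForHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The filter_var() route mentioned in the thread: encodes the same
// characters plus ASCII control characters, as numeric entities.
function filterForHtml(string $s): string
{
    return filter_var($s, FILTER_SANITIZE_SPECIAL_CHARS);
}

// The <script> tags survive database-style escaping untouched, which is the
// problem with reusing it for output; both HTML escapers neutralise them.
echo "db-style : ", mysqlStyleEscape($search), "\n";
echo "html     : ", escapeForHtml($search), "\n";
echo "filter   : ", filterForHtml($search), "\n\n";

// Database side: the raw term is bound as a parameter, so the driver sends it
// separately from the SQL and quotes, backslashes and code excerpts are all
// searchable as typed. Only LIKE's own wildcards still need escaping; '!' is
// used as the ESCAPE character because a backslash would have to be doubled
// for MySQL but not for SQLite.
function searchPosts(PDO $db, string $term): array
{
    $literal = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    $stmt = $db->prepare(
        "SELECT id, body FROM posts WHERE body LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . $literal . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory table so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
foreach ([
    "Use htmlspecialchars(\$s, ENT_QUOTES, 'UTF-8') on every echoed value",
    "A 100% match: the percent sign here is literal",
    "mysql_real_escape_string() belongs to the query, not the page",
] as $body) {
    $insert->execute([':body' => $body]);
}

// Output side: the term is echoed back exactly as typed, but through
// escapeForHtml(), so the results page cannot be turned into markup.
// Expected: "100%" matches one row (the wildcard is escaped, so it is
// literal), "'UTF-8'" matches one row, and the script string matches none.
foreach (["100%", "'UTF-8'", $search] as $term) {
    $rows = searchPosts($db, $term);
    echo '<p>', count($rows), ' result(s) for "', escapeForHtml($term), "\"</p>\n";
    foreach ($rows as $row) {
        echo '<li>', escapeForHtml($row['body']), "</li>\n";
    }
}
```

Run it with `php search_escaping.php` and compare the first three lines: the db-style line still contains a live `<script>` element, the other two do not. The same `escapeForHtml()` call is applied to the stored rows when they are printed, because data that was safe to store is not thereby safe to render.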