
[nycphp-talk] User Input Data scrubbing

Elijah Insua tmpvar at gmail.com
Fri Nov 28 17:35:06 EST 2008


hrm.. it depends on a bunch of different things, including your db charset
and the charset in your html.  You can convert between them.. but why hack
it when you can filter the data when it goes into the database?

Filter once, it's faster and consistent.


-- Elijah

On Fri, Nov 28, 2008 at 5:15 PM, Michele Waldman <mmwaldman at nyc.rr.com> wrote:

>  But if I replace ' with &#39;, there aren't two passes that need to be
> made.
>
> Michele
>
>  ------------------------------
>
> *From:* talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> *On Behalf Of *Elijah Insua
> *Sent:* Friday, November 28, 2008 5:09 PM
>
> *To:* NYPHP Talk
> *Subject:* Re: [nycphp-talk] User Input Data scrubbing
>
> Michele,
>
> you should clean the data in 2 different ways.  first, get rid of all of
> the xss stuff.  Then before you insert the cleaned data into the database,
> clean out any attempts at SQL injection.
>
> There are tons of frameworks and libraries out there that handle exactly
> this.
>
>
> -- Elijah
>
> On Fri, Nov 28, 2008 at 4:59 PM, Michele Waldman <mmwaldman at nyc.rr.com>
> wrote:
>
> What about inserting a comment
>
> <script>alert('hi');</script>'; delete from users;
>
> Like I'm going to name my table users?
>
> With that one statement they have performed a SQL injection and HTML
> injection in one stroke.
>
> Bada bing bada bang bada boom
>
> Next time I display their comment out of the database they are popping up
> an alert to every user and my users are gone.
>
> Michele
>
>  ------------------------------
>
> *From:* talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> *On Behalf Of *Elijah Insua
> *Sent:* Friday, November 28, 2008 3:27 PM
> *To:* NYPHP Talk
>
>
> *Subject:* Re: [nycphp-talk] User Input Data scrubbing
>
> Michele,
>
> SQL injection and Html injection are two separate issues.
>
> SQL injection is something like a user posting ';DELETE FROM users;  where
> it deletes all of your user accounts.
>
> Html/Cross Site Scripting is more along the lines of what you are talking
> about.  There are tons of libraries out there
> that attempt to kill off as many of these as possible.
>
> As far as your 255 character theory, it is not completely true.  There are
> other character sets such as UTF-8 which allow
> for 65 thousand characters.  I would seriously invest some time into
> finding a library that you can integrate.
>
> - Elijah
>
> On Fri, Nov 28, 2008 at 3:04 PM, Michele Waldman <mmwaldman at nyc.rr.com>
> wrote:
>
> Could y'all repost any responses to this.  Apparently, my new email address
> wasn't subscribed to the mailing list.
>
>  ------------------------------
>
> *From:* Michele Waldman [mailto:mmwaldman at nyc.rr.com]
> *Sent:* Friday, November 28, 2008 2:06 PM
> *To:* 'NYPHP Talk'
> *Subject:* User Input Data scrubbing
>
> I'm trying to scrub data input to insert into a database which I will later
> display on the website.
>
> In order to prevent SQL injections and HTML injections into the code, I
> figured I'd just replace non-alphanumeric characters with their HTML special
> character codes and remove any control characters altogether except
> carriage return.
>
> The ASCII character codes only go up to 255.
>
> However, there are lots more characters in HTML.
>
> If the user creates a string that was generated using HTML with
> characters outside of the ASCII character codes, what do those get
> translated to in the string?  A garbage character?
>
> Is that a concern?  Or is my only concern those 255 characters in the ASCII
> chart?  I'm thinking the 255 characters covers it all.  The characters are a
> finite set which were long ago predefined, unless that changes in the
> future, right?  This means scrubbing the data is a short function.
>
> I'm not using mysql_real_escape_string, because I replace all ' and " with
> their HTML character code.
>
> I'm not using htmlspecialchars, because it wasn't thorough enough.  I
> simply wrote a function that replaces just about every character with its
> HTML character code.
>
> I'm doing this in PHP after the data is passed to me.
>
> Now, in the case of Ajax, I just need to come up with a good approach for
> checking the data received from PHP, which may vary depending on the type of
> Ajax used.
>
> Michele
>
> _______________________________________________
> New York PHP User Group Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> http://www.nyphp.org/show_participation.php
>
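Putting the two-step advice from the thread into working PHP, as an added example that is not code from anyone on the list: the comment is stored through a PDO prepared statement, so no quote replacement is needed for the SQL side, and it is HTML-escaped only at the moment it is rendered. It assumes the pdo_sqlite extension is available and uses the table names `users` and `comments` purely for illustration.

```php
<?php
// Added example, not code from the thread: keep the two defences separate.
// Storage uses a bound parameter; HTML-escaping happens only at output time.
// Runs stand-alone against an in-memory SQLite database (needs pdo_sqlite);
// the table names "users" and "comments" are assumed for illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// SQL injection defence: the comment is bound as data, never spliced into
// the statement text, so a quote or semicolon inside it cannot end the
// statement. No escaping or character replacement is needed for storage.
function storeComment(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// HTML injection (XSS) defence: encode for an HTML text or attribute context
// when rendering. Only & < > " ' are rewritten; every other character,
// including multi-byte UTF-8, is emitted unchanged, so no table of "the 255
// characters" is needed and non-ASCII comments are not mangled.
function renderComment(string $body): string
{
    return htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the payload quoted in the thread, and a non-ASCII comment.
$inputs = [
    "<script>alert('hi');</script>'; delete from users;",
    "Très bon, 日本語 OK",
];
foreach ($inputs as $in) {
    storeComment($pdo, $in);
}

// The users table still has its row: the payload was stored as plain text.
$userCount = (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
echo "rows in users: {$userCount}\n";

// On output the script tags and quotes arrive as entities, not markup.
foreach ($pdo->query('SELECT body FROM comments') as $row) {
    echo '<p>' . renderComment($row['body']) . "</p>\n";
}
```

The same stored string would need a different encoder if it were ever placed into a JavaScript block or a URL, which is why the escaping is tied to the output context rather than done once on the way into the database.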

