Re: BB type posting - is this secure? [message #176408 is a reply to message #176398]
Wed, 04 January 2012 07:24
Curtis Dyer
Michael Joel <no(at)please(dot)com> wrote:
> On Fri, 30 Dec 2011 10:59:46 +0100, "Álvaro G. Vicario"
> <alvaro(dot)NOSPAMTHANX(at)demogracia(dot)com(dot)invalid> wrote:
>
>> El 29/12/2011 23:45, Michael Joel escribió/wrote:
>>> I am allowing posts to the page and wanted to see if this is
>>> secure.
>>>
>>> data from sql is placed in an array (say $MyArray):
>>>
>>> $MyArray["Post"] = nl2br(stripslashes($MyArray["Post"]));
[I'm including some of what Álvaro wrote for sufficient context:]
>> What sense does it make to strip slashes in data that comes
>> from a database? If stored data is valid, this will basically
>> corrupt it as soon as it contains a backslash:
> .......... SNIP ................
>
>
> Sorry I did not make it clear.
>
> stripslashes is used as it comes out of the db, addslashes are
> used as it goes in (but as mentioned mysql_real_escape_string is
> to be used).
The use of stripslashes() on DB output is not needed when properly
sanitized data is inserted into the DB in the first place. It
seems like you're misunderstanding the process.
In my experience, it's best to store data in the DB exactly as the
users provide it. We sanitize the data as a necessary step to
prevent arbitrary and malicious SQL from being executed. Upon
retrieving the data for output, none of the artifacts remain from
the sanitization step.
This is a simplified model of how you might conceptualize handling
the data.
    Incoming data
    Sanitization (e.g., prepared statements)
          |
          V
       Database
          |
          V
    Outgoing data
    Escape data (e.g. htmlspecialchars())
You might well do something else with the outgoing data. It
depends on what you're doing. Álvaro demonstrates upthread.
> Someone else also claimed the strip_tags($MyString, "<br>");
> will strip <br> - but it does not. Maybe it will <br /> but then
> just change it to "<br><br />"
If you're referring to my previous reply* to your OP, then no, I
did not claim that at all. I merely suggested, *as an
alternative*, to make the call to nl2br() last so you don't need
to use the filter parameter for strip_tags().
---
* Message ID: <jdit4j$jj1$1(at)dont-email(dot)me>
<snip>
--
Curtis Dyer
<?$x='<?$x=%c%s%c;printf($x,39,$x,39);?>';printf($x,39,$x,39);?>
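The two-step model described in the post above, written out as an added PHP example (not code from the original thread or from any of its participants). It uses PDO against an in-memory SQLite database so it runs offline; the table name `posts`, the column `body`, and the sample post are assumptions made for illustration. The input side binds the raw text through a prepared statement, the output side escapes with htmlspecialchars() and calls nl2br() last, and a final check shows what stripslashes() would do to correctly stored data containing backslashes.

```php
<?php
// Added example, not from the original post: store user text unchanged via a
// prepared statement, escape it for HTML only on the way out.
// Table/column names and the sample post are assumptions for illustration.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $db;
}

// Incoming data: the bound parameter never becomes part of the SQL text, so the
// body is stored byte-for-byte as the user sent it. No addslashes(), and
// therefore nothing to strip on the way out.
function storePost(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $db->lastInsertId();
}

// The stored value, untouched, for comparison with what went in.
function fetchRawPost(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT body FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $body = $stmt->fetchColumn();
    if ($body === false) {
        throw new RuntimeException("no post with id $id");
    }
    return $body;
}

// Outgoing data: escape for the HTML context first, convert newlines last.
// Because nl2br() runs after htmlspecialchars(), the <br /> tags it emits are
// the only markup in the result, so strip_tags() and its allow-list are not
// needed at all.
function renderPost(PDO $db, int $id): string
{
    $body = fetchRawPost($db, $id);
    return nl2br(htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'));
}

$db = makeDb();

// Constructed sample post: a Windows path (backslashes), a single quote, and a
// script tag, i.e. the cases each step above has to survive.
$input = "C:\\Users\\me\\notes.txt\nIt's here: <script>alert('x')</script>";
$id = storePost($db, $input);

// Round trip is lossless: the database holds exactly what the user typed.
$stored = fetchRawPost($db, $id);
assert($stored === $input);

// Álvaro's point from upthread: stripslashes() on correctly stored data eats
// every backslash in the path.
assert(stripslashes($stored) === "C:Usersmenotes.txt\nIt's here: <script>alert('x')</script>");

// Safe to drop into an HTML page: quotes and angle brackets are entities, the
// newline has become <br />.
echo renderPost($db, $id), PHP_EOL;
```

Run it with `php example.php`. If the database layer in your own code is MySQL rather than SQLite, only the DSN in makeDb() changes; the prepare/bind/execute calls and the output escaping stay the same, which is the point of the model in the post: the escaping on the way out is about the HTML context and is independent of how the data got into the database.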